Project report on secured wireless network for an enterprise with redundancy

SECURED WIRELESS NETWORK FOR AN ENTERPRISE WITH REDUNDANCY
HARKIRAT SINGH DHILLON TARANDEEP KAUR VARINDER SINGH
PROJECT REPORT
ON
SECURED WIRELESS NETWORK FOR AN ENTERPRISE
Wireless Project - WLS 5507 – 0NA
Submitted To: Submitted By:
Prof. Waleed Ejaz Harkirat Singh Dhillon
Varinder Singh
Tarandeep Kaur

Page1
This Project is regarding the security of an Enterprise Network. In this project we
will create a secure Wlan network using CISCO controller, light Aps and external
Server. Our motive is to secure network by providing every employee of the
company with his/her own username and password in order to connect to the
network. To secure the network we will use WPA2 and AES encryption in our
project.It is not feasible to use a single password for the whole network as it can
expose the network to rogue attacks and hackers resulting in data theft or
compromising the secuirty of whole company’s network.Also, we will introduce
redudancy in the network in case one controller fails the other one can do the job
without a hinch.
The management of the whole network is centeralized i.e. the whole setup can be
managed from one place. Wireless LAN controllers are responsible for
systemwide WLAN functions and provide centralized management. Large
number of
AP’s can be managed by single controller and also easy to deploy and removal of
APs. We created an external DHCP server, which provides IP addresses to the
devices. We can track which devices are connected to the network on this server.
Active directory is also a major part of this project in which we create user
credentials for different users. It provide centralized repository for user account
information, directory authentication, authorization and assignment of right and
permissions. It maintains the relationship between resources and enable them to
work together. A Network Policy has been created for authentication of Wi-Fi
network on RADIUS authentication and authorization sever. A particular user can
be de-authorized, without changing key for everyone. It has ability to direct users
into particular user profiles based on RADIUS attribute. Also we can add new
users and remove retired users. It is potential solution to setup a secured wireless
network for an enterprise.

Page2
Acknowledgement
We are grateful to Prof Waleed Ejaz, project in charge for unflinching support,
guidance and pearls of wisdom to enable me to complete this project. The way he
instilled knowledge of the module was undoubtly praise worthy and valuable. We
are also grateful to my Coordinator of Department Prof. Kevin Ramdass and
Mehdi Akbari for the supervision and encouragement during course. We are also
thankful to Humber College as a whole that is doing yeoman’s service by teaching
the learner abreast with the RF technology, telecom, networking etc. knowledge
that is the need of the day. We are grateful to Bhawandeep Singh and Amandeep
Kaur Randhawa for providing us with their project report and work. We found it
utmost useful for guidance and completion of our project.
Last but not the least: We thank all classmates at Humber College for extending
kind cooperation.

Page3
INDEX
Contents
1. Network topology.....................................................................................................4
2. Components Used.....................................................................................................5
2. Basic step to be followed in controller configuration..............................................6
4. Setting up Cisco Wireless Controller using Cisco WLAN Express ........................7
(Wired Method)...............................................................................................................7
5. Using the GUI to Create WLANs ..........................................................................12
6. Using the GUI to Configure DHCP Scope.............................................................15
7. Introduction to Virtual Box.......................................................................................19
8. Microsoft Server as Virtual machine ........................................................................20
 Configure DHCP server............................................................................................33
9) 802.1X Authentication via WiFi – Active Directory + Network Policy
Server + Cisco WLAN + Group Policy........................................................................39
10) INTRODUCING REDUNDANCY ON WLC’S...................................................64
REFERENCES..............................................................................................................72

Page4
1. Network topology

Page5
2. Components Used
A. Wireless controller – 2x
a. Hardware Specifications
b. Data Ports - 4 x 1 Gigabit Ethernet Ports
c. Console Port - 1 x RJ45
d. External 48V Power Supply
B. Access points
C. Ethernet cables
D. Console cables
E. Laptop additional server

Page6
2. Basic step to be followed in controller configuration
Figure 2: Controller basic setup

Page7
4. Setting up Cisco Wireless Controller using Cisco WLAN
Express
(Wired Method)
Step 1 Connect the laptop’s wired Ethernet port directly to the service port of
WLC (port no. 1). The port LEDs blink to indicate that both the machines are
properly connected
NOTE: It may take several minutes for the WLC to fully power on to make the
GUI available to the PC. Do not auto-configure the WLC.
Figure 3: Wireless controller
The LEDs on the front panel provide the system status:
If the LEDs is off, it means that the WLC is not ready.
If the LEDs is solid green , it means that the WLC is ready
Step 2
Assign a static IP address 192.168.1.X to the laptop to access the WLC GUI
Step 3
Open any one of the following supported web browsers and type
http://192.168.100.10 (the ip address may get changed because the WLC’s are
used in lab experiments, but you can change it to desired ip address by configuring
the WLC through console cable and Putty )

Page8
If you are unable to login into WLC , then join the console cable and open Putty
software for WLC 2504 initial configuration.
Putty>Serial>ok
After that a command box will open and type the following commands for
configuration of WLC-
>Clear config
Are you sure you want to clear configuration ? (y/n) Y
>reset system
The system has unsaved changes.
Would you like to save them now ? (y/n) N
Configuration not saved !
Are you sure you would like to reset the system ? (y/n) Y
This will take some time as the system will be restarted

Page9
When system will come live again, do the following configuration

Page10
Now, the WLC has been configured it can be accessed by typing the ip address
we assigned it in the configuration.

Page11
Step 4 Login into WLC
Username- admin
Password- Humber1 (set in configuration)
Step 5 Go to ADVANCE option which appear when you will login into WLC.
After that browse the COMMAND>SET TIME
This option will let you set the current time in order you were unable to
configure it.
It is necessary to set the time because the AP’s will not work if the time is not set
to current time.

Page12
5. Using the GUI to Create WLANs
To create WLANs using the GUI, follow these steps:
Step 1 Go to WLANs page.
Figure- Wlan page

Page13
This page lists all of the WLANs currently configured on the controller. For each
WLAN, you can see its WLAN ID, pro le name, type, SSID, status, and security
policies. The total number of WLANs appears in the upper right-hand corner of
the page. If the list of WLANs spans multiple pages, you can access these pages
by clicking the page number links.
Step 2 Create a new WLAN by choosing Create New from the drop-down list
and clicking Go.
After this the following page will pop-up, add the details as you desire.
Wlan> new page
Step 3 From the Type drop-down list, choose WLAN to create a WLAN.
Step 4 In the Profile Name text box, enter up to 32 alphanumeric characters for
the profile name to be assigned to this WLAN. The profile name must be
unique.
Step 5 In the WLAN SSID text box, enter up to 32 alphanumeric characters for
the SSID to be assigned to this WLAN.
Step 6 From the WLAN ID drop-down list, choose the ID number for this WLAN.
Step 7 Click Apply to commit your changes. The WLANs > Edit page appears

Page14
Figure : WLANs > Edit Page
Step 8 Use the parameters on the General, Security, QoS, and Advanced tabs to
configure this WLAN. Seethe sections in the rest of this chapter for instructions
on configuring specific features for WLANs.
Step 9 On the General tab, select the Status check box to enable this WLAN. Be
sure to leave it unselected until you have finished making configuration changes
to the WLAN.
Step 10 Click Apply to commit your changes.
Step 11 Click Save Configuration to save your changes.

Page15
6. Using the GUI to Configure DHCP Scope
Step 1 Choose Controller > Internal DHCP Server > DHCP Scope to open the
DHCP Scopes page >DHCP Scopes
NOTE: If you ever want to delete an existing DHCP scope, hover your cursor
over the blue drop-down arrow for that scope and choose Remove.
Step 2 Click New to add a new DHCP scope. The DHCP Scope > New page
appears.
Step 3 In the Scope Name text box, enter a name for the new DHCP scope.
Step 4 Click Apply. When the DHCP Scopes page reappears, click the name of
the new scope. The DHCP Scope > Edit page appears DHCP Scope > Edit Page
Step 5 In the Pool Start Address text box, enter the starting IP address in the range
assigned to the clients.
NOTE: This pool must be unique for each DHCP scope and must not include the static IP
Step 6 In the Pool End Address text box, enter the ending IP address in the range
assigned to the clients.
NOTE: This pool must be unique for each DHCP scope and must not include the
static IP addresses of routers or other servers.
Step 7 In the Network text box, enter the network served by this DHCP scope.
This IP address is used by the management interface with Netmask applied, as
configured on the Interfaces page.
Step 8 In the Netmask text box, enter the subnet mask assigned to all wireless
clients.
Step 9 In the Lease Time text box, enter the amount of time (from 0 to 65536
seconds) that an IP address is granted to a client.

Page16
Step 10 In the Default Routers text box, enter the IP address of the optional router
connecting the controllers. Each router must include a DHCP forwarding agent,
which allows a single controller to serve the clients of multiple controllers.
Step 11 In the DNS Domain Name text box, enter the optional domain name
system (DNS) domain name of this DHCP scope for use with one or more DNS
servers.
Step 12 In the DNS Servers text box, enter the IP address of the optional DNS
server. Each DNS server must be able to update a client’s DNS entry to match the
IP address assigned by this DHCP scope.
Step 13 In the NetBIOS Name Servers text box, enter the IP address of the
optional Microsoft Network Basic Input Output System (NetBIOS) name server,
such as the Internet Naming Service (WINS) server.
Step 14 From the Status drop-down list, choose Enabled to enable this DHCP
scope or choose Disabled to disable it.
Step 17 Choose DHCP Allocated Leases to see the remaining lease time for
wireless clients. The DHCP Allocated Lease page appears, showing the MAC
address, IP address, and remaining lease time for the wireless clients

Page17
 Using the GUI to Configure Dynamic Interfaces to configure a
primary DHCP server for a management, AP-manager, or dynamic
interface that will be assigned to the WLAN.
Step 1 Choose WLANs to open the WLANs page.
Step 2 Click the ID number of the WLAN for which you wish to assign an
interface. The WLANs > Edit
NOTE: When you want to use the internal DHCP server, you must set the
management interface IP address of the controller as the DHCP server IP address.
Step 3 On the General tab, unselect the Status check box and click Apply to
disable the WLAN.
Step 4 Re-click the ID number of the WLAN.
Step 5 On the General tab, choose the interface for which you configured a
primary DHCP server to be used with this WLAN from the Interface drop-down
list.
Step 6 Choose the Advanced tab to open the WLANs > Edit (Advanced) page.

Page18
Step 7 If you want to define a DHCP server on the WLAN that will override the
DHCP server address on the interface assigned to the WLAN, select the DHCP
Server Override check box and enter the IP address of the desired DHCP server
in the DHCP Server IP Address text box. The default value for the check box is
disabled.
Note the preferred method for configuring DHCP is to use the primary DHCP
address assigned to a particular interface instead of the DHCP server override.
Note DHCP Server override is applicable only for the default group.
Step 8 If you want to require all clients to obtain their IP addresses from a DHCP
server, select the DHCP Address. Assignment required check box. When this
feature is enabled, any client with a static IP address is not allowed on the
network. The default value is disabled.
Note DHCP Address. Assignment required is not supported for wired guest
LANs.
Step 10 On the General tab, select the Status check box and click Apply to
reenable the WLAN.
Figure : WLAN>Edit>Advanced

Page19
7. Introduction to Virtual Box
What is Virtual Box?
Virtual Box is a free, open source, cross-platform application for creating,
managing and running virtual machines (VMs) – computers whose hardware
components are emulated by the host computer, the computer that runs the
program. How do I get it?
The easiest way to get the latest version of Virtual Box is to download it from the
download page of the Virtual Box website – http://www.virtualbox.org
There you can download the correct version for your platform, or if you’re using
Linux you can click through to find a list of instructions for various Linux
distributions.
For each Linux distribution you’re given the option of downloading either the
“i386”or “amd64” option. “i386” is the 32 bit version; “amd64” is the 64 bit
version. If you’re not sure which version of the operating system you’re using
you’re almost certainly using the 32 bit version and so you will want to download
the “i386” version of Virtual Box.
Installing Virtual Box is just like installing any other program on your platform,
so you shouldn’t have any problem with the installation. If you do get stuck
though, you can read the installation guide on the Virtual Box website.

Page20
8. Microsoft Server as Virtual machine
To create a new virtual machine, you need to start VirtualBox In the toolbar, click
the New button. The New Virtual Machine Wizard is displayed in a new window
Click the Next button to move though the various steps of the wizard. The wizard
enables you to configure the basic details of the virtual machine. On the VM
Name and OS Type step, enter a descriptive name for the virtual machine in the
Name (Microsoft server 2012) field and select the operating system (Microsoft
Windows) and version (Windows 2012 64 bit) that you are going to install from
the drop-down lists, as shown in Figure 10. It is important to select the correct
operating system and version as this determines the default settings for Virtual
Box uses for the virtual machine. You can change the settings later after you have
created the virtual machine.

Page21
On the Memory step, you can simply accept the default. This is the amount of
host memory (RAM) that Virtual Box assigns to the virtual machine when it runs.
You can change the settings of the virtual machine later, when you import the
template into Oracle VDI.
Figure : Memory size setup
On the Virtual Hard Disk step, ensure Start-up Disk is selected (see Figure) ,
select Create new hard disk and click Next. The Virtual Disk Creation Wizard
is displayed in a new window so you can create the new virtual disk.

Page22
Figure : Virtual Hard Disk Step
On the following steps, select VDI (Virtual Box Disk Image) as the file type,
dynamically allocated as the storage details, and accept the defaults for the
virtual disk file location and size, and then click Create to create the virtual disk.
When the virtual disk is created, the Virtual Disk Creation Wizard is closed and
you are returned to the Summary step of the New Virtual Machine Wizard. Click
Create to create the virtual machine. The wizard is closed and the newly-created
virtual machine is listed in Oracle VM Virtual Box Manager, as shown in Figure

Page23
Figure-: Virtual Machine Added
Since you want to install an operating system in the virtual machine, you need to
make sure the virtual machine can access the installation media. To do this, you
edit the virtual machine settings. In Oracle VM VirtualBox Manager, select the
virtual machine and then in the toolbar click the Settings button. The Settings
window is displayed. In the navigation on the left, select Storage as shown in
Figure.
In the Storage Tree section, select Empty below the IDE Controller. The
CD/DVD Drive attributes are displayed. Click the CD/DVD icon next to the

Page24
CD/DVD Drive drop-down list and select the location of the installation media,
as follows:
drive to the host's physical CD/DVD
drive,
select Host Drive <drive-name>.
To insert an ISO image in the virtual CD/DVD drive, select Choose a virtual
CD/DVD disk file and browse for the ISO image.
Figure : Virtual Machine Storage Settings
Click OK to apply the storage settings. The Settings window is closed. If you
connected the virtual machine's CD/DVD drive to the host's physical CD/DVD
drive, insert the installation media in the host's CD/DVD drive now. You are now
ready to start the virtual machine and install the operating system.
In Oracle VM VirtualBox Manager, select the virtual machine and click the Start
button in the toolbar. A new window is displayed, which shows the virtual
machine booting up. Depending on the operating system and the configuration of
the virtual machine, VirtualBox might display some warnings first. It is safe to
ignore these warnings. The virtual machine should boot from the installation
media, as shown in Figure

Page25
Figure : An Installation Program in a Running Virtual Machine
You can now perform all your normal steps for installing the operating system.
Be sure to make a note of the user name and password of the administrator user
account you create in the virtual machine, which you will need in order to log in
to the virtual machine. Do not join the virtual machine to a Windows domain (it
can be a member of a workgroup) as the domain configuration is performed later.
The virtual machine might reboot several times during the installation. When the
installation is complete, you might also want to let Windows Update to install any
updates.

Page26
 Installing Active Directory and DHCP and DNS
Before proceeding to anything else , make sure that you have set up the IP address
of the Server to be Static.
Follow the steps to make IP address set to static –
Open the network and sharing center
Click on Change Adapter Settings
• Right click on the network adapter
• Select Properties
• Select Internet Protocol Version 4
• Click Properties
• Type in your Static IP address configuration
• Click OK

Page27
Figure : Static IP on Microsoft Server
1. Open the Server Manager from the task bar.
2. From the Server Manager Dashboard, select Add roles and features.
Figure : Server’s Dashboard
This will launch the Roles and Features Wizard allowing for modifications to be
performed on the Windows Server 2012 instance.

Page28
Select Role-based or features-based installation from the Installation Type
screen and click Next.
3) The current server is selected by default. Click Next to proceed to the Server
Roles tab.
4) From the Server Roles page place a check mark in the check box next to
Active Directory Domain Services, DNS,and DHCP. A notice will appear
explaining additional roles services or features are also required to install
domain services, click Add Features
5) Review and select optional features to install during the AD DS installation
by placing a check in the box next to any desired features, and then click
Next.
Figure : Addition of Roles in Microsoft server
6) Review the information on the Tab and click Next.
7) On the Confirm installation selections screen, review the installation and
then click Install.

Page29
Note: The installation progress will be displayed on the screen. Once
installed, the AD DS role will be displayed on the ‘Server Manager’ landing
page
Once the installation of DNS, DHCP and Active Directory roles is
complete you will get a notification in the Server Manager console to
“Promote this server to a domain controller” and to “Complete DHCP
configuration”. You can to run the “Promote this server to a domain
controller” first, click on that.
Figure : Notification after Installation
 Configure Active Directory
Once the AD DS role is installed the server will need to be configured for
your domain.
1) If you have not done so already, Open the Server Manager from the task
bar.
2) Open the Notifications Pane by selecting the Notifications icon from the
top of the Server Manager. From the notification regarding configuring AD
DS, click Promote this server to a domain controller.

Page30
Figure : Configure Active Directory
3) You can change the name of your server if you want to, it can be done in
following way which is demonstrated by the above given figures –
(i) From the LOCAL SERVER display board, double click
on computer name. the following dialog box will
appear

Page31
(ii) Now click on change to rename your server
(iii) Now enter the desired name for computer and for your
workgroup.
(iv) Click OK to finish it.
(v) The changed computer name along with the workgroup
name will be seen on LOCAL SERVER display board
as shown in figure.

Page32
Figure – Updated Computer name and Workgroup name.
4) From the Deployment Configuration tab select Add a new forest from the
radial options menu. Insert your root domain name into the Root domain
name field, and then click Next.
5) Select a Domain and Forest functional level, and then input a password for
the Directory Services Restore Mode (DSRM) in the provided password
fields

Page33
The DSRM password is used when booting the Domain Controller into
recovery mode.
6) Review the warning on the DNS Options tab and select Next. 7) Confirm
or enter a NetBIOS name and click Next.
8) Specify the location of the Database, Log files, and SYSVOL folders and then
click Next. (by default)
9) Review the configuration options and click Next.
10) The system checks to ensure all necessary prerequisites are installed on
the system prior to moving forward. If the system passes these checks,
proceed by clicking Install. After this the System will reboot.
Login into server again using your name and password.
 Configure DHCP server
Log into the server and open DHCP in the start menu. You will notice that it is
not configured yet

Page34
1) “Complete DHCP configuration”.
2) This provides some tasks that need to be performed to enable the DHCP
server role to work properly after role installation.
Figure : The last page of Add Role Wizard after DHCP role installation 3)
Launch the DHCP post-install wizard and complete the steps required.
4) Creation of DHCP security groups (DHCP Administrators and DHCP
Users). For these security groups to be effective, the DHCP server service
needs to be restarted. This will need to be performed separately by the
administrator.

Page35
Figure : DHCP Post-Install configuration wizard – Introduction Page
5) Authorization of DHCP server in Active Directory (only in case of a
domain-joint setup). In a domain joined environment, only after the
DHCP server is authorized, it will start serving the DHCP client requests.
Authorization of DHCP server can only be performed by a domain user
that has permissions to create objects in the Net services container in
Active Directory.

Page36
Figure : DHCP Post-Install configuration wizard – Authorization Page 6)
After that, enter the scope name as you desire.
7) After that, define the IP address range for your DHCP scope.

Page37
Figure : IP adress range page 8)
Set Lease time.
9) Configure DHCP option.
10) After that, set Default gateway

Page38
11) Now enter Domain name and DNS server details. On the Domain
Name and DNS Servers screen, enter the IP addresses of all DNS
servers the client should use. Click Next when done
12) On the WINS Servers screen, if you have WINS servers add them
here. Click Next when done.
Most Windows environments no longer use WINS for name resolution.
Although, some legacy applications and hardware may still require it, so
check your environment before skipping this

Page39
13) On the Activate Scope page, select Yes, I want to activate this
scope now. A scope must be activated before it is allowed to assign
clients IP addresses. If you do not want to activate it at this time,
select No, I will activate this scope later. Click Next when done.
14) Click Finish.
9) 802.1X Authentication via WiFi – Active Directory +
Network Policy Server + Cisco WLAN + Group Policy
Here is how to implement 802.1X authentication in a Windows Server 2012 R2
domain environment using Protected-EAP authentication. By creating the
Network Policy server first, once we switch the authentication type from
whatever to 802.1X via RADIUS, our Network Policy Server will immediately
start processing requests and allowing machines on the domain. By configuring
the Cisco Wireless LAN Controller or Group Policy first, clients will try
connecting to a RADIUS server that doesn’t exist or present invalid credentials.
A. Active Directory
First, we need to create a security group in Active Directory to allow a list of
specific users and computers to login to the domain.
a) Create User Account in Server 2012 Domain Controller
Here I will create user account in server 2012 domain controller using AD Users
and Computers snap-in.
Step 1: Open AD Users and Computers snap-in from Server Manager.

Page40
Step 2: Create an Organizational Unit
Organizational Unit or simply OU is a container object of AD domain which can
hold users, computers, and other objects. Basically, you create user accounts and
computers inside an OU. I will create an OU named Management. Right-click
domain in AD users and Computers, choose New and click Organizational Unit.
Type Management to name the OU. Check the Protect container from
accidental deletion option. This option will protect this object from accidental
deletion.

Page41
Step 3: Create New User
Right-click the Management OU, click New and click User
Now type the user information. Type the first name and last name. Here user
logon name is the name that the user will use to actually log in the computer in
the network. So when user tries to log in, he will type this name on username
field. Now click Next.

Page42
Now type the password. Check user must change password at next logon. The
user will be forced to change the password when user logs in. Click Next.
Review the user configuration and click Finish.
You have successfully created a user account. You can open the properties of the
user account to tweak settings.

Page43
This process is useful if you have to create couple of user accounts. But imagine,
if you have to create hundreds or thousands of users. This process would be very
time-consuming. So to create many users within minutes you can use Windows
PowerShell scripts using NewADusercmdletor batch script using DsAdd
command.
In this example, we will allow any authenticated user or machine on the domain
to authenticate successfully to the RADIUS sever. In the screenshot below, we
can see I have added both Domain Users and Domain Computers to a security
group called WirelessAccess. Here is a screenshot with the above settings.
B. Network Policy Server
1. Open up Server Manager, click Add Roles, click Next on the
Before You Begin screen, check Network Policy and Access
Services and click Next, click Next on the Introduction screen,
check Network Policy Server (leave the rest unchecked) and click
Next, click Install.

Page44

Page45

Page46
2. Once Network Policy Server is installed, launch the Network Policy
Server snap-in (via MMC or Administrative Tools)

Page47
3. Inside of Network Policy Server, on NPC (Local), select RADIUS
server for 802.1X
Wireless or Wired Connections from the dropdown and click
Configure 802.1X
a) On the Select 802.1X Connections Type page, select Secure
Wireless Connections, and enter My Company’s Wireless. Click Next.

Page48
b) Click on the Add… button. Enter the following settings
▪ Friendly name: Cisco WLAN Controller
▪ Address: Enter your WLAN Controller’s IP address
▪ Select Generate, click the Generate button, and then copy down
the Shared Secret the wizard generated (we will use this later
to get the WLAN Controller to talk to the RADIUS server).
Click OK.
c) Click Next.

Page49
c) On the Configure an Authentication Method, select Microsoft:
Protected EAP (PEAP).
Click Next.
d) Click Next on the Specify User Groups (we will come back to this)
e) Click Next on the Configure Traffic Controls page.

Page50
f) Click Finish
4. Click on NPS (Local) -> Policies -> Network Policies. Right
click Secure Wireless Connections and click Properties.
5. Click on the Conditions tab, select NAS Port Type, and click
Remove
6. Still on the Conditions tab, click Add…, select Windows Groups
and click Add…, click Add Groups…, search for
WirelessAccess and click OK. Click OK on the Windows Groups
dialog box, click Apply on the Secure Wireless Connections

Page51
Properties box. You should now have something like the image
below:

Page52
Figure : Network Policy server
7. Click on the Constraints tab.
a) Uncheck all options under Less secure authentication methods.:
b) Click Apply.

Page53
C. Cisco WLAN
1. Login to your Cisco Wireless LAN Controller
2. Add a RADIUS server to your controller
a) Click on the Security tab
b) Select AAA -> Radius -> Authentication on the left side
c) Click the New… button in the top right
• Server IP Address: 192.168.10.100 (The IP address of your NPS
server we setup earlier)
• Shared Secret Format: ASCII
• Shared Secret: The long generated password you wrote down when
setting up the Network Policy Server
• Confirm Shared Secret: Same password in previous step
• Key Wrap: unchecked

Page54
• Port Number: 1812
• Server Status: Enabled
• Support for RFC 3576: Enabled
• Server Timeout: 2
• Network User: Checked
• Management: Checked
• IP Sec: Unchecked
• Here is a screenshot with the above settings
CISCO WLAN >Security> AAA>RADIUS
3. Create or modify a wireless network to use 802.1X
a) Click on the WLANs tab
b) Create a new wireless network or select an existing WLAN ID to
edit

Page55
c) On the “WLANs > Add/Edit ‘My SSID'” page, use the following
settings
d) Security tab
1. Layer 2 Tab
a) Layer 2 Security: WPA+WPA2
b) MAC Filtering: Unchecked
c) WPA+WPA2 Parameters 1. WPA Policy: Unchecked
2. WPA2 Policy: Checked
3. WPA2 Encryption: AES checked, TKIP unchecked
4. Auth Key Mgmt: 802.1X
d) Here is a screenshot of the above settings
Wlan> layer 2 policies
2. Layer 3 Tab
a) Layer 3 Security: none
Web Policy: unchecked
3. AAA Servers Tab
a) Authentication Servers: checked Enabled
b) Server 1: Select your RADIUS server from the dropdown
c) Local EAP Authentication: Unchecked

Page56
D. Group Policy
1. Go to your domain controller and open up the Group Policy
Management console.
2. Right click the Organizational Unit you want to apply to policy to
and select Create a GPO in this domain, and Link it here…

Page57
Note, the policy must be linked to the OU containing a group of machines you
want to have WiFi access to or a parent of the OU.
3. Enter in 802.1X WiFi Policy for the Name and click OK
4. Right click your new GPO and click Edit
5. Navigate to Computer Configuration->Policies->Windows
Settings->Security Settings->Wireless Network (IEEE 802.11)
Policies
6. Right click and select Create A New Wireless Network Policy for
Windows Vista and Later Releases

Page58
5. Ensure the following settings are set for your Windows Vista and
Later Releases policy
1. General Tab
a) Policy Name: My Wireless Policy for Vista and Later Clients
b) Description: Vista and later wireless network for my company.
c) Check Use Windows WLAN AutoConfigure service for clients
d) Here is a screenshot with the above settings

Page59

Page60
e) Click the Add… button and select Infrastructure
I. Connection Tab
Profile Name: My Network
1. Enter in your SSID (Wireless network name that gets broadcasted)
and click the Add… button
2. Check Connect Automatically when this network is in range
II. Security Tab
1. Authentication: WPA2-Enterprise
2. Encryption: AES
3. Select a network authentication method: Microsoft Protected EAP
(PEAP)
4. Authentication Mode: User or Computer authentication
5. Max Authentication Failures: 1
6. Check Cache user information for subsequent connections to this
network
7. Click OK
II. Network Permission Tab

Page61
a) Enter your network into Define permissions for viewing and connection
to wireless networks if it hasn’t been added already Uncheck Prevent
connections to ad-hoc networks
b) Uncheck Prevent connections to infrastructure networks
c) Check Allow user to view denied networks
d. Check Allow everyone to create all user profiles
e. Uncheck Only use Group Policy profiles for allowed networks
f. Leave all Windows 7 policy settings unchecked
g. Here is a screenshot with the above settings (to infrastructure
networks).
h. Click OK
1. Right click and select Create A New Windows XP Policy
2. Ensure the following settings are set for your Windows XP Policy
1. General Tab
a. XP Policy Name: My Wireless Policy for XP
Machines
b. Description: My wireless policy for XP machines.
c. Networks to access: Any available network (access
point preferred)

Page62
d. Check Use Windows WLAN AutoConfigure service
for clients
e. Uncheck Automatically connect to non-preferred
networks
2. Preferred Networks Tab
a. Click the Add… button and select Infrastructure
I. Network Properties Tab
1. Network name (SSID): My SSID
2. Description: My wireless network
3. Uncheck Connect even if network is not broadcasting
4. Authentication: WPA2
5. Encryption: AES
6. Check Enable Pairwise Master Key (PMK) Caching
7. Uncheck This network uses pre-authentication 8. Here is a picture
of the above settings

Page63
I. IEEE 802.1X Tab
1. EAP Type: Microsoft: Protected EAP (PEAP)
2. EAP Start Message: Transmit
3. Authentication Mode: User or Computer Authentication
4. Check Authenticate as computer when computer information is
available
5. Uncheck Authentication as guest when user or computer information
is unavailable
III. Click OK

Page64
10) INTRODUCING REDUNDANCY ON WLC’S
When an AP is fully joined to a controller, the AP learns of all the controllers
configured in that mobility group. Should the controllers that an AP is currently
registered with go down, the AP will send discoveries to any and all controllers
in the mobility group. Assuming one of the controller has the capacity to accept
the AP, the AP should join the least loaded controller it can find. If many
controllers in the mobility group, it can be difficult to determine what controller
the APs will join should their current controller fail.
If you want to have more control over how the APs move between controllers on
your network, you can configure the APs with Primary, Secondary & Tertiary
controller names. With the controller name configured on APs, the APs always
try to register the primary controller first. Should the primary controller go down,
the AP tries to register with the secondary controller. If the AP is not able to join
any of the configured controllers, it try to join any controller with Master
Controller setting configured, or if no Master Controller, then the least loaded
controller in the Mobility Group.
AP Failover priority can be used to determine who will register for a controller if
there is a contention. You can configure your wireless network so that the backup
controller recognize a join request from a higher priority AP and if necessary
disassociates a lower priority AP as a means to provide an available port for
higher fail over priority AP.
Before setting up redundancy, following are the points to remember –
• The setup provides redundancy for controllers across separate data centers
with low cost of deployment.
• These WLCs are independent of each other and do not share
configuration or IP addresses on any of their interfaces. Each WLC needs
to be managed separately, can run a different hardware and a different

Page65
software version, and can be deployed in different datacenters across the
WAN link.
• We must configure and manage both WLC separately.
• When a primary WLC resumes operation, the APs fall back from the
backup WLC to the primary WLC automatically if the AP fallback
option is enabled.
Step1: Configure both WLC’s and just make sure the hostname and IP address
used for management and the dynamic interfaces are different.
As we have configured the primary controller, we will configure the secondary
controller.
To configure the secondary controller, follow the direction as discussed in the
report earlier to configure the primary WLC.
The only difference will be the use of different IP address along with different
Hostname.
For Primary WLC, hostname- HumberController
IP add- 192.168.100.10
For Secondary WLC, hostname-HumberController2
IP add- 193.178.100.10
i Create WLAN
After configuring Secondary WLC, create a Wlan as we did in Primary
WLC.
Figure: WLAN Edit page ii Create DHCP Scope
Next we have to create a DHCP pool, in order to define the range of Ip
addresses.

Page66
Figure: DHCP SCOPE
Figure: DHCP Scope > Edit
iii Enabling RADIUS SERVER
Here we will be linking the Server we created on virtual machine, the one we
linked earlier for Primary WLC.

Page67
Figure: RADIUS Authentication Servers > New
Figure: Wlans > Edit > Security > AAA Servers
Step2: Go to Primary Controller GUI and navigate to Wireless > Access
Points > Global Configuration, then configure the backup controller on
the primary to point to the secondary controller.
Here is the screenshot of above mentioned step.

Page68
Figure: Primary WLC >
Wireless > Access Points > Global Configuration
Step3: Configure High Availability to input Primary and Backup controller IP
Address at Wireless AP.
Go to Wireless > Access Point > All APs, select specific AP and then Click on
High Availability tab.
Enter the primary WLC, secondary WLC IP and name here. Make sure that the
WLC name we entered on the AP high availability tab is correct and is case
sensitive.
Step4: Configure Mobility Group on both Primary and Secondary Controllers.
Go to Primary WLC GUI then navigate to Controller >
MobilityManagement > Mobility Groups and then click on new, enter the
details of secondary controller.
Here is the screenshot –

Page69
Figure: Primary WLC > Controller > Mobility Groups > New
Same on secondary WLC:
Go to Secondary WLC GUI then navigate to Controller >
MobilityManagement > Mobility Groups and then click on new, enter the
details of Primary controller.

Page70
Figure: Secondary WLC > Controller > Mobility Groups > New
HOW to FIND MAC ADDRESS OF WLC –
We will be needing MAC address of respective WLC’s in order to complete the
above given configuration.
To find MAC Address of the WLC, go to CONTROLLER > Inventory.
It will provide the Mac address. Here is the screenshot –
Figure: For MAC Address , go to Controller > Inventory
Step5: Enable Secondary Unit
Well, this option should be enabled on both the WLC’s for redundancy to work.
This option can be selected under CONTROLLER >GENERAL > HA SKU
Secondary Unit.
Here is the screenshot –

Page71
Figure : Controller > General > HA SKU Secodary Unit

Page72
REFERENCES
1) http://www.cisco.com/c/en/us/td/docs/wireless/controller/80/configuration
guide/b_cg80/b_cg80_chapter_010.html
2) Project Report on Securing Wireless Network for an Enterprise By
Bhawandeep Singh & Amandeep Kaur
3) https://blogs.technet.microsoft.com/canitpro/2015/01/19/stepby-step-
creating-awork-folders-test-lab-deployment-in-windowsserver-2012-r2/
4) https://www.youtube.com/watch?v=0WyBxwJD_c0
5) http://www.cisco.com/c/en/us/support/docs/wirelessmobility/wireless-
vlan/71477ap-group-vlans-wlc.html 6)
http://www.cisco.com/c/en/us/support/docs/wireless/2500series-
wirelesscontrollers/113034-2500-deploy-guide-00.html#anc25 7)
http://www.cisco.com/c/dam/en/us/td/docs/solutions/SBA/Febru
ary2013/Cisco_SBA_ BN_WirelessLANDeploymentGuideFeb2013.pdf
8) https://mrncciew.com/2013/04/07/ap-failover/
9) https://rscciew.wordpress.com/2014/06/07/n1-high-
availabilityconfiguration-on-cisco-2504wlc/
10) http://www.cisco.com/c/en/us/td/docs/wireless/technology/hi_av
ail/N1_High_Availability_Deployment_Guide.pdf

Project report on secured wireless network for an enterprise with redundancy

Recommended

Recommended

More Related Content

What's hot

What's hot (6)

Similar to Project report on secured wireless network for an enterprise with redundancy

Similar to Project report on secured wireless network for an enterprise with redundancy (20)

Recently uploaded

Recently uploaded (20)

Project report on secured wireless network for an enterprise with redundancy