Securing Bridge-to-Bridge Links

Root bridge to nonroot bridge communications can be secured with LEAP authentication and Cisco TKIP. It is strongly recommended that you use this or IPSec VPN over bridged links to secure the data traffic.

Examples 12-22 and 12-23 provide a deployment example for securing the root-to-nonroot bridged link with a LEAP and Cisco TKIP configuration. Example 12-22 shows a root bridge configuration in which LEAP authentication is enabled to authenticate the nonroot bridges. As shown in the example, Cisco TKIP is enabled to provide data confidentiality and to protect data integrity between the root and nonroot bridges.

Example 12-22. Security Configuration Required on the IOS-Enabled Root Bridge

ROOT-BRIDGE(config)#int dot11Radio 0
ROOT-BRIDGE(config-if)#ssid bridgedLink
! Enable LEAP authentication and specify the LEAP list name "LEAP-AUTH"
ROOT-BRIDGE(config-if-ssid)#authentication network-eap LEAP-AUTH
! Enable infrastructure mode association with the non-root bridges
ROOT-BRIDGE(config-if-ssid)#infrastructure-ssid
ROOT-BRIDGE(config-if-ssid)#exit
! Enable encryption parameters
ROOT-BRIDGE(config-if)#encryption mode wep mandatory mic key-hash
! Enable broadcast key rotation for every 900 seconds (15 minutes)
ROOT-BRIDGE(config-if)#broadcast-key change 900
ROOT-BRIDGE(config-if)#exit
! Configure radius server parameters for EAP authentication
ROOT-BRIDGE(config)#aaa new-model
! Specify Radius server information
ROOT-BRIDGE(config)#radius-server host 10.10.10.5 auth-port 1812 acct-port 1813 key tmelab
! Specify EAP authentication servers
ROOT-BRIDGE(config)#aaa group server radius rad-eap
! Specify 10.10.10.5 server as an EAP authentication server
ROOT-BRIDGE(config-sg-radius)#server 10.10.10.5 auth-port 1812 acct-port 1813
ROOT-BRIDGE(config-sg-radius)#exit
! Specify rad-eap group of servers to be used for LEAP authentication
ROOT-BRIDGE(config)#aaa authentication login LEAP-AUTH group rad-eap
! Configure miscellaneous radius server parameters
ROOT-BRIDGE(config)#radius-server attribute 32 include-in-access-req format %h
ROOT-BRIDGE(config)#radius-server vsa send accounting
ROOT-BRIDGE(config)#end

Example 12-23 shows the nonroot configuration in which LEAP authentication is enabled to protect the bridged link to the root bridge. Note that you must specify LEAP authentication credentials (username and password) on the nonroot bridge. Even though it is not explicitly configured in Example 12-23, Cisco TKIP is negotiated as the cipher when the bridged link is initially "brought up" between the root and nonroot bridges. (This is because the root bridge is configured with Cisco TKIP.)

Example 12-23. Configuration on the IOS-Enabled Nonroot Bridge

NR-BRIDGE1(config)#int dot11Radio 0
NR-BRIDGE1(config-if)#ssid bridgedLink
! Enable LEAP authentication and specify the LEAP list name "LEAP-AUTH"
NR-BRIDGE1(config-if-ssid)#authentication network-eap LEAP-AUTH
! Enable infrastructure mode association with the root bridge
NR-BRIDGE1(config-if-ssid)#infrastructure-ssid
! Specify username and password for LEAP authentication
NR-BRIDGE1(config-if-ssid)#authentication client username nonRoot1 password 0 tmelab
NR-BRIDGE1(config-if-ssid)#end

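An added example, not code from the book or from Cisco, that audits a saved running-config against the baseline Examples 12-22 and 12-23 establish: network-eap (LEAP) on the SSID backed by a defined method list and RADIUS group, infrastructure-ssid, mandatory WEP with MIC and key hashing (Cisco TKIP), and broadcast-key rotation at or under the 900-second interval. The sample config text, the function name and the finding strings are all constructed for this illustration.

```python
import re

# Constructed sample: what Example 12-22 leaves in the root bridge's running-config.
ROOT_CONFIG = """\
aaa new-model
aaa group server radius rad-eap
 server 10.10.10.5 auth-port 1812 acct-port 1813
aaa authentication login LEAP-AUTH group rad-eap
interface Dot11Radio0
 ssid bridgedLink
    authentication network-eap LEAP-AUTH
    infrastructure-ssid
 encryption mode wep mandatory mic key-hash
 broadcast-key change 900
radius-server host 10.10.10.5 auth-port 1812 acct-port 1813 key tmelab
"""

def audit_bridge_config(config: str, role: str = "root", max_rotation: int = 900) -> list:
    """Return findings; an empty list means the bridge meets this section's baseline."""
    text = "\n".join(line.strip() for line in config.splitlines())
    findings = []
    # Both roles: LEAP on the SSID, and infrastructure-ssid so bridges can associate to it.
    eap = re.search(r"^authentication network-eap (\S+)$", text, re.M)
    if not eap:
        findings.append("SSID does not use network-eap (LEAP)")
    if not re.search(r"^infrastructure-ssid$", text, re.M):
        findings.append("infrastructure-ssid missing")
    if role == "nonroot":  # nonroot needs client credentials; the cipher follows the root bridge
        if not re.search(r"^authentication client username \S+ password ", text, re.M):
            findings.append("no LEAP client credentials")
        return findings
    if eap:  # root: the LEAP list must resolve to a RADIUS group that lists a server
        grp = re.search(rf"^aaa authentication login {re.escape(eap[1])} group (\S+)$", text, re.M)
        if not grp:
            findings.append(f"method list {eap[1]} is not defined")
        elif not re.search(rf"^aaa group server radius {re.escape(grp[1])}\nserver ", text, re.M):
            findings.append(f"RADIUS group {grp[1]} has no server")
    # Cisco TKIP: WEP must be mandatory and carry both the MIC and per-packet key hashing.
    enc = re.search(r"^encryption mode wep (\S+)(.*)$", text, re.M)
    if not enc or enc[1] != "mandatory":
        findings.append("encryption is not mandatory")
    else:
        findings += [f"encryption lacks {o}" for o in ("mic", "key-hash") if o not in enc[2].split()]
    # Broadcast-key rotation bounds how long any one broadcast key stays in use.
    rot = re.search(r"^broadcast-key change (\d+)$", text, re.M)
    if not rot:
        findings.append("broadcast-key rotation not configured")
    elif int(rot[1]) > max_rotation:
        findings.append(f"broadcast-key interval {rot[1]} s exceeds {max_rotation} s")
    return findings
```

Run it over the nonroot side with role="nonroot"; that side is checked only for LEAP, infrastructure-ssid and client credentials, since its cipher is negotiated from the root bridge.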
The same debug commands used for EAP/802.1x authentication on the AP can be used on the root bridge to troubleshoot nonroot bridge authentication problems.