Comprehensive Notes – Cisco Live Wireless Security Session

Wireless Threat Landscape

  • Wired ports often rely on physical security; RF propagates beyond walls → attackers can be anywhere within signal range
  • Key wireless threat classes
    • Passive eavesdropping ⇒ need strong encryption
    • L2 injection/spoofing ⇒ need authentication + integrity
    • RF jamming/DoS ⇒ monitoring & mitigation tools
    • Rogue APs/evil-twins (masquerade, MITM)
    • Back-door APs plugged into open switch ports
  • Three defence pillars repeatedly referenced
    1. Secure the Air (encryption, PMF, WIDS/WIPS)
    2. Secure the Devices (robust authN/Z, certificates, posture)
    3. Secure the Network (segmentation, threat containment, fabric)

WPA Evolution

  • Wi-Fi Alliance certifies interoperability; IEEE writes the spec (802.11i basis)
  • Two operational modes
    • Personal ⇒ pre-shared key (PSK/SAE)
    • Enterprise ⇒ 802.1X + EAP (+ RADIUS)
  • WPA2 ≈ 20 yrs old; legacy ciphers lingered
  • WPA3 (2018)
    • Mandatory for Wi-Fi 6/6E/7 certification ⇒ forces client upgrade
    • Removes legacy: TKIP, WEP, WPS, WPA-TKIP, WEP open/shared, etc.
    • Adds mandatory 802.11w PMF
    • Personal → SAE (Simultaneous Auth of Equals)
    • Enhanced Open → OWE (Opportunistic Wireless Encryption)
    • Interop testing now includes “negative testing” → attempt to break implementations (post-KRACK lesson)

Authentication & Authorization Fundamentals

  • Terminology
    • Supplicant = client station (STA)
    • Authenticator = network access device (WLC/AP)
    • Authentication Server = AAA/RADIUS (ISE)
    • Credential Server = user DB (e.g. AD)
  • 802.1X/EAP flow
    1. EAP exchanges between Supplicant & Auth Server (tunnelled via Authenticator)
    2. Both derive the PMK (256 bits = 32 bytes)
    3. 4-Way Handshake derives PTK (5-tuple: PMK + ANonce + SNonce + MACs)
    4. GTK delivered for B/M-cast
  • Authorization realised through segmentation
    • Static VLAN per SSID (simple but beacon-heavy)
    • Dynamic VLAN (single SSID, VLAN chosen per user/group)
    • Advanced: Cisco TrustSec SGT, SDA fabric, Adaptive Policy (Meraki)
  • QoS marking can also be enforced via RADIUS attributes
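Added worked example (not from the session, not Cisco code): the PMK → PTK step of the 4-way handshake for WPA2-CCMP (PRF-384 with HMAC-SHA1 over the PMK, the two MACs and the two nonces), the KCK/KEK/TK split, and the EAPOL-Key MIC check the authenticator performs on message 2. The PMK, MAC addresses, nonces and the skeleton EAPOL-Key frame are all constructed here; WPA3/SAE AKMs use a SHA-256 KDF instead and are not covered.

```python
import hashlib
import hmac


def prf_sha1(key: bytes, label: bytes, data: bytes, out_bits: int) -> bytes:
    """IEEE 802.11 PRF-n for the HMAC-SHA1 AKMs (WPA2-CCMP, AKM 00-0F-AC:2):
    concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ...
    until out_bits are available, then truncate."""
    out = b""
    counter = 0
    while len(out) * 8 < out_bits:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[: out_bits // 8]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """PTK = PRF-384(PMK, "Pairwise key expansion",
                     min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)).
    The min/max ordering is why STA and AP get the same key regardless of role.
    Split: KCK (EAPOL MIC key), KEK (wraps the GTK in message 3), TK (CCMP data key)."""
    if len(pmk) != 32:
        raise ValueError("PMK must be 256 bits (32 bytes)")
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf_sha1(pmk, b"Pairwise key expansion", data, 384)
    return {"kck": ptk[0:16], "kek": ptk[16:32], "tk": ptk[32:48]}


# Offset of the 16-byte Key MIC field in an EAPOL-Key frame:
# 4 (802.1X header) + 1 type + 2 key info + 2 key len + 8 replay + 32 nonce + 16 IV + 8 RSC + 8 ID
MIC_OFFSET = 81


def eapol_key_mic(kck: bytes, frame: bytes) -> bytes:
    """Key MIC for descriptor version 2 (HMAC-SHA1-128): HMAC-SHA1 over the whole
    EAPOL-Key frame with the MIC field zeroed, truncated to 16 bytes."""
    zeroed = frame[:MIC_OFFSET] + b"\x00" * 16 + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def verify_eapol_mic(kck: bytes, frame: bytes) -> bool:
    """Authenticator-side integrity check on message 2/4 (supplicant does the same on 3/4)."""
    received = frame[MIC_OFFSET:MIC_OFFSET + 16]
    return hmac.compare_digest(received, eapol_key_mic(kck, frame))


def demo() -> dict:
    """Constructed inputs only: fixed PMK, two MACs, two nonces and a skeleton message 2."""
    pmk = bytes(range(32))                     # constructed, not a real PMK
    aa = bytes.fromhex("001122334455")         # authenticator (AP) MAC, constructed
    spa = bytes.fromhex("66778899aabb")        # supplicant MAC, constructed
    anonce = bytes([0xA1] * 32)                # constructed nonces
    snonce = bytes([0x5E] * 32)

    ptk = derive_ptk(pmk, aa, spa, anonce, snonce)
    # Same computation from the other side (roles swapped) must give the same PTK.
    symmetric = derive_ptk(pmk, spa, aa, snonce, anonce) == ptk

    # Skeleton message 2: descriptor type 2 (RSN), key info 0x010A, key len 16, replay 1, SNonce,
    # zero IV/RSC/ID, zero MIC placeholder, key data length 0.
    body = (bytes([2]) + (0x010A).to_bytes(2, "big") + (16).to_bytes(2, "big")
            + (1).to_bytes(8, "big") + snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8
            + b"\x00" * 16 + (0).to_bytes(2, "big"))
    frame = bytes([2, 3]) + len(body).to_bytes(2, "big") + body    # 802.1X v2, type 3 = EAPOL-Key
    frame = frame[:MIC_OFFSET] + eapol_key_mic(ptk["kck"], frame) + frame[MIC_OFFSET + 16:]

    tampered = bytearray(frame)
    tampered[9] ^= 0x01     # flip a bit in the replay counter: the MIC must now fail
    return {
        "ptk": ptk,
        "symmetric": symmetric,
        "mic_ok": verify_eapol_mic(ptk["kck"], frame),
        "tampered_ok": verify_eapol_mic(ptk["kck"], bytes(tampered)),
    }


if __name__ == "__main__":
    r = demo()
    print("symmetric:", r["symmetric"], "mic_ok:", r["mic_ok"], "tampered_ok:", r["tampered_ok"])
```

The symmetry check is the point of the min/max ordering in the standard, and the tampered-frame check is what makes the handshake an integrity mechanism rather than just a key agreement: without a valid KCK an injected message 2 is rejected, which is also why a PSK leak (KCK derivable by anyone who knows the PMK) is so damaging.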

Cisco Identity Services Engine (ISE) Architecture

  • Personas
    • PAN (Policy Admin Node) – GUI, config, reporting
    • MnT (Monitor & Troubleshoot) – logging/alerts
    • PSN (Policy Services Node) – actual RADIUS
    • pxGrid Controller – context sharing across the ecosystem
  • Deployment
    • Stand-alone only for labs; prod = distributed, PSN scaled & often load-balanced
    • Keep latency PSN⇌AD low; slow AD = auth time-outs ⇒ mass Wi-Fi outage
  • NADs (WLC/AP/SW) send RADIUS to PSN/LB VIP
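Added example (not from the session or from Cisco) of what travels between a PSN and a NAD for the dynamic-VLAN authorization described above: a RADIUS Access-Accept carrying Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802 and Tunnel-Private-Group-ID (RFC 2868), built with the RFC 2865 Response Authenticator, then verified and parsed the way the WLC must do it before honouring the VLAN. The shared secret, identifier and request authenticator are constructed values.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6        # RFC 2868 values


def avp(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute: Type(1) Length(1, header included) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def tagged_int(attr_type: int, value: int, tag: int = 0) -> bytes:
    """RFC 2868 tagged integer: one tag octet followed by a 3-octet big-endian value."""
    return avp(attr_type, bytes([tag]) + value.to_bytes(3, "big"))


def build_access_accept(ident: int, request_auth: bytes, secret: bytes, vlan_id: int) -> bytes:
    """Access-Accept with the three attributes a WLC needs for dynamic VLAN assignment.
    Response Authenticator = MD5(Code || ID || Length || RequestAuth || Attributes || Secret)."""
    attrs = (tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
             + tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE802)
             + avp(TUNNEL_PRIVATE_GROUP_ID, b"\x00" + str(vlan_id).encode()))
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """NAD side: check the length field and recompute the authenticator before trusting any attribute."""
    if len(packet) < 20:
        return False
    if struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attrs(packet: bytes) -> dict:
    """Walk the attribute list; reject malformed lengths instead of reading past the buffer."""
    attrs, pos = {}, 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("bad attribute length")
        attrs.setdefault(attr_type, []).append(packet[pos + 2:pos + length])
        pos += length
    return attrs


def extract_vlan(packet: bytes):
    """Return the VLAN ID only if all three tunnel attributes describe an 802 VLAN assignment."""
    attrs = parse_attrs(packet)
    try:
        t_type = int.from_bytes(attrs[TUNNEL_TYPE][0][1:], "big")
        t_medium = int.from_bytes(attrs[TUNNEL_MEDIUM_TYPE][0][1:], "big")
        group = attrs[TUNNEL_PRIVATE_GROUP_ID][0]
    except KeyError:
        return None
    if t_type != TUNNEL_TYPE_VLAN or t_medium != TUNNEL_MEDIUM_IEEE802:
        return None
    if group and group[0] <= 0x1F:      # leading octet is a tag, not part of the string (RFC 2868)
        group = group[1:]
    return int(group.decode("ascii"))


def demo() -> dict:
    secret = b"constructed-shared-secret"      # constructed, not a real secret
    request_auth = bytes(range(16))             # random in a real Access-Request; fixed here
    packet = build_access_accept(7, request_auth, secret, 120)
    # An on-path edit of the VLAN string (120 -> 121) parses fine but no longer authenticates.
    forged = packet.replace(b"120", b"121")
    return {
        "valid": verify_response(packet, request_auth, secret),
        "vlan": extract_vlan(packet),
        "forged_valid": verify_response(forged, request_auth, secret),
        "forged_vlan": extract_vlan(forged),
    }
```

Two design points: the forged packet still yields a VLAN from the parser, so the authenticator check has to come first; and the MD5 Response Authenticator only binds the reply to the request and the shared secret, so the NAD/PSN path should also carry the Message-Authenticator attribute (RFC 2869) and, per the session's advice, the PSN should sit close to the controllers.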

Migration to Cloud Identity (Microsoft Entra ID)

  • On-prem AD → Cloud ID challenges: different protocols & WAN latency
  • Two migration patterns
    1. Keep username/password UX:
      • Change PEAP-MSCHAPv2 → EAP-TTLS/PAP
      • ISE uses ROPC to Entra ID
      • PAP sends the password in the clear inside the TLS tunnel – Microsoft & Cisco caution: acceptable but not ideal
    2. Go certificate-based (EAP-TLS)
      • ISE validates the cert locally; consults Entra for CRL, group, Intune compliance etc.
      • Requires automated cert provisioning (outside scope)
      • Use TLS 1.3 (ISE 3.4 / 3.3p2+)
  • Windows quirk: EAP-TLS frames padded to MTU ⇒ RADIUS packet fragmentation → ensure jumbo frames / adjust FW ACLs / co-locate PSN
  • Meraki Dashboard adding native Entra ID integration (Early-Access)

Secure Fast Roaming

  • L2 roam issues: channel scan & full 4-way handshake
  • Solutions
    • 802.11k – neighbour list
    • 802.11v – BSS transition advice/steering
    • 802.11r – Fast-BSS Transition (FT) → re-use PMK, derive new PTK quickly
  • L3 roam: maintain IP when moving across subnets
    • Centralised tunnelling (CAPWAP)
    • SDA fabric (LISP) or EVPN overlays – policy at edge

KRACK & 802.11w PMF

  • KRACK (Key Reinstallation Attack, 2017) exploited 10 vulns (9 client, 1 infra) mainly around FT handshake
  • Demonstrated need for integrity of mgmt frames
  • 802.11w PMF supplies authenticity / integrity / confidentiality post-auth
  • WPA3 makes PMF mandatory ⇒ network immune to most deauth/MITM attempts

Guest Access Scenarios

  • Traditional Central Web Auth w/ URL redirect
    • Open SSID; first HTTP gets 302 to portal (ISE/Spaces/3rd-party)
    • After portal success, ISE issues CoA; WLC re-auths via MAC Auth Bypass (MAB)
  • Problem: Random MAC addresses (iOS 14+, Android, Win11)
    • iOS 18 behaviour: Secure SSID ⇒ persistent random MAC; open SSID ⇒ rotates every 14 days
    • Adjust policy expectations (portal reprompt etc.)
  • OWE / Enhanced Open
    • Unauthenticated Diffie-Hellman → PMK; provides encryption + PMF, but no server authentication ⇒ MITM risk
    • Real-world rogue hotspots (e.g. Aus. Federal Police 2023 case)
  • OpenRoaming (WBA)
    • Decouples access from identity (federated certificates)
    • Device auto-joins with enterprise-grade EAP-TLS security (used at Cisco Live via app profile)
    • Use cases: venues, retail, universities (Freshman week ‘IT storm’)
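Added example (not from the session) for the random-MAC problem in the guest flow above: a classifier that tells a locally administered (randomised) MAC from a burned-in one by the U/L bit, and a MAB re-admission decision that caps the endpoint lifetime at the rotation period for random MACs on an open SSID. The endpoint table, TTL and the 14-day rotation value are constructed from the notes; real clients vary by OS and version.

```python
from datetime import datetime, timedelta


def classify_mac(mac: str) -> str:
    """'random' = locally administered unicast (bit 1 of the first octet set: second hex digit 2/6/A/E),
    'universal' = burned-in OUI address, 'multicast' or 'invalid' otherwise."""
    parts = mac.replace("-", ":").lower().split(":")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        return "invalid"
    try:
        first = int(parts[0], 16)
    except ValueError:
        return "invalid"
    if first & 0x01:
        return "multicast"
    return "random" if first & 0x02 else "universal"


def mab_decision(mac: str, last_portal_success: datetime, now: datetime, open_ssid: bool,
                 endpoint_ttl: timedelta, rotation_period: timedelta) -> str:
    """Can a returning guest be re-admitted by MAB, or must the portal be shown again?
    A random MAC on an open SSID identifies the device for at most one rotation period,
    so the effective TTL is the smaller of the configured TTL and that period."""
    kind = classify_mac(mac)
    if kind in ("invalid", "multicast"):
        return "reject"
    ttl = endpoint_ttl
    if kind == "random" and open_ssid:
        ttl = min(endpoint_ttl, rotation_period)
    return "allow-mab" if now - last_portal_success <= ttl else "redirect-portal"


def demo():
    """Constructed endpoint table: (mac, last portal success, on open SSID?)."""
    now = datetime(2025, 6, 1, 12, 0)
    rotation = timedelta(days=14)      # open-SSID rotation interval quoted in the notes
    ttl = timedelta(days=30)           # constructed guest endpoint TTL
    endpoints = [
        ("3c:22:fb:12:34:56", now - timedelta(days=20), False),   # burned-in MAC, secure SSID
        ("da:6b:10:aa:bb:cc", now - timedelta(days=20), True),    # random MAC, open SSID, past rotation
        ("da:6b:10:aa:bb:cc", now - timedelta(days=5), True),     # random MAC, open SSID, still valid
        ("01:00:5e:00:00:fb", now, True),                         # multicast, never a client
    ]
    return [(mac, classify_mac(mac), mab_decision(mac, seen, now, open_ssid, ttl, rotation))
            for mac, seen, open_ssid in endpoints]


if __name__ == "__main__":
    for row in demo():
        print(row)
```

The practical consequence for the portal policy is that a guest endpoint purge timer longer than the rotation period buys nothing on open SSIDs: the device shows up as a new MAC anyway, so the portal logic should expect the re-prompt rather than treat it as a failure.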

Consumer/IoT Devices on Enterprise WLAN – WPA Personal & SAE

  • PSK weakness: PTK relies solely on shared secret ⇒ offline dictionary attack feasible (see Hive Systems table)
  • WPA3-Personal uses SAE (Dragonfly) ⇒ security not tied to password strength; adds forward secrecy, resists offline cracks
  • Transition mode (PSK+SAE) permits old devices but susceptible to downgrade (client responsible for ‘transition disable’)
  • Identity-PSK / Identity-SAE (iPSK)
    • Multiple keys on one SSID; key ↔ device identity in RADIUS
    • ISE assigns key per group/profile and can enable private-group peer isolation
    • Meraki flavour: iPSK without RADIUS (‘Wi-Fi Private Network’) – key chosen by admin maps to policy; currently WPA2 only

6 GHz (Wi-Fi 6E) & Wi-Fi 7 Security Implications

  • 6 GHz has no legacy (only Wi-Fi6/7) ⇒ must use WPA3 + PMF
  • Admins often extend same SSID over 2.4/5/6 GHz → controller/Dashboard auto-enforce:
    • WPA2 permitted on 2.4/5; silently stripped on 6 GHz
    • 11w optional on WPA2 radios, mandatory on WPA3 radios
  • Wi-Fi 7 introduces new mandatory ciphers (HCCA/GCMP-256) to enable 4K QAM, Multi-Link Operation etc.
    • If not enabled, client falls back to Wi-Fi6 behaviour

Day-1/Day-2 Monitoring & Threat Detection

  • Use Cisco Catalyst Center (on-prem) or Meraki Dashboard (cloud) as central threat console
    • Rogue detection & classification (High / Potential / Friendly)
    • WIDS/WIPS attack-vector library (vs signature count); zero-day coverage
    • Auto packet capture (Intelligent Capture) for forensics
    • Compliance reports
  • Practical advice
    • In CCI, investigate every High Threat; periodically review “Potential” list & mark neighbour APs benign ⇒ noise reduction (Prime users’ lesson)

Rogue AP Detection & Mitigation Techniques

  • Definitions
    • Rogue AP = any AP not in your inventory (most are harmless ‘neighbours’)
    • Malicious rogue: evil-twin, soft-AP, AP-on-wire etc.
  • Containment methods
    1. RF deauth/disassoc spoof (legacy); ineffective vs clients using PMF
    2. PMF-denial window (12.0.1 code) – race to send disassoc before client authenticates
    3. Location-based: use Cisco Spaces/CMX to pinpoint rogue for physical removal – preferable in WPA3 era
  • Rogue-on-wire detection tricky (802.11 MAC ≠ Ethernet MAC): heuristics, sequential OUIs, client gateway MAC, but best defence is 802.1X on switch ports
  • Meraki Air Marshal enhancements (MR31): scans all channels, incl. out-of-reg-domain, for hidden rogues (contain limited by reg rules)
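Added example (not from the session, not Catalyst Center or Meraki logic) of the two rogue-on-wire heuristics listed above, run over a constructed CAM table and constructed over-the-air rogue observations: a rogue BSSID that shares an OUI with, and is numerically adjacent to, a MAC learned on an access port; and rogue clients whose gateway MAC is one of ours. Both are triage signals that point at a switch port to check, not proof.

```python
def mac_to_int(mac: str) -> int:
    return int(mac.replace(":", "").replace("-", ""), 16)


def oui(mac: str) -> str:
    return mac.replace("-", ":").lower()[:8]


def find_rogue_on_wire(rogues, cam_table, our_gateway_macs, max_delta=16):
    """Correlate over-the-air rogue observations with the wired MAC address table.
    Heuristic 1: BSSID within max_delta of a MAC learned on an access port, same OUI
                 (APs commonly derive BSSIDs as small offsets from their Ethernet MAC).
    Heuristic 2: a client of the rogue uses one of our gateway MACs, so the rogue
                 bridges into our LAN. Trunk/uplink entries are ignored."""
    findings = []
    gateway_macs = {m.lower() for m in our_gateway_macs}
    for rogue in rogues:
        bssid = rogue["bssid"].lower()
        bssid_int = mac_to_int(bssid)
        for entry in cam_table:
            if entry["port_type"] != "access":
                continue
            if oui(entry["mac"]) == oui(bssid) and abs(mac_to_int(entry["mac"]) - bssid_int) <= max_delta:
                findings.append({"bssid": bssid, "reason": "wired MAC adjacent to BSSID",
                                 "wired_mac": entry["mac"], "switch": entry["switch"], "port": entry["port"]})
        gw = rogue.get("client_gateway_mac", "").lower()
        if gw in gateway_macs:
            findings.append({"bssid": bssid, "reason": "rogue clients use our gateway MAC",
                             "wired_mac": gw, "switch": None, "port": None})
    return findings


def demo():
    """All addresses below are constructed sample data."""
    cam_table = [
        {"mac": "00:1a:2b:3c:4d:50", "switch": "sw-3f-01", "port": "Gi1/0/17", "port_type": "access"},
        {"mac": "a0:b1:c2:00:01:00", "switch": "sw-3f-01", "port": "Gi1/0/18", "port_type": "access"},
        {"mac": "f4:5c:89:00:00:0f", "switch": "sw-3f-01", "port": "Te1/1/1",  "port_type": "trunk"},
    ]
    rogues = [
        {"bssid": "00:1a:2b:3c:4d:5e"},                                             # 14 above a wired MAC
        {"bssid": "f4:5c:89:00:00:10", "client_gateway_mac": "00:00:5e:00:01:0a"},  # bridged to our LAN
        {"bssid": "a0:b1:c2:00:00:01"},                                             # neighbour: same OUI, delta 255
    ]
    our_gateway_macs = ["00:00:5e:00:01:0a"]
    return find_rogue_on_wire(rogues, cam_table, our_gateway_macs)


if __name__ == "__main__":
    for f in demo():
        print(f)
```

The second rogue sits next to a trunk-learned MAC and is deliberately not flagged by heuristic 1; it is caught by the gateway-MAC check instead. Either way the output is a port or a gateway to investigate physically, which fits the session's advice that in a PMF world location and removal beat RF containment, and that 802.1X on the switch ports is what removes the class of problem.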

Network as Sensor & Enforcer

  • Secure Network Analytics (Stealthwatch) or a 3rd-party SIEM inspects full Flexible NetFlow ⇒ visibility at line rate
    • Network as Sensor – detect C2 callbacks, lateral scans, data exfiltration
  • Rapid Threat Containment (RTC) via pxGrid
    1. Sensor raises alert (malware, low Talos IP-reputation, etc.)
    2. ISE issues Change-of-Authorization (CoA) to WLC/AP
    3. Client moved to quarantine VLAN or SGT (deny-all)
  • Demo recap
    • STA trust score 9 (Engineering SGT) → contacts bad IP → score 3
    • Talos reputation triggers CoA → SDA fabric enforces quarantine SGT (deny-all)
    • Ops can view the end-to-end event trail in DNA Center’s User 360 & ISE logs

Key Takeaways & Best Practices

  • Enable 802.1X on wired & wireless; treat all media as untrusted
  • Migrate to WPA3 everywhere; PMF gives huge security uplift
  • Use certificate-based EAP-TLS, especially when moving to cloud identity
  • Minimise SSIDs; use Dynamic VLAN/SDA/TrustSec/iPSK to scale segmentation
  • Plan for random MAC: adjust guest portal logic, employ OpenRoaming
  • For IoT/legacy devices adopt Identity-PSK/SAE with per-device keys & isolation
  • In WPA3 world, rely more on location + physical removal than on RF containment
  • Integrate Catalyst Center or Meraki Dashboard with ISE & Stealthwatch for closed-loop detection–response
  • Keep PSN
  • When extending SSID to 6 GHz & Wi-Fi 7, validate cipher settings; controllers auto-strip WPA2 on 6 GHz but admins must enable new 7-series ciphers

Practical “To-Do” Checklist

  • [ ] Audit all WLANs: remove TKIP/WEP; turn on PMF mandatory where possible
  • [ ] Schedule WPA3 transition tests; document devices lacking support
  • [ ] Stand-up cert enrollment automation (SCEP, AnyConnect NVM, MDM)
  • [ ] Configure Dynamic VLAN / SDA SGTs to cut SSID count ≤ 4
  • [ ] Deploy ISE PSN nodes close to controllers/WLCs; add LB VIP
  • [ ] Enable 11k/v/r fast roam on clients & WLAN; verify voice/video hand-off (<50 ms)
  • [ ] Implement Rogue triage workflow in Catalyst Center; monthly “Potential Rogue” review
  • [ ] Integrate sensor feeds (Stealthwatch, Talos) with ISE RTC policies
  • [ ] Pilot OpenRoaming for guest/visitor SSIDs; include app profile or QR onboarding
  • [ ] Document 6 GHz design: DFS, power, WPA3-only SSID mapping, Wi-Fi 7 cipher plan