Best Practice to configure WLAN Security Layer-2 vs Layer-3

Wi-Fi is not inherently more secure than a wired LAN, so whenever we create an SSID under the WLAN tab, we need to apply WLAN security parameters to it right after creating it, to ensure that our wireless access is protected and only authenticated and authorised users can connect to and use the Wi-Fi network.

In this blog, we will discuss the following WLAN security parameters:

  • Layer-2,
  • Layer-3
  • AAA Server.
WLAN Security

Configuring WLAN Security : Layer-2

WLANs with a corporate or enterprise SSID must have Layer-2 and Layer-3 security along with AAA authentication. I don't think a wireless network is a trusted network, especially for a secure network, server or application. If we keep it open or unsecured, then anyone within range of the Wi-Fi signal can connect.

WLAN Layer-2 security has multiple options, including Open, WEP, WPA, WPA2 and WPA3, each with several authentication key management choices.

Configuring WLAN Layer2 Security

We should configure all required security parameters based on our design and requirements. For more details, you can also visit Cisco.com.

How WPA Works

Put simply, WPA encrypts the traffic: whenever a user sends or receives data over Wi-Fi, the packets are encrypted with a key so that the data stays protected.

Types of Wireless Security Encryption Protocols:

Wireless security encryption is divided into four main types:

  • Wired Equivalent Privacy Protocol (WEP)
  • Wi-Fi Protected Access Protocol (WPA)
  • Wi-Fi Protected Access 2 Protocol (WPA2)
  • Wi-Fi Protected Access 3 Protocol (WPA3)

WPA offers two authentication modes:

  • Enterprise mode: Enterprise mode WPA requires an authentication server. RADIUS is used for authentication and key distribution, and TKIP is used with the option of AES available as well.
  • Personal mode: Personal mode WPA uses Pre-Shared keys, making it the weaker option, but the one that is most likely to be seen in a home environment.

Configuring WLAN Security : Layer-3

Layer-3 security under the WLAN tab is used for guest access. If we select Layer-3 security for guest access, then Layer-2 security is not applied to those users, because this traffic is only for guest users to reach the internet; however, we can still configure 802.1X along with Web-Auth if required.

Also read : https://techblog.kbrosistechnologies.com/configuring-wlan-ssid-cisco-wlc/

Configuring Web Authentication

Configuring Web Authentication (GUI)

Step 1:  Choose WLANs to open the WLANs page.

Step 2: Click the ID number of the WLAN for which you want to configure web authentication, like Guest SSID. The WLANs > Edit page appears.

Configuring Web Authentication

Step 3: Choose the Security tab

Step 4: Click the Layer 3 sub-tab.

Step 5: Select the Web Policy check box.

Step 6: Make sure that the Authentication option is selected.

Step 7: Click Apply.

Web-Auth

This Layer-3 WLAN security has multiple options that we can implement based on our requirements.

  1. Web Policy + Authentication, which is also called Web-Auth.
  2. Web Policy + Passthrough
  3. Web Policy + Conditional Web Redirect
  4. Web Policy + Splash Page Web Redirect
  5. Web Policy + On Mac filter failure

Web Policy + Authentication (Web-Auth)

This option is mostly used for Guest access. If you select this combination then the Guest user will get a username and password prompt while connecting to the wireless network, which needs to be created locally in the WLC.

Web Policy + Passthrough

This flavour also has an additional option called Email Input.

With the passthrough option, the user does not get a username and password prompt when connecting to the guest Wi-Fi. Only a page with a warning or alert statement is displayed, which the user accepts by clicking OK; with Email Input enabled, the user then enters their email address, which becomes their username for authentication.

Web Policy + Conditional Web Redirect

With this option, you can conditionally redirect the user to a particular site, URL, or web page, but it requires 802.1x Authentication completed successfully.

Web Policy + Splash Page Web Redirect

With this combination, the user is redirected to a particular web page after 802.1x authentication has been completed successfully. After the redirect, the user has full access to the network.

Web Policy + On Mac filter failure

This combination is the most secure method to allow web access. For this feature, you need to add the client's MAC address locally in the WLC and enable MAC filtering in the Layer-2 security tab.

If the MAC address is validated successfully, the user goes directly to the Run state and can access the network; only clients that fail the MAC filter are sent to the web authentication page.

On Mac filter failure

AAA server Tab

In this tab, we can choose our RADIUS server for authentication. First, we need to add (integrate) the AAA RADIUS server with the WLC. Please see the screenshot below.

To add an AAA server in the WLC:

Step 1: Go to Security TAB

Step 2: Click on the AAA parameter

Step 3: Click on New, which is placed at the top right of the WLC page.

Step 4:  Add AAA server details and save.

Configure AAA in WLC

After adding the AAA server in the WLC, we need to apply the AAA server to the respective WLAN.

  1. Go to the WLAN tab and select the WLAN ID.
  2. Click on the Security tab.
  3. Click on the AAA Servers tab.
  4. Select the Authentication and Accounting servers (the same server you added to the WLC using the path above).
Configuring AAA Server
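As an added example (not part of the original post and not Cisco's own tooling), the following Python checker encodes the rules from the Layer-2, Layer-3 and AAA sections above as an audit of a WLAN profile: corporate SSIDs need strong Layer-2 security with 802.1X and a RADIUS server, guest SSIDs need a Layer-3 web policy, the redirect flavours depend on 802.1X, and On MAC filter failure depends on MAC filtering. The profile keys (ssid_type, layer2, akm, layer3, aaa_servers, mac_filtering) are assumed names for this example, not WLC field names.

```python
# Added example: audit a WLAN security profile against the best practices
# described in the post. Profile keys are assumed names, not WLC fields.

WEAK_LAYER2 = {"open", "wep", "wpa"}   # no encryption, broken RC4, or deprecated TKIP
STRONG_LAYER2 = {"wpa2", "wpa3"}
# Layer-3 flavours that only take effect after a successful 802.1X authentication
NEEDS_DOT1X = {"conditional-web-redirect", "splash-page-web-redirect"}


def audit_wlan(profile):
    """Return a list of findings; an empty list means the profile passes."""
    findings = []
    kind = profile.get("ssid_type", "corporate")
    l2 = profile.get("layer2", "open").lower()
    l3 = profile.get("layer3")           # None or a Web Policy flavour
    akm = profile.get("akm", "psk")      # "psk" (Personal) or "802.1x" (Enterprise)
    aaa = profile.get("aaa_servers", [])

    if kind == "corporate":
        # Corporate SSIDs: Layer-2 security + AAA authentication
        if l2 not in STRONG_LAYER2:
            findings.append(f"corporate SSID uses weak Layer-2 security '{l2}'")
        if akm != "802.1x":
            findings.append("corporate SSID should use 802.1X (Enterprise mode), not PSK")
        if not aaa:
            findings.append("corporate SSID has no AAA/RADIUS server applied")
    elif kind == "guest" and l3 is None:
        # Guest SSIDs: Layer-3 web policy controls access
        findings.append("guest SSID has no Layer-3 web policy")

    # Cross-layer dependencies between the Layer-3 flavours and Layer-2 settings
    if l3 in NEEDS_DOT1X and akm != "802.1x":
        findings.append(f"'{l3}' only works after successful 802.1X authentication")
    if l3 == "on-macfilter-failure" and not profile.get("mac_filtering", False):
        findings.append("On MAC filter failure requires MAC filtering in the Layer-2 tab")
    if akm == "802.1x" and not aaa:
        findings.append("802.1X selected but no RADIUS authentication server applied")
    return findings


if __name__ == "__main__":
    # Constructed sample profiles for demonstration
    corp = {"ssid_type": "corporate", "layer2": "wpa2", "akm": "802.1x",
            "aaa_servers": ["10.0.0.5"]}
    guest = {"ssid_type": "guest", "layer2": "open", "layer3": "conditional-web-redirect"}
    for name, p in (("corp", corp), ("guest", guest)):
        print(name, audit_wlan(p) or "OK")
```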

Conclusion

Whenever we create an SSID for a WLAN, always ensure that the appropriate WLAN security parameters are selected and applied as per business requirements. For guest access, it is very important to use proper web policies to keep wireless access secure.

FAQ

Q. What is SSID

A. An SSID is a network name, a combination of a MAC address and a network name, which allows users to connect to a wireless network.

Q. What is Layer-2 WLAN security in Wireless

A. This parameter offers security options (WPA2/WPA3, 802.1X, etc.) that make network access more protected and allow only authorised and authenticated users to access the wireless network.

Q. What is Layer-3 security in Wireless

A. Layer-3 WLAN Security is required to Authenticate guest users to access Web or Wireless networks.

Q. What is Web-Auth in the wireless Layer-3 Security tab

A. It is the combination of the Web Policy with the Authentication method, which is called Web-Auth.

Q. Why is WLAN Security Important

A. Whenever we create an SSID under the WLAN tab and enable broadcast, everyone within range can reach the network over Wi-Fi. It is therefore very important to apply security parameters to secure your wireless network.

Visit our site: https://www.kbrosistechnologies.com/

Watch more videos: http://www.youtube.com/@kbrosistechnologies