Forum

  • I have a couple of questions, to do with Cisco gear.

    I have a controller set up in a pretty simple way. Just a simple WLAN using EAP-PEAP.

First, the beacons. Within the beacons there is this:

    [code]Cisco Proprietary
    Element ID: 133 Cisco Proprietary [100]
    Length: 30 [101]
    OUI: 0x00-0x00-0x8F [102-104]
    Value: 0x000F00FF035900 [105-111]
    AP Name: AP001d.a1ee.31b. [112-127]
    Number of clients: 1 [128]
    Value: 0x000027 [129-131][/code]

    This sends out the 'AP Name', which is set within the controller. In my example here, it's just the default name which is AP{MAC address}. The thing is, in a deployment, the AP names are going to be the location of them. This is info that I don't want broadcast in beacons.
    Is there a way to turn off this Cisco element?

    Secondly, when the station is associated, it receives the EAP request. In this request, I see the following:

    [code]802.1x Authentication
    Protocol Version: 2 [30]
    Packet Type: 0 EAP - Packet [31]
    Body Length: 41 [32-33]
    Extensible Authentication Protocol
    Code: 1 Request [34]
    Identifier: 1 [35]
    Length: 41 [36-37]
    Type: 1 Identity [38]
    Type-Data: .networkid=d,nasid=quicktest,portid=1 [39-74][/code]

The direction of this frame is to the station, asking it who it is. I don't see the need for the 'nasid=quicktest' part, because in my mind, this is only relevant to the RADIUS server where the controller is set up as a client with shared secret.
    Again, this is configuration data that I don't want broadcast to the world in the clear. Is there a way to stop this?

  • I figured the first one out.
    On the controller, go:
    [code]WLANS > {WLAN name} > Advanced > Un-tick Aironet IE[/code]

    The second bit about NAS ID might take a bit more thinking.
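As an added example (not code from the thread or from Cisco), a small Python check that walks a beacon's tagged parameters using the field layout shown in the dissector output of the first post (OUI 3 bytes, value 7, AP name 16, client count 1, value 3 = length 30) and reports any AP name carried in the Cisco element, so you can confirm the Aironet IE is really gone after un-ticking it. The beacon bytes are constructed from the values quoted in the post; the SSID is made up.

```python
# Added example: detect AP-name disclosure in the Cisco Aironet IE (element
# ID 133) of an 802.11 beacon. Layout follows the dissector output in the
# post; this is not an official parser and assumes the 30-byte form only.

CISCO_AIRONET_IE = 133


def parse_ies(data: bytes):
    """Split a tagged-parameter blob into (element_id, value) pairs."""
    ies = []
    off = 0
    while off + 2 <= len(data):
        eid, length = data[off], data[off + 1]
        value = data[off + 2:off + 2 + length]
        if len(value) != length:        # truncated element: stop, don't guess
            break
        ies.append((eid, value))
        off += 2 + length
    return ies


def aironet_ap_names(ies):
    """Return AP names found in 30-byte Aironet IEs (layout as in the post)."""
    names = []
    for eid, value in ies:
        if eid != CISCO_AIRONET_IE or len(value) != 30:
            continue
        ap_name = value[10:26]           # 16 bytes after OUI (3) + value (7)
        names.append(ap_name.rstrip(b"\x00").decode("ascii", "replace"))
    return names


def leaked_names(beacon_ies: bytes):
    """Convenience wrapper: AP names disclosed by a beacon's IE blob."""
    return aironet_ap_names(parse_ies(beacon_ies))


# Constructed sample: a made-up SSID IE followed by the Aironet IE from the
# post (AP name AP001d.a1ee.31b., one associated client).
SSID_IE = bytes([0, 9]) + b"wlan-test"
AIRONET_IE = (
    bytes([CISCO_AIRONET_IE, 30])
    + bytes.fromhex("00008f")            # OUI
    + bytes.fromhex("000f00ff035900")    # value
    + b"AP001d.a1ee.31b."                # AP name, 16 bytes
    + bytes([1])                         # number of clients
    + bytes.fromhex("000027")            # trailing value
)

if __name__ == "__main__":
    print("before:", leaked_names(SSID_IE + AIRONET_IE))   # ['AP001d.a1ee.31b.']
    print("after: ", leaked_names(SSID_IE))                # []
```

Feed it the tagged-parameter bytes of a captured beacon from your own AP before and after the change; an empty list means the name is no longer advertised.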

  • I think this is the answer for the second question.

    From RFC 2869:

    [code]2.3.1. Protocol Overview

    The EAP conversation between the authenticating peer (dial-in user)
    and the NAS begins with the negotiation of EAP within LCP. Once EAP
    has been negotiated, the NAS MUST send an EAP-Request/Identity
    message to the authenticating peer, unless identity is determined via
    some other means such as Called-Station-Id or Calling-Station-Id.
    The peer will then respond with an EAP-Response/Identity which the
    NAS will then forward to the RADIUS server in the EAP-Message
    attribute of a RADIUS Access-Request packet. The RADIUS Server will
    typically use the EAP-Response/Identity to determine which EAP type
    is to be applied to the user.[/code]

    From RFC 3579:

    [code] In RADIUS/EAP, RADIUS is used to shuttle RADIUS-encapsulated EAP
    Packets between the NAS and an authentication server.

    The authenticating peer and the NAS begin the EAP conversation by
    negotiating use of EAP. Once EAP has been negotiated, the NAS SHOULD
    send an initial EAP-Request message to the authenticating peer. This
    will typically be an EAP-Request/Identity, although it could be an
    EAP-Request for an authentication method (Types 4 and greater). A
    NAS MAY be configured to initiate with a default authentication
    method. This is useful in cases where the identity is determined by
    another means (such as Called-Station-Id, Calling-Station-Id and/or
    Originating-Line-Info); where a single authentication method is
    required, which includes its own identity exchange; where identity
    hiding is desired, so that the identity is not requested until after
    a protected channel has been set up.[/code]

  • [quote]AP Name: AP001d.a1ee.31b. [112-127][/quote]
    Do you know if this line is also in the beacons of older autonomous Cisco APs and older code? If so it could be a good way to find "LOST" APs in an old deployment that does not have any documentation lol.
