Wireless networking is popular among users because of its advantages: mobility, relative easy configuration and a lot of cheaper devices. If we consider security, a properly configured wireless network can be as safe as the wired one. A CCNA candidate must know the fundamentals of wireless technologies and how to configure the devices used in these environments. In this article, we try to approach this important topic by the help of Packet Tracer. Not so much theory, just hands-on labs!
The building blocks of a wireless LAN (or WLAN) are a bit different than a wired network. The hosts are called stations (STA), with an interface capable of receiving and transmitting radio signals by an antenna. We can build a peer-to-peer network from just these devices (this is called ad-hoc mode), but it’s more common to build a Basic Service Set (BSS), which is a network consists of some STAs and a special device called Access Point (AP). In this case, we are talking about infrastructure mode. If we want to cover more area than a single BSS can, we need to build an Extended Service Set (ESS): this is a network with more than one BSS connected by the distribution system (in many cases this is a wired segment, but we can use the so called Wireless Distribution System – WDS – technology to achieve the same purpose). In our first lab, we’ll build a simple ESS. We’ll model a little company which has two buildings, connected by a wired network and WLANs inside the buildings. We want to achieve roaming, so that we can move between the buildings with an operational network device. The topology looks like the following:
In this topology, there’s a laptop as STA, two APs and wired distribution system. The APs corresponds the 802.11n Wi-Fi standard. In the initial network, the STA connects to AccessPoint1, because it’s inside its covering area. Let’s switch to Physical tab! You can see that there are the two buildings and the laptop. Move it to the other building, switch back to Logical tab and see that laptop connects to the other AP – so PT correctly shows the effect of covering areas.
The first thing to do is to configure the name of the WLAN, the Service Set Identifier (SSID). Click on the Config tab of each AP and write in the SSID of “testing” instead of the “Default”. The radio signal will be lost to the STA, because we need to configure the SSID to the same, so go to the Laptop then search for the PC Wireless application on the Desktop tab, click on the Connect tab and wait for the SSID to appear. (Notice the signal strength: if you move along the Laptop, it should reflect the distance from the AP.) If you click on the Connect button, the connection will be active again. Moreover, the laptop should receive its IP address from the server.
In an ESS, we need to pay attention to interference: if our APs are all transmitting on the same frequency (in other words, on the same channel), then interference can occur. To avoid this, we have to configure the APs into different channels. The rule is that on neighboring APs, we need to use channels that are at least 5 channels far from each other. So if we want to use channel 6 on AccessPoint0 (the default setting), then we need to set channel 1 or channel 11 on AccessPoint1.
Now experiment with roaming for a bit: switch to Physical tab and let’s start to continuously ping the server from the laptop (ping –t 192.168.1.1), after a short time move back the STA to the original place, and see what happens. Ideally, the ping breaks for a while, but soon after it should continue. (Unfortunately, PT sometimes doesn’t do this, but the following may help: save the file, close PT and start it again.)
In a WLAN, we have to consider security issues: someone can easily intercept our traffic and can manipulate it, can connect to the network without permission and so on. So we must apply some protocols to authenticate users and encrypt the data. The first such protocol was WEP (Wired Equivalent Privacy), which is obsolete, because it can be easily broken, but it’s better than nothing. Configuration is really simple: we need to configure a pre-shared key, a kind of password on each device. The length of the key can be 40 or 104 bits long, which can be described by 10 or 26 hexadecimal digits. The actual length of the key is 64 or 128 bits long, because WEP uses a so called Initialization Vector or IV – this is a 24 bit value to complete the key. For our lab, we’ll use the shorter key, and to be honest, in real life, the longer key doesn’t give us much more security either.
The configuration steps are the following: go to the Config tab on each AP, search for Port1 and choose WEP from the Authentication area. An entry field named Key comes alive, where we need to write in the key, let’s use a simple-to-remember value: 123456789A. Below this the Encryption type drop-down shows the two options for key length. On the client, follow the same steps as before, but now when you’ll discover the network name, you can see that security is WEP:
Click on Connect, and there you can enter the key to the WEP Key 1 field, then click on Connect. The radio connection comes alive again.
If you move along many wireless networks with different settings, it can be easier to define profiles for each of them. The wireless client have this feature: start the PC Wireless application, go to Profiles tab, and choose New. Fill in the name of the profile (for example, myWEP), and on the next window choose Advanced Setup. A wizard starts: in the first window we can configure the mode (PT doesn’t support ad-hoc) and the SSID, in the second we can specify the IP addressing method, and in the third we need to setup the security. Choose WEP and then fill in the key on the next step. The last window is a summary of the settings, save it and after this you can connect to the network by this profile.
In a larger WLAN and for home networking, a Wi-Fi router is more appropriate. In our second lab topology, we’ll use a Linksys router:
The topology is rather usual: we have DSL connection to the ISP cloud, in the WLAN there’s a wired PC and a wireless STA. These types of routers can be configured by web browser through HTTP, so at first, go to the admin PC and check its IP address. The Linksys router acts as a DHCP server, so we should get IP addressing information from this, and we need to use the gateway address in the web browser to get to the login window, and then use the username of admin and the password of admin:
Now we can see the web interface of the router. Let’s start with a security setting: change the administrator password. Go to Administration menu, and there find the Router password fields. Change the default password to “secretpass” and save it by going down to the Save settings button. The router should prompt you with a new login window, enter the new password and you’re done.
If we need a public IP address for Internet connection, we can choose from some methods: static, DHCP or PPPoE. Although PT supports PPP over Ethernet, it’s a bit more difficult to use because of the server side configuration. In our example, the simplest method will be static IP. The ISP router’s Fa0/0 interface has configured address of 192.0.0.1/24, so go to the Setup menu, and choose Static IP from the Internet connection type drop-down. Configure 192.0.0.2/24 as IP address, 192.0.0.1 as Default gateway and 18.104.22.168 as DNS 1 and Static DNS 1 under the DHCP settings. If we want, we can change other DHCP settings on the LAN also (real routers usually use the 192.168.1.0/24 network). Don’t forget to click on Save Settings! Now in the Status menu we can check the settings, and because the router does NAT by default, we can even test the reachability of www.net.com from PC1.
Now expand our LAN by a new STA: drag and drop a PC to the topology, but this is a wired one by default. The easiest method to use a wireless PC is dragging one from the Custom made devices category (or we can replace the built in NIC to a Linksys WMP300N under the Physical tab of the PC). Let’s rename it PC2. The next goal is to achieve that this PC cannot connect to our network, by MAC filtering. This method can prevent a PC with given MAC address to connect to the WLAN, or we can do the opposite thing: only a given PC can connect. First, we need the MAC address of PC1, because we want it to connect, so go to Command Prompt on it and issue the ipconfig /all command. Select the Physical address value, copy it to the clipboard by right click, and then go to the Linksys web interface. Setup some basic settings first on the Wireless menu: the SSID (“testing”), the channel (use 9), and disable the SSID broadcast (this is a security setting that prevent hackers to know the existence of our WLAN, but a real hacker can easily bypass it). Save the settings, then go to Wireless MAC filter tab and fill in as follows (note: the MAC address format is important):
Now we need to setup PC1. One thing to observe: the SSID won’t appear in the wireless utility, so we need to edit the default profile (or enter the SSID on the Config tab of PC1). To practice the MAC filtering, let’s configure PC2 to connect also.
Instead of WEP in today’s networks, we’re using more secure protocols: WPA and WPA2. They provide more robust authentication and encryption functions. Because WPA2 is more preferable, use this in the next exercise: set up WPA2 personal mode. This is based on a pre-shared key authentication and we can use TKIP or AES encryption. AES (Advanced Encryption Standard) is more secure. The configuration is simple: go to the Wireless menu on the web interface, choose Wireless Security menu, and select WPA2 Personal from the Security Mode drop-down. As can be seen, AES is already selected, so just fill in the Passphrase field, use “SecretKey123” (we need to use a passphrase with a minimum of 8 characters long), and save it. To ease our work, switch back SSID broadcast under the basic settings. Now on the clients, we should see the Security of WPA2-PSK in the wireless utility and in the next window, we need to fill in the same key to restore the full connectivity.
This method is suitable for home environments, but in an enterprise network, we should use a more secure method. Extensible Authentication Protocol (EAP) is the solution: with this, we can use various methods to authenticate our users. The most common is using the RADIUS protocol, in which an external server is used to authenticate the users, the AP is only acts like a relay. Let’s configure this: put a server called RADIUS into the topology, connect it to the Linksys router and give it the IP address of 192.168.0.10/24. Go to the Config tab, and under Services search for AAA (an acronym for Authentication, Authorization and Accounting). Turn on the service, and setup the client’s data. In this case, the client will be the Linksys router: give its name, IP address, and choose a pre-shared key (RadiusPass) which will be used between the Wi-Fi router and the RADIUS server. Then create users for the STAs, so each user will have separate username and password to enter the network. Each data can be entered by clicking on the + sign. The final configuration should look like this:
On the Linksys router, we need to select WPA2 Enterprise as Security mode. Here, we have to set the IP address of the RADIUS server and the shared key. Finally, go to PC1, and for the sake of simplicity, use the Config tab to set the Wireless0 interface, like on the next figure:
Alternatively, you can create a new profile for this connection (try it on PC2). Now the connection is authenticated by the RADIUS server, and this is more secure than using a shared key known by much people.
Packet Tracer supports some more functions like the real Linksys router: saving/restoring the configuration, upgrading the firmware, DMZ and port forwarding functions and Access Control. Try these also, as we can build interesting networking scenarios with them. Good luck!