Forum

I have a couple of questions, to do with Cisco gear.

I have a controller set up in a pretty simple way. Just a simple WLAN using EAP-PEAP.

FIrst, the beacons. Within the beacons there is this:

[code]Cisco Proprietary
Element ID: 133 Cisco Proprietary [100]
Length: 30 [101]
OUI: 0x00-0x00-0x8F [102-104]
Value: 0x000F00FF035900 [105-111]
AP Name: AP001d.a1ee.31b. [112-127]
Number of clients: 1 [128]
Value: 0x000027 [129-131][/code]

This sends out the 'AP Name', which is set within the controller. In my example here, it's just the default name which is AP{MAC address}. The thing is, in a deployment, the AP names are going to be the location of them. This is info that I don't want broadcast in beacons.
Is there a way to turn off this Cisco element?

Secondly, when the station is associated, it receives the EAP request. In this request, I see the following:

[code]802.1x Authentication
Protocol Version: 2 [30]
Packet Type: 0 EAP - Packet [31]
Body Length: 41 [32-33]
Extensible Authentication Protocol
Code: 1 Request [34]
Identifier: 1 [35]
Length: 41 [36-37]
Type: 1 Identity [38]
Type-Data: .networkid=d,nasid=quicktest,portid=1 [39-74][/code]

The direction of this frame is to the staion, asking it who it is. I don't see the need for the 'nasid=quicktest' part, because in my mind, this is only relevant to the RADIUS server where the controller is set up as a client with shared secret.
Again, this is configuration data that I don't want broadcast to the world in the clear. Is there a way to stop this?

I figured the first one out.
On the controller, go:
[code]WLANS > {WLAN name} > Advanced > Un-tick Aironet IE[/code]

The second bit about NAS ID might take a bit more thinking.

I think this is the answer for the second question.

From RFC 2869:

[code]2.3.1. Protocol Overview

The EAP conversation between the authenticating peer (dial-in user)
and the NAS begins with the negotiation of EAP within LCP. Once EAP
has been negotiated, the NAS MUST send an EAP-Request/Identity
message to the authenticating peer, unless identity is determined via
some other means such as Called-Station-Id or Calling-Station-Id.
The peer will then respond with an EAP-Response/Identity which the
the NAS will then forward to the RADIUS server in the EAP-Message
attribute of a RADIUS Access-Request packet. The RADIUS Server will
typically use the EAP-Response/Identity to determine which EAP type
is to be applied to the user.[/code]

From RFC 3579:

[code] In RADIUS/EAP, RADIUS is used to shuttle RADIUS-encapsulated EAP
Packets between the NAS and an authentication server.

The authenticating peer and the NAS begin the EAP conversation by
negotiating use of EAP. Once EAP has been negotiated, the NAS SHOULD
send an initial EAP-Request message to the authenticating peer. This
will typically be an EAP-Request/Identity, although it could be an
EAP-Request for an authentication method (Types 4 and greater). A
NAS MAY be configured to initiate with a default authentication
method. This is useful in cases where the identity is determined by
another means (such as Called-Station-Id, Calling-Station-Id and/or
Originating-Line-Info); where a single authentication method is
required, which includes its own identity exchange; where identity
hiding is desired, so that the identity is not requested until after
a protected channel has been set up.[/code]

[quote]AP Name: AP001d.a1ee.31b. [112-127][/quote]
Do you know if this line is also in the beacons of older autonomous Cisco APs and older code? If so it could be a good way to find ?LOST? APs in an old deployment that does not have any documentation lol.