Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

[PlumberCon/NinjaCon] Attacking Cisco Enterprise WLAN

Attacking Cisco Enterprise WLAN (or F*** again ???)

Oliver Roeschke
Daniel Mende


Enterprise WLAN solutions are complex setups that should support security and manageability by combining several technologies and protocols. This complexity needs distinct design patterns to ensure that all security goals are met. Use of insecure mechanisms can result in a total breakdown of security. One prominent example is Cisco’s Structured Wireless-Aware Network (SWAN) architecture, composed of autonomous access points combined with some components for centralized management. This architecture is still deployed in a number of early corporate wireless networks. The proprietary ‘Wireless LAN Context Control Protocol’ (WLCCP) plays a major role here.

Unfortunately, the protocol design is debatable in several aspects, leading to practical attacks that pose a high risk to wireless networks. A second example is Cisco’s current solution, called ‘Unified Wireless Networks’. It consists of several entities with interesting communication patterns. Additionally, it is built on a broken trust model.

In this talk we will describe the inner workings of these pieces, dissect the vulnerable parts and have some discussion on good or bad protocol design. As usual, some demos will demonstrate the issues.

Concept of Enterprise WLAN

Very different from home networks: roaming, centralised management and authentication all have to be implemented, and there are many more APs, all of which must be configured in the same way.

APs bridge the wireless side to the wired network. In the background a controller handles the centralised management and the authentication scheme, integrating enterprise technologies such as RADIUS.

Cisco’s 1st generation – SWAN

Most proprietary of all generations.

Wireless LAN Control Domain: a collection of controllers that together implement a domain.

Based on WLCCP with “autonomous” access points. Authentication is done against the controller (the WDS master).

Mobile node authentication and key management are outsourced to the master.

WLCCP Protocol (Wireless LAN Context Control Protocol)

  • A basic Wireshark parser is available for some message types (not complete)

Infrastructure Authentication

  • for Intra-AP communication
  • Establishes encryption key – Context Transfer Key (CTK)
  • LEAP Based

Client Authentication

  • all Cisco-supported EAP methods
  • Establishes key for WLAN encryption


WLCCP enables roaming while the connection stays encrypted. Normally a roam requires a complete re-authentication and a new encryption key; WLCCP supports Fast Handoff without a full EAP authentication exchange. The timing is listed as < 150 ms, which allows seamless roaming between APs.

  • Requires client support
  • Controllers transfer WEP/WPA/WPA2 keys to APs
  • Transfer is encrypted by CTK

Infrastructure Master Voting

Masters announce themselves by sending “SCM Advertisement Replies”.

These advertisements carry no cryptographic proof of who sent them, so an attacker can claim the master role simply by sending a packet advertising himself as the preferred master.

This is the same class of flaw as the known takeover attacks on other Cisco protocols (e.g. HSRP).
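To make the election flaw concrete, here is an added Go model written for these notes (not code from the talk, from Cisco or from WLCCP itself) of an AP choosing its master from advertisements. It assumes a simplified advertisement that carries only the claimed master name and a priority, with the higher priority winning; that is a modelling assumption, not the WLCCP wire format. The unauthenticated acceptance rule reproduces the takeover described above; the hardened variant adds what the notes say is missing, an HMAC over the advertisement under a shared infrastructure key, plus a sequence number so a captured genuine advertisement cannot simply be replayed later. The key and the node names are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Advertisement models the election-relevant content of an SCM advertisement
// (a modelling assumption, not the WLCCP wire format): who claims the master
// role and with what priority. Seq and Tag are the additions of the hardened variant.
type Advertisement struct {
	Master   string
	Priority uint8
	Seq      uint32 // strictly increasing per sender, so a captured advertisement cannot be replayed
	Tag      []byte // HMAC-SHA256 over Master, Priority and Seq under the infrastructure key
}

// Node is an AP that has to decide whom it treats as its master.
type Node struct {
	Master     string
	MasterPrio uint8
	LastSeq    uint32
}

// acceptUnauthenticated reproduces the flaw: the highest advertised priority wins,
// and nothing ties the advertisement to a legitimate controller.
func (n *Node) acceptUnauthenticated(adv Advertisement) bool {
	if n.Master != "" && adv.Priority <= n.MasterPrio {
		return false
	}
	n.Master, n.MasterPrio = adv.Master, adv.Priority
	return true
}

// tag computes the authentication tag the hardened variant requires.
func tag(key []byte, adv Advertisement) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(adv.Master))
	m.Write([]byte{adv.Priority})
	var seq [4]byte
	binary.BigEndian.PutUint32(seq[:], adv.Seq)
	m.Write(seq[:])
	return m.Sum(nil)
}

// acceptAuthenticated only believes an advertisement with a valid tag under
// the shared infrastructure key and a sequence number it has not seen yet.
func (n *Node) acceptAuthenticated(key []byte, adv Advertisement) bool {
	if !hmac.Equal(adv.Tag, tag(key, adv)) || adv.Seq <= n.LastSeq {
		return false
	}
	n.LastSeq = adv.Seq
	return n.acceptUnauthenticated(adv)
}

// election replays the takeover: the real master advertises priority 200, then a
// rogue node claims 255 without knowing the key. It returns the master each AP ends up with.
func election(key []byte) (naiveMaster, hardenedMaster string) {
	legit := Advertisement{Master: "wds-master", Priority: 200, Seq: 1}
	legit.Tag = tag(key, legit)
	rogue := Advertisement{Master: "attacker", Priority: 255, Seq: 2}
	rogue.Tag = tag([]byte("attacker-guess"), rogue) // wrong key: the attacker does not hold the infrastructure key

	naive, hardened := &Node{}, &Node{}
	naive.acceptUnauthenticated(legit)
	naive.acceptUnauthenticated(rogue)
	hardened.acceptAuthenticated(key, legit)
	hardened.acceptAuthenticated(key, rogue)
	return naive.Master, hardened.Master
}

func main() {
	n, h := election([]byte("constructed-infrastructure-key"))
	fmt.Println("unauthenticated election trusts:", n) // attacker
	fmt.Println("authenticated election trusts:", h)   // wds-master
}
```

Two caveats a practitioner should keep in mind: a tag under one shared group key only keeps outsiders out, so any AP that has been compromised and holds the key can still claim the master role; and the anti-replay sequence number has to survive reboots of the receiving node, otherwise the last captured genuine advertisement becomes valid again.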

LEAP authentication is vulnerable to the known dictionary attack published by Joshua Wright (asleap).
