
Critique my wireless setup

reicherb

Platinum Member
We've recently installed two wireless APs in public areas of our LAN. In order to make them secure we created 2 separate VLANs for wireless traffic. VLAN1 requires no authentication but has an access list that only allows access to our HTTP proxy (BorderManager). The other VLAN access list allows full access to all network resources but requires Radius (LEAP) authentication. Each user will be given a unique ID and password. Currently the Radius server is housed on the APs but as the number of APs grows we'll move to another Radius server that can sync with NDS (perhaps BorderManager).

Does this sound like it's along the lines of how others are handling installation of APs that are multiple hops deep in a network? We looked at VPN and it was perhaps a better way to go but our budget didn't allow us to buy another VPN device. We also already allow VPN access to users outside the network and Radius authentication seemed plenty secure.

Any thoughts? Comments? Suggestions?
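As an added illustration (not the poster's configuration), here is one way the two-VLAN split described above could be written on a Cisco IOS layer-3 switch and a Cisco IOS access point. VLAN numbers, addresses, the proxy port, the RADIUS server and the shared secret are all assumed placeholders, and the trailing `deny ... log` on the guest ACL is there so that any guest traffic aimed anywhere other than the proxy shows up in syslog.

```cisco
! Constructed addressing for this example (not the poster's):
!   guest wireless  VLAN 10 = 192.0.2.0/25,   BorderManager proxy = 198.51.100.10:8080
!   staff wireless  VLAN 20 = 192.0.2.128/25, RADIUS server       = 198.51.100.20
!
! --- Switch: guest VLAN may reach DHCP, one DNS server and the proxy port only ---
ip access-list extended WLAN-GUEST-IN
 permit udp any eq bootpc any eq bootps
 permit udp 192.0.2.0 0.0.0.127 host 198.51.100.53 eq domain
 permit tcp 192.0.2.0 0.0.0.127 host 198.51.100.10 eq 8080
 deny   ip any any log
!
interface Vlan10
 description Guest wireless - no auth, proxy only
 ip address 192.0.2.1 255.255.255.128
 ip access-group WLAN-GUEST-IN in
!
interface Vlan20
 description Staff wireless - RADIUS-authenticated, full access
 ip address 192.0.2.129 255.255.255.128
!
! --- AP: two SSIDs, each bound to its VLAN; only the staff SSID requires EAP ---
aaa new-model
aaa group server radius rad_eap
 server 198.51.100.20 auth-port 1812 acct-port 1813
aaa authentication login eap_methods group rad_eap
radius-server host 198.51.100.20 auth-port 1812 acct-port 1813 key PLACEHOLDER-SECRET
!
dot11 ssid staff
 vlan 20
 authentication open eap eap_methods
 authentication network-eap eap_methods
!
dot11 ssid guest
 vlan 10
 authentication open
```

Pointing the AP at a central RADIUS server rather than the AP-hosted one keeps user accounts in a single place as more APs are added.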


 
umm, sweet? 😀

Perhaps limit access to certain MAC addresses if the same people always use that particular AP. Also, make sure you always use effective passwords regardless of how much the users complain.

 
Originally posted by: Goosemaster
umm, sweet? 😀

Perhaps limit access to certain MAC addresses if the same people always use that particular AP. Also, make sure you always use effective passwords regardless of how much the users complain.


Yup, sweet setup. Altho be careful about the 'effectiveness' of password policies. I work at a major shipping company which recently changed their password policies for LDAP and AD accounts to be slightly more restrictive (8-14 characters, capital and lowercase, numbers.) I won't even begin to go into the sheer number of users who now write the password on a post-it note and slap it up on the monitor. Kinda counterproductive unless you can enforce basic logic such as not writing the password down among your users.
 
You're doing it pretty much by the book. LEAP is OK.

When you get around to adding a "real" RADIUS box, toss in a certificate (self-signed or otherwise) and step up to PEAP with MSCHAPv2 authentication (or LDAP if *NIX) and you can then push some security policies associated with a "guest" account.

I use a Cisco AP1231 a/b/g at home with a 2003 SBS acting as a RADIUS and CA. I use EAP-TLS ... but I control all of the computers. Since you are accommodating guests and a wide variety of hosts, LEAP / PEAP is more than enough and a little less management hassle.

In the Lab, we have a completely open SSID / VLAN (still no broadcast SSID) that goes to a VPN server to handle folks with older / non-WPA enabled NICs (this in addition to a WPA / EAP enabled VLAN/SSID).

Ya done good. Now you have some time on your hands, do a little research on WDS and the Cisco WLSE ...

😀

Good Luck

Scott
 
Originally posted by: Thoreau
Yup, sweet setup. Altho be careful about the 'effectiveness' of password policies. I work at a major shipping company which recently changed their password policies for LDAP and AD accounts to be slightly more restrictive (8-14 characters, capital and lowercase, numbers.) I won't even begin to go into the sheer number of users who now write the password on a post-it note and slap it up on the monitor. Kinda counterproductive unless you can enforce basic logic such as not writing the password down among your users.

Maybe you've gone too far with the policy. I think you want the passwords to be as hard to break as possible but if the users can't remember them or write them down they cause more support time and are much less secure.



Originally posted by: ScottMac
You're doing it pretty much by the book. LEAP is OK.

When you get around to adding a "real" RADIUS box, toss in a certificate (self-signed or otherwise) and step up to PEAP with MSCHAPv2 authentication (or LDAP if *NIX) and you can then push some security policies associated with a "guest" account.

I use a Cisco AP1231 a/b/g at home with a 2003 SBS acting as a RADIUS and CA. I use EAP-TLS ... but I control all of the computers. Since you are accommodating guests and a wide variety of hosts, LEAP / PEAP is more than enough and a little less management hassle.

In the Lab, we have a completely open SSID / VLAN (still no broadcast SSID) that goes to a VPN server to handle folks with older / non-WPA enabled NICs (this in addition to a WPA / EAP enabled VLAN/SSID).

Ya done good. Now you have some time on your hands, do a little research on WDS and the Cisco WLSE ...

😀

Good Luck

Scott


We're a NetWare shop and are already talking about moving to LDAP to share resources. We are a school district and share a fiber network with other districts for video conferencing. If we all move to LDAP we could share network resources (large printers, content filtering, off site storage, etc.) That might be the way to go in the future. We also don't broadcast either SSID. I figure I'll let the people in the offices know what it is and avoid students finding APs when they should be working in class.

Man you've got a better setup at home than most of us here have at work!

"WDS and the Cisco WLSE ... " Never even heard of 'em. Unfortunately, being a school district I'm pretty much a one man show and there isn't a lot of time for research.

 
WDS = Wireless Domains - It's the concept of "log into the network, not the server" (sort of); it makes for better / more seamless roaming. The basic system is to authenticate at the first AP, then the hashed credentials are pushed to the next likely (roaming) AP. Because you've already auth'd once, the hashed credentials are quickly in effect, which greatly reduces the re-auth time at the next AP.

WLSE = Wireless LAN Support Engine - It's a Cisco pizza-box server that's used to manage the wireless net. You can push firmware upgrades, collect stats, and it is / can be used in the WDS to store / hash / forward credentials.

When you get big into wireless (especially "One-Man Shows") it makes the entire wireless LAN much easier to monitor & manage as well as greatly enhancing the roaming capabilities (potentially on and off of campus).

Cisco (and 3COM) wireless is one of the products I support (when I'm not teaching). My philosophy is that to *really* know the product, you gotta live with it every day (hard to do in some support situations). So I got one to "live with." (I've got a 3COM 8K AP too).


You're gonna like this stuff, it's solid, got great lungs and ears, and the http / GUI is excellent (but you still have the CLI for ultimate control).

Have fun!

Scott
 