Enterprise Level Wireless Questions?

cpals

Diamond Member
Mar 5, 2001
I've been looking into our wireless where I work due to some issues that have come up and have been investigating whether or not we're doing things properly. Two questions:

1. What is the best encryption/authentication out there right now besides WPA2? I don't think we can use WPA2 because not all of our XP machines are SP2. Right now we're using WPA w/TKIP and EAP-TLS for our wireless users. This seems to have been working fine, but I did find a slight flaw (I believe) in our setup in that the clients aren't set up to specify which root authority to trust.

I've been reading up on PEAP-EAP-TLS but can't find too much information on it; from what I've read it's one notch up from EAP-TLS?

2. We currently use Cisco 12xx Aironets in our environment, but really don't utilize them too much due to how we've structured things. We pretty much only give users wireless if they ask for it; but I'd like to look into getting the wireless to connect before it's logged in (via computer certs). This would of course increase our wireless user count and I was just curious what a typical user/ap ratio is? 90% of the connections would be 802.11G

Thanks!
 

spidey07

No Lifer
Aug 4, 2000
1. WPA2 with AES encryption is best practice, but not all clients can support it. XP needs specific hot fixes if you are using zero config (built-in) wireless in addition to service packs.
1a. Need more info on authentication - what do you desire? Your last sentence makes me think much more information is needed as far as certificates and trust - are you doing machine auth or user auth? A WHOLE lot more information is needed in this regard on what kind of clients you are using and what they support. This is not an easy question or an easy answer.

2. Those APs will do whatever you want and tell them to do. The choice between computer vs. user AUTH is a security choice along with what clients you support and how you manage all of them.

Sorry to be blunt, but "it depends". I don't like more than 12 clients per access point but all of this depends on your applications, your security requirements, what you want/need, voice/video?

Your post can be broken down into:

1) clients you support (authentication and encryption) - a client is NOT a laptop running windows, keep this in mind
2) applications (which drives #3)
3) capacity/bandwidth
 

cpals

Diamond Member
Mar 5, 2001
1 - For the authentication, I just want to double check everything to make sure we're running everything properly. If EAP-TLS is the best way to go then I'll keep it set up that way, but like I said there are some things that I don't think are set up correctly even with that. I would like to have the best authentication, but be able to manage it at the same time. Currently with the certificates it's a bit of a pain since we issue them out manually and it would be nice to get away from the certificates side, but I'm not sure if PEAP is secure at all.

Currently we are only doing user authentication to gain access to the wireless. I am looking at adding on computer authentication also so that the computer can connect even if the user isn't logged on... from what I've read this will grant the 'wired' experience for end-users and they will get their group policies, etc. like normal.

2 - You say the 'choice' between user/computer authentication... but wouldn't I be doing both essentially? I have it already working right now on a couple test computers - once the laptop boots up it authenticates via the machine certificate and then once a user logs in it deauthenticates the machine and authenticates as the user.

Why is a laptop not a client?

Our applications are fairly light with the usual Exchange, mild file-sharing, web browsing, etc. We currently don't do much voice/video.

Thanks as always Spidey.
 

spidey07

No Lifer
Aug 4, 2000
I was referring to the fact that clients many times are not laptops. PEAP is very secure, you just need a public cert for your radius server. It's probably also the most widely supported and what I recommend. You can do an internal cert on the radius server if you like but that may be a pain depending on the clients you have so a public one is more flexible.

If you're already doing machine auth then stick with that unless you have a compelling reason to do user auth. I recommend machine auth but some people don't want to mess with it or have other security requirements.

Next up is roaming. If you're running IOS APs then you'll need layer 2 adjacency and set up WDS. If no L2 adjacency then move to lightweight APs and get a controller or two. I've been really impressed with the 1252 APs, the only gotcha is the power requirements are too much for PoE and you need to use an injector.
 

Cooky

Golden Member
Apr 2, 2002
We use WPA2/AES w/ PEAP, and support computer auth (for a wired-like experience as you've pointed out).

We have 50 Lightweight Aironet 1131AG's that support roughly 400-500 users in our headquarters.
That comes down to about 10 users per AP.

I can't guarantee the same setup makes the most sense for your environment, but we've been fairly happy w/ our wireless so far.
Also, I wouldn't worry too much about XP clients not supporting WPA...

From what I gather, you're looking for best practice.
If the best practice mandates those XP clients to get updates, then you'll just need to get them updated one way or the other (GPO, Altiris, or whatever method you manage your hosts).
 

cpals

Diamond Member
Mar 5, 2001
Originally posted by: spidey07
I was referring to the fact that clients many times are not laptops. PEAP is very secure, you just need a public cert for your radius server. It's probably also the most widely supported and what I recommend. You can do an internal cert on the radius server if you like but that may be a pain depending on the clients you have so a public one is more flexible.

If you're already doing machine auth then stick with that unless you have a compelling reason to do user auth. I recommend machine auth but some people don't want to mess with it or have other security requirements.

Next up is roaming. If you're running IOS APs then you'll need layer 2 adjacency and set up WDS. If no L2 adjacency then move to lightweight APs and get a controller or two. I've been really impressed with the 1252 APs, the only gotcha is the power requirements are too much for PoE and you need to use an injector.

I don't mean to drag this on, but we are not using machine auth right now. We are currently only using user auth and I'm thinking of adding machine authentication also, like Cooky described below.

I'm not sure what the Layer 2 adjacency you describe is so I'll have to read up on that.
 

cpals

Diamond Member
Mar 5, 2001
They're all on their own subnet... we pretty much have five IDFs and one AP per IDF (for now) and each IDF is on its own subnet. Will what you were describing not work?
 

spidey07

No Lifer
Aug 4, 2000
It will work, but you won't have seamless roaming between the access points. The client will have to reauthenticate each time it roams and do DHCP. You might really want to start looking at getting a controller. The 12 access point controllers are under 10 grand.
 

Cooky

Golden Member
Apr 2, 2002
They have a model that supports 6 APs, but you won't be able to support EtherChannel for redundancy.
 

cpals

Diamond Member
Mar 5, 2001
Originally posted by: spidey07
It will work, but you won't have seamless roaming between the access points. The client will have to reauthenticate each time it roams and do DHCP. You might really want to start looking at getting a controller. The 12 access point controllers are under 10 grand.

Ah... crap. Don't know where my mind is, but the APs are on their own subnet. We have each IDF on its own subnet as I said above, but the access points are broken off into a different VLAN that is shared amongst all the IDFs.

I've been meaning to try out the Cisco Wireless Control System (which I think is different than the controller you speak of above, is one just software and the other hardware?) but I haven't had time... will be looking into it pretty soon as Wireless is going to be a big part of our company in the future.
 

spidey07

No Lifer
Aug 4, 2000
Ok, if they are on the same subnet just set up WDS and you'll have seamless roaming. WCS is management software specifically for the lightweight/controller solution. You don't need it for a lightweight install but it is very nice and highly recommended if you do.
 

cpals

Diamond Member
Mar 5, 2001
Originally posted by: Cooky
We use WPA2/AES w/ PEAP, and support computer auth (for a wired-like experience as you've pointed out).

We have 50 Lightweight Aironet 1131AG's that support roughly 400-500 users in our headquarters.
That comes down to about 10 users per AP.

I can't guarantee the same setup makes the most sense for your environment, but we've been fairly happy w/ our wireless so far.
Also, I wouldn't worry too much about XP clients not supporting WPA...

From what I gather, you're looking for best practice.
If the best practice mandates those XP clients to get updates, then you'll just need to get them updated one way or the other (GPO, Altiris, or whatever method you manage your hosts).

Yep, I hear you totally. We're going to be doing a massive update of all our laptops (800+) within this year so I'll make sure we have SP3 on all the laptops and then my master plan can come into effect. :D

Also, I just want to clarify this, because it's how my system worked when I tested the computer auth. When I'm using computer authentication that means the user has the wired-experience as we spoke of earlier and the user can log into the computer wirelessly. However, once the user is logged into the computer the wireless NIC then tries to authenticate via the user authentication and uses that.

That's at least how ours seems to work. Can you ever have it just use machine authentication? It wouldn't seem to make sense to do it that way, but I was curious.
 

cpals

Diamond Member
Mar 5, 2001
Originally posted by: spidey07
Ok, if they are on the same subnet just set up WDS and you'll have seamless roaming. WCS is management software specifically for the lightweight/controller solution. You don't need it for a lightweight install but it is very nice and highly recommended if you do.

So WCS would manage the controller if you bought one, but it can also work independently from a controller?

How would you manage the controller if you didn't have WCS; does it have a mgmt interface, just not as robust as the WCS?
 

spidey07

No Lifer
Aug 4, 2000
The controllers don't need WCS, they use a web interface. But WCS makes troubleshooting a lot nicer and you get great reporting and statistics (graphs of client SNR, manage rogues or attack them, heatmaps, etc.).