topic Re: best security method to use for authentication and encryptio in Wireless

best security method to use for authentication and encryption

jorge.s — Sun, 04 Jul 2021 18:57:14 GMT

Hi,

we have implemented a Cisco ACS, and have a Microsoft Active Directory implementation.

I would like to know what is the best security method to use for authentication and encryption

without the need to buy any Certificate or client software?

We would like to use the standard Microsoft Windows XP features, without installing any WLAN Clients.

Thanks

Jorge Sousa

Re: best security method to use for authentication and encryptio

tahequivoice — Thu, 29 Jun 2006 22:03:55 GMT

WPA-PSK is what you are looking for, but it does not use AD. For that you will probably need to use a third party client. I have yet been able to get any of my cards, including the Cisco ABG card to work using username and password against AD using the XP client, but works like a charm with the Cisco client software. I can connect quickly and easily with the XP client using WPA-PSK though.

Re: best security method to use for authentication and encryptio

Scott Fella — Thu, 29 Jun 2006 23:05:35 GMT

You can use Microsoft CA to generate a free cert. Then you can configure the ACS for PEAP that is compatible with XP. Depending if your XP users support WPA2 AES or WPA TKIP, Either one will be secure, of course WPA2 would be the better choice. I know if xp doesnt have the WPA2 option, there is a hotfix out ther for that. You then crate a policy on the ACS to authenticate users to AD. There is a lot of information on how to set this up int ACS or even Microsoft IAS...

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00801df0e4.shtml

http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/ed80211.mspx

Re: best security method to use for authentication and encryptio

tahequivoice — Fri, 30 Jun 2006 11:27:20 GMT

Isnt the WPA2 or AD authentication card dependant? Some cards dont support AES, or WPA for that matter.

Re: best security method to use for authentication and encryptio

Stephen Rodriguez — Fri, 30 Jun 2006 13:54:18 GMT

Go with PEAP and WPA. Users can authenticate against the AD adn be done with it. As for what, the native Windows Client will do PEAP, and if you find a client that can't do WPA, upgrade the drivers. WPA is a standard and should be there. WPA2 on the other hand is not standard yet, but with WPA2 you get a stronger encryption, WPA you get rotating key. I'd personally go with rotating key, any encryptio can be broken given enough time.

my 2cents

Re: best security method to use for authentication and encryptio

Darren Ramsey — Sat, 01 Jul 2006 02:49:07 GMT

Well, IEEE ratified 802.11i in June 2004 and the WIFI alliance started certifying WPA2 devices in September 2004, so there is plenty of support for WPA2. Just got back from Networkers 2006 and they were recommending WPA2 in the following order:

Platinum - WPA2-AES

Gold - WPA-TKIP

Lead - WEP

The big player's (Cisco, Intel, Broadcom) AG cards will do WPA2-AES and CCX3 or better just fine with the latest drivers. Don't forget the MS WPA2 patch KB893357 if you are going to use the MS PEAP client. IAS or ACS will work equally well, just don't forget the MS fast reconnect patch when used with ACS.

WPA2 provides better encryption and PMK caching, which is a standards based fast roaming similar to Cisco CCKM. The only drawback that I know is WPA2 XP client configuration is not yet available to be pushed out via AD group policy.