https://community.cisco.com/t5/wireless/need-help-security-issue/m-p/339533#M22729 <HTML><HEAD></HEAD><BODY><P>I am not sure if I can give you an answer you would like. In general, you want to use one of the 802.1x for authentication. Then, you use WPA (TKIP) for key management.</P><P></P><P>The Cisco APs support almost all 802.1x types. The real problem is that not all clients support every 802.1x types.</P><P></P><P>LEAP and EAP-FAST are 802.1x types from Cisco. You either have Cisco wireless adapters (i.e. 350 and CB21AG, but CB21AG does not support EAP-FAST yet), CCXv1 complaint adapter for LEAP support, or CCXv3 complaint adapter for EAP-FAST. You also need to upgrade the ACS for LEAP or EAP-FAST support.</P><P></P><P>You can use PEAP MS-CHAP v2, but you need to install certificates on the ACS and make the wireless clients trust the CA issuing the certificate. On top of it, I do not think that low end wireless adapters support PEAP MS-CHAP v2.</P><P></P><P>I rule out EAP-TLS because you need to install certificate on every single PC.</P><P></P><P>Another possibility is PEAP-GTC. Only Cisco wireless adapter and CCX v2 complaint adapters support PEAP-GTC.</P><P></P><P>WPA-PSK is another possibility outside 802.1x and not as secured as 802.1x. However, not all wireless adapter support it. At least Cisco 350 wireless adapter does not support it.</P><P></P><P>In short, you need to find out what wireless adapter you want to support. Then, pick one of the above.</P></BODY></HTML> Thu, 04 Nov 2004 20:23:38 GMT dixho 2004-11-04T20:23:38Z https://community.cisco.com/t5/wireless/need-help-security-issue/m-p/339532#M22728 <P>Hello, we have a WLAN with 25 Cisco ap's. We use only a static wep and need to strengthen our security.</P><P></P><P>We have:</P><P></P><P>Cisco 350 and 1200 ap's</P><P>Cisco ACS 3.0 radius server</P><P>A lot of different client cards, most of then running XP sp1/sp2</P><P></P><P>We want to configure the clients as little as possible. Does anyone have a suggestion on how we can do things to increase the security ?</P><P></P><P></P><P>Regards </P><P></P><P>Johann Folkestad</P> Sun, 04 Jul 2021 17:08:11 GMT https://community.cisco.com/t5/wireless/need-help-security-issue/m-p/339532#M22728 johannf 2021-07-04T17:08:11Z https://community.cisco.com/t5/wireless/need-help-security-issue/m-p/339533#M22729 <HTML><HEAD></HEAD><BODY><P>I am not sure if I can give you an answer you would like. In general, you want to use one of the 802.1x for authentication. Then, you use WPA (TKIP) for key management.</P><P></P><P>The Cisco APs support almost all 802.1x types. The real problem is that not all clients support every 802.1x types.</P><P></P><P>LEAP and EAP-FAST are 802.1x types from Cisco. You either have Cisco wireless adapters (i.e. 350 and CB21AG, but CB21AG does not support EAP-FAST yet), CCXv1 complaint adapter for LEAP support, or CCXv3 complaint adapter for EAP-FAST. You also need to upgrade the ACS for LEAP or EAP-FAST support.</P><P></P><P>You can use PEAP MS-CHAP v2, but you need to install certificates on the ACS and make the wireless clients trust the CA issuing the certificate. On top of it, I do not think that low end wireless adapters support PEAP MS-CHAP v2.</P><P></P><P>I rule out EAP-TLS because you need to install certificate on every single PC.</P><P></P><P>Another possibility is PEAP-GTC. Only Cisco wireless adapter and CCX v2 complaint adapters support PEAP-GTC.</P><P></P><P>WPA-PSK is another possibility outside 802.1x and not as secured as 802.1x. However, not all wireless adapter support it. At least Cisco 350 wireless adapter does not support it.</P><P></P><P>In short, you need to find out what wireless adapter you want to support. Then, pick one of the above.</P></BODY></HTML> Thu, 04 Nov 2004 20:23:38 GMT https://community.cisco.com/t5/wireless/need-help-security-issue/m-p/339533#M22729 dixho 2004-11-04T20:23:38Z