Some advice required on security upgrade ideas.

Adam Watts
Level 1

Hi all,

I currently manage a wireless network which has over 200 users per day. It's a Windows-based environment with a bit of VoIP and other stuff thrown in for good measure. We currently run several SSIDs for different applications. I am currently looking at the expanding client base on our main data network and I want to expand the security allowances to make it easier to manage and allow non-Windows devices to use the network, e.g. iPads and Android tablets.

At the moment we use a Cisco ACS server to manage the access and this ties in to Microsoft AD for authentication using PEAP. We also use L2 MAC-based authentication on the WLAN to only allow the approved devices.

What I want to see is if there is a better method to set up security on the network. The key requirement is that we only allow the approved devices to use the wireless and block Jo Bloggs from using his personal iPhone just because he has a valid username and password. Any solution would need to work with various different operating systems.

At this stage I'm just trying to gather some ideas on how I can move forward.

Thanks,


Adam

1 Accepted Solution

Scott Fella
Hall of Fame

That is pretty tough to do depending on what devices are approved. Usually I see companies that will do machine authentication or EAP-TLS for their domain computers. This might work if all the approved devices are on the domain. If not, then that makes it tough to do using the above. Now if a user has an iPad, tablet, etc. that needs to be on the wireless, I have seen companies just use WPA2-PSK, but the catch is the user has to bring in their device to get it set up. This works okay until the user loses their device or leaves the company. Then you would have to change the key and reconfigure all the approved devices again. If there are not many devices to manage, then doing PEAP with MAC filtering is probably your best bet. MAC filtering, as you know, isn't secure and is a management nightmare, but in your case, it's probably your only way. You could import a certificate to these mobile devices, but that can be a nightmare also, especially if a certain device doesn't support EAP-TLS.

ISE wouldn't even help in your case just because you might allow some users access with their iPad and others not.

Thanks,

Scott Fella

-Scott
*** Please rate helpful posts ***

3 Replies

Thanks for the reply, Scott,

Yes, MAC address filtering is a nightmare but might still be the way forward.

Adam,

Sometimes you can't avoid that, but it is painful :)

-Scott
*** Please rate helpful posts ***
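
An added example, not part of the original thread: since the thread settles on PEAP with MAC filtering while noting that MAC filtering isn't secure, this sketch reviews authentication records against the approved-device inventory. The CSV layout, usernames, MAC addresses and the device-to-owner mapping are constructed assumptions, not a Cisco ACS export format.

```python
import csv, io, re

# Constructed inventory (assumption): approved device MAC -> assigned AD username.
APPROVED = {
    "00:1b:63:aa:bb:01": "asmith",
    "3c:5a:b4:10:20:30": "jbloggs",
}

# Constructed sample records; calling_station_id is the client MAC as reported
# in the RADIUS Calling-Station-Id attribute, in whatever notation the NAS uses.
SAMPLE_LOG = """timestamp,username,calling_station_id,result
2000-01-01T08:00:12,asmith,00-1B-63-AA-BB-01,pass
2000-01-01T08:03:40,jbloggs,3C5A.B410.2030,pass
2000-01-01T08:05:02,jbloggs,a6:11:22:33:44:55,pass
2000-01-01T09:15:27,kjones,00:1b:63:aa:bb:01,pass
"""

def normalize_mac(raw):
    """Reduce any common MAC notation to lowercase colon-separated form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def is_locally_administered(mac):
    """True when the U/L bit is set, as it is for randomized (private) MACs."""
    return bool(int(mac[:2], 16) & 0x02)

def audit(log_text, approved):
    """Return (timestamp, user, mac, reason) for each successful auth that breaks policy."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["result"] != "pass":
            continue
        mac = normalize_mac(row["calling_station_id"])
        user = row["username"].lower()
        if mac not in approved:
            reason = "unapproved device"
            if is_locally_administered(mac):
                reason += " (randomized MAC)"
        elif approved[mac] != user:
            # A cloned MAC and a shared device look the same here: review both.
            reason = f"approved MAC used by non-owner (owner: {approved[mac]})"
        else:
            continue
        findings.append((row["timestamp"], user, mac, reason))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG, APPROVED):
        print(*finding, sep="  ")
```

The owner-mismatch finding is the case a MAC filter alone cannot see, because the address itself is on the approved list.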