02-06-2012 01:06 AM - edited 07-03-2021 09:31 PM
Hi all,
I currently manage a wireless network which has over 200 users per day. It's a Windows-based environment with a bit of VoIP and other stuff thrown in for good measure. We currently run several SSIDs for different applications. I am currently looking at the expanding client base on our main data network and I want to expand the security allowances to make it easier to manage and allow non-Windows devices to use the network, e.g. iPads and Android tablets.
At the moment we use a Cisco ACS server to manage the access and this ties in to Microsoft AD for authentication using PEAP. We also use L2 MAC-based authentication on the WLAN to only allow the approved devices.
What I want to see is if there is a better method to set up security on the network. The key requirement is that we only allow the approved devices to use the wireless and block Jo Bloggs from using his personal iPhone just because he has a valid username and password. Any solution would need to work with various different operating systems.
At this stage I’m just trying to gather some ideas how I can move forward.
Thanks,
Adam
02-06-2012 01:36 AM
That is pretty tough to do depending on what devices are approved. Usually I see companies that will do machine authentication or EAP-TLS for their domain computers. This might work if all the approved devices are on the domain. If not, then that makes it tough to do using the above. Now if a user has an iPad, tablet, etc. that needs to be on the wireless, I have seen companies just use WPA2-PSK, but the catch is the user has to bring in their device to get it set up. This works okay until the user loses their device or leaves the company. Then you would have to change the key and reconfigure all the approved devices again. If there are not many devices to manage, then doing PEAP with MAC filtering is probably your best bet. MAC filtering as you know isn't secure and is a management nightmare, but in your case, it's probably your only way. You could import a certificate to these mobile devices, but that can be a nightmare also, especially if a certain device doesn't support EAP-TLS.
ISE wouldn't even help in your case just because you might allow some users access with their iPad and others not.
Thanks,
Scott Fella
Sent from my iPhone
02-28-2012 12:47 AM
Thanks for the reply, Scott.
Yes, MAC address filtering is a nightmare but might still be the way forward.
02-28-2012 01:27 AM
Adam,
Sometimes you can't avoid that, but it is painful:)