Suggestions for Locking Down a WPA1 WLAN?

Matthew Martin
Level 5

Hello All,

We have disabled WPA1 on all of our WLANs except for one. This one WLAN is for wireless printers only, and we have a bunch of old wireless printers that don't appear to have WPA2 as a security option.

We were thinking of possibly creating an ACL on the switch level that would only allow internal endpoints (*like PCs and Servers) to be allowed to talk to this Vlan.

Also, this SSID is a hidden network, not broadcasting its SSID.

Would doing something like that be helpful, or adding MAC Filtering, or anything along those lines..? Or is there no way to safely secure a wireless network that uses WPA1?


Thanks in Advance,

Matt

8 Replies

balaji.bandi
Hall of Fame

Yes, agree, some clients are not compatible with the latest trends and they need to be part of the network.


If you know the full list of MAC addresses, then add them to the MAC filter list for more granular protection.


The guide below helps to set one up for legacy printers and medical devices.


https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/91901-mac-filters-wlcs-config.html


BB


ammahend
VIP

You can apply an ACL at the WLAN level on the WLC itself.

-hope this helps-

Matthew Martin
Level 5
Thanks for the replies.

I'll think about doing the MAC filtering, since it can be a bit of a pain with the way printers are swapped in and out so often nowadays. But I'll definitely apply an ACL.

Any benefit one way or the other applying the ACL at the WLC or Switch level?

Thanks Again,
Matt

Not broadcasting the SSID isn't really protecting you. MAC filtering seems to be like everyone's last alternative and it's a pain to manage. Just ACL the VLAN so that it only has access to whatever resources. I wouldn't get overly worried about this as it seems like it's only old legacy devices. Even ACLs can be a pain if you have to allow something, but that something now has access to your secure networks.
-Scott

Thanks for the reply Scott.


Yes, I agree. Someone can easily see an SSID that's not broadcasting with simple tools/Apps you can download, like Wi-Fi Analyzer.


I also understand that MAC filtering can also be somewhat misleading to be considered a secure feature, in that someone could easily spoof the MAC address of someone that's already connected...


Seems that the only decent option is to apply an ACL to that VLAN.


Thanks Again,

Matt

I also suggest going the ACL on VLAN solution. That way you can block the "printers" from talking to your internal network and the other way around. Those printers also probably don't need internet, so I would block that too. That way the SSID will get very boring for other uses.

Thanks for the reply. Yes, I agree.

What do you think this ACL should look like? I know internal client PCs will need to talk to the printers (*10.0.0.0 and some 192.168.0.0). Would there be any need for printers to talk back to those clients, for example, to access the web GUI of a printer?

-Matt

Depends on what you want to use and what printing protocols you want to use. I would probably also do an ACL that is granular only in one direction and fairly open in the other.
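As an added illustration of the "granular one way, fairly open the other way" ACL discussed in this thread (example config written for this page, not posted by anyone in the thread), here is a Cisco IOS SVI ACL pair. It assumes a constructed printer VLAN 30 on 10.20.30.0/24 with SVI 10.20.30.1 and an assumed DHCP/DNS server at 10.0.0.10; the internal ranges 10.0.0.0/8 and 192.168.0.0/16 are the ones named in the question.

```cisco
! Constructed addressing for the example:
!   printer VLAN 30 = 10.20.30.0/24, SVI = 10.20.30.1
!   internal clients/servers = 10.0.0.0/8 and 192.168.0.0/16 (from the thread)
!   DHCP/DNS server = 10.0.0.10 (assumed)
!
! Granular direction: traffic the PRINTERS send, filtered "in" on the SVI.
ip access-list extended PRINTERS-OUTBOUND
 remark Printers may only answer TCP sessions that internal clients opened
 remark (print jobs on 9100/515/631 and the web GUI on 80/443 all ride on this)
 permit tcp 10.20.30.0 0.0.0.255 10.0.0.0 0.255.255.255 established
 permit tcp 10.20.30.0 0.0.0.255 192.168.0.0 0.0.255.255 established
 remark Let printers get an address and resolve names
 permit udp any eq bootpc any eq bootps
 permit udp 10.20.30.0 0.0.0.255 host 10.0.0.10 eq domain
 remark Anything else a printer starts (internal or Internet) is dropped and logged
 deny ip any any log
!
! Fairly open direction: traffic INTO the printer VLAN, filtered "out" on the SVI.
ip access-list extended PRINTERS-INBOUND
 remark Internal clients and servers may reach the printers on any port
 permit ip 10.0.0.0 0.255.255.255 10.20.30.0 0.0.0.255
 permit ip 192.168.0.0 0.0.255.255 10.20.30.0 0.0.0.255
 remark Nothing else (e.g. other VLANs, the Internet) may reach the printers
 deny ip any any log
!
interface Vlan30
 description Legacy WPA1 printer WLAN (constructed example)
 ip address 10.20.30.1 255.255.255.0
 ip helper-address 10.0.0.10
 ip access-group PRINTERS-OUTBOUND in
 ip access-group PRINTERS-INBOUND out
```

The `established` keyword only matches TCP segments with ACK or RST set (it is stateless), so anything a printer initiates on its own, such as SNMP traps, scan-to-folder over SMB, or firmware update checks, will appear as `deny ... log` hits and needs an explicit permit to the specific server if you want it.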