Cisco Wireless Security

matt.austin
Level 1

I have a question regarding best practice recommendations for Cisco Wireless concerning Clients...

I have Cisco 1200 Series APs with IOS Version 12.2(13)JA4. Currently I have Administrators authenticating for Admin Access via TACACS+, for both http and command line, via Cisco ACS 3.2. I also have a group on the ACS Configured for RADIUS Access, which I want clients to use for authenticating to our Microsoft Database. My main question is what should I implement for the clients? LEAP was originally mentioned, but due to inherent weaknesses with LEAP (dictionary attacks, Man in the Middle), I'd like to move to a different method. I have a plethora of laptops with various Wireless NICs, and moving to a solely Cisco Wireless Adapter is out of the question. What methods can I use, that would be an alternative to LEAP, as in EAP-TLS (Although I don't have a CA Server, and implementing digital certificates would be cumbersome), PEAP??? If there is some documentation out there, that I failed to find, or if someone has some real-world implementation experience with this, please provide direction and assistance...

Thanks in Advance!

Matt

6 Replies

hnguyen1
Level 1

You can deploy EAP-FAST

http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_configuration_guide09186a0080262422.html

This does not work with Aironet 802.11a/b/g client adapters (PI21AG/CB21AG) yet.

Or LEAP with stronger password policy

http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_bulletin09186a00801cc901.html#wp1002291

• A minimum of 10 characters

• A mixture of uppercase and lowercase letters

• At least one numeric character (0-9) or non-alphanumeric characters (example: !#@&)

• Use at least one special character within the password—not at the beginning or end

• No form of the user's name or user ID

• A word that is not found in the dictionary (domestic or foreign)

• Randomly generated passwords

Good luck!!!
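The LEAP password rules quoted in the reply above, turned into a checker an administrator could run against proposed passwords before enrolling users. This is an added example, not code from the thread or from Cisco; the wordlist is a small constructed stand-in for a real dictionary file, and `check_leap_password` is a hypothetical helper name.

```python
import re

# Constructed stand-in for a real dictionary wordlist (domestic or foreign).
SAMPLE_DICTIONARY = {"password", "welcome", "wireless", "cisco", "summer"}


def check_leap_password(password, username, full_name="", dictionary=SAMPLE_DICTIONARY):
    """Return the list of LEAP password-policy rules the password violates.

    An empty list means the password satisfies every rule in the Cisco
    bulletin quoted above.  Each rule is checked independently so the
    caller can report all problems at once.
    """
    failures = []
    if len(password) < 10:
        failures.append("shorter than 10 characters")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        failures.append("needs both uppercase and lowercase letters")
    if not re.search(r"[0-9]|[^A-Za-z0-9]", password):
        failures.append("needs a digit or a non-alphanumeric character")
    # The special character must sit inside the password, not at either end.
    if not re.search(r"[^A-Za-z0-9]", password[1:-1]):
        failures.append("needs a special character that is not at the beginning or end")
    lowered = password.lower()
    # Reject any 3+ character piece of the user ID or real name (e.g. "matt", "austin").
    name_parts = re.split(r"[^A-Za-z0-9]+", username) + full_name.split()
    if any(len(p) >= 3 and p.lower() in lowered for p in name_parts):
        failures.append("contains the user's name or user ID")
    # Dictionary words are rejected even when padded with digits or symbols,
    # which is exactly what an offline dictionary attack on LEAP would try.
    if any(len(w) >= 4 and w in lowered for w in dictionary):
        failures.append("contains a dictionary word")
    return failures


if __name__ == "__main__":
    for pw in ["password1", "Matt!Austin2024", "Wirelessnet9!", "Tr0ub#dour99x"]:
        problems = check_leap_password(pw, "matt.austin", "Matt Austin")
        print(pw, "->", "OK" if not problems else "; ".join(problems))
```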

dfrance
Level 1

We tested PEAP and TTLS. PEAP seems desirable though apparently Microsoft and Cisco implementations differ, but we got TTLS to work first.

We are using 1200s, 12.2(13)JA4, Macintosh and PC clients with TTLS. It is supported in Mac OS 10.3 and above. We successfully tested a Linksys supplied client and Alpha-Arris SecureW2 for Win2k and XP.

No client side cert involved with TTLS, although Radius cert is required.

We are not using TACACS however.

Yeah, I actually already implemented Cisco LEAP. However, I will note that with TTLS, only a RADIUS cert is needed. It seems more secure, but the client didn't want to have to purchase any type of certs from the outside...Thanks

gwcrook
Level 1

ACS can issue a self signed certificate. Then you would have to instruct each client to trust that certificate.

If the client is using a Microsoft domain it would be easier to have one of the DCs issue the cert, and once the cert is installed on the ACS box all domain clients would automatically trust it.

Is that available on version 3.2, or the more recent 3.3 version?

Is the self signed certificate available on version 3.2, or the more recent 3.3 version?
