Buy or Renew
Buy or Renew
NEW: Try the Beta AI Summary feature on posts in the Routing and SD-WAN forum. Click to go to the forum.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
839
Views
0
Helpful
2
Replies

Confused with security options

Go to solution
tilconny1
Community Member

‎02-22-2008 08:12 AM - edited ‎07-03-2021 03:26 PM

We are going to implement a 4402 WLC and light-weight APs on our network. Our network is basic with windows servers and windows XP clients. The wireless network will be used by our users for local resources and our guests for access to a broadband service for which we are setting up a separate SSID and VLAN. I'm comfortable with the WLC and AP deployment. For guest access I've been researching the WLC guest login/authentication page option.

For our local users I'm really confused on all the security and authentication options. I know the options are: WPA, WEP, TACACS, MAC address, PKI, 802.11, Layer 1, Layer 2, Layer 3, EAP, TKIP, RADIUS, but I'm really confused which to use for our local users and how to configure the right option. Our security needs are not that great as we are not passing government secrets but I know WEP is not an option for us. I would greatly appreciate if someone can point me in the direction to understand the security options and which would best suit our needs.

Thank you,

Jeff

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
scottmac
Level 11
Level 11

‎02-23-2008 07:22 AM

For link security, if all of your clients support it, use WPA (WPA2 if possible) with AES encryption.

If some clients don't support AES, it's possible to offer TKIP as well.

For client authentication, as usual, it boils down to what resources (human and processing) are available, budget, and administrative pain (coupled to how dynamic your user population tends to be).

If you have a small number of employees / hosts / devices, and they tend to not be a high turnover group, the shared key ("WPA-PSK" or "WPA-Personal") works ok. It is strongly recommended that you use a fairly long and complex key (you only have to enter it once during configuration of each client).

If your group changes, and / or it's a larger group, then consider using an "Enterprise" authentication, like PEAP, LEAP, or EAP-FAST which can be tied to your domain server / Microsoft authentication credentials by was of a RADIUS server (like Microsoft IAS, which you probably already have available).

Security-wise, completely rule out MAC filtering (useless, easily defeated), non-broadcast SSID (useless, no security impact, creates problems with many MS Windows clients), and anything using static WEP.

TACACS+ is very good for authentication, but may be overkill for your scenario. Cisco ACS and TACACS+ offer a lot of options, but if you don't need all the options, then it's just adding complexity.

It gets easier when you remember that the link security and encryption (WPA, WPA2) are separate from the user authentication (802.1x delivered via userlist, RADIUS, TACACS+ by way of EAP methods).

The Planet3 book for CWNA published by Osborne is an excellent reference and training guide and covers the essentials (and more) of how all of this fits together and common / best practice implementations.

Good Luck

Scott

View solution in original post

0 Helpful
2 Replies 2

Go to solution
scottmac
Level 11
Level 11

‎02-23-2008 07:22 AM

For link security, if all of your clients support it, use WPA (WPA2 if possible) with AES encryption.

If some clients don't support AES, it's possible to offer TKIP as well.

For client authentication, as usual, it boils down to what resources (human and processing) are available, budget, and administrative pain (coupled to how dynamic your user population tends to be).

If you have a small number of employees / hosts / devices, and they tend to not be a high turnover group, the shared key ("WPA-PSK" or "WPA-Personal") works ok. It is strongly recommended that you use a fairly long and complex key (you only have to enter it once during configuration of each client).

If your group changes, and / or it's a larger group, then consider using an "Enterprise" authentication, like PEAP, LEAP, or EAP-FAST which can be tied to your domain server / Microsoft authentication credentials by was of a RADIUS server (like Microsoft IAS, which you probably already have available).

Security-wise, completely rule out MAC filtering (useless, easily defeated), non-broadcast SSID (useless, no security impact, creates problems with many MS Windows clients), and anything using static WEP.

TACACS+ is very good for authentication, but may be overkill for your scenario. Cisco ACS and TACACS+ offer a lot of options, but if you don't need all the options, then it's just adding complexity.

It gets easier when you remember that the link security and encryption (WPA, WPA2) are separate from the user authentication (802.1x delivered via userlist, RADIUS, TACACS+ by way of EAP methods).

The Planet3 book for CWNA published by Osborne is an excellent reference and training guide and covers the essentials (and more) of how all of this fits together and common / best practice implementations.

Good Luck

Scott

0 Helpful

Go to solution
tilconny1
Community Member
In response to scottmac

‎02-26-2008 11:57 AM

Thank you for the reply as your information was a big help. I bought the book you recommended and it has been a great help with understanding the security confusion.

Thanks again,

Jeff

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card