01-22-2005 10:26 AM - edited 07-04-2021 10:22 AM
Hi,
Does anyone know if the 1200 series Cisco access points support EAP authentication with fixed WEP keys? I've got a customer of mine with 500+ brand new field PCs, with no PCMCIA or PCI slots and no embedded wireless hardware. Now he wants to go wireless with the highest degree of security, but the only choice we have is to plug a wireless adapter into the Ethernet interface. However, no wireless adapter supports dynamic WEP keys, so the customer says applying an EAP method with static WEP keys should be enough security, but in our labs we weren't able to make it work with a 1230 Cisco AP and IOS 12.3(2).
Tnx,
Massimo Baschieri
01-22-2005 05:45 PM
Absolutely.
The following is from one of my 350 APs...
The 802.11b int (D0) has its encryption set to mandatory WEP with a static key in slot 1.
The first service set (ssid noeap) is for a couple of old legacy WLAN adapters with no EAP support.
The second service set works for both EAP/PEAP and EAP/EAP-FAST, authenticating through a RADIUS server.
It's just my personal opinion, but I would dump 12.3(2) and stay with 12.2(15)XR2
On the clients I use Funk's Odyssey client, which allows me to set up login/network profiles.
I have the RADIUS re-keying every 30 minutes or so and am of the opinion that this would be a reasonably secure WLAN setup.
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption key 1 size 128bit xxx transmit-key
encryption mode wep mandatory
!
ssid noeap
authentication open
accounting acct_methods
!
ssid eapPEAP eapEAP-FAST
authentication open eap eap_methods
authentication network-eap eap_methods
accounting acct_methods
01-23-2005 11:58 PM
Hi David, tnx for your reply.
My setup is almost identical to yours except that I'm working on a 1230 with 12.3(2) and I'm using VLANs. This is my setup:
encryption key 1 size 128bit xxxx transmit-key
!
encryption vlan 1 mode wep mandatory
!
ssid tsunami
vlan 1
authentication open eap eap_rad
authentication network-eap eap_rad
And this is what I receive from the AP:
Jan 24 08:54:59.622: %DOT11-7-AUTH_FAILED: Station 0000.8661.2192 Authentication failed
Jan 24 08:55:04.964: AAA/BIND(0000000F): Bind i/f
I've tried to get rid of vlans without any luck.
Bye,
Max
01-24-2005 08:16 AM
Hi,
Sounds like these are non-cisco cards.
Have you tried turning off Aironet extensions?
-----
Issues with NON Cisco clients trying to associate
Aironet extensions are enabled by default to detect the capabilities of Cisco Aironet client devices for features such as load balancing, MIC, TKIP, Repeater Mode, World Mode and Limiting the power level on an associated device, see:
This can also affect the ability of non-Cisco clients to associate with the AP.
To turn off Aironet extensions:
interface dot11radio 0
no dot11 extension aironet
HTH
PD
01-24-2005 09:45 AM
Hi Patrick, tnx for your reply.
Yes, it's not a Cisco card; more precisely, it is an Ethernet-to-wireless adapter from Axis. At the moment it is the only one I have.
I've tried a cisco card but it doesn't allow me to configure a static wep key when I enable .1x auth.
Anyway aironet extensions are disabled.
Tnx again,
Max.
01-25-2005 06:01 AM
Would you happen to know of any free client software?
01-25-2005 06:38 AM
In fact I'm trying with the WinXP EAP-PEAP and EAP-TLS native client. I'm waiting for an Odyssey license; are you saying that will make the difference?
Tnx,
Max.
01-25-2005 07:56 AM
Your encryption statements are incorrect...
In your example it appears that you are missing the vlan parameter for your encryption key slot 1...
encryption vlan 1 key 1 size 128bit, etc, etc
Either add the above to your RF interface or remove the
encryption vlan 1 mode wep mandatory
and replace with
encryption mode wep mandatory
They have to match.
Don't enable VLANs unless you plan on using multiple SSIDs.
DaveFromPeg
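Added example, not part of the thread and not Cisco tooling: a small Python check for the rule stated in the last reply, that the `encryption ... key` and `encryption ... mode` statements on a radio interface must carry the same VLAN scope. It assumes a static-key setup like the one discussed here, where every scope has both statements; the function names and the sample config are constructed for illustration.

```python
import re

# Constructed sample: the radio config posted in the thread (key value elided as on the page).
MISMATCHED = """\
interface Dot11Radio0
 encryption key 1 size 128bit xxxx transmit-key
 encryption vlan 1 mode wep mandatory
 ssid tsunami
  vlan 1
  authentication open eap eap_rad
  authentication network-eap eap_rad
"""

# Matches "encryption [vlan N] key K ..." and "encryption [vlan N] mode ...".
ENC = re.compile(r"^encryption\s+(?:vlan\s+(\d+)\s+)?(key\s+\d+|mode)\b")


def encryption_scopes(config):
    """Collect the VLAN scope of each key and mode statement (None = no vlan keyword)."""
    scopes = {"key": set(), "mode": set()}
    for line in config.splitlines():
        m = ENC.match(line.strip())
        if m:
            kind = "key" if m.group(2).startswith("key") else "mode"
            scopes[kind].add(m.group(1))
    return scopes


def check(config):
    """Report every scope that has a key statement without a mode statement, or the reverse."""
    s = encryption_scopes(config)
    problems = []
    unmatched = s["key"] ^ s["mode"]  # scopes present on one side only
    for scope in sorted(unmatched, key=lambda v: (v is not None, v or "")):
        have = "key" if scope in s["key"] else "mode"
        missing = "mode" if have == "key" else "key"
        where = "no vlan" if scope is None else f"vlan {scope}"
        problems.append(
            f"{have} statement scoped to {where} has no matching {missing} statement"
        )
    return problems


if __name__ == "__main__":
    for problem in check(MISMATCHED):
        print(problem)
```

Either change proposed in the reply (adding `vlan 1` to the key statement, or dropping it from the mode statement) makes `check` return an empty list.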