12-09-2004 01:59 PM - edited 07-04-2021 10:14 AM
Problem:
I currently have a contractor that has presented several solutions regarding a WLAN project I'm working on, though not with a great level of clarity. I don't feel that I'm getting complete information, so I'm hoping you may offer a generalist some help.
I'm currently trying to secure several Cisco 1200 APs that are located at remote sites via a WAN connection. These devices will be connecting to sensitive information that will require encryption, residing on both back-end application servers on Novell and Windows platforms. We currently have an RSA SecurID system running that is receiving user information from Novell through LDAP. Novell's E-Directory is our primary directory service. We are not running DHCP in our current environment.
Our contractor has recommended that we need an ACS 3.3 appliance, to provide Radius services, for our roaming wireless users. Additionally, our vendor has recommended that we utilize Cisco Pix 501s on each remote location, for DHCP and VPN services.
We want wireless users to utilize VPN tunnels and RSA tokens for any connections via wireless.
Questions:
Can we run LEAP within a Novell network? Our vendor is telling us that we must run Microsoft's AD. The reason I have been given to date is that MS-CHAP is needed for LEAP, though I have found forum entries that contradict this statement.
Do I need a Cisco PIX at each remote location entry point for DHCP? I have also seen references to the 1200s ability to provide DHCP services, though this is not an automatic setting.
Doesn't the Cisco ACS 3.3 appliance offer the RADIUS services that are needed to support LEAP? The ACS box can be configured to use LDAP to access E-Directory information.
12-09-2004 02:00 PM
Follow-up question?
Since our WLAN environment is completely Cisco, is it not better for us to run LEAP vs. PEAP? Our contractor wants to implement PEAP instead of LEAP, because we are not using Active Directory.
12-10-2004 03:31 PM
I totally agree that you can configure ACS to use an LDAP. If you do not want to use Active Directory, I suggest you think twice before implementing PEAP (MS-CHAP v2).
I attach EAP-FAST Deployment Guide. Table 1 shows capability of different 802.1x types.
I would like to mention that LEAP is subject to dictionary attack. If you choose LEAP, please implement strong passwords.
AP1200 does not have DHCP capability. I do not know enough on PIX to comment on the PIX question.
12-09-2004 02:09 PM
We use the ACS and are using PEAP, which allows us to authenticate against our Novell. Two issues: 1st, on the PC you need to set up PEAP and set it to GTC. In XP this is easy, and it is a software and not a hardware thing; 2nd, you will have to use a Microsoft Certificate Authority, because Novell's CA is missing an enhancement that the Microsoft CA has and that is required by the ACS.
12-10-2004 03:17 PM
I am interested in your post regarding the Novell CA and Microsoft CA. I have been having problems getting PEAP MSCHAPv2 to work. I am using a NetWare-generated certificate, organizational CA, on the ACS. Could you provide more detail on the differences with a Microsoft CA, or a link with the info? Thanks
12-10-2004 08:33 AM
Perhaps this would work for you:
Since you are communicating via VPN, go with something like WPA-PSK at the remote sites (relieves the burden of RADIUS / CA). As long as the Pre-Shared Key is complex, the chances of break-ins are very low (dictionary / brute force attacks). Worst case: put VPN software on each client.
If you need to bump the security a little higher, replace your remote switches with something that supports 802.1x and / or MAC security.
Use the VPN gateway as your barrier into the network. Then you can continue to use the SecureID and back-end authentication for your ultimate security system (basically, keep what you have, add the APs with WPA-PSK).
You didn't mention how many users at each site, or the type of clients, or the level of traffic you'll have to accommodate ... but the Pix501 is a pretty solid little unit and can handle a fair number of users, especially as a site-to-site VPN.
Because we have some users with NICs that won't do WPA, we've added a second, open / no-auth VLAN to our lab system. The users must then use a VPN client to get into the system through a VPN concentrator. So far, the system has been working well for us (one WPA VLAN, one open connection via VPN).
If you add to the system something like a WLSE, you can monitor the radio and client activity at each site and use it to manage the APs remotely, do firmware updates, watch for rogue clients, etc.
Just another alternative ... it works for us.
FWIW
Scott
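Two replies above turn on the same point: LEAP is dictionary-attackable and needs strong passwords, and WPA-PSK is only as good as the complexity of the pre-shared key. The following Python script is an added example, not code from any of the posters or from Cisco; it derives the 256-bit WPA PSK from a passphrase and SSID exactly as IEEE 802.11i specifies (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations), so an administrator can see that the SSID and the passphrase are the only inputs and that nothing in the derivation compensates for a guessable passphrase. The policy thresholds in `passphrase_meets_policy` (minimum 20 characters, three character classes, a small constructed denylist) and the `generate_passphrase` helper are assumptions for illustration, not anything the thread or the 802.11i standard prescribes.

```python
import hashlib
import secrets
import string

# Constructed denylist standing in for a real common-passphrase list;
# a production check would consult a far larger wordlist.
COMMON_PASSPHRASES = {"password", "12345678", "qwertyuiop", "letmein123"}


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the WPA/WPA2 pairwise master key (PSK) per IEEE 802.11i.

    PSK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes).
    The standard restricts the passphrase to 8-63 printable ASCII characters.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("ascii"), 4096, dklen=32
    )


def passphrase_meets_policy(passphrase: str, min_len: int = 20) -> bool:
    """Assumed site policy for a WPA-PSK passphrase (illustrative thresholds).

    Requires at least `min_len` characters, at least three of the four
    character classes (lower, upper, digit, punctuation), and absence from
    the constructed denylist above.
    """
    if len(passphrase) < min_len or len(passphrase) > 63:
        return False
    if passphrase.lower() in COMMON_PASSPHRASES:
        return False
    classes = [
        any(c.islower() for c in passphrase),
        any(c.isupper() for c in passphrase),
        any(c.isdigit() for c in passphrase),
        any(c in string.punctuation for c in passphrase),
    ]
    return sum(classes) >= 3


def generate_passphrase(length: int = 32) -> str:
    """Generate a random alphanumeric passphrase that satisfies the policy.

    Uses the `secrets` module (CSPRNG). Loops until the policy's class
    requirement is met, which for 32 alphanumeric characters is nearly always
    the first draw.
    """
    alphabet = string.ascii_letters + string.digits
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if passphrase_meets_policy(candidate, min_len=length):
            return candidate


if __name__ == "__main__":
    # IEEE 802.11i Annex test vector: passphrase "password", SSID "IEEE".
    print(wpa_psk("password", "IEEE").hex())
    print("policy ok for 'password':", passphrase_meets_policy("password"))
    strong = generate_passphrase()
    print("generated:", strong, "policy ok:", passphrase_meets_policy(strong))
    print("derived PSK:", wpa_psk(strong, "CORP-WLAN").hex())
```

The derived PSK is what the AP and client actually use in the four-way handshake, so rotating the SSID or re-deriving keys does nothing if the passphrase itself is in a wordlist; the only lever the defender controls is the passphrase's length and randomness, which is what the policy check enforces.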