cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1682
Views
5
Helpful
4
Replies

Most secure way to allow IOT devices that require WPA?

aeccles
Level 1
Level 1

Our org just acquired 2 sets of IOT devices that wouldn't connect to our existing SSIDs. 

 

The first SSID "Employee" has the following settings:

Layer 2 Security: WPA + WPA2

WAP2 Policy

WPA2 Encryption - AES

PSK

FT PSK

 

The second SSID "Guest" is open with no security.  It is segmented and routed out a different internet connection.  There is no access between this network and the rest of my network.

 

There are 3 other SSIDs but those have specific network/routing scenarios and cannot be used.

 

After playing around with settings, I found that the devices will connect to an SSID when I enable WPA Policy &  WPA Encryption - AES.  And after talking to the manufacturer, found that the IOT devices cannot connect to SSIDs that do not have passwords.  So, this explains why they won't connect the these two SSIDs.  Unfortunately, I need them to connect

 

The IOT devices need to be accessible to/from my enterprise network - basically, devices connecting to my "Employee" SSID need to be able to interact with them.  Creating another SSID would be simple, but I want to be mindful of security issues AND I am also trying to limit the number of SSIDs I have since I'm already at 5.  So.... the question is, what is the best way to allow an SSID with only WPA and WPA Encryption, and allow those devices access to/from devices on my Employee SSID (which has a great deal of network access)? 

 

Thank you

 

4 Replies 4

JPavonM
VIP
VIP

Create separate SSIDs and whatever configuration mode you are using (local or flexconnect) map Employees and IoT SSID to the same VLAN.

HTH

-Jesus

Wouldn't that effectively be the same as adding WPA support to my existing Employee SSID?

from an IP address perspective, yes. From a wlan perspective, no. You would be able to keep the one-off settings for IoT separate from your employee wlan. You could implement any other security type measures on the IoT wlan (mac filtering, acls, etc) without worry about hosing your employees

Leo Laohoo
Hall of Fame
Hall of Fame

@aeccles wrote:

So.... the question is, what is the best way to allow an SSID with only WPA and WPA Encryption, and allow those devices access to/from devices on my Employee SSID (which has a great deal of network access)? 


That is one very dangerous IoT (Internet of Trash) client.  I would keep that away from any network devices as possible.  If it "has to" be in, then firewall it in it's own little subnet with one way out.  

Ransomware crew can easily find this device chatting to the internet and can, without any difficulties, use it as an ingress point.  

Review Cisco Networking for a $25 gift card