
Need help - security issue

johannf
Level 1

Hello, we have a WLAN with 25 Cisco APs. We use only a static WEP and need to strengthen our security.

We have:

Cisco 350 and 1200 APs

Cisco ACS 3.0 RADIUS server

A lot of different client cards, most of them running XP SP1/SP2

We want to configure the clients as little as possible. Does anyone have a suggestion on how we can do things to increase the security?

Regards

Johann Folkestad

1 Reply

dixho
Level 6

I am not sure if I can give you an answer you would like. In general, you want to use one of the 802.1x types for authentication. Then, you use WPA (TKIP) for key management.

The Cisco APs support almost all 802.1x types. The real problem is that not all clients support every 802.1x type.

LEAP and EAP-FAST are 802.1x types from Cisco. You either have Cisco wireless adapters (i.e. 350 and CB21AG, but CB21AG does not support EAP-FAST yet), a CCXv1 compliant adapter for LEAP support, or a CCXv3 compliant adapter for EAP-FAST. You also need to upgrade the ACS for LEAP or EAP-FAST support.

You can use PEAP MS-CHAP v2, but you need to install certificates on the ACS and make the wireless clients trust the CA issuing the certificate. On top of it, I do not think that low-end wireless adapters support PEAP MS-CHAP v2.

I rule out EAP-TLS because you need to install a certificate on every single PC.

Another possibility is PEAP-GTC. Only Cisco wireless adapters and CCX v2 compliant adapters support PEAP-GTC.

WPA-PSK is another possibility outside 802.1x and not as secure as 802.1x. However, not all wireless adapters support it. At least the Cisco 350 wireless adapter does not support it.

In short, you need to find out what wireless adapter you want to support. Then, pick one of the above.
