
New to Wireless Please Help

j-foote
Level 1

We just purchased several 1310s to connect buildings together. The users will connect through the LAN interface on each AP. There will not be any wireless users. The only wireless access should be the APs. Our question is what is the best way to configure security and authentication? We want to authenticate each AP against a Windows IAS server, using EAP, if this is possible. We are setting each end point with a 1721 router to do GRE tunneling to protect user traffic, so I don't know if this is overkill in wanting to implement authentication. We will still use RADIUS authentication for SSH connections to the APs and routers. Any help would be greatly appreciated in pointing us in the right direction.

9 Replies

mchin345
Level 6

Before a wireless client device can communicate on your network through the access point, it must authenticate to the access point using open or shared-key authentication. For maximum security, client devices should also authenticate to your network using MAC-address or EAP authentication, authentication types that rely on an authentication server on your network. For more information, please refer to the following links:

http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_guide_chapter09186a00802085c7.html

http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_guide_chapter09186a00802091b1.html

dixho
Level 6

I assume that you use the 1310s as either point to point bridges or point to multipoint bridges. If this is the case, the best you can do is AES+WPA+LEAP. There is a radius server coming with 12.3(2)JA software. You can use that for authentication. Microsoft IAS does not support LEAP.

The next best solution is to use AES+WPA-PSK. Please remember to disable concatenation when enabling AES.

Thanks for replying. Do you know of any links for setting up your recommendations?

As we recently added AES support, we do not have any link yet. It is very similar to setting up TKIP:

http://www.cisco.com/en/US/partner/products/hw/wireless/ps4570/products_configuration_example09186a00801c40b6.shtml

Select AES+CCMP instead of TKIP in Encryption Manager.

You also need to configure EAP user name in the non-root bridge (i.e. SSID Manager).

Finally, you need to set up local radius server:

http://www.cisco.com/en/US/partner/products/hw/wireless/ps4570/products_configuration_example09186a00801c0912.shtml

Thank you for the information; however, I'm unable to view the webpages. It prompts for my CCO username and password, and when I enter my information, it goes to the Message #401: Authorization Required/Forgotten Password page. Can you send me the info via email? My email is jfoote@vctx.org. Thank you very much.

Just change the word "partner" in the link to "customer" and you should be good.

Could you please clarify the EAP username? I'm assuming it will also need to be set up in the local RADIUS server on the root bridge. Looking at the show run on the root bridge, I see it created several usernames with the MAC address of the non-root bridges as the name. Can I use the same scheme and just create new users with the MAC address as the name and a new password?

You do not configure EAP username on SSID Manager. You create the same username on the root under "radius-server local". If you access the link "LEAP Authentication with Local RADIUS Server", it is step # 5.

I'm sorry, but it's not working when I follow the steps. When I get to LEAP authentication and select WEP encryption, a message appears telling me to set the 'Authenticated Key Management' to 'None' before changing Cipher. It seems that if you configure WPA on the radios, you cannot configure LEAP authentication as outlined on the web site.

Still scratching my head
