
Recommendation for securing Wireless AP

j.arthur
Level 1

I have run into a "how to" problem that I haven't been able to find help on.

We are a School Administration site and on occasion we have Administrators from other districts from throughout the state come in for meetings.

My administration would like to provide wireless access for this purpose. The problem is allowing these administrators access, when they are not part of our domain and do not have the certificates necessary for authentication. We would also like to keep the set-up/administration of the visiting administrators' computers to a minimum.

Within a test lab we have configured PEAP, but it requires a server certificate to be on each client machine. We have looked into EAP-FAST, but ran into issues with having to have ACU installed on the client machines. Tried LEAP, but had issues with it being proprietary.

We have an ACS server 3.3 and 1200 AP 12.3(2).

We are looking to do this in the most secure way and are open to any suggestions or solutions. Thanks,

1 Reply

jkemery
Level 1

I suggest setting up a separate VLAN on your network. Use ACLs at your router to control access to and from this VLAN. Then trunk your APs to your switches and create a new SSID on this new VLAN. Under this SSID you can set up standard WEP and just do MAC authentication with your ACS server. Have the administrators give you their wireless MAC and you give them the SSID and WEP keys in return.

This is the most secure you can get without EAP and keep those associated (non-trusted) PCs off your production network.

Make sure you don't broadcast the SSID and don't use VLAN 1 or the new VLAN as the native vlan on the switchport and WAP. Set your management VLAN (hopefully it's not VLAN 1) as the native vlan.

Hope that helps.
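The switch and router side of the layout described in the reply above, as an added example that is not part of the original thread and covers only the trunk port and the guest-VLAN ACL, not the AP or ACS configuration. The VLAN IDs (10 for management, 20 for guests), interface names, addresses and the ACL name are assumptions, as is the premise that internal networks use RFC 1918 space and guests resolve DNS through an external resolver.

```cisco
! Constructed example. VLAN 10 = management (native), VLAN 20 = guest wireless.
! All VLAN IDs, interface names, addresses and the ACL name are assumptions.

! --- Switch port facing the AP ---
interface FastEthernet0/1
 description Trunk to 1200 AP
 ! Encapsulation command is needed only on switches that also support ISL
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ! Native VLAN is the management VLAN, not VLAN 1 and not the guest VLAN
 switchport trunk native vlan 10
 ! Carry only the VLANs the AP needs
 switchport trunk allowed vlan 10,20

! --- Router: guest VLAN subinterface and inbound ACL ---
ip access-list extended GUEST-IN
 remark Let guests obtain an address by DHCP
 permit udp any eq bootpc any eq bootps
 remark Keep guests off internal (RFC 1918) networks
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 remark Everything else is Internet-bound
 permit ip any any
!
interface FastEthernet0/0.20
 description Guest wireless VLAN
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
 ip access-group GUEST-IN in
```

Because the guest subnet itself falls inside 192.168.0.0/16, the same ACL also stops guests from reaching the router's own guest-side address for anything other than DHCP.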
