08-12-2004 11:36 AM - edited 07-04-2021 09:53 AM
We are a small university campus that has approximately 23 Cisco 1200 access points. Until now the wireless portion of the network has been completely open. We are trying to implement WEP (40 bit) on the AP's. We know that this does very little to "secure" the network, but for now, this is what we are choosing to do. I am trying to segment the campus by students, staff & faculty, and a test segment. I have tried using 1 SSID with 3 WEP keys, unable to get that working (UNLESS the client has Aironet Client Utility installed so all 3 keys can be entered. But since our client devices are not all Cisco, this won't work). Also tried 3 SSID's with a different WEP key for each. At first, for each SSID I had the WEP key on channel 1, thinking that may be what's causing the problem, I changed that. I put the WEP key for SSID 1 on channel 1, SSID 2 on channel 2, SSID 3 on channel 3. Still not able to get all devices working on all the SSID's. If I am not mistaken, you can only broadcast 1 SSID?
If anyone has any suggestions, I would GREATLY appreciate them!
Thanks-
08-12-2004 12:22 PM
Just to clear things up for me, you want to implement a minimal security setup using static WEP, but want to have 3 levels of access? I am assuming you plan to pass the WEP key out to the specific users. I also assume that you are not going to use any user authentication or infrastructure authentication, other than the static WEP key. Your use of the term channels is confusing, I am guessing you mean WEP keys entries, as channels apply to the radios.
Here are some suggestions to safeguard your network. Configure all of your 1200 APs (and any other Cisco APs) for WDS. Pick 1 or 2 of them and use those for the WDS services. This will help protect your infrastructure, and help you keep rogue APs to a minimum. Instead of using WEP, why not use WPA-PSK (pre-shared key), on the AP it is Cipher-TKIP. This is more secure and you can do more stuff with it. You do not need additional servers to do this, the 1200s have this as a function. You will need to configure one or two of them for the RADIUS servers for this. Use VLANs to separate the users, which will allow separate SSIDs for each type of user, and allow for different WPA-PSKs! Since not all clients will have Cisco cards, be sure to uncheck the Cisco Aironet Extensions box on each AP. Below are some links that should help. Good luck.
To configure the RADIUS server on the AP:
A good link for security definitions:
How to configure the different security measures on the AP:
How to configure WDS on the APs: (You can ignore the ACS part, since you are not using it)
08-12-2004 02:06 PM
Thank you for your suggestions. They are GREATLY appreciated! My hands are tied as far as what I need to get configured on the wireless. My manager wants the campus segmented into those 3 groups and he wants it done either by 1 SSID and 3 WEP keys or 3 SSID's each with its own WEP key. I tried suggesting RADIUS, but was quickly corrected.
Yes, we will be providing the key to specific users, yes again to the channels being WEP keys.
As far as the user authentication, my manager is going to use VMPS? He is going to head that project up so I don't know much about it. Maybe that is why he is not wanting to do anything with RADIUS? I am going to say that there will be about 300 students that will be using wireless on campus & the timeline is short. We ideally will have this implemented before school starts at the end of the month.
08-13-2004 04:27 AM
If you are limited to what you can do, then the easiest way to do this would be to have 3 SSID's with their own WEP keys. This will use separate VLANs for each SSID. Check the links below. Be sure to have the latest IOS version on your AP's.
How to configure VLANs:
Overall information for configuration:
08-20-2004 03:00 PM
You say that "you will need to configure one or two of them for the RADIUS servers for this."
If you mean WPA-PSK, then this is incorrect. WPA-PSK does not require a RADIUS/AAA/ACS server.
WPA does require a RADIUS server, because now you are not sharing a key, you are using EAP for authentication.
I too would recommend WPA-PSK instead of WEP. If you have an ACS server, I would probably go further and recommend WPA.
One caveat: WPA tends to work best if you have Windows XP for clients. Windows 2000 does not have WPA support, no matter how current you are with patches or service packs. With Windows 2000, you are completely at the mercy of the wireless adapter vendor and the software configuration utility that is available for the card.
Also, it is important to have the latest drivers for your adapter and the WPA patch.
08-20-2004 03:03 PM
Just to be clear, the WPA patch is available only for XP, not for Windows 2000.
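An added example, not code from this thread or from Cisco, illustrating why WPA-PSK works without a RADIUS server: the AP and each client compute the same 256-bit key locally from the passphrase and the SSID using PBKDF2-HMAC-SHA1 with 4096 iterations, as defined in IEEE 802.11i. The SSID names and passphrases in `PLAN` are constructed for illustration.

```python
import hashlib
import hmac
import struct


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA-PSK: PBKDF2-HMAC-SHA1(passphrase, ssid, 4096, 32)."""
    if not 8 <= len(passphrase) <= 63 or any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be 8-63 printable ASCII characters")
    salt = ssid.encode()
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1-32 bytes")
    pw = passphrase.encode("ascii")
    key = b""
    block = 1
    while len(key) < 32:  # SHA-1 yields 20 bytes, so two blocks are needed
        u = hmac.new(pw, salt + struct.pack(">I", block), hashlib.sha1).digest()
        t = int.from_bytes(u, "big")
        for _ in range(4095):  # XOR together all 4096 chained HMAC outputs
            u = hmac.new(pw, u, hashlib.sha1).digest()
            t ^= int.from_bytes(u, "big")
        key += t.to_bytes(20, "big")
        block += 1
    return key[:32]


# Constructed sample plan: one SSID and passphrase per campus segment.
PLAN = {
    "students": "constructed-student-phrase",
    "staff-faculty": "constructed-staff-phrase",
    "test": "constructed-test-phrase",
}


def derive_plan(plan: dict) -> dict:
    """Derive one PSK per SSID and refuse a plan where two segments share a key."""
    keys = {ssid: wpa_psk(pw, ssid) for ssid, pw in plan.items()}
    if len(set(keys.values())) != len(keys):
        raise ValueError("two segments ended up with the same key")
    return keys


if __name__ == "__main__":
    for ssid, key in derive_plan(PLAN).items():
        print(f"{ssid:14s} {key.hex()}")
```

Because the SSID is the salt, the same passphrase on two SSIDs still produces two different keys, but everyone who knows a segment's passphrase holds that segment's key.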