cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
721
Views
4
Helpful
2
Replies

Update WLAN Infrastructure

b.eman
Level 4
Level 4

I am looking for opinions on what the best practice would be for my WLAN infrastructure.

I will give a brief overview of our WLAN. Currently we have over 200 Cisco 1200 APs. Since our network has grown so rapidly we currently have no management solution in place for the WLAN. All our wireless clients, over 2,000, have a Cisco VPN client installed on there machine and use a 3030 VPN concentrator to gain access to the corporate LAN.

I am looking for direction on where we should go. Should I scrap the 3030's and use radius with LEAP or EAP?? Is there another solution? Currently right now I just don't have any control of my WLAN. I would like to become more proactive regarding intrusions, rouge APs ect..

Please give me your opinion. I have attached a quick Visio to explain.

Thanks,

1 Accepted Solution

Accepted Solutions

scottmac
Level 11
Level 11

Using a VPN concentrator over an open channel is a valid and secure solution. The only problem I see with it is that other rogues (intentional or accidental) can still associate with the AP, which reduces the resource for valid users. Whether they are moving traffic or not, the AP stilll has to maintain their association.

While it's "fer sher" a non-trivial task to move to another auth/auth system, I believe that you'd be better off moving to an encrypted (WPA/EAP) system.

For the transition, you could set up VLANs, one for open channel/VPN, one for the WPA/EAP clients. I use a similar system in our Lab (open VPN VLAN/WPA encrypted VLAN) to cover the scope of clients we get.

If you keep that system in-place, you can continue to use the 3030s while you pilot the WPA/EAP system and get the operational wrinkles ironed out, Once the WPA/EAP system is solid, keep the 3030s and install a captive portal for guests (use the portal to authenticate, then authorize them to pass through the VPN concentrators).

If you don't already have a RADIUS, then your best bet would probably be ACS for future use of things like 802.11 wireless voice (EAP-FAST).

If you have a decent server/desktop group, you could use EAP-TLS, which requires certificates on the clients, and have the certs pushed out with a Group Policy. Otherwise, PEAP is pretty solid, or EAP-FAST would do just as well.

The system will support multiple authentication / authorization systems, so you could use a mix ... it's just a little harder to support & maintain.

You should absolutely be using the WLSE to help manage a system of that size ... if only to update the IOS on that many APs.

If you're supporting seamless roaming, a WLSM system (Cat6500, Sup 720, WLSM blade) would be a Good Thing too. You can use an AP1200 for the WDS support, but it's limited as to how many devices it can maintain. The WLSM system is (practically) unlimited and expandable as necessary.

As a side note, you have to be careful with the rogue suppression - if you are supporting systems on higher floors, you'll see lots of rogues: all the other compaines using wireless in your neighborhood. If you turn on rogue / Ad-Hoc suppression, you could be causing the other company's clients to disconnect.

To avoid this scenario, a good site survey and proper antenna/power management will reduce the number of rogues you see, and reduce the number of "interference events" you're likely to experience (or cause).

I hope you find this helpful ....post some additional details as perhaps we can dial in a more specific recommendation.

Good Luck

Scott

View solution in original post

2 Replies 2

scottmac
Level 11
Level 11

Using a VPN concentrator over an open channel is a valid and secure solution. The only problem I see with it is that other rogues (intentional or accidental) can still associate with the AP, which reduces the resource for valid users. Whether they are moving traffic or not, the AP stilll has to maintain their association.

While it's "fer sher" a non-trivial task to move to another auth/auth system, I believe that you'd be better off moving to an encrypted (WPA/EAP) system.

For the transition, you could set up VLANs, one for open channel/VPN, one for the WPA/EAP clients. I use a similar system in our Lab (open VPN VLAN/WPA encrypted VLAN) to cover the scope of clients we get.

If you keep that system in-place, you can continue to use the 3030s while you pilot the WPA/EAP system and get the operational wrinkles ironed out, Once the WPA/EAP system is solid, keep the 3030s and install a captive portal for guests (use the portal to authenticate, then authorize them to pass through the VPN concentrators).

If you don't already have a RADIUS, then your best bet would probably be ACS for future use of things like 802.11 wireless voice (EAP-FAST).

If you have a decent server/desktop group, you could use EAP-TLS, which requires certificates on the clients, and have the certs pushed out with a Group Policy. Otherwise, PEAP is pretty solid, or EAP-FAST would do just as well.

The system will support multiple authentication / authorization systems, so you could use a mix ... it's just a little harder to support & maintain.

You should absolutely be using the WLSE to help manage a system of that size ... if only to update the IOS on that many APs.

If you're supporting seamless roaming, a WLSM system (Cat6500, Sup 720, WLSM blade) would be a Good Thing too. You can use an AP1200 for the WDS support, but it's limited as to how many devices it can maintain. The WLSM system is (practically) unlimited and expandable as necessary.

As a side note, you have to be careful with the rogue suppression - if you are supporting systems on higher floors, you'll see lots of rogues: all the other compaines using wireless in your neighborhood. If you turn on rogue / Ad-Hoc suppression, you could be causing the other company's clients to disconnect.

To avoid this scenario, a good site survey and proper antenna/power management will reduce the number of rogues you see, and reduce the number of "interference events" you're likely to experience (or cause).

I hope you find this helpful ....post some additional details as perhaps we can dial in a more specific recommendation.

Good Luck

Scott

Scott, you have been a great help. I like the idea of transitioning over form the 3030's to WPA/EAP using VLANs, Good idea!

I will also try to implement the WLSM blade in our 6509's for a more manageable solution.

Thanks for your help that is what I was looking for.

Review Cisco Networking for a $25 gift card