Business wireless questions...

DriveX

Junior Member
Dec 3, 2001
22
0
0
I have been charged with the feat of setting up a secure wireless network for our entire office. I have identified 5 common area locations where an AP would fit well.

Currently we have a test AP on our public switch (before the firewall) and users must log into our VPN after they associate with the AP in order to access any internal resources. However, they cannot access the internet. While this is the most secure, I think setting up a proxy to allow people to get back outside is sort of a hack.

What I want to do is set up these 5 APs through internal switches, enable MAC filtering, WPA2, put all the APs on their own subnet, and call it a day. I have access to all of the MAC addresses for every wireless device, so after entering them all into one AP, it would be nice to be able to export that config file and upload it to every other AP.

Is this the way most other companies implement a wireless solution? Are there better ways?
 

nweaver

Diamond Member
Jan 21, 2001
6,813
1
0
We have Cisco 1231's with WPA2, Eap-Fast with AD Username/Password authentication (may . There will also be a second VLAN/SSID for customer/guest access. This will all be tied together with authentication timeouts and broadcast key rotation using the Cisco ACS server. 2 APs (A/G) and the ACS 4 software runs about 7K
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
Originally posted by: nweaver
We have Cisco 1231's with WPA2, Eap-Fast with AD Username/Password authentication (may . There will also be a second VLAN/SSID for customer/guest access. This will all be tied together with authentication timeouts and broadcast key rotation using the Cisco ACS server. 2 APs (A/G) and the ACS 4 software runs about 7K

that is how I'm used to securing a business wireless.
 

spyordie007

Diamond Member
May 28, 2001
6,229
0
0
We have Proxim AP600s doing dynamic WPA with 802.1x/PEAP (MS-CHAP v2 authentication against RADIUS). We intentionally do not support guests/customers on our wireless. We already have RADIUS and a PKI, so the only extra hardware cost for us was the APs; our total cost was around $7500 for ~25 APs.

I don't get some of the cooler management features that you would get with a Cisco solution (i.e. the rogue AP detection maps); however, my solution is more compatible with devices (i.e. we have barcode reader/PPCs in our warehouses that use the WLAN). The major reason for going this way, however, was cost (we were looking at almost $40k for the Cisco solution).

I suggest against MAC authentication; management of it will become a headache.

Erik
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
Agree on the "don't mess with MAC authentication".

The Cisco and Proxim solutions are probably the best out there. Either way you'll be doing RADIUS authentication (probably using Windows ID and password).

Not to push Cisco any more, as I try to stay vendor neutral (it's just where I have most of my experience), but their newer wireless solutions with lightweight access points and a wireless controller are very slick and not very expensive.
 

nweaver

Diamond Member
Jan 21, 2001
6,813
1
0
Cisco has great support for many barcode readers. Intermec has a whole line of stuff that is CCX Certified.
 

spyordie007

Diamond Member
May 28, 2001
6,229
0
0
Originally posted by: nweaver
Cisco has great support for many barcode readers. Intermec has a whole line of stuff that is CCX Certified.
The barcode readers we were using at the time (older Symbol PPCs) didn't support LEAP; but our newer models probably do.

Erik
 

FreshPrince

Diamond Member
Dec 6, 2001
8,361
1
0
I'm one of those people that will probably never implement wireless for my type of business. Which is why I can't speak about this topic as well as others here can.

however, I came across this product when I researched our hardware load balancers and it looks like a champ for implementing enterprise class wireless.

Foundry IronPoint

good reading material - even if you don't get the ironpoint, it has some good suggestions on how to implement enterprise class wireless.

Again, I'm not a foundry fanboi, but this product really caught my eye and almost convinced me to go wireless for my network.
 

nweaver

Diamond Member
Jan 21, 2001
6,813
1
0
Originally posted by: spyordie007
Originally posted by: nweaver
Cisco has great support for many barcode readers. Intermec has a whole line of stuff that is CCX Certified.
The barcode readers we were using at the time (older Symbol PPCs) didn't support LEAP; but our newer models probably do.

Erik

Cisco APs had a "mixed mode" setting so you could do LEAP/WEP and unencrypted, or you could do a second SSID with lesser security.
 

spyordie007

Diamond Member
May 28, 2001
6,229
0
0
Originally posted by: spidey07
for those reading the thread - LEAP later became what we call WPA.
What? This doesn't make sense.

LEAP = a type of Radius EAP protocol (EAP type 17); it's used for authentication.
http://lists.cistron.nl/pipermail/cistron-radius/2001-September/002042.html

WPA = a way of securing wireless networks that replaces WEP (due to issues with its security implementation); it's used for encrypting the traffic.
http://en.wikipedia.org/wiki/Wi-Fi_Protected_Access

You can (and typically do) use WPA with LEAP; LEAP authenticates the client and then the session gets secured using WPA. However, WPA can also be used in conjunction with PEAP (as I'm doing in my implementation). You can also use WPA with static keys much the same way as you can with WEP.

LEAP ≠ WPA; they are separate protocols.
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
If you'll recall what was going on at the time (WEP not being good enough and no industry standard developed to fix it) Cisco came out with LEAP, and of course the rotating encryption keys.

They are of course separate protocols, but WPA took Cisco's LEAP approach and made it a standard.
 

spyordie007

Diamond Member
May 28, 2001
6,229
0
0
Actually when LEAP was first introduced it used dynamic per-user, per-session WEP keys:
http://www.shis.uth.tmc.edu/helpdesk/FAQs/LEAP.cfm

It wasn't until WPA had a broader base of support that Cisco gave the ability to do LEAP with WPA.

WPA has no more to do with LEAP than DNS has to do with DHCP. They are different protocols that carry out different functions, the only "association" between the two is that they frequently get used in conjunction with one another to secure wireless infrastructures.

I'm not trying to argue semantics here; just trying to clarify the protocols for the nice people

Erik
 

nweaver

Diamond Member
Jan 21, 2001
6,813
1
0
Leap also offered (later) CKIP and CMIC options, that started stamping packets and vastly added to the LEAP+CKIP/CMIC/WEP security.

If you want awesome stuff, check out Cisco's CCKM fast roaming.
 

randal

Golden Member
Jun 3, 2001
1,890
0
71
Unfortunately, I know not so much about hardcore wireless engineering, only long-range ISP style wireless.

Hope it isn't on the CCIE exam here in a few years.

* <--- knows it will be and sighs*
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
Originally posted by: randal
Unfortunately, I know not so much about hardcore wireless engineering, only long-range ISP style wireless.

Hope it isn't on the CCIE exam here in a few years.

* <--- knows it will be and sighs*

have fun with voice, hardcore QoS, wireless, mpls

*sigh*
 

randal

Golden Member
Jun 3, 2001
1,890
0
71
Originally posted by: spidey07
Originally posted by: randal
Unfortunately, I know not so much about hardcore wireless engineering, only long-range ISP style wireless.

Hope it isn't on the CCIE exam here in a few years.

* <--- knows it will be and sighs*

have fun with voice, hardcore QoS, wireless, mpls

*sigh*
Well, voice, QoS & MPLS and a bazillion routing protocols are things I deal with daily. Unfortunately, we don't have a single access point anywhere in our datacenter. OH wait, that's not true, we have one in our breakroom/lounge that allows port 80 w/ SPI and has like WEP-64.

If it's not Motorola Canopy, Redline, Alvarion, Proxim etc. long-range wireless, I am F'd. Time to buy more books and to spend some company money on wireless things.

It seems like it never ends. How does anyone keep up without living in a lab?
 

spyordie007

Diamond Member
May 28, 2001
6,229
0
0
It seems like it never ends. How does anyone keep up without living in a lab?
Never ends is about right. I probably spend 15% of my time training, researching and testing in the lab :roll:
 

nweaver

Diamond Member
Jan 21, 2001
6,813
1
0
Originally posted by: spyordie007
Wait, don't tell me, Cisco's version of TKIP?

Why does Cisco always have to create their own version of protocols?

1. CKIP is pre-TKIP, solving the exact problems solved by TKIP. They also support TKIP, but they had a solution in the game for their customers before a solution was turned into a standard.

And Cisco creates their own versions to solve problems. Many of Cisco's proprietary solutions find (at least in part) a permanent home in the standards. Cisco is (imho) pushing the envelope on wireless right now. With the integration of NAC and CAC stuff in their systems, and required for CCX compatibility certs, they are moving the entire industry forward.
 
Aug 22, 2004
107
0
0
Originally posted by: nweaver
Originally posted by: spyordie007
Wait, don't tell me, Cisco's version of TKIP?

Why does Cisco always have to create their own version of protocols?

1. CKIP is pre-TKIP, solving the exact problems solved by TKIP. They also support TKIP, but they had a solution in the game for their customers before a solution was turned into a standard.

And Cisco creates their own versions to solve problems. Many of Cisco's proprietary solutions find (at least in part) a permanent home in the standards. Cisco is (imho) pushing the envelope on wireless right now. With the integration of NAC and CAC stuff in their systems, and required for CCX compatibility certs, they are moving the entire industry forward.

Yea, I totally agree that a lot of Cisco's proprietary solutions find homes in the standards.
Correct me if I'm wrong, but didn't Cisco also create IPSec, which is a required part of IPv6?
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
Originally posted by: spyordie007
Wait, don't tell me, Cisco's version of TKIP?

Why does Cisco always have to create their own version of protocols?

A lot of times (most) there is a need in the industry that a standard doesn't exist for. Vendors create their own way of doing things and then sit on the committees and argue that their way of doing things is the way to go/standardize. All the networking companies have proprietary protocols.

If you look at the RFCs however you'll notice that cisco engineers have written the lion's share of them. They're heavy in the IEEE as well. Their market share and pool of talent allow them to shape and move the industry. Similar to what microsoft and oracle do.

That being said, I don't like proprietary anything but will use it if I have to.
 

DriveX

Junior Member
Dec 3, 2001
22
0
0
Well, after lots of research, playing with an AD server, and getting a demo access point, here's where I finally ended up.

Cisco 1231 APs using WPA2 key management, AES encryption, PEAP authentication to RADIUS on our AD server with MS-CHAP v2, all on their own subnet.

The reason I'm using PEAP is because that's the only thing that the XP wireless client can use. I am still debating going with EAP-FAST, but I've heard some issues with it. I'd also have to use the Intel PRO Wireless client that is installed on many of our Dell Latitude laptops and import a profile.

I have one more question off the top of my head... can I use the same SSID for all of the APs and the clients will just connect to the one with the highest signal strength? I found a section in the Cisco web interface that says "Set Infrastructure SSID" and "Force Infrastructure Devices to associate only to this SSID." Is this what I'm looking for so that all of the APs appear as one SSID to our users?

Thanks!!

PS: Does this sound like a reasonable approach to a wireless solution?
 

DriveX

Junior Member
Dec 3, 2001
22
0
0
Originally posted by: nweaver
We have Cisco 1231's with WPA2, Eap-Fast with AD Username/Password authentication (may . There will also be a second VLAN/SSID for customer/guest access. This will all be tied together with authentication timeouts and broadcast key rotation using the Cisco ACS server. 2 APs (A/G) and the ACS 4 software runs about 7K

I'm not sure how to set up my AD/Server2k3 to work with EAP-FAST. Do I need certificate services installed?
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
You'll need to set up WDS (search Cisco) and have all SSIDs the same.

this will allow your clients to roam seamlessly between access points and not lose a connection. The one stipulation is all the APs need to be on the same layer2 network (ip subnet). If you want to roam across layer3 boundaries you need another piece of equipment (depending on if you're doing IOS or LWAPP)
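As an added example, not taken from any post in this thread, here is what the design DriveX settled on (WPA2 key management, AES-CCM, 802.1X/PEAP to a RADIUS server on the AD box, APs on their own VLAN/subnet, one SSID on every AP, WDS for roaming) looks like as an autonomous IOS configuration for a single 1231 AP. The hostname, VLAN 20, the RADIUS address 192.0.2.10, the SSID "CORP" and the shared secrets are placeholder assumptions; the wlccp lines are what registers this AP with a separate WDS AP and are written from memory of the IOS WDS syntax, so check them against the WDS configuration guide for the IOS release actually on the APs.

```cisco
! Added example: autonomous IOS (12.3 JA) config for one Cisco 1231 AP.
! All names, addresses and secrets below are placeholders, not values from the thread.
hostname AP-LOBBY
!
aaa new-model
! RADIUS group pointing at IAS on the AD/Server 2003 box (assumed address)
aaa group server radius rad_eap
 server 192.0.2.10 auth-port 1812 acct-port 1813
! method list used for 802.1X/EAP (PEAP + MS-CHAPv2 is negotiated inside EAP,
! so the AP does not need to know the inner method)
aaa authentication login eap_methods group rad_eap
aaa authentication login default local
!
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key CHANGE-ME-RADIUS-SECRET
!
! One SSID, identical on every AP, so clients simply associate with the
! strongest AP; the SSID is bound to the wireless-only VLAN.
dot11 ssid CORP
 vlan 20
 authentication open eap eap_methods
 authentication key-management wpa version 2
 guest-mode
!
interface Dot11Radio0
 ! WPA2 with AES-CCMP only; no TKIP, no static keys, no MAC filter
 encryption vlan 20 mode ciphers aes-ccm
 ssid CORP
 station-role root
!
interface Dot11Radio0.20
 encapsulation dot1Q 20
 bridge-group 20
!
interface FastEthernet0.20
 encapsulation dot1Q 20
 bridge-group 20
!
! WDS registration for fast roaming between APs on this same layer-2 network.
! On the AP acting as WDS add "wlccp wds priority 255 interface BVI1" and the
! "wlccp authentication-server infrastructure eap_methods" /
! "wlccp authentication-server client any eap_methods" lines.
wlccp ap username wds-infra password CHANGE-ME-WDS-PASSWORD
```

VLAN 20 is trunked up to the switch and terminated on the firewall/router, which is what gives the wireless clients their own subnet and lets the firewall policy decide what they may reach internally and on the Internet. Copying this file to the other four APs needs only the hostname (and any static management address) changed, which is the "configure once, load everywhere" approach DriveX was after, minus the MAC list the other posters advised against.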
 