Wireless Bridges - Security Recommendations?

estein
Level 1

We are going to set up some Cisco 1310 wireless bridges at a few sites - a Root Bridge outside a main building, and a Workgroup Bridge at a remote trailer that provides an Ethernet connection to a switch within the trailer.

We're debating what wireless security to use for the point-to-point wireless connection, with WPA-PSK at the top of the list. Our laptop users use WPA.

I'm wondering - what have other folks deployed in this scenario, and what have your experiences been with it? Any input / suggestions are much appreciated!

Accepted Solution

srosenthal
Level 4

I would go with WPA-PSK and use AES encryption as the cipher. Be sure to pick a very strong PSK: +10 characters, alphanumeric and special characters.

While there is some overhead, it is worth the security of the data.

An 802.11g network will have a total effective throughput of about 20 Mbps after encryption is added.

This may seem low, but remember that 802.11 is half duplex.

Of all the sites that I have set up with this exact configuration, no one has complained of slowness.

Seth Rosenthal CWNE #55
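Added example, not part of the original post: a Python sketch that checks a candidate passphrase against the WPA-PSK limits (8 to 63 printable ASCII characters) and the answer's advice (read here as 10 or more characters with letters, digits and special characters), generates a random one, and derives the 256-bit key from passphrase and SSID. The function names, the `SPECIALS` set and the `BRIDGE-LINK` SSID are assumptions made for illustration.

```python
import hashlib
import secrets
import string

# Constructed set of special characters; quotes, '?' and spaces are left out
# because device CLIs and web forms often mishandle them (assumption).
SPECIALS = "!#$%&()*+,-./:;<=>@[]^_{|}~"
ALPHABET = string.ascii_letters + string.digits + SPECIALS


def check_psk(passphrase, min_len=10):
    """Return a list of problems; an empty list means the passphrase passes."""
    problems = []
    # WPA-PSK passphrases are 8 to 63 printable ASCII characters.
    if not 8 <= len(passphrase) <= 63:
        problems.append("length must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        problems.append("only printable ASCII is allowed")
    # The rules below follow the answer: 10+ characters, mixed classes.
    if len(passphrase) < min_len:
        problems.append("shorter than %d characters" % min_len)
    if not any(c in string.ascii_letters for c in passphrase):
        problems.append("no letter")
    if not any(c in string.digits for c in passphrase):
        problems.append("no digit")
    if not any(c in string.punctuation for c in passphrase):
        problems.append("no special character")
    return problems


def generate_psk(length=32):
    """Draw random passphrases from the OS CSPRNG until one passes check_psk."""
    if not 10 <= length <= 63:
        raise ValueError("length must be between 10 and 63")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_psk(candidate):
            return candidate


def derive_pmk(passphrase, ssid):
    """PBKDF2-HMAC-SHA1, 4096 rounds, SSID as salt: the 256-bit key WPA-PSK uses."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


if __name__ == "__main__":
    psk = generate_psk()
    print(psk, derive_pmk(psk, "BRIDGE-LINK").hex())  # SSID is a placeholder
```

Because the SSID is the salt, both bridges need the identical passphrase and SSID to arrive at the same key.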


9 Replies

akemp
Level 5

Why make things more complicated than need be? I'd suggest that root to client bridge be secured by MAC-to-MAC filtering. It imposes little overhead and relies on no external authentication.

Ehmmm....this is not a good answer. MAC filtering is maybe covering the authentication part but certainly not encrypting the traffic. With wireless networks encryption is an absolute must!

Rutger

Are there any special considerations when implementing these changes on production equipment?

Obviously I'll need to make the change on the remote side (non-root) first.

Are these changes something that can be done remotely without fear of being disconnected, or will I need physical access? Last time I tried making changes remotely I got kicked out, rebooting did not fix it, and I ended up having to drive 100 miles to the site to get it back up.

If possible you could connect the console-cable to a local PC at the remote site(s) and fix some kind of remote access to that PC.

I understand this might not be possible, but it was the first thing I got to think of.

Rutger

What steps would I take to change the bridge from the current settings of static WEP to WPA-PSK with AES?

I see that via the web browser the settings are on 2 different screens - previous work has shown me that once I apply 1 change I will most likely get kicked out.

Is it better to create a new config and upload it (via web interface), or is it better for me to be on-site?

I only ask because the equipment is in a locked room and I'll have to work with building management to get access. I'll also have to plan for an outage to give me enough time to travel between sites (100 yards or so) to make the changes on both bridges.

Thanks for any help - last time a bridge flaked out on me I spent 3 hours with TAC trying to get it back up!

Is it even possible to use AES with WPA?

According to the configuration guide (http://www.cisco.com/en/US/products/ps5861/products_configuration_guide_chapter09186a008041593d.html#wp1053188):

Matching Cipher Suites with WPA

If you configure your access point/bridge to use WPA authenticated key management, you must select a cipher suite compatible with the authenticated key management type. Table 9-3 lists the cipher suites that are compatible with WPA.

Table 9-3 only lists TKIP.

Using AES with WPA actually makes it WPAv2.

Seth Rosenthal, CWNE #55

Hi Seth

Can you provide me with your config, as I have trouble setting up a point-to-point configuration on two 1231G APs, one in WGB mode and one in AP mode. The only config I got to work was with static WEP keys, but I would like to make it work with WPA PSK and AES.

Best regards

Simon
