What is the best security config for point-to-point APs

Jan 29th, 2008

We are implementing 2 Aironet 1400s as a link to a different building. The APs are connected to our switch, and users on our local LAN will utilize them to access data between buildings.

We have no authentication or security servers in our network currently.

No other users should be accessing the wireless directly from a wireless card.

What can I configure to lock security between the two APs so only they speak to each other?

I have WEP generated on one. I will have to configure WEP on the other. But will I need to configure more WEP keys so there is two-way traffic? What other options do I have to make this secure?

manjesin Tue, 01/29/2008 - 18:20

Hi,


After WEP, WPA is good security but cannot be done on the BR1400.

Here is a link for your reference:

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008054339e.shtml



Therefore, next we can go for LEAP authentication, making the root bridge the RADIUS server.

Here is a link for your reference on the BR1300. It is done in the same way on the 1400:


http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008058f53e.shtml


Here is one more link about LEAP:

http://www.cisco.com/en/US/prod/collateral/wireless/ps5678/ps430/prod_qas0900aecd801764f1_ps5279_Products_Q_and_A_Item.html


Thanks,


Rate if this helps so that others can benefit from this forum.


manjesin Fri, 02/01/2008 - 08:56


Hi,


WPA-PSK is supported, which defines a shared secret between the devices.

WPA2 is not supported (the link which I referred to).

You can configure WPA-PSK between the bridges.

nygenxny123 Fri, 02/01/2008 - 12:00

Great. Now, I've had a heck of a time trying to configure this.

As I said, we have no servers. Would this work in the same manner as WPA at home?

I would simply configure a passphrase on one bridge and the same on the other, and they should authenticate?

manjesin Fri, 02/01/2008 - 12:37


Yes, WPA-PSK will be configured as you defined in your note.

In future, if you plan to change the security, then you can jump to LEAP with a local authentication server, which means making the root bridge the server for authentication.


Thanks :)

nygenxny123 Fri, 02/01/2008 - 22:16

Thanks manjesin,

but every time I attempt to change one of the bridges to root and the other to non-root, I lose complete association and I don't understand why.

They are configured with the same SSID and basic WEP, but for some reason I still can't get association up.

manjesin Sat, 02/02/2008 - 06:13

Hi,



Try these steps:

* Open the GUI of the root bridge.
  Go to Security / SSID Manager, create the SSID, and map it to the radio.

* Under Client Authentication Settings:
  Check the box Open Authentication with No Addition.

* Then click Apply.

* Go to the Encryption Manager page.
  Under Encryption Modes: select Cipher, TKIP.
  Under Encryption Keys: select Encryption Key 2. Don't put in any key; leave the box blank and let the key size be 128 bit.
  Then click Apply.

* Come back to the SSID Manager page.
  Under Client Authenticated Key Management:
  Select Key Management: Mandatory
  Check the box: WPA
  Under WPA Pre-shared Key: type a key of at least 8 characters.
  Click Apply.

* Then we need to repeat the same settings on the other bridge, except the station role will be non-root.

Now to troubleshoot:

* First make sure the bridges are able to talk to each other when there is no security set up.
* Set a simple pre-shared key, for example 1234567890, on both bridges. The bridges will not associate if the keys mismatch.


Hope this will work for you.
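
Added example, not part of the thread and not Cisco code: a Python check that derives the WPA-PSK master key for each bridge the way IEEE 802.11i maps a passphrase to a key (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations), so a mismatch in either the passphrase or the SSID shows up before the link is taken down. The SSID, the long passphrase, the dictionary layout and the 20-character threshold are assumptions made for this example.

```python
import hashlib
import hmac

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA-PSK passphrase-to-key mapping: PBKDF2-HMAC-SHA1, SSID as salt,
    4096 iterations, 256-bit output (IEEE 802.11i)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32)

def check_link(root: dict, non_root: dict, min_len: int = 20) -> list:
    """Return findings for a root/non-root pair; min_len is this example's
    own threshold for a production passphrase, not a Cisco setting."""
    findings = []
    if root["ssid"] != non_root["ssid"]:
        findings.append("SSID differs (it is the PBKDF2 salt, so keys differ too)")
    if root["passphrase"] != non_root["passphrase"]:
        findings.append("passphrase differs")
    pmk_root = derive_pmk(root["passphrase"], root["ssid"])
    pmk_non_root = derive_pmk(non_root["passphrase"], non_root["ssid"])
    if not hmac.compare_digest(pmk_root, pmk_non_root):
        findings.append("PMK mismatch: the 4-way handshake will fail, no association")
    for name, cfg in (("root", root), ("non-root", non_root)):
        pw = cfg["passphrase"]
        if len(pw) < min_len or pw.isdigit():
            findings.append(f"{name}: passphrase is short or digits-only, "
                            "acceptable for a bring-up test only")
    return findings

# Constructed sample settings (hypothetical SSID and passphrases).
ROOT = {"ssid": "BLDG-LINK", "passphrase": "1234567890"}
NON_ROOT_TYPO = {"ssid": "BLDG-LINK ", "passphrase": "1234567890"}  # trailing space
STRONG = {"ssid": "BLDG-LINK", "passphrase": "constructed-sample-passphrase-4711"}

if __name__ == "__main__":
    for label, pair in (("typo", (ROOT, NON_ROOT_TYPO)),
                        ("test key", (ROOT, ROOT)),
                        ("long key", (STRONG, STRONG))):
        print(label, check_link(*pair) or "OK")
```

Once the link associates with the simple test key, replace it on both bridges with a long random passphrase and re-run the check.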

nygenxny123 Sun, 02/03/2008 - 06:43

Great, I will try that. As I said, currently we have WEP set up. I'm going to see if this works. If I create the new SSID as you stated, will the SSID that is using WEP still be active?

Also, if these are set up as root and non-root bridges, does this mean that clients, such as a laptop, will not be able to directly connect to any of the two bridges? Ideally we do not want users or somebody off the street to directly connect to any of the two bridges.
