securing wireless

Unanswered Question
Jun 11th, 2008

Hello there - Does anybody have any links or pointers that could help me out? What I'm trying to do is make our wireless a little more secure. Currently we are using WPA2 PSK for access to our wireless network mainly for Cisco IP phones (7920) but more folks are starting to connect using laptops and cellular phones/PDAs. I am trying to come up with a plan to possibly keep the current SSID and VLAN the same so that it will not affect the 7920 phones and create a new VLAN and SSID for laptops and other things like smart phones. I have been reading through the documentation and posts here but it has become a little confusing and I cannot find anything that looks like my issue so I need some assistance. Is there any way that we can set it up to make the users log in (and check those credentials against our AD) before they are allowed onto the network but still keep one SSID up using WPA2 PSK for things like the 7920 phones? I realize that it may not be the most secure but I don't really know how you would install a certificate onto something such as a smart phone or PDA, let alone users that bring in their own laptops but are not added to the domain. Just to give an idea of our environment, we only have 6 APs, one of which is set up as a WDS for roaming and we also have a Cisco ACS server for authentication. The ACS server gets its users from our domain controllers and dynamically maps them. If anybody has any ideas or links or suggestions I am all ears.

dgroscost Wed, 06/11/2008 - 16:19

You are correct by separating Voice. Create another SSID & VLAN. Your security level depends on what kind of clients you will service on your WLAN. Obviously not all clients support WPA2, etc. If you want something secure, and your clients support it, go with WPA2/AES + EAP using your existing ACS server w/ Active Directory. If you still need to service less security-enabled devices (PDA, smartphones), you could always create another SSID/VLAN w/ WEP or TKIP, etc. and set up some sort of filters/ACLs so that their traffic cannot reach sensitive areas on your network.

mpozorski Fri, 06/13/2008 - 06:22

Thanks for the response and the links. Would you possibly have any links that show how to set it up without using a WLC? We currently don't have one and I can't see us getting one anytime soon. Thanks for the links, I had not seen a couple of them but they have some really good information.

