06-11-2008 11:04 AM - edited 07-03-2021 04:00 PM
Hello there - Does anybody have any links or pointers that could help me out? What I'm trying to do is make our wireless a little more secure. Currently we are using WPA2 PSK for access to our wireless network, mainly for Cisco IP phones (7920), but more folks are starting to connect using laptops and cellular phones/PDAs. I am trying to come up with a plan to possibly keep the current SSID and VLAN the same so that it will not affect the 7920 phones and create a new VLAN and SSID for laptops and other things like smart phones. I have been reading through the documentation and posts here but it has become a little confusing and I cannot find anything that looks like my issue, so I need some assistance. Is there any way that we can set it up to make the users log in (and check those credentials against our AD) before they are allowed onto the network but still keep one SSID up using WPA2 PSK for things like the 7920 phones? I realize that it may not be the most secure but I don't really know how you would install a certificate onto something such as a smart phone or PDA, let alone users that bring in their own laptops but are not added to the domain. Just to give an idea of our environment, we only have 6 APs, one of which is set up as a WDS for roaming, and we also have a Cisco ACS server for authentication. The ACS server gets its users from our domain controllers and dynamically maps them. If anybody has any ideas or links or suggestions I am all ears.
06-11-2008 04:19 PM
You are correct by separating Voice. Create another SSID & VLAN. Your security level depends on what kind of clients you will service on your WLAN. Obviously not all clients support WPA2, etc. If you want something secure, and your clients support it, go with WPA2/AES + EAP using your existing ACS server w/ Active Directory. If you still need to service less security-enabled devices (PDA, smartphones), you could always create another SSID/VLAN w/ WEP or TKIP, etc. and set up some sort of filters/ACLs so that their traffic cannot reach sensitive areas on your network.
06-11-2008 06:53 PM
Dan is correct. Here are some links to docs that might help you out:
http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00807917aa.shtml
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a0080810880.shtml
http://www.cisco.com/en/US/docs/wireless/technology/7920/design/guide/7920DG.html#wp180728
06-13-2008 06:22 AM
Thanks for the response and the links. Would you possibly have any links that show how to set it up without using a WLC? We currently don't have one and I can't see us getting one anytime soon. Thanks for the links, I had not seen a couple of them but they have some really good information.
06-13-2008 06:24 AM
Thank you for the advice.
06-13-2008 09:49 AM
Try this link:
http://www.cisco.com/en/US/docs/wireless/access_point/12.2_13_JA/configuration/guide/s13ssid.html