Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
894
Views
0
Helpful
4
Replies

WLAN Design

Go to solution
bhoops
Level 1
Level 1

‎11-05-2008 07:04 PM - edited ‎07-03-2021 04:44 PM

I've inherited our current WLAN that consists of two identically configured 1121 APs in separate buildings. Authentication is WPA-TKIP PSK that requires manual configuration of all devices. Guest access is handled through a separate VLAN that has ACLs that restrict traffic from the rest of the network, authentication is WPA-TKIP PSK. The SSID determines what VLAN they connect to.

We also have a point-to-point connection using two 1310 bridges that is secured by WPA-AES CCM+TKIP and MAC authentication.

We recently purchased a Secure ACS Express 5.0 and will be purchasing 3 additional APs.

My question is, what is the best way to clean up our WLAN, increase security and manageability, and preferably provide 0-configuration wireless access to guests and employees? I'm guessing a WLC is going to be required, but since I have very little wireless design experience I want to have this done right.

The vast majority of our wireless clients are laptops using Window's wireless configuration, but we also have several smart-phones, several iPhones, a few MacBooks, and no Blackberries.

Network users should authenticate with their domain credentials, and guests should not have to authenticate (or cancel out of a prompt).

Thanks for any assistance you can provide.

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
jeff.kish
Level 7
Level 7

‎11-06-2008 07:11 AM

Upgrading to lightweight controllers is a great way to improve scalability of your network. They provide a single point of configuration for your APs and allow for Radio Resource Management, which dynamically adjusts your radios for optimum performance.

WLCs also allow for web authentication to the network, allowing them to simply agree to a disclosure or requiring that they submit a key provided for access. Normally, one doesn't worry about encrypting guest traffic, and keys (WPA or otherwise) are simply meant to restrict who can join. If you just want people to be able to join without a key for ease of management, then you'll be allowing anyone to connect who can receive a signal. Some people don't care about that, others do, it's a business decision to make.

As for security, consider upgrading to PEAP for ease of management. You do need to deploy a certificate to the machine, but that beats out having to update every single client if the WPA-PSK password needs to be changed for security purposes.

I hope that helps!

View solution in original post

0 Helpful

Go to solution
jeff.kish
Level 7
Level 7
In response to bhoops

‎11-06-2008 12:59 PM

The bridges are great. Using WPA with AES encryption is rock-solid. I would consider disabling the TKIP though, no real need to have it when both sides support AES. The two bridges are likely defaulting to AES anyway, so it might not make a difference.

Just so you know, bridges aren't supported in a lightweight solution, which just means that they'll remain autonomous. No need to plan on upgrading them if you decide to go that route.

View solution in original post

0 Helpful
4 Replies 4

Go to solution
jeff.kish
Level 7
Level 7

‎11-06-2008 07:11 AM

Upgrading to lightweight controllers is a great way to improve scalability of your network. They provide a single point of configuration for your APs and allow for Radio Resource Management, which dynamically adjusts your radios for optimum performance.

WLCs also allow for web authentication to the network, allowing them to simply agree to a disclosure or requiring that they submit a key provided for access. Normally, one doesn't worry about encrypting guest traffic, and keys (WPA or otherwise) are simply meant to restrict who can join. If you just want people to be able to join without a key for ease of management, then you'll be allowing anyone to connect who can receive a signal. Some people don't care about that, others do, it's a business decision to make.

As for security, consider upgrading to PEAP for ease of management. You do need to deploy a certificate to the machine, but that beats out having to update every single client if the WPA-PSK password needs to be changed for security purposes.

I hope that helps!

0 Helpful

Go to solution
bhoops
Level 1
Level 1
In response to jeff.kish

‎11-06-2008 10:23 AM

Thank you for the additional information regarding the APs. For the 1310 bridges, do you recommend making any changes, or do you consider the encryption and security adequate?

Thanks.

0 Helpful

Go to solution
jeff.kish
Level 7
Level 7
In response to bhoops

‎11-06-2008 12:59 PM

The bridges are great. Using WPA with AES encryption is rock-solid. I would consider disabling the TKIP though, no real need to have it when both sides support AES. The two bridges are likely defaulting to AES anyway, so it might not make a difference.

Just so you know, bridges aren't supported in a lightweight solution, which just means that they'll remain autonomous. No need to plan on upgrading them if you decide to go that route.

0 Helpful

Go to solution
bhoops
Level 1
Level 1
In response to jeff.kish

‎11-07-2008 05:32 AM

Thank you!

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card