Wireless with no authentication but encryption

Answered Question
Jun 1st, 2010

Hello


I have some 871W. Is it possible to make a wireless network open (no authentication, available for all) but with encryption?

I've read somewhere I could do something like this using 802.1x, but could not find any Cisco documentation for that.

I want to be sure that everybody can use wireless but that sniffing is not possible (or very difficult).

Is it possible? If yes, could you give me a link to documentation?


Best regards,

Scott Fella Tue, 06/01/2010 - 03:55

You can set up encryption (WEP, WPA-PSK, WPA2-PSK) without using any type of authentication (802.1x). Your best bet, if you don't want to have devices or users authenticate and want to make it difficult to break, is to use WPA2-PSK.


Scott

mlopacinski Tue, 06/01/2010 - 04:17

But for WPA2-PSK to work everybody needs to know the shared key. And this is a problem. I do not want to force people to know any passwords (it's public wifi).

How can I solve this problem?


Thanx

Scott Fella Tue, 06/01/2010 - 04:47

Public WiFi.... Well, nothing you can do there.  Leave it open and create an ACL to block guest traffic from accessing your other subnets.

mlopacinski Tue, 06/01/2010 - 04:55

It's very bad that I cannot enable encryption for public wifi. This way any user can sniff any other user.

There should be a way to set up a secure channel through an unsecured medium (for example using Diffie-Hellman).

Why did Cisco not create such a possibility?



Thanx
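
The Diffie-Hellman idea raised in the post above, as an added example that is not part of the original thread: a client and an access point agree on a session key with no shared password, so a passive listener sees only public values, but nothing in the exchange tells the client which station answered. The function names are hypothetical, and the 1024-bit MODP group from RFC 2409 is used only to keep the demo short.

```python
import hashlib
import secrets

# 1024-bit MODP prime of RFC 2409 (Oakley Group 2), generator 2. Chosen to keep
# the demo short; new designs use 2048-bit or elliptic-curve groups.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
G = 2

def keypair():
    """Fresh ephemeral private exponent and the public value sent in the clear."""
    priv = secrets.randbelow(P - 3) + 2          # uniform in 2 .. P-2
    return priv, pow(G, priv, P)

def session_key(my_priv, peer_pub):
    """Derive a 256-bit key from the peer's public value."""
    if not 1 < peer_pub < P - 1:                 # reject 0, 1 and P-1
        raise ValueError("degenerate public value")
    shared = pow(peer_pub, my_priv, P)
    return hashlib.sha256(shared.to_bytes(128, "big")).digest()

def join_open_network(responder_pub):
    """Client side: no password and no certificate, only the exchange."""
    priv, pub = keypair()
    return pub, session_key(priv, responder_pub)

def demo():
    # Honest case: only ap_pub and client_pub cross the air, so a passive
    # listener never sees a private exponent and cannot derive the key.
    ap_priv, ap_pub = keypair()
    client_pub, client_key = join_open_network(ap_pub)
    ap_key = session_key(ap_priv, client_pub)
    # Limitation: the client derives a key with whichever station answered.
    # The exchange alone gives it no way to tell this responder from the AP.
    other_priv, other_pub = keypair()
    client_pub2, client_key2 = join_open_network(other_pub)
    other_key = session_key(other_priv, client_pub2)
    return {
        "client_and_ap_agree": client_key == ap_key,
        "client_agrees_with_any_responder": client_key2 == other_key,
        "keys_differ_per_exchange": client_key != client_key2,
    }

if __name__ == "__main__": print(demo())
```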

Scott Fella Tue, 06/01/2010 - 05:01

On a WLC or an IOS AP, you can block P2P; you just have to see if your device supports that.

mlopacinski Tue, 06/01/2010 - 05:05

Hmmm, but I do not want to block any traffic.

I just wanted to provide guests some basic level of privacy through encryption, so they could use, for example, internet banking.


Thanx

Scott Fella Tue, 06/01/2010 - 05:17

The thing with free public wifi is that the users have to protect themselves, not you. Look at all the other hotspots... they use a username/password or just an accept to allow the users access to the wireless. There is usually a Terms and agreement that protects the hotspot from any liabilities. Most secure websites use SSL certificates to protect the users... so this is secure.


Scott

mlopacinski Tue, 06/01/2010 - 05:40

I don't trust SSL certificates. Many of them are validated only by email. And most browsers have very suspicious CAs in their keyring.

What about Cisco's layered model of protection? Shouldn't it be implemented in all layers, not just one (which is weak in this case)?

Even professionals are often tricked - we cannot leave users on their own. That's why I think Cisco should try to provide at least a minimum level of security....

I still do not understand why it's not possible and why Cisco can't do that...


Thanx

Correct Answer
Scott Fella Tue, 06/01/2010 - 05:45

Understood... but that is why the minimum protection is up to you to decide.  Again... with guest wireless, you can't force any type of encryption or else you will be supporting the users.  No matter what vendor you use, the outcome will be the same.  Encryption and Authentication is there for one to use if configured.  If you had a wired guest, how would you protect him or her?


Scott

mlopacinski Tue, 06/01/2010 - 05:52

You are right, the same problem is with wired connections. But I feel uncomfortable giving them some security for usability (they have to remember shared key) while technically it's not necessary.


Anyway thanx!
