Security for Autonomous AP1142

Answered Question
Aug 20th, 2012

I have very limited experience with wireless. We just purchased the 1142 AP. No need to have a WLC right now. I have it up and running with TKIP-WPA2 just fine. That's about where I stop. I was looking at the Windows 2008 R2 server this morning trying to figure out how to perform some sort of authentication.

What is the best option for securing the network on an autonomous AP? Is it best practice to not broadcast the SSID even if I'm using 802.1x for authentication? How should I configure encryption? I'd like to authenticate company-owned devices by MAC, but allow for guest access if authentication fails. The guest VLAN is a layer 2 VLAN that defaults to the external firewall. I do have a RADIUS server as a resource. Am I on the right track? Is there a good document out there that explains how to "easily" (kind of relative there, I know) set up a RADIUS server on Windows 2008 R2 to work with the AP1142?

Thanks.

Stephen Rodriguez Mon, 08/20/2012 - 11:50

Not broadcasting the SSID isn't a 'security' measure, as the client(s) will probe for the SSID in clear text.  So if someone is actively trying to intrude into your network they can find the SSID easy enough.

For the encryption I'd go with WPA2/AES.  This is the most secure L2 encryption available currently, and allows for the 802.11n speeds to be achieved.

As for 802.1x on MS Servers...

http://technet.microsoft.com/en-us/library/ff919513%28v=ws.10%29.aspx

and here is the AP side.

http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801bd035.shtml

HTH,
Steve


Correct Answer
George Stefanick Mon, 08/20/2012 - 11:54

Andrew,

A few items you might want to consider to add to your list:

1 - VLAN segmentation: You would want to trunk at the switch port, then add and bridge on the access point the multiple VLANs you will want to carry; for example, you mentioned guest and production.

2 - Turning off the SSID is little to no real protection. Some wireless clients will have issues if it's NOT broadcast.

3 - TKIP/WPA2 -- I might suggest sticking with the standard WPA/TKIP or WPA2/AES.

4 - Not a fan of MAC auth only, because it's a pain in the butt.

Basic Wireless Access Point Config Example

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008055c39a.shtml

EAP Auth With Radius Server

http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801bd035.shtml

Peap / IAS

http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080921f67.shtml#chap2

Youtube Video on PEAP and IAS

http://www.youtube.com/watch?v=g-0MM_tK-Tk

andrewdours Mon, 08/20/2012 - 12:37

Thanks for the post.  I did forget to mention that I have the wired connection trunked to my switch.  I have 3 vlans right now: 1 for management, 1 for company (inside), 1 for guest.

Leo Laohoo Mon, 08/20/2012 - 16:05
Who do you know that uses EAP-MSCHAPv2 for security?

I know we don't but you do wonder ... Or do you want to?

crvallance Mon, 08/20/2012 - 16:14

Nobody panic just yet. Moxie's cracking was done using LEAP from my understanding. With a properly implemented PEAP config you are still reasonably secure. Check this post from Andrew VonNagy for some more details http://revolutionwifi.blogspot.com/2012/07/is-wpa2-security-broken-due-to-defcon.html

Sent from Cisco Technical Support iPhone App

andrewdours Thu, 10/11/2012 - 20:00

Ok. I guess I'm a bit thick. I've read through everything posted here. I think someone's going to need to spoon-feed it to me. Let's start simple and think high level first. I've got an 1142 autonomous AP, Microsoft NPS server, iPads, laptops, Androids, and BlackBerry devices. Some of these devices are company owned and some are BYOD. How should I secure access to the wireless network? I ONLY want to understand how I should configure authentication and encryption through the AP for each of these devices. I somewhat understand the Microsoft documentation for securing Windows devices that are on a domain. There is a lot to understand about certificates. What is the conventional wisdom behind securing all of those other devices in the list? Thanks to all for your help.

Andrew

Correct Answer
Stephen Rodriguez Thu, 10/11/2012 - 20:09

For the internal devices you should go with WPA2/AES/802.1x (PEAP) only need the server side certificate.

As for BYOD, I'd leave that ssid open, but put them on a VLAN that can only reach the Internet.

I have seen customers that do a PSK for the guest network, but I don't see the need myself.

Now if they want to bring their BYOD onto your network then you should look into a MDM solution so that you have some control over them.

Steve

Sent from Cisco Technical Support iPhone App
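Pulling together the advice in George's list above (trunked VLANs bridged on the AP, no TKIP, no MAC-only auth, hiding the SSID is not protection) and Steve's answer (WPA2/AES/802.1X for corporate devices, an open guest SSID on an Internet-only VLAN), here is an added Python audit of an autonomous-AP running-config. It is example code written for this page, not from Cisco or any poster; the config text, VLAN numbers, SSID names and method-list names in it are constructed.

```python
import re
# Constructed sample running-config (not from the thread); VLANs, SSID and method-list names are assumed.
SAMPLE_CONFIG = """\
dot11 ssid CORP
 vlan 20
 authentication open eap eap_methods
 authentication key-management wpa version 2
 guest-mode
dot11 ssid GUEST
 vlan 30
 authentication open
 mbssid guest-mode
dot11 ssid LEGACY
 vlan 40
 authentication open mac-address mac_methods
 authentication key-management wpa
interface Dot11Radio0
 encryption vlan 20 mode ciphers aes-ccm
 encryption vlan 40 mode ciphers tkip
"""
GUEST_VLANS = {30}  # assumed: VLANs that only reach the external firewall

def parse_config(text):
    # Return ({ssid: [sub-commands]}, {vlan: cipher}) from IOS config text.
    ssids, ciphers, current = {}, {}, None
    for line in text.splitlines():
        cmd = line.strip()
        if not line.startswith(" "):  # unindented command starts a new stanza
            m = re.match(r"dot11 ssid (\S+)", cmd)
            current = ssids.setdefault(m.group(1), []) if m else None
        elif (m := re.match(r"encryption vlan (\d+) mode ciphers (\S+)", cmd)):
            ciphers[int(m.group(1))] = m.group(2)  # cipher suite is set per VLAN
        elif current is not None:
            current.append(cmd)
    return ssids, ciphers

def audit(text, guest_vlans=GUEST_VLANS):
    """Map each SSID to its findings; an empty list means it follows the advice."""
    ssids, ciphers = parse_config(text)
    report = {}
    for name, cmds in ssids.items():
        vlan = next((int(c.split()[1]) for c in cmds if c.startswith("vlan ")), None)
        cipher, auth = ciphers.get(vlan, ""), " " + " ".join(cmds) + " "
        checks = [  # (is_bad, finding) pairs derived from the thread's advice
            ("key-management wpa" not in auth and vlan not in guest_vlans, "open SSID on a non-guest VLAN"),
            ("tkip" in cipher, "TKIP cipher: use aes-ccm (WPA2/AES)"),
            ("key-management wpa" in auth and "version 2" not in auth, "WPA version not pinned to 2"),
            ("mac-address" in auth and " eap " not in auth, "MAC-only auth, no 802.1X"),
            ("guest-mode" not in auth, "hidden SSID is not a security control"),
        ]
        report[name] = [msg for bad, msg in checks if bad]
    return report
```

Run `audit(SAMPLE_CONFIG)` to see CORP and GUEST come back clean while LEGACY collects four findings; point it at your own `show running-config` output to check a real AP.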

andrewdours Mon, 10/15/2012 - 12:11

I went back through and configured per your suggestion (with the help of the youtube Video on PEAP and IAS http://www.youtube.com/watch?v=g-0MM_tK-Tk ).  I was able to authenticate the laptop then the user.  Very nice!  Thanks for your help.  I'm not sure what my next step will be.  BYOD is something that is coming quickly.  I can place these devices on a VLAN, but I'm not sure exactly how I want to secure access to internal resources.

Andrew

George Stefanick Mon, 10/15/2012 - 12:29

Andrew, I'm glad the video and extra info helped. If you would be so kind to mark that response as answered, it will help others to find a resolve as well.

Thanks


Posted August 20, 2012 at 11:45 AM