Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to learn how to address your Wireless Security concerns with Cisco expert Sangita Patel. Sangita is a Mobility Solutions Manager at Cisco. As a Solutions Manager, Sangita is responsible for the marketing strategy of Cisco Mobility Solutions with an emphasis on articulating the business value of wireless security as well as the unified wired and wireless approach to enterprise-wide mobility. She has over 15 years of networking industry experience. Prior to joining Cisco, Sangita served as a Product Manager at Symbol Technologies / Motorola and was responsible for some of their flagship Wireless LAN infrastructure and management portfolio. Sangita holds a B.S. in Computer Science from San Jose State University and M.S. in Engineering Management from Santa Clara University.
Remember to use the rating system to let Sangita know if you have received an adequate response.
Sangita might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through September 25, 2009. Visit this forum often to view responses to your questions and the questions of other community members.
I was wondering how to set up a network between two separate buildings on the same property, yet both have their own DSL circuit from AT&T. No underground conduit is available to connect the two buildings. I would like to use (2) Cisco WRVS4400N Gigabit Security Routers to do this, because both buildings want wireless networking plus wired networking available. The main building already has a small "home" network created between (8) PCs and their OS is Win XP Pro.
Sure would appreciate the help!
Thanks for the response.
Yes, I figured the ADSL lines coming in both modems would need to be bridged to the Cisco WRVS4400 routers on both sides, I'm just not sure what to do from there. How will computers from the second building access the file server and join the one network located in the main building? Is there more of a step-by-step instruction manual I can get for these routers or the procedure I'm trying to setup between both buildings?
Sure appreciate the feedback!
I meant configure two Access Points as Bridges.
Wireless Bridges Point-to-Point Link Configuration Example
Access Point as a Workgroup Bridge Configuration Example
Hope this helps.
I'm trying to configure a Cisco Aironet 1250N, but I cannot get a rate faster than 54 Mbps, which is passing. I have a Linksys WMP300N wireless card; could someone help me?
Hi Rod - so there could be a few things happening. I will try and provide some information, but if this doesn't help you might want to contact TAC and do further troubleshooting. Assuming your controller is at 4.2.x or later, make sure that you have configured the radios for bonded channel configuration. In order for your clients to be able to realize 11n rates, the necessary WLANs need to be enabled for WMM (either 'allowed' or 'required', depending on your needs and client support).
Also, you should have AES cryptography on all encrypted links. You have to have WPA2 AES enabled (with either PSK or back-end AAA) or that WLAN won't work at all for 11n rates. You can go for a mixture (WPA with TKIP or AES and WPA2 with TKIP), just so long as you have WPA2 with AES enabled.
The easiest way to make sure that your clients are connected at these rates (after you make sure your WLAN config set per recommendation) is to check the client records in the WLC GUI or via WCS.
Hi, thanks for the post. Overall this is more a general deployment topic and you would be best suited to work with a Sales Engineer and do a design session so that you can design an optimal network for the applications you are deploying.
Thanks for the opportunity to open this topic. A significant number of the forum experts are unhappy as to the implications and solutions to the recently announced vulnerability of OTAP that was first discovered by Jerome Henry and made public by AirMagnet.
According to some, even when OTAP is disabled (by default) the details of the WLC's IP and MAC address are still being advertised in the open.
Hope to hear from you soon, Sangita.
Hi, thanks for the message. Yes, the OTAP vulnerability is known and is going to be completely disabled in a 6.0.x patch. Having said that, there are ways to apply best practices for your WLAN to help minimize security risk.
Below are good references on understanding OTAP and detecting Rogues.
Useful References for customers:
1. IntelliShield alert
2. Tech Note - "Understanding OTAP"
3. Whitepaper - "Rogue Detection under Unified Wireless Networks"
4. PSIRT HOT Page
5. Safeguard with LSC - Locally Significant Certificates on Wireless LAN Controllers Configuration Example
The patch release is coming soon though I do not have a specific release date. Again there is very little risk if OTAP is not being used and rogue detection and other wireless security best practices are in place.
Thanks for your response. My team members and I agree with your response; however, we must respond to the Paranoid Team (aka IT Security). And they haven't taken their hourly dose of Prozac. This is why I'm asking for the release date of the 6.0.X, just to calm them down.
I can understand the paranoia. Our team is currently working on the patch and testing so it should be coming soon.
Hi Sangita. Can you please help me or point me in the correct direction. I want to find out more about Cisco's Virtual Service Provider Model - what it is, how it works, how to implement it, etc. Please help.
Hello there. So VSP is more an SMB and Service Provider solution and I am not best suited to answer your questions, as I am in the Enterprise Wireless group. I would suggest contacting your local Cisco rep. You can find the Cisco offices by visiting the Cisco website at http://www.cisco.com/web/EA/index.html
Hi! I'm trying to find information about LDAPS support for WLC 5.2 and how to configure LDAPS (port 636) on WLC/WiSM 5.2. LDAP works just fine, but when I configure LDAPS, actually just by configuring port number 636, it doesn't work. What more needs to be configured?
Hi, thanks for the posting. Your posting seems to be about a very specific scenario and may not be best resolved on this forum. This should be worked through with the support organization. (http://www.cisco.com/cisco/web/support/index.html)
Can you clarify the use of validating the certificate for PEAP?
My original understanding was that a certificate was REQUIRED in order to properly authenticate against an ACS RADIUS server. However, as many iPhone and other handheld devices have proven, only 802.1X AD credentials are required to get on a WLAN secured by PEAP.
I believe I understand that windows machines that are validating the certificate are more securely PEAPing than those that are not by encrypting the original handshake - but is there a way to enforce the use of a certificate to authenticate with PEAP?
I am trying to install a certificate on my WiSM controller (Running 6.0) so that my Guest clients do not get the certificate error while redirected to the 188.8.131.52 login page.
I added DNS Host Name under the controller -> interfaces ->virtual so that the redirect will go to a more meaningful name. i.e. wirelessguest.company.com
Added an A record in my DNS server for wirelessguest.company.com to resolve to 184.108.40.206 (not sure if this is needed or not.)
I used the following document to generate the certificate on my CA server and am going to upload this afternoon.
Is there anything I am missing? Will this certificate work for my purpose, or do I have to purchase a cert from Verisign or RapidSSL? I am really trying to avoid purchasing a cert, but if that is the only option then I will.
In order to resolve this error on a guest wlan, you can disable the https management on both your local and anchor controllers, reboot them - and the certificate warning will no longer come up.
This is due to the clients not trusting the self-signed cert on the WLC when they are attempting to go to the virtual IP address.
Brian, thanks for providing input. Everyone should always follow the security best practices and not take any shortcuts unless aware of the risks.
Hi, it seems that more troubleshooting is needed and would be best for you to work with our Technical Support folks http://www.cisco.com/cisco/web/support/index.html. Thanks for your post.
If your clients automatically trust the certificate you generated (because they already trust the CA that issued the certificate), then you should be in business.
If your clients do NOT trust the certificate, then you should either manually install the certificate (without the private key) on all the clients, or you should generate/install a 3rd Party certificate for your WLC that comes from a vendor that is already trusted by your clients (and, if necessary, update the DNS Host Name entry on the virtual interface to match the CN on the certificate).
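The two conditions this answer names (the client must trust the issuing CA, and the certificate's name must match the DNS Host Name on the virtual interface) can be reproduced with openssl before a certificate is uploaded to the controller. The script below is an added example, not code from the thread or from Cisco: it builds a throwaway lab CA, a second unrelated CA, and a controller certificate for wirelessguest.company.com (the hostname used in the thread), then checks which combinations a client would accept. The CA names, the key material and the `check_chain` helper are all constructed here.

```shell
#!/bin/sh
# Added example, not code from the thread or from Cisco: reproduce with openssl the two
# conditions the answer names for a guest-portal certificate. A client stops warning
# when (1) it trusts the CA that issued the certificate and (2) the certificate's name
# matches the host it was redirected to, i.e. the DNS Host Name on the virtual interface.
# The lab CAs and keys below are constructed on the fly; check_chain is our own helper.
set -e

HOST="wirelessguest.company.com"     # DNS Host Name from the thread
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl config so the example does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# make_ca NAME FILE-STEM: self-signed root that stands in for an enterprise or vendor CA.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/req.cnf" \
        -subj "/CN=$1" -keyout "$WORK/$2.key" -out "$WORK/$2.pem" >/dev/null 2>&1
}
make_ca "Lab Issuing CA" issuer     # the CA that will sign the controller certificate
make_ca "Some Other CA" other       # a CA the client trusts but which signed nothing here

# Controller key and CSR: CN and SAN both carry the portal hostname.
openssl req -newkey rsa:2048 -nodes -config "$WORK/req.cnf" -subj "/CN=$HOST" \
    -keyout "$WORK/wlc.key" -out "$WORK/wlc.csr" >/dev/null 2>&1
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' \
    "$HOST" > "$WORK/wlc.ext"
openssl x509 -req -days 1 -in "$WORK/wlc.csr" -CA "$WORK/issuer.pem" -CAkey "$WORK/issuer.key" \
    -CAcreateserial -extfile "$WORK/wlc.ext" -out "$WORK/wlc.pem" >/dev/null 2>&1

# check_chain TRUST-STORE HOSTNAME: prints "ok" if a client holding only TRUST-STORE and
# browsing to HOSTNAME would accept wlc.pem, "warn" if it would show the certificate error.
check_chain() {
    if openssl verify -no-CApath -CAfile "$1" -verify_hostname "$2" "$WORK/wlc.pem" >/dev/null 2>&1
    then echo ok
    else echo warn
    fi
}

check_chain "$WORK/issuer.pem" "$HOST"                 # ok: trusted CA, matching name
check_chain "$WORK/other.pem"  "$HOST"                 # warn: client does not trust the issuer
check_chain "$WORK/issuer.pem" "guest.company.com"     # warn: name does not match the SAN
```

The third call is the case the answer's closing remark covers: a certificate from a trusted CA still produces the warning if the DNS Host Name on the virtual interface is not the name in the certificate, so the two have to be kept in step. The same `openssl verify` check can be run against the real CA bundle and the real certificate before uploading it to the WLC.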