
best security settings for AP1220

Hello,

I have purchased 2 Aironet 1220 APs (upgraded to IOS) and a few 350 PCMCIA cards. I was hoping to set up WPA; sadly, although the AP is WPA ready, the APU for the 350 PCMCIA cards does not support it yet.

I want to make the wireless network as secure as I can (don't we all). So my question is, what are the best security options I can use? My setup is the following:

2x 1220 APs, one as root, the other in repeater mode. Ethernet connected to broadband router.

1x 350 PCMCIA card

I only have 1 client, which does not need to roam to other wireless networks, and a RADIUS server is not an option.

At the moment I have the following:

Open authentication with MAC address authentication, then TKIP + 128-bit WEP cipher for encryption.

Is this OK?

Also, how do I check that the encryption is working correctly?

Please advise. I have to get it set up yesterday, and am fairly new to the 1200 hardware.

Accepted Solutions
Cisco Employee

Re: best security settings for AP1220

Hi Darren,

You have several options with the hardware you have.

First off, you need to assess the real risk against the cost.

This white paper will take you through this:

http://www.cisco.com/warp/public/cc/so/cuso/epso/sqfr/safwl_wp.htm

For only one client card, do you really need to use much more than static WEP with TKIP and MIC? This combination will eliminate the real weaknesses in WEP of weak IVs that the common attacks using things like wepcrack etc. rely on.

If you wanted to step up from there, you could add local MAC filters to only allow your clients (don't forget to include the repeater in this filter), but as your network grows it can become a pain.

Using this combination, a hacker would then need to use brute force on the key (not likely with 128-bit WEP) and MAC address spoofing.

A new feature in 12.2(11)JA is local authentication.

You can now run EAP for a limited number of clients and use the AP instead of an AAA server. Here is how to:

http://www.cisco.com/univercd/cc/td/doc/product/wireless/airo1100/accsspts/i12211ja/i12211sc/s11local.htm

This would be my choice.

Other things to think about:

If the unauthorized client cannot receive the signal, then they cannot attack. Only use as much Tx power as needed to cover the area.

Repeaters will reduce your throughput by 50%. If you have the option to run UTP out to where your repeater is now, then do that and set them both up as APs, then roam between the 2: a much better design.
