New Member

Security for Autonomous AP1142

I have very limited experience with wireless.  We just purchased the 1142 AP.  No need to have a WLC right now.  I have it up and running with TKIP-WPA2 just fine.  That's about where I stop.  I was looking at the Windows 2008 R2 server this morning trying to figure out how to perform some sort of authentication.

What is the best option for securing the network on an autonomous ap?  Is it best practice to not broadcast the ssid even if I'm using 802.1x for authentication?  How should I configure encryption?  I'd like to authenticate company owned devices by MAC, but allow for guest access if authentication fails.  The guest vlan is a layer 2 vlan that defaults to the external firewall.  I do have a radius server as a resource.  Am I on the right track?  Is there a good document out there that explains how to "easily" (kind of relative there I know) set up a radius server on Windows 2008 R2 to work with the AP1142?

Thanks.

13 REPLIES

Re: Security for Autonomous AP1142

Not broadcasting the SSID isn't a 'security' measure, as the client(s) will probe for the SSID in clear text.  So if someone is actively trying to intrude into your network they can find the SSID easy enough.

For the encryption I'd go with WPA2/AES.  This is the most secure L2 encryption available currently, and allows for the 802.11n speeds to be achieved.

As for 802.1x on MS Servers...

http://technet.microsoft.com/en-us/library/ff919513%28v=ws.10%29.aspx

and here is the AP side.

http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801bd035.shtml

HTH,
Steve

-----------------------------------------
Please remember to rate useful posts, and mark questions as answered

New Member

Security for Autonomous AP1142

Thanks for the post and thanks for serving.

Security for Autonomous AP1142

Andrew,

A few items you might want to consider to add to your list:

1 - VLAN segmentation: You would want to trunk at the switch port, then add and bridge on the access point the multiple VLANs you will want to carry; for example, you mentioned guest and production.

2 - Turning off the SSID is little to no real protection. Some wireless clients will have issues if it's NOT broadcast.

3 - TKIP/WPA2 -- I might suggest sticking with the standard WPA/TKIP or WPA2/AES.

4 - Not a fan of MAC auth only because it's a pain in the butt.

Basic Wireless Access Point Config Example

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008055c39a.shtml

EAP Auth With Radius Server

http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801bd035.shtml

Peap / IAS

http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080921f67.shtml#chap2

Youtube Video on PEAP and IAS

http://www.youtube.com/watch?v=g-0MM_tK-Tk

__________________________________________________________________________________________ "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin ___________________________________________________________
New Member

Security for Autonomous AP1142

Thanks for the post.  I did forget to mention that I have the wired connection trunked to my switch.  I have 3 vlans right now: 1 for management, 1 for company (inside), 1 for guest.

Hall of Fame Super Gold

Security for Autonomous AP1142

Something to give everyone sleepless nights ... Is WPA2 Security Broken Due to Defcon MS-CHAPv2 Cracking?

Apparently, this hack was done without any encapsulation of MS-CHAPv2.

Pleasant dreams ... BWA, HA, HA, HA, HA ...

Security for Autonomous AP1142

Leo,

Who do you know that uses EAP-MsChapv2 for security ?

Hall of Fame Super Gold

Security for Autonomous AP1142

Who do you know that uses EAP-MsChapv2 for security ?

I know we don't but you do wonder ... Or do you want to?

New Member

Re: Security for Autonomous AP1142

Nobody panic just yet. Moxie's cracking was done using LEAP from my understanding. With a properly implemented PEAP config you are still reasonably secure. Check this post from Andrew VonNagy for some more details http://revolutionwifi.blogspot.com/2012/07/is-wpa2-security-broken-due-to-defcon.html

Sent from Cisco Technical Support iPhone App

Re: Security for Autonomous AP1142

Correct, LEAP uses MS-CHAPv2. We have nothing to worry about.

New Member

Security for Autonomous AP1142

Ok.  I guess I'm a bit thick.  I've read through everything posted here.  I think someone's going to need to spoon feed it to me.  Let's start simple and think high level first.  I've got an 1142 autonomous AP, Microsoft NPS server, iPads, laptops, Androids, and BlackBerry devices.  Some of these devices are company owned and some are BYOD.  How should I secure access to the wireless network?  I ONLY want to understand how I should configure authentication and encryption through the AP for each of these devices.  I somewhat understand the Microsoft documentation for securing Windows devices that are on a domain.  There is a lot to understand about certificates.  What is conventional wisdom behind securing all of those other devices in the list?  Thanks to all for your help.

Andrew

Re: Security for Autonomous AP1142

For the internal devices you should go with WPA2/AES/802.1x (PEAP) only need the server side certificate.

As for BYOD, I'd leave that ssid open, but put them on a VLAN that can only reach the Internet.

I have seen customers that do a PSK for the guest network, but I don't see the need myself.

Now if they want to bring their BYOD onto your network then you should look into a MDM solution so that you have some control over them.

Steve

Sent from Cisco Technical Support iPhone App

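As an added illustration (not from any post in this thread), here is an autonomous-AP IOS configuration that puts together the advice above: a corporate SSID with WPA2/AES and 802.1X (PEAP against the NPS RADIUS server) on its own VLAN, an open guest SSID on a separate Internet-only VLAN, and dot1Q subinterfaces bridged to the switch trunk as described in the VLAN segmentation reply. The RADIUS address, VLAN IDs, SSID names and shared secret are placeholders.

```cisco
! Added example (not from this thread): autonomous AP config for the advice above.
! Placeholders: RADIUS/NPS at 192.0.2.10, VLANs 1/10/20, SSIDs CORP/GUEST, shared secret.
aaa new-model
aaa group server radius rad_eap
 server 192.0.2.10 auth-port 1812 acct-port 1813
aaa authentication login eap_methods group rad_eap
!
! Corporate SSID: 802.1X (PEAP against NPS) with WPA2 key management, mapped to VLAN 10
dot11 ssid CORP
 vlan 10
 authentication open eap eap_methods
 authentication key-management wpa version 2
 mbssid guest-mode
!
! Guest SSID: open, mapped to the Internet-only VLAN 20 (filtering is done at the firewall)
dot11 ssid GUEST
 vlan 20
 authentication open
 mbssid guest-mode
!
interface Dot11Radio0
 mbssid
 ! AES-CCMP is the only cipher on VLAN 10; no TKIP, which also keeps 802.11n rates available
 encryption vlan 10 mode ciphers aes-ccm
 ssid CORP
 ssid GUEST
 station-role root
!
! Per-VLAN subinterfaces on the radio, bridged to the matching dot1Q tags on the trunk
interface Dot11Radio0.10
 encapsulation dot1Q 10
 bridge-group 10
!
interface Dot11Radio0.20
 encapsulation dot1Q 20
 bridge-group 20
!
interface GigabitEthernet0.1
 encapsulation dot1Q 1 native
 bridge-group 1
!
interface GigabitEthernet0.10
 encapsulation dot1Q 10
 bridge-group 10
!
interface GigabitEthernet0.20
 encapsulation dot1Q 20
 bridge-group 20
!
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key SHARED-SECRET-PLACEHOLDER
```

The switch port facing the AP must be a dot1Q trunk carrying VLANs 1, 10 and 20 with VLAN 1 native (management), and the NPS server needs a matching RADIUS client entry for the AP with the same shared secret.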
New Member

Security for Autonomous AP1142

I went back through and configured per your suggestion (with the help of the YouTube video on PEAP and IAS http://www.youtube.com/watch?v=g-0MM_tK-Tk ).  I was able to authenticate the laptop then the user.  Very nice!  Thanks for your help.  I'm not sure what my next step will be.  BYOD is something that is coming quickly.  I can place these devices on a VLAN, but I'm not sure exactly how I want to secure access to internal resources.

Andrew

Security for Autonomous AP1142

Andrew, I'm glad the video and extra info helped. If you would be so kind to mark that response as answered, it will help others to find a resolution as well.

Thanks
