How do you do wireless encryption with WGB? I.E. is there a way to implement the LEAP architecture with the Secure ACS? Or are you relegated to using WEP? I've got a large hotel looking to deploy boatloads of WGBs, and I'm not sure what to tell them regarding security.
With all the publicity, none of my customers want me to implement WEP if they can avoid it.
The 340 and 350 series WGB units both support EAP authentication to CiscoSecure ACS V2.6. To configure this you need to be running firmware 8.5.8 or newer on the WGB and EAP/LEAP supported FW on the AP. If you are using ACS you will need version 4.25.5 firmware on the AP.
The configuration of this feature on the WGB is done under the Configuration - Security area. You need a user name and password configured here, so each WGB should have its own user name in the ACS database.
Since this is configured from the console you will also need to use user name security to restrict access to the web interface of the WGB. Otherwise some yahoo will HTTP to the device and get a valid ACS account user name and password (not a good thing).
As an aside, how did you get the hotel interested in the wireless solution? I have found them to be very tight on capital projects like this in the past and they tended to drop the project when they found out the cost per room. (please e-mail me on this, firstname.lastname@example.org)
Sure you could do LEAP on the WGB. This equipment is essentially an Access Point in non-root repeater mode with one exception: it has an active Ethernet jack.
Any of your 8 hosts on the WGB side would log on as usual... the root AP talking to the WGB would receive this logon info and pass it on to your RADIUS server. If their credentials are valid then the AP would generate a dynamic WEP key and pass that on to the client on the other side of your WGB.
Also, you will still be using WEP with EAP or LEAP. WEP is just another name for encryption. Specifically, your customers don't want you to use shared or open encryption.
The EAP configuration does not provide authentication of the clients on the wired side of the WGB. The authentication used by the Aironet products will only be supported by an Aironet wireless device (Client adaptor, WGB, or AP). The WGB is manually configured with the user name and password to use for authentication. This does NOT provide any type of authentication for the wired client end nodes.
The end nodes do not directly participate on the wireless network and therefore do not have any need for dynamic WEP keys (or any WEP key for that matter).
This does leave the issue of the network behind the WGB as being a shared medium and all clients wired to the bridge can either see all traffic to and from all clients (if a hub is used), or all broadcast traffic (if a switch is used). This should not be an issue for most environments, however it could be in a multi-tenant environment like a hotel.
One thing you need to keep in mind is with WGB firmware 8.58 the LEAP version is 8, and with all the wireless cards it's version 10 (firmware 4.25). So when setting up your Access Point you'll need to choose LEAP version 8 to make the WGB work, but your wireless card will not be able to authenticate, unless they downgrade to firmware 4.23.
Hopefully Cisco will have a new firmware release for the WGB out soon.