Cisco Support Community

New Member

Confused with security options

We are going to implement a 4402 WLC and light-weight APs on our network. Our network is basic with windows servers and windows XP clients. The wireless network will be used by our users for local resources and our guests for access to a broadband service for which we are setting up a separate SSID and VLAN. I'm comfortable with the WLC and AP deployment. For guest access I've been researching the WLC guest login/authentication page option.

For our local users I'm really confused on all the security and authentication options. I know the options are: WPA, WEP, TACACS, MAC address, PKI, 802.11, Layer 1, Layer 2, Layer 3, EAP, TKIP, RADIUS, but I'm really confused which to use for our local users and how to configure the right option. Our security needs are not that great as we are not passing government secrets but I know WEP is not an option for us. I would greatly appreciate if someone can point me in the direction to understand the security options and which would best suit our needs.

Thank you,

Jeff

1 ACCEPTED SOLUTION

Accepted Solutions
Green

Re: Confused with security options

For link security, if all of your clients support it, use WPA (WPA2 if possible) with AES encryption.

If some clients don't support AES, it's possible to offer TKIP as well.

For client authentication, as usual, it boils down to what resources (human and processing) are available, budget, and administrative pain (coupled to how dynamic your user population tends to be).

If you have a small number of employees / hosts / devices, and they tend to not be a high turnover group, the shared key ("WPA-PSK" or "WPA-Personal") works ok. It is strongly recommended that you use a fairly long and complex key (you only have to enter it once during configuration of each client).

If your group changes, and / or it's a larger group, then consider using an "Enterprise" authentication, like PEAP, LEAP, or EAP-FAST which can be tied to your domain server / Microsoft authentication credentials by way of a RADIUS server (like Microsoft IAS, which you probably already have available).

Security-wise, completely rule out MAC filtering (useless, easily defeated), non-broadcast SSID (useless, no security impact, creates problems with many MS Windows clients), and anything using static WEP.

TACACS+ is very good for authentication, but may be overkill for your scenario. Cisco ACS and TACACS+ offer a lot of options, but if you don't need all the options, then it's just adding complexity.

It gets easier when you remember that the link security and encryption (WPA, WPA2) are separate from the user authentication (802.1x delivered via userlist, RADIUS, TACACS+ by way of EAP methods).

The Planet3 book for CWNA published by Osborne is an excellent reference and training guide and covers the essentials (and more) of how all of this fits together and common / best practice implementations.

Good Luck

Scott

2 REPLIES
New Member

Re: Confused with security options

Thank you for the reply as your information was a big help. I bought the book you recommended and it has been a great help with understanding the security confusion.

Thanks again,

Jeff
