What would be the recommended advice for deploying WLAN at enterprise scale today, taking into consideration the following:
Security: VPN over wireless or EAP
EAP: EAP-TLS, LEAP or other variation of EAP
Radio: Stick with 2.4Ghz or wait for 5Ghz products?
Future: New 802.11 standards (e, g, h, i, etc.) and AES encryption
I am finding issues with wireless pretty confusing at the moment, i.e. invest now and have an older technology, or wait for next-generation products?
Wireless is like any technology: the longer you wait, the better it gets. We decided to deploy 802.11b Cisco Wireless as a secondary network for the convenience, security and mobility it offers. Everyone still has a network port on their desk; many don't even use it. We could have waited too, but when do you stop waiting and jump in? Our network is much better off today for having deployed wireless. BTW, we use LEAP authentication with 128-bit WEP and directional antennas with fine-tuned radios to cover our campus properly while eliminating off-campus hot spots. Your Cisco SE can design something for you to consider in your environment.
If you have any devices other than full-blown portables, you will want .11b - even if you also have .11g or .11a
Devices such as iPaq or SpectraLink's wireless VoIP phones won't support the higher data rates. If you think you need more than the 6Mbps (max. actual throughput) of .11b for some applications, you may want to consider either:
1. Hybrid implementation (.11b for distance and handhelds + .11g or .11a for throughput - which is 20-35Mbps in the "54" and "108" Mbps modes)
2. Citrix (or one of the alternatives) so that users will have desktop-equivalent performance - even with 100 users per .11b cell.
This is what I do for a living, so I am going to be an advocate of hopping right into the Wi-Fi world. But let me justify why: 802.11b is a tried and true standard in almost any product line, and since 802.11a is not backwards compatible with other products and costs are high, I don't see it as a viable solution right now. However, 802.11g will be backwards compatible with 802.11b and 802.11 equipment for years to come. And the big kicker is that once the radio design is complete (site survey), you won't have to redesign for 802.11g. You will, however, have to redesign for 802.11a if you already have 802.11b or 802.11 equipment in place.
As for encryption, Cisco's LEAP or Light Extensible Authentication Protocol works great with 128-bit WEP. Remember that nothing is totally secure, and a good design will go further than buying loads of security hardware and software. Hope I helped.
Go for it. If nothing else you will gain the experience of working with the wireless infrastructure, VPN, encryption and so on, and your users will gain appreciation of being able to move around to offices, conference rooms, etc. and support future upgrades.
802.11b will be here for a while. The speeds, roughly 4-5Mhz actual, are adequate for today's typical apps, which are email and web browsing. Going to something like wireless videoconferencing would obviously not be advisable with current wireless technology.
Once a newer technology comes around you will have actual hands-on experience, an authorization design in place, security issues will have become very obvious, and you will have an overall understanding of how things work. Upgrading at that point would probably include only AP and WLAN PC card reissues. Perhaps go to an 802.11a/802.11b combination card for the remote workstations.
Most current industry analysts say to stick with .11b as it has a strong foothold and will likely be around for a while, especially with the advent of .11g. As for .11a, there aren't any enterprise scale products available at this point. For most organizations contemplating WLAN deployment the best solution is .11b and, if needed, pockets of .11a for users with higher bandwidth needs.
As for security, as you know, you have many options. If a proprietary solution is not a problem then Cisco's LEAP architecture will provide adequate security in most scenarios. If a standards based solution is a must, you may want to look to third party products or VPN solutions.
All of the security solutions have trade-offs. For example, a VPN will only work with PCs or PDAs for which a compatible client is available.
I would go with 802.11g because it is backwards compatible with other standards. For securing the WLAN, make sure you place your APs in the DMZ zone of your network, and use VPN or AAA servers for encryption. If you email me at firstname.lastname@example.org (subject: cisco WLAN), I can forward you some good resources for securing the WLAN environment. Good luck.
Wireless is good, if you've got a reason to use it.
Wait until the new Cisco 1200 APs are released, and buy them with the 2.4GHz modules.
At the end of the year when the 5GHz modules are released, you can run 5GHz in areas where you need higher bandwidth; most handheld devices will use 2.4GHz as the power requirements are much lower.
When 802.11g becomes a standard (another year or two?), Cisco might release an 802.11g module for the 1200 APs.
Use whatever encryption suits the implementation - if it needs to be totally secure (bank transactions, etc) then a VPN is a good option. If it's mostly web browsing, then EAP/LEAP should keep people out of your network.
If I were you I would first read up on WLANs and get a good understanding of WLAN security and design. A good place to begin is the following article.
Securing your WLAN depends on the users and their needs, and how much money your customer is willing to spend. A RADIUS server with LEAP and with a VPN solution I believe is a good start to securing your LAN. Also make sure your APs are placed in the DMZ zone. How users authenticate to your corporate services is up to you. In any case, you want to make sure that rogue users do not gain access to your servers.
I would choose a Cisco AP device that is backwards compatible with 802.11a, again you are going to have to do some additional reading, and make sure you have a good understanding of the different WLAN standards.
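Several replies above say to put the APs in a DMZ and let wireless clients reach the inside only through a VPN or an AAA server, without showing what that segmentation looks like. The following is an added example, not from any poster in this thread: a constructed nftables forward policy for the WLAN segment. The interface names, subnets, the RADIUS server and VPN gateway addresses are all placeholders chosen for the example.

```text
#!/usr/sbin/nft -f
# Added example (not from the thread). Assumed topology, all values placeholders:
#   "wlan0" - the DMZ segment holding the APs and wireless clients
#   "lan0"  - the internal LAN
#   10.0.0.10 - RADIUS/AAA server,  10.0.0.20 - VPN concentrator
# DHCP and DNS for wireless clients are assumed to be served on the DMZ segment itself.
flush ruleset
table inet wlan_dmz {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies belonging to sessions already permitted are allowed through.
        ct state established,related accept

        # APs speak RADIUS (authentication 1812, accounting 1813) to the AAA server only.
        iifname "wlan0" oifname "lan0" ip daddr 10.0.0.10 udp dport { 1812, 1813 } accept

        # Wireless clients may reach the VPN gateway (IKE, NAT-T and ESP) and nothing else inside.
        iifname "wlan0" oifname "lan0" ip daddr 10.0.0.20 udp dport { 500, 4500 } accept
        iifname "wlan0" oifname "lan0" ip daddr 10.0.0.20 ip protocol esp accept

        # Everything else from the wireless segment towards the LAN is logged and dropped,
        # which is also where rogue or unauthenticated clients show up in the logs.
        iifname "wlan0" oifname "lan0" log prefix "wlan-dmz-drop " drop
    }
}
```

The point of the default-drop policy is that a client that associates with an AP but never completes RADIUS authentication or never brings up a VPN tunnel gets no path into the LAN at all; the log line on the final rule is the simplest detection of attempts to bypass that.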
Thank you all for your help...
It looks like the EAP/RADIUS method is the way to go...
Although it is not as secure as the VPN method, it does not have the problem of additional cost for an internal VPN gateway, and it allows users to roam across subnets without having to reauthenticate.
The issue now is what variation of EAP?
LEAP - Proprietary and only for Cisco NICs!
EAP-TLS - Requires the set up of CA infrastructure!
EAP-TTLS - Ideal solution that supports OTPs, but not yet available in Cisco ACU? Any news on timescales?
EAP-PEAP - Not yet available in Cisco ACU? Any news on timescales?
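To make the EAP/RADIUS choice in this last post concrete on the server side, here is an added example that is not from the thread or from any vendor: a constructed FreeRADIUS 3 "eap" module configuration that offers EAP-TLS by default and keeps EAP-TTLS and PEAP available for clients whose supplicant supports them. The certificate file names, the CA file, the inner virtual server name and the directory variables are assumptions for the example; the "CA infrastructure" the post mentions is exactly what the ca_file line consumes.

```text
# Added example (not from the thread): FreeRADIUS 3 mods-available/eap, constructed.
# Paths, file names and the inner-tunnel server name are assumptions.
certdir = ${confdir}/certs
cadir   = ${confdir}/certs

eap {
    # Supplicants that do not request a specific method are offered EAP-TLS first.
    default_eap_type = tls
    timer_expire = 60
    ignore_unknown_eap_types = no
    max_sessions = ${max_requests}

    # Shared TLS settings: the RADIUS server's own certificate and the enterprise
    # CA that issues client certificates. This is the CA infrastructure EAP-TLS needs.
    tls-config tls-common {
        private_key_file = ${certdir}/radius-server.key
        certificate_file = ${certdir}/radius-server.pem
        ca_file          = ${cadir}/enterprise-ca.pem
        ca_path          = ${cadir}
        dh_file          = ${certdir}/dh
        check_crl        = yes
        cipher_list      = "HIGH"
    }

    # EAP-TLS: mutual certificate authentication; no password ever crosses the air.
    tls {
        tls = tls-common
    }

    # EAP-TTLS and PEAP reuse the same server certificate and tunnel an inner
    # method (MS-CHAPv2 here). Only the server needs a certificate, so these suit
    # password or OTP back ends, at the cost of depending on supplicant support.
    ttls {
        tls = tls-common
        default_eap_type = mschapv2
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        virtual_server = "inner-tunnel"
    }
    peap {
        tls = tls-common
        default_eap_type = mschapv2
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        virtual_server = "inner-tunnel"
    }
    mschapv2 {
    }

    # LEAP is deliberately not configured: as the post notes it is vendor-specific,
    # and this server is meant to authenticate mixed client hardware.
}
```

With this in place, the trade-off the post describes becomes an operational one: EAP-TLS costs you certificate issuance and revocation for every client (hence check_crl), while TTLS/PEAP cost you only the server certificate but leave you waiting on the client supplicant for support.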