Cisco Support Community
New Member

Security Advice


We are thinking of installing two Aironet APs for a small group of people here. The management does not want to set up any additional boxes (RADIUS, etc.). I have read that WEP alone is akin to Swiss cheese in terms of security and that more secure methods require additional hardware (LEAP, etc.). How secure can I get with only an AP and OS security features? Are there any APs that have additional security built in? TIA


New Member

Re: Security Advice

The standard secure approach begins with:

- Anonymous SSID

- MAC filters


- APs on an isolated VLAN using a separate subnet (no DHCP) connected through a Firewall

There's a company called Colubris that has RADIUS built into the AP, but the overall effect would not be any simpler to manage than a separate RADIUS server.

As for the 'Swiss Cheese' perspective, it takes time and deliberate effort to crack a proper 128-bit WEP key. If you were to install four keys on each device and manually rotate them at the AP (as opposed to LEAP's automatic rotation), you would make a hacker's job four times as hard.

If that level of security is insufficient, your management has no excuse for refusing to install a third party box.

Matthew Wheeler

Blue Modal

Cisco Employee

Re: Security Advice

My opinion on how to secure your network is this:

Much of the hype about wireless insecurity was based on:

a) Customers that did not enable the security features that were available

b) Vendors that did not implement wireless security well

That being said, WEP was/is broken. The IEEE is working on standards to mitigate the cryptographic problems with WEP.

Cisco has released the “Cisco Wireless Security Suite” which is a suite of software for APs and client stations that provide a pre-standards implementation of these fixes.

With these enhancements to WEP, there is no known way to break it; the Airsnort tool will not succeed in determining the WEP key or decrypting traffic.

A good general article about the enhancements is available here;

Specific assistance on downloading and configuring the new software is available at these links;

With these fixes to WEP encryption, key management becomes the major problem. Key management is the issue that Cisco’s EAP-Cisco (AKA LEAP) implementation tackles.

With static WEP, keys should be rotated periodically; this involves configuring every client NIC and AP in the network with a complex 26-digit string. If one laptop/NIC card goes missing, every client and AP in the network needs to be changed. If one person with knowledge of the key leaves, every client and AP in the network needs to be changed.

Cisco-EAP (AKA LEAP) removes the key management burden. A unique, dynamic session WEP key is generated every time a client accesses the wireless network. In addition, the key can be automatically (and transparently to the user) changed after a set time period.

EAP-Cisco (AKA LEAP) key management does need an external RADIUS server (from Cisco, or one of a few external vendors that support EAP-Cisco/LEAP).

So for your network, if it's small enough that you can deal with the key management issues, static WEP **may** be sufficient.

EAP-Cisco LEAP is a much better solution for most deployments.

A few other opinions:

I do not believe the SSID should be treated as part of the security solution (IEEE never intended it to be). The SSID is supposed to be the **name** of your network. A meaningful name will help non-technical clients be assured they are connecting to the correct network (especially when choosing from a list with a Windows XP type interface). Call your SSID whatever you like and rely on security mechanisms (WEP/EAP/VPN) to provide the security.

Don’t use MAC filters (if you have the WEP enhancements). MAC filters are insecure (easily spoofed) and needlessly complicate your security deployment.

Put your APs on a separate subnet/VLAN in each wiring closet. This will help keep the broadcast domain small. By putting the APs on a separate subnet you can also identify any traffic to or from wireless clients; this may help with network management. I believe that the EAP-Cisco (LEAP) and the WEP enhancements provide for secure wireless LAN deployments and additional firewalling of the WLAN is unnecessary.

Please check out the WLAN design guides available under “related links” on the right-hand side of this page for more WLAN design/security guidance.

New Member

Re: Security Advice

Bruce - while SSID and MAC filters are not a reliable means of securing a WLAN, I think that they are certainly worth paying attention to.

An SSID of 'FinanceINC' or 'MedicalRecords' would be far too tempting to anyone out War Driving, thus the recommendation to use an anonymous SSID (other than ANY, DEFAULT, TSUNAMI, etc.).

A MAC address filter is easily hacked by intentional effort, but helps eliminate unintentional effects - such as users buying their own WLAN card. For some companies this is not a concern, others I think are very nervous about such a liability.

I am always interested in your well informed opinions.

Matthew Wheeler

Blue Modal

New Member

Re: Security Advice

Thanks a ton, your replies really helped. Our WLAN rollout should be under 30 people, so I believe manual key rotation would work, but I am going to recommend using the Cisco RADIUS. Does anyone have a link to some good documentation on Cisco's RADIUS server? Thanks


Cisco Employee

Re: Security Advice

Glad to hear it.

The RADIUS server is called ACS, and there is lots of information on the links on this page;

Please also check out the WLAN design guide linked to on the right-hand side of this page; the "Small Stand Alone Office" design sounds very similar to your environment.

Let me know if you need more specific information than this.