Security and Management of Wireless Access Points

dss2 · ‎01-07-2003

We have a network of eight (8) Cisco 350 Access Points.

We would like to enable security through WEP and designating specific MAC (Hardware) addresses.

Please advise as to the most efficient manner of inputting hardware addresses into all of our access points and managing many access points.

derwin · ‎01-07-2003

Entering all of the MAC address can be very time consuming depending on how many clients you have.

A better method is MAC based Authentication, this requires a radius sever but means you only have to enter the addresses into the radius server and not every AP

The details can be found here

http://www.cisco.com/univercd/cc/td/doc/product/wireless/airo_350/accsspts/ap350scg/ap350ch8.htm#1029067

If you have all Cisco clients then I would strongly recommend LEAP over Mac based authenication, you will find the details on LEAP on the same link

David

bbenton · ‎01-07-2003

We went with LEAP, and also wanted to use MAC-based auth as well... but... using MAC-based authentication means the mac address is the userid and the mac address is also the password in the ACS server. Not a very smart move if you're concerned at all about security.

derwin · ‎01-07-2003

From a clients point of view it should be LEAP or MAC based authentication not both at the same time.

Yes MAC based authentication is a step down on the the security level from LEAP but is also a step up from just static WEP.

My recommendation is for Cisco Clients use LEAP and if you have to provide support to some non Cisco clients then use MAC based authentication only for them.

Check out the whitepaper on WLAN security it will go through the advanatges and disadvantages of each method.

http://www.cisco.com/warp/public/102/wlan/nextgen.html

http://www.cisco.com/warp/public/cc/so/cuso/epso/sqfr/safwl_wp.htm

damien.wildgoose · ‎01-08-2003

In a setup I recently worked on, we used LEAP as it was 100% Cisco, but we also had Cisco Access Control Server available which can provide MAC address filtering. Not quite the same as MAC based authentication, but it works very well.

bbenton · ‎01-08-2003

We wanted the same thing, but couldn't get passed the mac address filtering needing a userid and password being the same as the real mac address. How do you get passed that? Newer version of ACS? We're running ACS v2.6.1.

damien.wildgoose · ‎01-08-2003

We were running ACS v3.0 - im not sure if it would be the same in 2.6.1 but under Group Settings on the main screen, you can edit settings for the particular group of users, in the edit settings screen there is a Network Access Restrictions section - the bottom half of that is headed Define CLI/DNIS based access restrictions. 3 fields headed Port, CLI and DNIS respectively are here, if no port restrictions are in place for the MAC address enter an asterix (*), put the MAC addy in the CLI field and an asterix in the DNIS field.

Enter the info into the table and select the checkbox to activate the restrictions, then select Permitted calling/point of access location. As far as I know its intended for remote connections - but can be used for MAC filtering, or at least it appears to work nicely :)

Hope that helps.

rsumpter · ‎01-14-2003

According to the Cisco TAC they are recommending that you turn on the "Separate CHAP/MS-CHAP/ARAP" password within TACACS and set that password to a strong random password, 20 plus char. Once this is selected you cannot use the MAC address and MAC password (which are the same if using MAC authentication) as a LEAP user login. Of course if someone figures out the strong random password then they could use the MAC userid and strong password as the LEAP login.

jkennedy · ‎01-09-2003

I agreee, LEAP would definately be the best choice. As far as MAC Address filtering, Wavelink Mobile Manager allows you to manage all your access points as well as set up a VLACL (Very Large Access Control List). This makes it much easier to distribute MAC filters to all of your Access Points at one given time. If you incorporate this with LEAP it would be much more secure. But it could be pricey if you plan on growing your wireless network. The license for Mobile Manager is sold on a per Access Point basis.

ED CARMODY · ‎01-14-2003

Hmmm....all these replies, with good information, and no one answered your question!

You can't cut and paste a list of MACs into a Cisco AP (how come, I don't know). What you need to do is enter one MAC address. Then download a non-default config file out of the AP. Then find the lines that changed, and you have your template for adding MAC address lists in one fell swoop. I made a little excel spreadsheet to let me paste in a list of MACs, then spit out the config file lines that you can add as an "additional configuration file" via the web gui.

You could also add the list via SNMP.

There's also an import utility in the cli for the ACS server that will let you suck in MAC addresses.

Hope this helps.

Just remembered, the APs for some reason convert the hex format of a MAC into dotted decimal. So, when you paste your list in, you need to convert it from hex to dotted decimal, produce your config lines with those, and then shoot those config lines to the AP. I couldn't find anyone in the TAC that could explain why adding a list of MACs was such a chore.