Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Simple Plug and Play Secure Wireless?

I am trying to setup a simple way to have wireless users on our network be able to connect to our access points, authenticate to our ACS Server (Cisco Hardware ACS applicance) but without having to go through special configurations on the client. This needs to be secure too and not easily broken. We are using Cisco 1200 and 1300 802.11G AP's and the clients vary from having integrated wireless NIC's to running Cisco Wireless cards, to running other branded cards. We are currently using PEAP, but it is time consuming to configure and sometimes confusing to the users. I was thinking of switching to open authentication on a isolated subnet and using a Cisco BBSM (Building Broadband Service Manager) to securely connect to our network, but Cisco just made this device end of sale, end of life, so I'm hesitant to go this route. WPA/WPA2 or some of the other PEAP/EAP/LEAP are configuration intensive too. Any suggestions? Does cisco have anything to replace the BBSM? What about PPOE? Would this be an alternative? Can I use a router or firewall to terminate these connections or would I need a specialized server or other device? I really need a simple way to securly connect end users to our wireless network without any undue configuration on their end.

  • Security and Network Management
1 REPLY
Green

Re: Simple Plug and Play Secure Wireless?

Probably the easiest would be to keep the wireless communications open, and use a VPN concentrator running to an SSL VPN client on the laptops/pcs.

All they'd have to do is aim their browser that the VPN gateway, and allow the SSL client to be downstreamed to their computer.

Beyond that, use your BBSM proxy or provide user auth at the VPN concentrator.

Leave the SSID in broadcast mode ("guest").

With this system, most clients can find the wireless system (SSID broadcast), the encryption via the SSL VPN is very strong, and there'd be no real configuration for the clients. Just aim the browesr at the VPN gateway/concentrator and enter the username and password.

Also, make sure you enable "Public Secure Packet Forwarding" (PSPF) to prevent one client from attacking other clients on te wireless LAN.

Users that use the system on a regular basis could get / use certificates for authentication. If they're on the system a lot, then the minor grief of setup would be worth it.

The SSL client uses Java, I believe, so it should be fairly universal (i.e., not platform specific). I haven't tried te SSL client n any system other than MS Windows so I can't really comment on *nix or Mac.

The SSL gate ( 3000 series) that we use for our Lab access seems to work pretty well.

Good Luck

Scott

190
Views
0
Helpful
1
Replies