I am trying to setup a simple way to have wireless users on our network be able to connect to our access points, authenticate to our ACS Server (Cisco Hardware ACS applicance) but without having to go through special configurations on the client. This needs to be secure too and not easily broken. We are using Cisco 1200 and 1300 802.11G AP's and the clients vary from having integrated wireless NIC's to running Cisco Wireless cards, to running other branded cards. We are currently using PEAP, but it is time consuming to configure and sometimes confusing to the users. I was thinking of switching to open authentication on a isolated subnet and using a Cisco BBSM (Building Broadband Service Manager) to securely connect to our network, but Cisco just made this device end of sale, end of life, so I'm hesitant to go this route. WPA/WPA2 or some of the other PEAP/EAP/LEAP are configuration intensive too. Any suggestions? Does cisco have anything to replace the BBSM? What about PPOE? Would this be an alternative? Can I use a router or firewall to terminate these connections or would I need a specialized server or other device? I really need a simple way to securly connect end users to our wireless network without any undue configuration on their end.
Probably the easiest would be to keep the wireless communications open, and use a VPN concentrator running to an SSL VPN client on the laptops/pcs.
All they'd have to do is aim their browser that the VPN gateway, and allow the SSL client to be downstreamed to their computer.
Beyond that, use your BBSM proxy or provide user auth at the VPN concentrator.
Leave the SSID in broadcast mode ("guest").
With this system, most clients can find the wireless system (SSID broadcast), the encryption via the SSL VPN is very strong, and there'd be no real configuration for the clients. Just aim the browesr at the VPN gateway/concentrator and enter the username and password.
Also, make sure you enable "Public Secure Packet Forwarding" (PSPF) to prevent one client from attacking other clients on te wireless LAN.
Users that use the system on a regular basis could get / use certificates for authentication. If they're on the system a lot, then the minor grief of setup would be worth it.
The SSL client uses Java, I believe, so it should be fairly universal (i.e., not platform specific). I haven't tried te SSL client n any system other than MS Windows so I can't really comment on *nix or Mac.
The SSL gate ( 3000 series) that we use for our Lab access seems to work pretty well.
We are moving! Please use WLCCA Forum for updates and discussions
[toc:faq] Wireless LAN Controller (WLC) Config Analyzer Download Click
here to Download To request access, send an e-mail to
firstname.lastname@example.org. Please include your Cisco.com userna...
[toc:faq] IntroductionHere is the step by step process that we have to
take care of while converting LWAPP to IOS and then vice versa..LWAPP to
IOSThe hardware used = 1141 AP (make sure we are using the right
[toc:faq] Introduction AnyConnect Secure Mobility Client 3.0: Network
Access Manager & Profile Editor on Windows Summary Use the Cisco
AnyConnect Network Access Manager Profile Editor to build custom
profiles for the AnyConnect Secure Mobility Client. App...