Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
417
Views
0
Helpful
1
Replies

Simple Plug and Play Secure Wireless?

NPT_2
Level 2
Level 2

‎02-08-2006 03:55 PM - edited ‎07-04-2021 11:37 AM

I am trying to setup a simple way to have wireless users on our network be able to connect to our access points, authenticate to our ACS Server (Cisco Hardware ACS applicance) but without having to go through special configurations on the client. This needs to be secure too and not easily broken. We are using Cisco 1200 and 1300 802.11G AP's and the clients vary from having integrated wireless NIC's to running Cisco Wireless cards, to running other branded cards. We are currently using PEAP, but it is time consuming to configure and sometimes confusing to the users. I was thinking of switching to open authentication on a isolated subnet and using a Cisco BBSM (Building Broadband Service Manager) to securely connect to our network, but Cisco just made this device end of sale, end of life, so I'm hesitant to go this route. WPA/WPA2 or some of the other PEAP/EAP/LEAP are configuration intensive too. Any suggestions? Does cisco have anything to replace the BBSM? What about PPOE? Would this be an alternative? Can I use a router or firewall to terminate these connections or would I need a specialized server or other device? I really need a simple way to securly connect end users to our wireless network without any undue configuration on their end.

Labels:
0 Helpful
1 Reply 1

scottmac
Level 10
Level 10

‎02-08-2006 06:40 PM

Probably the easiest would be to keep the wireless communications open, and use a VPN concentrator running to an SSL VPN client on the laptops/pcs.

All they'd have to do is aim their browser that the VPN gateway, and allow the SSL client to be downstreamed to their computer.

Beyond that, use your BBSM proxy or provide user auth at the VPN concentrator.

Leave the SSID in broadcast mode ("guest").

With this system, most clients can find the wireless system (SSID broadcast), the encryption via the SSL VPN is very strong, and there'd be no real configuration for the clients. Just aim the browesr at the VPN gateway/concentrator and enter the username and password.

Also, make sure you enable "Public Secure Packet Forwarding" (PSPF) to prevent one client from attacking other clients on te wireless LAN.

Users that use the system on a regular basis could get / use certificates for authentication. If they're on the system a lot, then the minor grief of setup would be worth it.

The SSL client uses Java, I believe, so it should be fairly universal (i.e., not platform specific). I haven't tried te SSL client n any system other than MS Windows so I can't really comment on *nix or Mac.

The SSL gate ( 3000 series) that we use for our Lab access seems to work pretty well.

Good Luck

Scott

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card