Standalone AP 2602i + WPA Enterprise

srsiddiqui2007 · ‎10-29-2014

Hi,

We have two Cisco 2602i devices installed in our network and around 90+ users are simultaneously connected over the network. In order to tighten the network with loop holes need to configure some features on these standalone devices.

1. Configure WPA-Enterprise with TKIP / AES

2. Disable WPS

3. MAC Address filtering so that no mobile device is connected over the network for security reasons.

What is the best method to achieve all the three points in order to avoid WEP Encryption, Password Cracking, Traffic Interception, MAC Filtering Bypass.

Since we also have ACS 5.4 but not very well versed with it.

Rasika Nayanajith · ‎10-29-2014

Hi

Refer this & you would find it useful

http://mrncciew.com/2013/11/14/autonomous-ap-with-external-radius/

HTH

Rasika

*** Pls rate all useful responses ***

srsiddiqui2007 · ‎10-30-2014

the suggested link only showing WPA2 configuration, what if WPA-Enterprise is required to be configured and how can we do so there is no WPA-Enterprise option in 2602i

Secondly, anyone can connect over the network with Wi-fi password whereas only selected laptops are required to be connected or other authorized personnel only.

If we don't enable PEAP, it means that no mobile user will be connected what so ever brand is

Since I am not familiar with ACS, will the specified steps can setup required security measure as in my first post. What else is prerequisite ACS before setting up WPA-Enterprise

have to manually create all users can we bind users with mac address ??

I dont have TLS certificate, can it be bypassed ??

What is the difference between internal /customized identity store

Don't we require to add AP IP Address in ACS ??

Rasika Nayanajith · ‎10-30-2014

suggested link only showing WPA2 configuration, what if WPA-Enterprise is required to be configured and how can we do so there is no WPA-Enterprise option in 2602i

WPA2-Enterprise, mean you use RADIUS server & use 802.1X/EAP for wireless connectivity. Given reference post use ACS 5.2 as RADIUS & PEAP as EAP method for wireless client authentication.

WPA2-PSK, is without RADIUS server, you configure a preshared key (PSK), which is not ideal for an enterprise as everyone has to use same PSK.

I dont have TLS certificate, can it be bypassed ??

You have to have certificate on server side for PEAP. Both server & client certs required for TLS. EAP-FAST which is not certificate based, but it is not that secure.

have to manually create all users can we bind users with mac address ??

You can create user locally on RADIUS server or you can configure RADIUS server to query Active Directory (AD). If you want to use MAC address as username/password, then you need to configure ACS for host authentication & still MAC address list to be populated

Don't we require to add AP IP Address in ACS ??

Given post, I have used "Default Network Device" option where it will allow any device configured with that shared secret to communicate with ACS.

HTH

Rasika

**** Pls rate all useful responses ****

srsiddiqui2007 · ‎10-31-2014

is PEAP mostly used for mobile access over the network ??

do i have to purchase TLS certificate or we can generate it by installing CA services on Windows 2008 Domain Controller and generate certificate from there which can be imported in ACS

which points should be kept in mind for generating the certificate with above method

but the authenticity and expiration of certificates is still beyond my limits