10-29-2014 04:09 AM - edited 07-05-2021 01:50 AM
Hi,
We have two Cisco 2602i devices installed in our network, and around 90+ users are simultaneously connected over the network. In order to tighten the network against loopholes, we need to configure some features on these standalone devices.
1. Configure WPA-Enterprise with TKIP / AES
2. Disable WPS
3. MAC Address filtering so that no mobile device is connected over the network for security reasons.
What is the best method to achieve all three points in order to avoid WEP Encryption, Password Cracking, Traffic Interception, and MAC Filtering Bypass?
We also have ACS 5.4, but we are not very well versed with it.
10-29-2014 12:30 PM
Hi
Refer this & you would find it useful
http://mrncciew.com/2013/11/14/autonomous-ap-with-external-radius/
HTH
Rasika
*** Pls rate all useful responses ***
10-30-2014 04:23 AM
The suggested link only shows WPA2 configuration. What if WPA-Enterprise is required to be configured, and how can we do so, since there is no WPA-Enterprise option on the 2602i?
Secondly, anyone can connect over the network with the Wi-Fi password, whereas only selected laptops or other authorized personnel should be connected.
If we don't enable PEAP, it means that no mobile user will be connected, whatever the brand.
Since I am not familiar with ACS, will the specified steps set up the required security measures as in my first post? What else is a prerequisite in ACS before setting up WPA-Enterprise?
Do we have to manually create all users? Can we bind users with MAC addresses?
I don't have a TLS certificate; can it be bypassed?
What is the difference between an internal and a customized identity store?
Don't we require adding the AP IP address in ACS?
10-30-2014 08:43 PM
The suggested link only shows WPA2 configuration. What if WPA-Enterprise is required to be configured, and how can we do so, since there is no WPA-Enterprise option on the 2602i?
WPA2-Enterprise means you use a RADIUS server and 802.1X/EAP for wireless connectivity. The referenced post uses ACS 5.2 as the RADIUS server and PEAP as the EAP method for wireless client authentication.
WPA2-PSK is without a RADIUS server; you configure a preshared key (PSK), which is not ideal for an enterprise as everyone has to use the same PSK.
I don't have a TLS certificate; can it be bypassed?
You have to have a certificate on the server side for PEAP. Both server and client certs are required for TLS. EAP-FAST is not certificate based, but it is not that secure.
Do we have to manually create all users? Can we bind users with MAC addresses?
You can create users locally on the RADIUS server, or you can configure the RADIUS server to query Active Directory (AD). If you want to use the MAC address as username/password, then you need to configure ACS for host authentication, and the MAC address list still has to be populated.
Don't we require adding the AP IP address in ACS?
In the given post, I used the "Default Network Device" option, which allows any device configured with that shared secret to communicate with ACS.
HTH
Rasika
**** Pls rate all useful responses ****
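As an added illustration of the reply above (this configuration is not from the original thread or the linked post), here is the autonomous-AP side of a WPA2-Enterprise setup: the AP is pointed at an external RADIUS server for 802.1X/EAP (PEAP is negotiated between the client and the RADIUS server; the AP only relays EAP), the SSID is bound to WPA2 key management with AES-CCMP, and an optional local MAC allow-list is attached. The RADIUS address 10.1.1.20, the shared secret, the SSID name CORP-SECURE and the two MAC addresses are assumed placeholders; the example uses no VLAN tagging to keep it short.

```cisco
! Added example, not from the original thread. Assumed values: RADIUS 10.1.1.20,
! shared secret "SharedSecretHere", SSID CORP-SECURE, placeholder MAC addresses.
aaa new-model
!
! RADIUS server group and the login method list the SSID will reference.
aaa group server radius rad_eap
 server 10.1.1.20 auth-port 1812 acct-port 1813
aaa authentication login eap_methods group rad_eap
!
! The shared secret here must match the one entered for this AP (or for the
! "Default Network Device") on the RADIUS server.
radius-server host 10.1.1.20 auth-port 1812 acct-port 1813 key SharedSecretHere
!
! Optional local MAC allow-list. MAC addresses are sent in the clear and are
! trivially spoofed, so this is only a nuisance filter layered on top of 802.1X,
! never a substitute for it.
access-list 700 permit 0011.2233.4455 0000.0000.0000
access-list 700 permit 0011.2233.4466 0000.0000.0000
access-list 700 deny 0000.0000.0000 ffff.ffff.ffff
dot11 association mac-list 700
!
! SSID: open system + EAP (what most supplicants use) and network-EAP (legacy
! Cisco clients), WPA2 key management. No PSK is configured anywhere.
dot11 ssid CORP-SECURE
 authentication open eap eap_methods
 authentication network-eap eap_methods
 authentication key-management wpa version 2
 guest-mode
!
! Radio: AES-CCMP only (no TKIP, no WEP), then attach the SSID.
interface Dot11Radio0
 encryption mode ciphers aes-ccm
 ssid CORP-SECURE
 no shutdown
```

Two checks worth making after applying it: `show dot11 associations` should list clients only after a RADIUS Access-Accept, and the RADIUS server log should show the AP's IP as the NAS (if it does not, the shared secret or the RADIUS host entry is wrong). The server-side certificate the reply mentions matters for the "Traffic Interception" concern in the first post: PEAP protects the user's password only if the client supplicant is configured to validate the RADIUS server's certificate and to accept only the expected server name, otherwise a rogue AP presenting any certificate can harvest credentials. If the MAC list is to live on the RADIUS server instead of in ACL 700, the SSID can be switched to `authentication open mac-address <method-list> eap eap_methods`, which makes the AP send the client MAC to RADIUS for the host authentication the reply describes.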
10-31-2014 12:30 AM
Is PEAP mostly used for mobile access over the network?
Do I have to purchase a TLS certificate, or can we generate it by installing CA services on the Windows 2008 Domain Controller and generate a certificate from there which can be imported into ACS?
Which points should be kept in mind for generating the certificate with the above method?
But the authenticity and expiration of certificates are still beyond my limits.