We are designing a wireless infrastructure and we are now thinking about security. We have 350 Series LAN Adapters in clients, 350 Series in Access Points, and two ACS 3.1 for authentication. We have read a lot about WEP keys, LEAP, etc., and we are a bit confused about encryption, keys, etc. What is the most secure solution with the equipment we have?
The most secure solution is to deploy a VPN-based one.
That said, you can get a high level of security with your equipment.
Regarding the authentication component, the most straightforward solution is to use LEAP with user/password authentication through the ACS Servers. Just beware that this is a Cisco proprietary solution, so you are going to be bound to them. With this kind of solution you must check:
- That LEAP supplicants exist for all the OSs of your clients.
- Where your users are defined (Windows NT domain, ODBC database, LDAP directory, ...); not all cases are supported.
Another authentication option is to use a more standard EAP method, like EAP-TLS, EAP-SIM or PEAP. Nowadays, the main problem with all of them is that they are only supported on Windows XP.
As for the encryption, use 128-bit WEP keys with the Cisco TKIP extensions: message integrity check (MIC), per-packet keying and broadcast key rotation.
Because you are speaking about the most secure solution, also think about the placement of the APs in your network. You can put them on a DMZ outside your firewall and filter the traffic properly.
Our case is not as secret as the Army's; what we mean is that we want the most secure option while still being practical.
Can you specify the configuration we have to do to get Cisco LEAP? We have configured LEAP without problems, but we don't know if we have to configure some WEP keys (static or dynamic) to make the connection more secure. We think that LEAP is secure about authentication and WEP is secure about encryption of the communication. Is that correct?
The most secure implementation at this time is LEAP, using your ACS either to store a manual database of user authentication details or configured to work with Microsoft NDS, until the PEAP tools are released, which is slated for Q3 of next year.
You could go overboard and implement over VPN, but this method, although very secure, does not scale well, and roaming functionality is lost in this type of implementation. However, it all depends on what you want to achieve. If security is your priority, then at this time VPN is the way to go; but if you are looking at functionality and flexibility, which I believe is what wireless is all about, then I would stick with LEAP.
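The follow-up question asks what has to be configured on the access points to get LEAP plus the encryption settings the first reply lists (128-bit WEP with MIC, per-packet keying and broadcast key rotation). Below is an added example configuration, not one posted in this thread, written for a Cisco Aironet access point running the IOS-based firmware (the 350 Series originally shipped with VxWorks firmware, so this assumes the later IOS image). The RADIUS server address 10.0.0.5, the shared secret placeholder, the SSID name `corp-leap` and the 600-second rotation interval are all made-up values to be replaced with your own.

```cisco
! --- RADIUS (ACS) definition: the AP forwards LEAP authentications to the ACS ---
aaa new-model
aaa group server radius rad_eap
 ! 10.0.0.5 is a constructed example address for one of the two ACS 3.1 servers
 server 10.0.0.5 auth-port 1645 acct-port 1646
aaa authentication login eap_methods group rad_eap
radius-server host 10.0.0.5 auth-port 1645 acct-port 1646 key <shared-secret-placeholder>

! --- Radio settings: dynamic WEP derived from the LEAP session, plus the Cisco extensions ---
interface Dot11Radio0
 ! "mandatory" refuses unencrypted clients; "mic" enables the message integrity check;
 ! "key-hash" enables per-packet keying (Cisco TKIP extensions named in the first reply)
 encryption mode wep mandatory mic key-hash
 ! rotate the broadcast (multicast) WEP key every 600 seconds (interval is an assumption)
 broadcast-key change 600
 ssid corp-leap
  ! network-eap is the authentication type LEAP clients use; eap_methods is the AAA list above
  authentication network-eap eap_methods
```

With this configuration no static WEP key has to be typed on the clients or the AP for unicast traffic: each client derives its own session key from the LEAP exchange with the ACS, and the AP generates and rotates the broadcast key itself, which is what the first reply means by "dynamic" keys. Verify the result on the AP with `show dot11 associations` (the client should show as associated with EAP authentication) and check the passed/failed authentication reports on the ACS.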