New Member

Wireless Security change

Currently I am running WPA2 TKIP PSK on all of my WLANs. I was given the task of changing the pre-shared keys once a year. I have 5 WLANs at each site. How would one go about doing this to make it as easy as possible? Or should we change to something else?

1 ACCEPTED SOLUTION
14 REPLIES

Wireless Security change

Sean,

I must say that rotating keys is a royal pain in the buttocks. WPA2 with TKIP, that's interesting. Normally we see WPA2 AES.

So if you stick with the key rotation deal, I would use WCS to push the WLAN change so you know it's consistent across your controllers. But that's the easy part. The hard part is touching all the clients.

If I were you and if you can, I would look at doing EAP, if you have a RADIUS server. If you don't have a RADIUS server and you don't have a lot of clients, do local RADIUS on the controller or stand up a RADIUS server.

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
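As an added illustration (not code from the original thread, from Cisco, or from any poster), the following Python builds the controller CLI for the two paths discussed above: rotating the PSK on one WLAN while dropping TKIP for AES, and moving a WLAN from PSK to 802.1X against a RADIUS server. The command syntax is AireOS-style as recalled from the WLC CLI reference and is an assumption to verify against your controller release; the WLAN IDs, the RADIUS address and the shared secret are placeholders, and the one-WLAN-per-month schedule follows the plan proposed later in the thread.

```python
import secrets
import string

# Constructed example inventory: the five WLANs listed in the thread as
# common to every site. WLAN IDs are placeholders; take real ones from
# `show wlan summary` on the controller.
SITE_WLANS = {
    1: "IP phones",
    2: "site devices, laptops",
    3: "handheld devices, scanners, printers",
    4: "physicians (personal devices, own broadband)",
    5: "open public (no encryption)",
}
# Only the PSK-protected WLANs are candidates for key rotation.
PSK_WLANS = [1, 2, 3]

PSK_ALPHABET = string.ascii_letters + string.digits + "!#%&*+-=?@^_"


def generate_psk(length=63):
    """Random WPA2 ASCII passphrase (IEEE 802.11i allows 8-63 characters)."""
    if not 8 <= length <= 63:
        raise ValueError("WPA2 ASCII PSK must be 8-63 characters")
    return "".join(secrets.choice(PSK_ALPHABET) for _ in range(length))


def psk_rotation_commands(wlan_id, new_psk):
    """AireOS-style CLI (assumed syntax) to rotate the PSK on one WLAN.

    The WLAN is disabled before any security change and re-enabled after;
    TKIP is dropped in favour of AES at the same time.
    """
    return [
        f"config wlan disable {wlan_id}",
        f"config wlan security wpa wpa2 ciphers tkip disable {wlan_id}",
        f"config wlan security wpa wpa2 ciphers aes enable {wlan_id}",
        f"config wlan security wpa akm psk set-key ascii {new_psk} {wlan_id}",
        f"config wlan enable {wlan_id}",
    ]


def dot1x_migration_commands(wlan_id, radius_index, radius_ip, shared_secret):
    """AireOS-style CLI (assumed syntax) to move a WLAN from PSK to 802.1X."""
    return [
        f"config radius auth add {radius_index} {radius_ip} 1812 ascii {shared_secret}",
        f"config radius auth enable {radius_index}",
        f"config wlan disable {wlan_id}",
        f"config wlan security wpa wpa2 ciphers tkip disable {wlan_id}",
        f"config wlan security wpa wpa2 ciphers aes enable {wlan_id}",
        f"config wlan security wpa akm 802.1x enable {wlan_id}",
        f"config wlan security wpa akm psk disable {wlan_id}",
        f"config wlan radius_server auth add {wlan_id} {radius_index}",
        f"config wlan radius_server auth enable {wlan_id}",
        f"config wlan enable {wlan_id}",
    ]


def rotation_plan(wlan_ids, start_month=1):
    """One WLAN per month: returns {wlan_id: (month, psk, commands)}.

    A fresh key is generated per WLAN so a leaked key on one SSID does not
    expose the others; pushing the new key to clients stays a manual step.
    """
    plan = {}
    for i, wid in enumerate(wlan_ids):
        month = (start_month - 1 + i) % 12 + 1
        psk = generate_psk()
        plan[wid] = (month, psk, psk_rotation_commands(wid, psk))
    return plan


def disabled_before_change(commands, wlan_id):
    """Sanity check: every security change sits between disable and enable."""
    first = commands.index(f"config wlan disable {wlan_id}")
    last = commands.index(f"config wlan enable {wlan_id}")
    return all(
        first < i < last
        for i, c in enumerate(commands)
        if c.startswith("config wlan security")
    )


if __name__ == "__main__":
    for wid, (month, psk, cmds) in rotation_plan(PSK_WLANS, start_month=3).items():
        print(f"# WLAN {wid} ({SITE_WLANS[wid]}), rotate in month {month}")
        print("\n".join(cmds))
```

The generated command lists can be pushed per controller (or through WCS templates, as suggested above); `disabled_before_change` is there because a security change applied to an enabled WLAN is the usual cause of a rejected command or a half-applied change.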
New Member

Wireless Security change

Yes, it will be a pain; unfortunately we do not have a RADIUS server in place. Well, configuring the WLANs will be easy, but the thing about it is we have 5 WLANs at 13-plus sites. Each site could have upwards of 1000-plus clients. One thought was to move 1 WLAN each month, creating a new WLAN with a new key and then having desktop support push the new key out.

Wireless Security change (accepted solution)

Wow, if you have that many clients, you need to go RADIUS. Do you realize the problem this will be?

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
New Member

Wireless Security change

Believe me, we know. I kinda figured RADIUS would be the best option but I wanted to make sure.

Wireless Security change

I would forget about the "how" with the keys and move into the design of the RADIUS. RADIUS is the way to go. Have it point back to AD / LDAP, which will make it very dynamic in the sense that you can control security by user and not by a PSK key, which is weak anyway.

Talk a little bit about your setup today. We can offer some insight on a potential design.

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
New Member

Wireless Security change

Currently at most locations I have 5 WLANs; some sites have 6 or 7 because of H-REAP and other situations.

But 5 of the WLANs are common at each location:

WLAN 1 - IP phones

WLAN 2 - site devices, laptops, etc.

WLAN 3 - handheld devices, scanners, printers

WLAN 4 - physicians' wireless - completely separate from network

WLAN 5 - open public wireless (no encryption) - completely separate from network

Some sites have 1 or 2 extra WLANs but these are the primary ones. The physician wireless most likely will not change because they use their own personal devices.

The physician and public wireless go out their own broadband connection.

Hall of Fame Super Silver

Wireless Security change

The biggest issue is that you have devices that might not support 802.1X. When using 802.1X, the device needs to be part of the domain or the user will need to be part of the domain. The major thing is, are you allowing employees to bring their own device and allowing them to use their AD credentials to log in to the wireless? Looks like you will still need PSK, maybe for the printers, and if your policy is to change it every year, well, it will be a manual change to each of those devices.

-Scott
*** Please rate helpful posts ***
New Member

Wireless Security change

Scott,

You are right on the mark; we do have a number of devices that do not support 802.1X on several of the WLANs. We have a large number of different types of clients, with more and more different types of devices being added to the wireless every year. While we could implement RADIUS in some instances, it would require creating a number of other WLANs moving forward.

Wireless Security change

Kevin,

I too work in a very large healthcare environment. I will tell you, we are 100% RADIUS (EAP-PEAP and EAP-FAST). Almost all newer devices will support RADIUS. We have over 6,000 clients and all do RADIUS. That's not to say you won't come across some that do not. Even older devices may need a firmware upgrade to support RADIUS. But Scott is on target: you will need to see what devices can and cannot.

As for adding more WLANs, I would caution you not to exceed 5 WLANs. As you add more, your network utilization will increase for management overhead. All networks are designed differently, so it would be hard to say what impact yours might have. But I have seen some networks with 6 and 7 WLANs produce 55% network utilization with no network traffic; it was all management frames.

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin

Wireless Security change

+5 Scott (I hope things are well).

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
New Member

Wireless Security change

George,

I don't discount RADIUS altogether, and it is something to look to work towards. One of my main concerns has been the number of WLANs, for the very reason you mentioned. There is a lot of legacy equipment that we are working with, and as we upgrade/replace those devices we are doing so with an eye to the future and our new infrastructure.

Thanks for your input.  You and Scott, as well as a number of other members of this board have been a great resource throughout the years that I have been involved in wireless networking.

Wireless Security change

Hey, no worries. Just glad we can help. Cisco has a great ecosystem and we all benefit from it! Stop back if you have any other questions, and good luck to you!

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
Hall of Fame Super Silver

Wireless Security change

George... doing good so far:)

Kevin,

What you need to do is take a look at all the devices you have and place them in a group in which you can match the encryption method and your security policies. For example... iPhones and personal devices.... Heck... all this should be using the guest SSID. Like George mentioned, keep the SSID count to a minimum, especially in large environments. If you look at it this way, voice should be separated, and most of your data network can use the same SSID. Of course you have the one-off vendors that want their own. But if any device does not need internal access.... put them on guest and be done with it. I could go on and on, but I have to go back to work:)

Good luck!

-Scott
*** Please rate helpful posts ***
New Member

Wireless Security change

Scott,

Without getting into too much detail, 5 WLANs is the least we can currently deploy. As we upgrade/replace devices moving forward, we will hopefully be able to shrink that number, but I doubt it - video is beginning to enter the fray, and is posing challenges of its own, lol.

We have a long-term plan given the newness (approx. 1 year) of the Cisco infrastructure. My background is wireless (and primarily Cisco) but in the distribution vertical. Healthcare and its variety of devices/challenges (every specialty device seems to only use 2.4 GHz) is providing a lot of learning experiences. We'll get there, with time.
