Velocity Reviews - Computer Hardware Reviews
LEAP & ACS Alternatives

 
 
N. Hall
      05-27-2005
Hello,

We have a large installed base of Aironet 1200 Access Points at our main
locations, and we also have some smaller sites that also need wireless
access. These smaller sites are connected back to the main location via
VPN.

We are currently doing LEAP for security and we use Cisco ACS Solution
Engines for security. We use the ACS for user administration, and also for
restricting MAC addresses that are allowed on the network.

The question is, since I don't really want to be dependent upon the VPN
connection back to the main office to connect to the ACS to run these remote
wireless networks, are there any other reasonable alternative ways to
provide at least MAC lockdown security? I could obviously lock down each
access point individually to certain MACs, but that becomes an
administration nightmare because, assuming your users will roam, you would
have to put the MAC manually in every single AP.

Here are the ideas we have thought of so far:

1. Use the ACS for authentication (not preferred because we must also rely
on our VPN tunnel staying up for the wireless to work)
2. Use a 3rd Party ACS (probably not cost effective, plus it means running
an additional server at each site)
3. Possibly use Kiwi CatTools to script out the MAC lockdowns to each AP
(we already own CatTools, so it is free, but probably still a lot of
administration)

MAC lockdowns are the absolute minimum security we would need; obviously the
more the better. I am open to any other ideas.

Thanks for any advice.


Uli Link
      05-27-2005
N. Hall wrote:


> The question is, since I don't really want to be dependent upon the VPN
> connection back to the main office to connect to the ACS to run these remote
> wireless networks, are there any other reasonable alternative ways to
> provide at least MAC lockdown security? I could obviously lock down each
> access point individually to certain MACs, but that becomes an
> administration nightmare because, assuming your users will roam, you would
> have to put the MAC manually in every single AP.


Starting with IOS 12.2(15)JA you can set up an AP as WDS, and this one can
use its local MAC authentication for all registered APs. So you'll only
need to put the MAC addresses on the WDS (and a backup WDS).

Works great as long as the number of addresses fits in the startup-config.

> MAC lockdowns are the absolute minimum security we would need; obviously the
> more the better. I am open to any other ideas.


MAC lockdown isn't really any security measure. An attacker will read
valid MACs from beacons and association/disassociation requests.

--
Uli
Erik Tamminga
      05-28-2005
Hi,

Recent IOS releases support an internal RADIUS database which you can use as a
fall-back mechanism. Configure the internal RADIUS on one of the
access points at the remote location so your users (or at least the most
important users) can have wireless access in case the VPN connection goes
down. You only need to configure the internal RADIUS on one (or two for
redundancy) access points at the remote location and point all other access
points to use that access point in case the VPN fails.

Erik
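As an added example that is not code from either reply, here is one way to put Uli's WDS suggestion and Erik's local RADIUS fallback together on Aironet IOS: one AP at the remote site is the WDS and carries a local RADIUS database holding both the MAC list and the LEAP users, its server group lists the central ACS first so the local copy is only consulted when the VPN is down, and the other APs register with the WDS. The addresses, SSID, user names and keys are placeholders, and the command set is assumed from the 12.2(15)JA-era Aironet feature set the thread describes.

```cisco
! WDS AP at the remote site, BVI1 = 10.20.0.2 (placeholder). Central ACS = 10.1.0.10 over the VPN.
aaa new-model
! Server order is fallback order: the ACS across the VPN first, this AP's own RADIUS second
radius-server host 10.1.0.10 auth-port 1645 acct-port 1646 key CentralSecret
radius-server host 10.20.0.2 auth-port 1812 acct-port 1813 key LocalSecret
radius-server deadtime 5
aaa group server radius rad_all
 server 10.1.0.10 auth-port 1645 acct-port 1646
 server 10.20.0.2 auth-port 1812 acct-port 1813
aaa authentication login eap_methods group rad_all
aaa authentication login mac_methods group rad_all
!
! Local RADIUS database on the WDS: every AP that will query it is a NAS,
! MAC entries are mac-auth-only (12 hex digits, no delimiters), LEAP users carry a password
radius-server local
 nas 10.20.0.2 key LocalSecret
 nas 10.20.0.3 key LocalSecret
 user 001122334455 nopassword mac-auth-only
 user jsmith password 0 LeapPassw0rd
 user apinfra password 0 ApInfraPass
!
! This AP is the WDS; member APs hand their MAC and LEAP authentications to it,
! which sends them to rad_all (ACS first, local database when the ACS is unreachable)
wlccp authentication-server infrastructure eap_methods
wlccp authentication-server client mac mac_methods
wlccp authentication-server client leap eap_methods
wlccp wds priority 254 interface BVI1
! A second AP with the same radius-server local block and a lower priority acts as backup WDS
!
dot11 ssid corp
 authentication open mac-address mac_methods
 authentication network-eap eap_methods mac-address mac_methods
!
! ---- Member AP at the same site (10.20.0.3) ----
! Same radius-server host / aaa lines as above, then it registers with the WDS
! and authenticates itself with the apinfra account held in both databases
wlccp ap username apinfra password 0 ApInfraPass
wlccp ap wds ip address 10.20.0.2
dot11 ssid corp
 authentication open mac-address mac_methods
 authentication network-eap eap_methods mac-address mac_methods
```

As Uli notes above, the MAC list only filters devices; the network-eap (LEAP) line is what actually authenticates users, and the MAC list is limited by what fits in the WDS startup-config.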
