LEAP & ACS Alternatives

Discussion in 'Cisco' started by N. Hall, May 27, 2005.

  1. N. Hall

    N. Hall Guest

    Hello,

    We have a large installed base of Aironet 1200 Access Points at our main
    locations, and we also have some smaller sites that also need wireless
    access. These smaller sites are connected back to the main location via
    VPN.

    We are currently doing LEAP for security and we use Cisco ACS Solution
    Engines for security. We use the ACS for user administration, and also for
    restricting MAC addresses that are allowed on the network.

    The question is, since I don't really want to be dependent upon the VPN
    connection back to the main office to connect to the ACS to run these remote
    wireless networks, are there any other reasonable alternative ways to
    provide at least MAC lockdown security? I could obviously lock down each
    access point individually to certain MACs, but that becomes an
    administration nightmare because, assuming your users will roam, you would
    have to put the MAC manually in every single AP.

    Here are the ideas we have thought of so far:

    1. Use the ACS for authentication (not preferred because we must also rely
    on our VPN tunnel staying up for the wireless to work)
    2. Use a 3rd Party ACS (probably not cost effective, plus it means running
    an additional server at each site)
    3. Possibly use Kiwi CatTools to script out the MAC lockdowns to each AP
    (we already own CatTools, so it is free, but probably still a lot of
    administration)

    MAC lockdowns are the absolute minimum security we would need, obviously the
    more the better. I am open to any other ideas.

    Thanks for any advice.
    N. Hall, May 27, 2005
    #1

  2. Uli Link

    Uli Link Guest

    N. Hall wrote:

    > The question is, since I don't really want to be dependent upon the VPN
    > connection back to the main office to connect to the ACS to run these remote
    > wireless networks, are there any other reasonable alternative ways to
    > provide at least MAC lockdown security? I could obviously lock down each
    > access point individually to certain MACs, but that becomes an
    > administration nightmare because, assuming your users will roam, you would
    > have to put the MAC manually in every single AP.

    Starting with IOS 12.2(15)JA you can set up an AP as WDS, and this one can
    use its local MAC authentication for all registered APs. So you'll only
    need to put the MAC addresses on the WDS (and a backup WDS).

    Works great as long as the number of addresses fits in startup-config.

    > MAC lockdowns are the absolute minimum security we would need, obviously the
    > more the better. I am open to any other ideas.


    MAC lockdown isn't really any security measure. An attacker will read
    valid MACs from beacons and association/disassociation requests.

    --
    Uli
    Uli Link, May 27, 2005
    #2

  3. Erik Tamminga

    Hi,

    Recent IOS releases support an internal RADIUS database which you can use as a
    fall-back mechanism. Configure the internal RADIUS on one of the
    access points at the remote location so your users (or at least the most
    important users) can have wireless access in case the VPN connection goes
    down. You only need to configure one (or two for redundancy) access points'
    internal RADIUS at the remote location and point all other access points to
    use that access point in case the VPN fails.

    Erik

    "N. Hall" <nospam5857> wrote in message
    news:42975ebb$0$3716$...
    > Hello,
    >
    > We have a large installed base of Aironet 1200 Access Points at our main
    > locations, and we also have some smaller sites that also need wireless
    > access. These smaller sites are connected back to the main location via
    > VPN.
    >
    > We are currently doing LEAP for security and we use Cisco ACS Solution
    > Engines for security. We use the ACS for user administration, and also
    > for restricting MAC addresses that are allowed on the network.
    >
    > The question is, since I don't really want to be dependent upon the VPN
    > connection back to the main office to connect to the ACS to run these
    > remote wireless networks, are there any other reasonable alternative ways to
    > provide at least MAC lockdown security? I could obviously lock down each
    > access point individually to certain MACs, but that becomes an
    > administration nightmare because, assuming your users will roam, you would
    > have to put the MAC manually in every single AP.
    >
    > Here are the ideas we have thought of so far:
    >
    > 1. Use the ACS for authentication (not preferred because we must also
    > rely on our VPN tunnel staying up for the wireless to work)
    > 2. Use a 3rd Party ACS (probably not cost effective, plus it means
    > running an additional server at each site)
    > 3. Possibly use Kiwi CatTools to script out the MAC lockdowns to each AP
    > (we already own CatTools, so it is free, but probably still a lot of
    > administration)
    >
    > MAC lockdowns are the absolute minimum security we would need, obviously
    > the more the better. I am open to any other ideas.
    >
    > Thanks for any advice.
    Erik Tamminga, May 28, 2005
    #3
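    Erik's fall-back arrangement written out as an added example; this is not configuration from the thread or from Cisco, but a constructed illustration of the IOS local-authenticator feature he refers to. One Aironet AP at the remote site (assumed address 10.20.30.5) holds the local RADIUS database; every AP at the site, including that one, lists the central ACS across the VPN first and the local authenticator second. All addresses, shared secrets, the SSID `corp-wlan`, the list names `eap_methods` / `mac_methods` and the user entries are placeholders. The `mac-auth-only` user shows the same local database holding a MAC entry, which is the local-authenticator counterpart of the WDS list Uli describes (a separate mechanism, but the same idea of keeping the list on one or two APs instead of all of them).

```cisco
! ---- AP that acts as the site's local authenticator (constructed example) ----
aaa new-model
radius-server local
 ! Every AP at the site that will send RADIUS requests here, with its shared secret.
 ! Requests from an address that is not listed as a nas are dropped.
 nas 10.20.30.5 key SITE-LOCAL-SECRET
 nas 10.20.30.6 key SITE-LOCAL-SECRET
 nas 10.20.30.7 key SITE-LOCAL-SECRET
 group remote-staff
  ssid corp-wlan
  reauthentication time 1800
  ! Lock an account for 10 minutes after 3 failed attempts
  block count 3 time 600
 ! LEAP users kept locally so they keep working while the VPN is down
 user jdoe password Jd0e-L0cal group remote-staff
 user asmith password Asm1th-L0cal group remote-staff
 ! MAC address as user name, twelve hex digits, for a client that only does MAC auth
 user 0011223344aa password 0011223344aa group remote-staff mac-auth-only

! ---- Every AP at the site, including the local authenticator itself ----
! Central ACS over the VPN first, local authenticator second.
radius-server host 172.16.1.10 auth-port 1812 acct-port 1813 key CENTRAL-ACS-SECRET
radius-server host 10.20.30.5 auth-port 1812 acct-port 1813 key SITE-LOCAL-SECRET
! Mark a server that stops answering as dead for 10 minutes, so clients
! are not held up by the timeout on every authentication while the VPN is down
radius-server deadtime 10
radius-server timeout 3
radius-server retransmit 2
aaa group server radius rad_eap
 server 172.16.1.10 auth-port 1812 acct-port 1813
 server 10.20.30.5 auth-port 1812 acct-port 1813
aaa authentication login eap_methods group rad_eap
aaa group server radius rad_mac
 server 172.16.1.10 auth-port 1812 acct-port 1813
 server 10.20.30.5 auth-port 1812 acct-port 1813
aaa authentication login mac_methods group rad_mac
interface Dot11Radio0
 ssid corp-wlan
  authentication open mac-address mac_methods eap eap_methods
  authentication network-eap eap_methods mac-address mac_methods
```

    Two practical points follow from Erik's and Uli's replies. The local database lives in the AP's startup-config and is not synchronised with the ACS, so any user or MAC added centrally has to be added on the local authenticator (and its backup) by hand or by a CatTools-style script, which is the administration cost being traded for independence from the VPN. And a MAC entry, whether on the WDS or in the local authenticator, only limits which addresses may associate; it does not authenticate anyone, for the reason Uli gives, so it belongs alongside the LEAP users, not in place of them.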
