Small office and Wireless security..which method is best?

Discussion in 'Cisco' started by rjmnyc, May 20, 2006.

  1. rjmnyc

    rjmnyc Guest

    I work for a small company (50 computers) and they purchased a Cisco
    aironet 1231AG. Only 5 laptops will be configured for wireless access
    to our LAN and to the Internet. We have server 2003 and the laptops
    will run windows 2000 and xp. I've read that EAP-TLS or PEAP-TLS offer
    the most security but it seems like a lot of work for 5 laptops. Is
    there an easier way to get a high level of security without
    certificates? or just an easier way in general?
     
    rjmnyc, May 20, 2006
    #1
    1. Advertisements

  2. rjmnyc

    Merv Guest

    Merv, May 20, 2006
    #2
    1. Advertisements

  3. rjmnyc

    Gary Guest

    Yes. I would suggest using WPA2 PSK (pre-shared key) aka WPA2 Personal. It
    uses a pre-shared passphrase that can be very long plus it uses AES
    encryption. I use this at home where I've got 3-5 mobile devices but at
    the office I've deployed PEAP with WPA2 for 50+ mobile users who can now
    sign on to the WLAN with their Active Directory credentials. We're using
    the former Airespace line of Cisco products but I'll assume that Cisco's
    other wireless gear includes WPA2 PSK in addition to a multitude of
    enterprise options.

    http://www.wi-fi.com/knowledge_center/wpa2/

    -Gary
     
    Gary, May 20, 2006
    #3
  4. rjmnyc

    Merv Guest

    So along with other poster suggestions, summary of options:

    1. MAC address filter
    2. WPA2 with pre-shared key with/without MAC address filter
    3. LEAP with local RADIUS authentication on AP
    4. EAP-FAST with local RADIUS authentication on AP
     
    Merv, May 20, 2006
    #4
  5. rjmnyc

    rjmnyc Guest

    First of all, thanks for the responses. I'm going into the office
    tomorrow to do this so I'm really glad I have some responses to get me
    started. I'm telneted into the Aironet via VPN right now and I'm
    looking at the settings for EAP-FAST. The only question I have now is
    which hardware and operating systems will support EAP-FAST. It sounds
    like it is built into Windows 2000 SP4 and Windows XP, but does that
    mean the wireless network adapter does not play a role in
    compatibility? or is EAP-FAST only supported by certain wireless
    adapters?

    Thanks
     
    rjmnyc, May 20, 2006
    #5
  6. rjmnyc

    Merv Guest

    If all of your adapters are not Cisco then go with WPA2-PSK wjht MAC
    filters for now
     
    Merv, May 21, 2006
    #6
  7. rjmnyc

    Gary Guest

    MAC filtering with WEP is advisable but I don't see the point with WPA --
    unless you use a weak passphrase or expect someone to guess your strong
    passphrase. Also, I believe that drivers for recent Intel chipsets support
    most of the Cisco extensions.

    -Gary
     
    Gary, May 21, 2006
    #7
  8. rjmnyc

    BG Guest

    I would recommend

    PEAPV0 with AES.



     
    BG, May 22, 2006
    #8
  9. rjmnyc

    rjmnyc Guest

    Thanks for the tips. I decided to go with EAP-TLS for many reasons but
    mostly because I would like the challenge and experience of deploying
    it. The problem is the lack of good documentation on exactly how to do
    it. I have MS IAS and a few Aironet 1232AG's. Most of the stuff I have
    read has discussed how it works but I have yet to find anything like a
    step by step guide with the exception of a word document for doing it
    in a lab which wasn't quite as good as I had hoped. If there is anyone
    out there who has done this and can help or provide links to resources
    I would really appreciate it.
     
    rjmnyc, May 22, 2006
    #9
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.