Best authentication method for controlling access to wlan

Similar Messages

• Best authentication method for controlling DEVICE access to wlan

  Hello,
  I have a similar question to this thread ( https://supportforums.cisco.com/message/3927713 ) but I'm interested about device control on top of user control. Just like that thread, we are using WPA2-AES Enterprise with PEAP MSCHAPv2, which allow users to log on with their domain credentials. We wanted something simple for our users, so MSCHAPv2 with "single sign on" was optimal to us.
  Problem is, we have a new requirement and we need to implement it yesterday. We would like to allow only mobile devices and computers of our choice.
  Since we are using MSCHAPv2 which allow every domain user to connect using any device as long as their domain credentials are valid, is there a simple way to control this ?
  I guess we could go with MAC filtering, but we have about a thousand laptops. Not a big problem, we could do a regular MAC address inventory using SCCM. It's just that it looks like a brute force tactic to a simple problem. Would a Cisco ACE 4.1 RADIUS server tolerate well a MAC address table with a thousand entries ? What if it goes to two thousands ? Would this be easy to implement ? I'm a bit new to this, is there some documentation I could follow ?
  How do people usually do this in an elegant way ? How do you manage and control WLAN access to thousands of device ? I guess they go with TLS with certificates ?
  Thank you very much !
  Konnan

  Konnan,
  Just saw your PM:)
  Would it be possible to configure Access policies even if our Radius servers aren't joined to the domain ?
  > I really don't know... typically all my installs have the radius server joined to the domain.  I don't know what limitations you would have using the setup you currently are using.
  Still wondering if it would be a good path for us, because of the computer authentication issue where it happens only at logon in Windows if I read correctly and our users don't have the habit to log off frequently and we use only manual connection mode when the user already has his session open. I guess MAR will have to be set to a stupid high value... if it even works.
  > Well you need to sit down with everyone who is involved and really think out what works best for you.  Machine authentication works well, but then people wonder what happens if someone logs in that isn't authorized and that because the computer is a domain computer it automatically gets on the network.  Well your not going to get everything you want:)  So PEAP has issue because IT wants to limit the user to only be able to access using a company owned device... well, then ISE is your fix.  You can add a certificate that ISE can see and if that device has that or a registry value and the user is allowed to access the network, the authentication is allowed, or else it will not be.  EAP-TLS... well more work since you need a PKI infrastructure and both the radius and the clients need a cert...
  No matter what, you need to decide what works best and don't over complicate it with adding mac filter, etc.
  I'm wondering if EAP-TLS wouldn't be better for the long term, maybe with MAC Address restriction on the short term...
  > See above
  I'm also wondering if we could stay with PEAP MSCHAPv2 but use an NPS Radius server from Microsoft which allow to use complex policies instead of the Cisco ACS Radius server...
  > You need to know how to setup and configure the policies... either one will work, but if your on ACS 4.x, I would look at upgrading to 5.4.  ISE is replacing ACS as far as the radius portion, but tacacs isn't yet available on ISE.
  There's also the Cisco ISE, which seems to be equivalent to Microsoft NPS... a bit more costly OTOH.
  > ISE allows you to profile devices so you know what device is accessing your network.  Again, ISE is replacing ACS as far as the radius, but tacacs will soon be out and available for ISE.  If you really want to create crazy profiles, then ISE is the way to go.  You can specify that this user group is allowed wireless, but it has to be a domain computer.  The user isn't allowed access if its not a domain computer.  The same user group is allowed access with company iPads (certificate installed), but not have access with personal iPads, tablets or smartphones.
  Hope this helps.
  Thanks,
  Scott
  Help out other by using the rating system and marking answered questions as "Answered"

• Any best practice recommendations for controlling access to dashboards?

  Everyone,
       I understand that an Xcelsius dashboard compiled into a .swf file contains no means for providing access control to limit who can or how many times they can run the dashboard. Basically, if they have a copy of the .swf they can use it as much as they'd like. To protect access to sensitive data I'd like to be able to control who can access the dashboard and how many times or how long they can access it for.
       From what I've read it seems the simplest way to do this is to embed the swf file into a web portal that requires a user to authenticate before accessing the file. I suppose I can then handle how long they can access it from the back end.
       If I do this, is there anyway a user can do something like <right click - save as> on the flash file to save it on their local machine? Is there a best practice means for properly protecting the dashboard?
  Any advice would be appreciated,
  Jerry Winner

  Everyone,
       I understand that an Xcelsius dashboard compiled into a .swf file contains no means for providing access control to limit who can or how many times they can run the dashboard. Basically, if they have a copy of the .swf they can use it as much as they'd like. To protect access to sensitive data I'd like to be able to control who can access the dashboard and how many times or how long they can access it for.
       From what I've read it seems the simplest way to do this is to embed the swf file into a web portal that requires a user to authenticate before accessing the file. I suppose I can then handle how long they can access it from the back end.
       If I do this, is there anyway a user can do something like <right click - save as> on the flash file to save it on their local machine? Is there a best practice means for properly protecting the dashboard?
  Any advice would be appreciated,
  Jerry Winner

• Best cleaning method for i pad screen

  What are the best cleaning methods for the touch screen on the i pad /  Lot of fingerprints need to be removed.  Any special product recommendations?

  Personally I just use cleaning cloths such as those for camera lenses or glasses.

• Best method for controlling Office 365 updates

  Were looking for the best method for updating Office 365. We will be testing prior to releasing the version to the rest of the company.  We have a couple of methods we're contemplating but looking for any pros or cons for each.  We are also
  using SCCM 2012.
  1. Run setup.exe setting the version and internal install source in an .xml file run as an SCCM package using distribution points as the install source.
  2. Run click2runclient.exe with command lines setting the version and internal install source as an SCCM package using distribution points as the install source.
  3  Set the version through group policy and turn on automatic updates and don't specify an install source.
  Option 3 appears to be the most straight forward with the least administrative overhead.  Would it be possible to revert back to an earlier version using this method?
  I have read various articles but looking for any input as to what is working well  or not working for others.

  Hi,
  I would like to share this
  blog post with you, which provides an example how to implement a fully automated testing and deployment process of Office 365 updates. This deployment method provides you the ability to test updates before you approve them in my environment.
  The process might look like:
  Deploy Office 365 in your environment with Office Deployment Tool, configure the "Updates" element in the configuration.xml file so that updates are enabled and the "UpdatePath" attribute points to an internal source.
  Download the latest Office 365 build into a different internal source, configure your test machine to pick up builds from it.
  After testing the updates, copy the updates to the first internal source.
  You should be able to integrate the process with SCCM to reduce your administrative effort.
  Hope this helps.
  Regards,
  Ethan Hua
  TechNet Community Support
  It's recommended to download and install
  Configuration Analyzer Tool (OffCAT), which is developed by Microsoft Support teams. Once the tool is installed, you can run it at any time to scan for hundreds of known issues in Office
  programs.
  Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• Authentication method for JCo connection in XSS installation

  Hi All,
  I have a query which perplexes me.  I am implementing XSS (ESS/MSS) on SAP Portal EP6 SR1 with an ECC5 backend for prototype purposes.
  When I follow SAP's help steps to setup JCo connections, it states that for the metadata connection you should use a security authentication method of 'User/Password', but for the application data connection you should use a security authentication method of 'Ticket'.
  Does anyone know why the difference in methods here?  Is it possible to use 'User/Password' for both?  Any thoughts would be appreciated.

  Hi john,
  User -ID /Pwd method can be used to access the backend for both types of Data as per your scenario.
  User -ID /Pwd method and logon tickets both can be used to access data in backend.
  The difference lies in the scenario with which you are accessing the back-end.
  If all your portal users are same as backend users then you can select Logon ticket methods.
  If they are going to be different then you need User-ID /Pwd method .
  Check the following link to get a clear picture:
  <a href="http://help.sap.com/saphelp_ep50sp2/helpdata/en/4d/dd9b9ce80311d5995500508b6b8b11/frameset.htm">Scenario to use type of SSO</a>
  Hope it helps.
  Regards,
  Vivekanandan

• What's the best authentication model for a PRO*C process?

  We presently have a system where 5 or so PRO*C-based processes on remote nodes (HP OpenVMS) connect to a database (RH Linux) using Oracle Client and insert data. The current authentication method is for the C based program to read a connection string from a file and use that string to connect via an embedded sqlplus call.
  This works fine, however having the string contained in a file isn't all that great an idea, even with the protection we give it. It would be easy for a programmer to recompile & debug the process and read the string, so it's not really all that secure. It also just doesn't seem the best way to do this....
  I know this isn't much information to go on, but can anyone suggest a better model for this scenario that avoids putting connection strings and passwords in a file?
  Thanks in advance

  thanks for your helpfull evaluation.
  On the security question is it possible for you to use the Oracle Wallet ?
  http://www.stanford.edu/dept/itss/docs/oracle/10g/network.101/b10772/asowalet.htm
  Please ask more on that thread or post a question to the section : for security Questions/issues.
  Forum Home » Technologies » Security
  Hope this helps.
  Regards,
  Hub

• Best isolation method for Web Dynpr iViews ?

  I'm going to develop some Web Dynpro iView to be integrated into the SAP EP.
  THese iViews should work with KM APIs.
  I read into the HelpOnline it's possible to chose between Embedded or the URl isolation method.
  As far I know te web Dynpro tecnology offers the special client able to render just the changes and not the whole page....but i expect i have to set anyway an isolation method.
  I would like to know which in your opinion the best isolation settings method for the WebDynpro iView.
  regards and thanks in advance

  Hi Mauro,
      URL isolation method is better for several reasons:
  1. Performance: In Embedded Isolation method iView content is collected at the server side and sent to the client with the entire page, which obviously degrades performance.
  2. PageBuilder limitations: Page does not add scrollbars to iViews is one such limitation.
  3. A page may contain several form-type iViews. If the isolation method is set to Embedded, one iView may lose the information in its input fields when another form on the page is submitted.
  Regards,
  Satyajit.

• ACE Best Sticky Method for SSL Traffic

  Hi, With ACE 4710 running serverfarms primarily running SSL traffic, what is the best method for configuring stickiness. Here are some parameters:
  1) low volume sites, 2 real servers
  2) ACE _will not_ do SSL offloading
  3) Balancing HTTPS requests
  4) Many versions of HTTP clients
  5) Currently running ACE A1 code
  I am thinking of:
  1) TCP Header | HostID inspection
  2) SSL-session ID (not good if re-key often though)
  3) Any suggestions?
  many thx,
  WR

  Hi Will,
  You can see a comple configured example for your perusal in this regard for
  Configure ACE Module for End to End SSL Termination
  http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00809c6f37.shtml
  And Many more here regarding
  Data Center Application Services Configuration Examples:
  http://docwiki.cisco.com/wiki/Category:Data_Center_Application_Services_Configuration_Examples
  Hope these configuration examples will be useful to you.
  Sachin Garg

• Best Encoding method for decent quality but low file size

  Been trying to encode some mountain bike helmet cam footage which is fairly fast moving and looking for the best method for encoding at a decent quality without to much pixelation occuring. videos will be on my website so want file size to be kept quite low. website is www.extremesportsfilms.com if anyone is interested.
  Cheers

  Thank you, Harm !
  This is the first time in my carreer, that I've seen a qualitysetting that doesn't inflict on filesized
  I went in to set the bitrate diffently, but the field is grey'd out - it's not possible for me to change.
  It seems to be locked no matter what quicktime-format I choose. If I choose h.264 format insted, I CAN change bitrate, but I need to deliver in XDcam for this client.
  Is there no way for me to make the XDcam files smaller, then? They end up 5-7GBs for each show and with my upload-speed, it takes me 6-7 hours to upload and I would like to speed this up by decreasing the file sizes a little, if possible?
  Thanks

• What is the best method for controlling a data switch of 20x20 ports, with local and remote requests?

  I'm using booleon control boxes for 'source' ports - to be connected to 'customers' ports. Am not sure of choosing between arrays, clusters, case, etc.

  Thanks, however, I simply meant my boolean 'ports' to mean a 'yes/no' control box of a 'data source', which, when selected, would signify a 'source' that could then be connected to a 'customer' port or 'receiving box'. Perhaps instead of port, I should have said input/output box.
  My main question is simply about a data switch matrix of 20 inputs and 20 outputs. Should I attempt to manage the switching of data lines via cases, for loops, sequence, or what! I believe I will need to set up arrays, but controlling the matrix is ???. Thanks.

• Which is the best authentication method?

  Okay; I'm asking this question a little late as I've already done my implementation and made my choices.
  Still; It seemed to me the most secure form of authentication for my small ~100 user wireless network was EAP-TLS. My requirements needed me to simply authenticate the machine to the network so a simple certificate based authentication using the same for the encryption seemed the best route. Also the others seemed to have less actual security in them from what I read.
  What other options are there that might be simple and rely on a user/pass combination rather than the certificate and are they truely better?
  My boss really liked the certificate method as it gave us what he felt was hard controls.
  Of course the cert management is a bit of a pain...

  Eap-TlS is also good
  Try this link
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a008009256b.shtml

• Authentication methods for BYOD senario?

                    I am in charge of setting up a 2500 wireless controller and a slew of 1142n APs as well coming up with a method to authenticate devices. This is a bring your own device senario so I do not have admin access to the devices. I would think that using MAC address filtering and a WEP key for authentication is the simplest and most cross platform method. Is there a way that I can capture the MAC addresses from the devices from lets say one of my APs and then add the MACs to the filter database? The person that will be adding the devices and the device owners themselves (high school students) might have a hard time finding the MAC of the devices, not to mention the possibility of entering them incorrectly. I was thinking that I can have an AP near the person that the users go to for setting up access that is setup to only use a WEP key to authenticate and then capture the MAC address of the authenticated devices to add to the MAC filter database used for the rest of the APs on the campus.
  Thanks in advance!

  The limit is indeed on the WLC. You can only have 2048 records. These records can be account logons, mac addresses etc. They all pull from the same pull.
  If you are only managing a few macs then it may not be so bad. If you are doing 50+ it will be a pain. Also it adds little value. Anyone can spoof a mac address get around mac filtering.
  Does that help ?
  "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
  ‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

• Best Authentication Library for Windows Phone 8.1 & Windows Desktop 8.1 Windows Store apps using Open Connect 1.0

  What's the best go forward framework (Web Authentication Broker, WPF, other) to use when authenticating against an Open Connect 1.0 authentication server (that's OpenID + oAuth v2.0)?  My developer says that Web Authentication Broker is not supported
  in Windows Desktop 8.1 (so if you can confirm this that would be great also).
  We've created a universal app to support Windows Destkop, Tablet, Phone (8.1 and up) and plan to add support for iOS and Android via Xamarin later.
  Your feedback is appreciated.
  Jacob Hall [email protected]

  Hi Jacob,
  This is not the correct forum for your question, I'll move it to [where is this forum for...] forum, where the moderator may direct you to the correct forum.
  Thanks for your understanding.
  We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
  Click
  HERE to participate the survey.

• Best thread method for a chat server

  What would be the best way to thread a chat server in Java? I understand threads, but I'm new to java. I'm just looking for links to the appropriate classes not code. I already have the send/receive methods planed, but I'm interested in the best ways to pool the clients once connected.

  class: Thread
  interface: Runnable
  The two items above are what you need.