Deploying a secure internal wireless network

Hi, we've got a 5508 WLAN controller with about 200 WAPs currently deployed for guest access only. We would now like to deploy wireless for our internal network as well and would like for this to support voice as well. I'm reviewing the various options that are available and trying to figure out which one is the best. I've narrowed it down to EAP-TLS and PEAP with MS-CHAPv2 with Windows-based certificates. Our management wants us to use Microsoft RADIUS servers instead of ACS. Just wanted to get some feedback to see if someone has done this in their environment before and the pros and cons of choosing one authentication method over another.
Thanks in advance for your valuable input!

Let's be clear...
You can only do EAP-PEAP or EAP-TLS with WZC. This is not a limitation of ISE, rather it's a limitation of WZC. Take a peek at the EAP options and you will see.
ISE can be used as a RADIUS server or you can proxy to another RADIUS server, for example ACS. ISE allows all EAP types: PEAP, LEAP, TLS, etc. If you use ISE as a RADIUS server, you can also take advantage of the RADIUS probe.
One problem is CoA and WZC. If a CoA has to happen after a device is already connected, it most likely will not work with WZC. Let me give you an example.
Let's say you need to do a VLAN move for a user from VLAN 200 to VLAN 300. ISE may not properly identify the device until after it has an IP. The user's HTTP traffic is then analyzed and it's "hey, this guy needs to move from 200 to 300". The WLC will make that move after being instructed by ISE, but your WZC is still on VLAN 200, IP address-wise. The CoA will happen on the WLC, but the WZC client will sit and spin because of the IP/VLAN mismatch.
Suppose you used the Cisco AnyConnect wireless client. If a CoA happens like the above example, the AnyConnect client will detect that the traffic is not passing and it will re-IP automagically.
Does that make sense?

Similar Messages

  • Windows phone security on wireless networks

    I am a post-doc at a large medical center, and requested access to our secure wireless network due to the nature of my work. I was told by our IT support desk analysts that Windows Phone is not supported at our medical center (at all), because Windows phones are "too insecure to put on our network." Because of this, I either have to get rid of my brand new Windows Phone to get an Android or I will never be allowed to have access to the secure Wi-Fi as necessary for my job. Any thoughts or suggestions? This seems to be a serious limitation of Windows Phone.

    Your support desk is outright lying to you. There is no issue with Windows Phone security on wireless networks; they just don't want to support your phone. It might be possible that Windows Phone doesn't support the particular kind of wireless encryption that your org uses, but I'm pretty sure that was all solved with Windows Phone 8.
    In fact, Windows Phone is more secure in some ways because unlike iOS and Android, you cannot override security certificate problems.

  • Unable to Access My "secure" home wireless network

    Airport works fine when finding unsecure networks requiring no password to log on, such as in public areas. But it won't work thru my secured wireless network. I use a D-Link wireless router. AirPort "sees" the network, but it requires a log on to gain access for the first time. I'm positive I have the right password. I've spent a lot of time with the ISP here in Kuwait, and granted, Mac isn't their strong suit, but they keep pointing back to the problem being with the computer. I can plug into the router with a cable and everything is fine and I can access my neighbor's unsecure network thru his router...thanks neighbor. Any suggestions?
    Mac Book Pro 17"   Mac OS X (10.4.10)  

    I was having similar problems. A few things:
    1. Check to make sure drivers are up to date for D-Link. I would double check your settings for your router.
    2. This is more of a question. Do you have a lot of people that come over to your place and use your apartment? I was having problems with my Linksys router and I decided to set up a MAC filter instead.
    3. Hard reset the router.
    4. Check D-Link's website to see if they have any information regarding the router problem.

  • Securing my wireless network slowed me down

    Hello,
    I have just secured my wireless home network (WEP). I am not really concerned about advanced hackers - I just do not want curious neighbors getting into my shared files. I have two wireless laptops and one wired desktop. The network works great in that I get excellent signal strength. But now websites are not loading well. Especially technical sites (like Linksys or email). Craigslist, say, loads fine and quick. It is the same with my desktop - this is curious to me. My unsecured network is still ghost-ing and when I connect to it - the pages load just fine. Then when I connect back to the secured network - it's slow. I switched to WPA - same thing. I switched back to unsecure network - same thing. I have run virus software - it seems I'm clean.
    Please - any help would be great!
    Thanks

    What's the model number of your router? Assuming you have a G series router.
    I think you need to make some changes on your router. Follow the steps below and I think once all the changes have been made on your router it will work perfectly fine.
    Open an Internet Explorer browser page on your wired computer (desktop). In the address bar type - 192.168.1.1 and press Enter...Leave username blank & in password use admin in lower case...
    For Wireless Settings, please do the following : -
    Click on the Wireless tab
    - Wireless Network mode should be mixed...
    - Provide a unique name in the Wireless Network Name (SSID) box in order to differentiate your network from your neighbour's network...
    - Set the Wireless channel to 11-2.462GHz...Wireless SSID broadcast should be Enabled and then click on Save Settings...Please make a note of Wireless Network Name (SSID) as this is the Network Identifier...
    For Wireless Security : -
    Click on the Sub tab under Wireless > Wireless Security...
    Change the Wireless security mode to WEP, Encryption should be 64 bit. Leave the passphrase blank, don't type in anything...
    Under WEP Key 1 type in any 10 numbers please (numbers only and no letters, e.g. your 10 digit phone number) and click on Save Settings...
    Please make a note of WEP Key 1 as this is the Security Key for the Wireless Network...
    Click on Advanced Wireless Settings
    Change the Beacon Interval to 75 >>Change the Fragmentation Threshold to 2304, Change the RTS Threshold to 2304 >>Click on "Save Settings"...
    Now see if you can locate your Wireless Network and attempt to connect...

  • Secure AX wireless network. How do I do it?

    How can I check if my AX wireless network is secure and if it is not how do I go about securing same?

    To set up wireless security on the AirPort Express Base Station (AX), either connect to the AX's wireless network or temporarily connect your computer directly (using an Ethernet cable) to the Ethernet port of the AX, and then, using the Airport Admin Utility, check these settings:
    Change Wireless Security
    o Wireless Security: WPA Personal or WPA2 Personal
    o Password: <enter your desired network password or phrase>
    o Verify Password: <re-enter your desired network password or phrase>
    o Encryption Type: WPA and WPA2
    o Click "OK"
    Base Station Options - WAN Ethernet Port
    o Enable SNMP Access (unchecked)
    o Enable Remote Configuration (unchecked)
    o Enable Remote Printer Access (unchecked)

  • Securing a wireless network with 802.1x + WPA

    I'm currently in the process of designing a new wireless network and am looking to do both authorization from a RADIUS server (Active Directory) and encryption using WPA. Rather than setting a pre-shared key and distributing it to all the users I would rather have the AP automatically distribute the encryption key after the user has authenticated. Is this possible? If so, which Cisco APs support this functionality?

    I don't think you can do that. You might want to think about the following (if you have all Windows clients)
    - Use PEAP machine authentication and push out the config (over the wire) via GPO
    - Configure a domain controller with PKI (Certificate Services) and machine auto-enrollment. Use EAP-TLS for authentication, and push out the wireless config via GPO
    - Use WPA with PSK and push out the config via GPO.
    The only problem is that your wireless client config would need to be pushed out over the wire (not wireless) via GPO. This also assumes that your wireless supplicant is Wireless Zero Config (and not the Intel PROset or Cisco Aironet stuff).
    I'm afraid you're going to have to touch the machines one way or the other, but you can touch them remotely (via GPO) or touch them manually to configure the wireless settings.

  • Re: Enabling Security on Wireless Network w/ Windows XP (SP2) laptop?

    Currently, security is not enabled on my home network. My wife's Dell is running Windows XP (SP2).
    I'm not sure whether to use WPA/WPA2 Personal or just WPA2 in the Wireless Security (of AirPort Utility) pane for my AEBS? I also have an AX as a remote. Once I set up security for the AEBS, do I have to also set it up for the AX?
    Once I have security enabled for the AEBS and the AX, I will have to turn it on for my wife's laptop. I am not sure how to do this, not being a pc guy. Can someone point me in the right direction?
    Thanks.

    I have a network with both Macs and PCs. I can only make the PCs able to join the network if I use WEP 40 bit security. With WEP 126 bit and WPA the PCs are not able to connect. I think you should be able to use WPA, but then you have to use a password of an exact number of characters (I think 13, but I am not sure). I would go for WEP 40 if I were you.
    If your AirPort Extreme is the main base station, you must set up the security level (WEP 40) and password there. You must add the same information to the AX. When the Dell tries to connect to the network, it will be asked for the password. Enter this, and the PC should be connected.

  • Error -36 connecting to win vista PC on internal wireless network using smb

    This worked last week but nothing has changed.
    The windows vista machine can see the Mac in its network settings. The router shows both the Mac & the PC as connected (however the PC's device name is showing as 'unknown').
    Using connect to server "smb://10.0.0.4/Users/Tom/Shared" I get the message "The Finder cannot complete the operation because some data could not be read or written. (Error code -36)". The directory "Shared" has been set up as a Share in Windows.
    The Network (in Mac Finder) shows a dimmed shortcut to "TomLaptop" but trying to connect from here fails too.
    Can anyone assist me with this error code -36?
    Thanks

    Any updates on the PC lately?
    Have a look here for error -36...
    http://docs.info.apple.com/article.html?artnum=301580

  • Can't secure my wireless network?

    Okay, recently I had to reconnect my WRT54GS Linksys router and now it is unsecure. Obviously I know how to secure it because I've done it before, but it isn't letting me...Whenever I type 192.168.1.1 into my browser it will not load the page and it is really frustrating. I have also tried typing in my Default Gateway and IP address that I got from cmd/ipconfig and those will not work either...can someone please help me with this? I'm not understanding why this wouldn't work, and yes, my internet connection is fine and nothing is wrong with my browser.

    Do you have your modem connected to the "Internet" port of the router?
    Internet is working because you might be bypassing the router.
    Yesterday is history. Tomorrow is mystery. Today is a gift.

  • How do you secure your wireless network?

    Just curious what other solutions people are employing?
    We are looking at a MAC address filter on the WCS (limited to 2500?) for the machine, then a rule on the ACS pointing to an AD group.
    Cheers
    S

    Go for 802.1X PEAP or something.. this is better than a MAC filter!!
    Please don't forget to rate the useful posts!!
    Regards
    Surendra

  • Internal Corporate wireless and guest wireless network

    I need some technical information on how the wireless guest network is created on the AirPort Extreme. We currently do not permit personal wireless devices to connect to our internal wireless network in order to protect our data. Several times users have presented us with justifiable business requests to have access to the wireless network from their own devices. We've been looking at using the AirPort Extreme in order to do this, but we are bound by PCI (Payment Card Industry) requirements to keep our customer credit card data secure. PCI regulations do not consider VLAN a secure way of keeping the data isolated. Does anyone have any technical information on how the device creates the guest wireless network?
    Two or three of these on each floor would fit our need for such access and keep our customer data secure.
    Thanks

    Welcome to the discussion area!
    +PCI regulations do not consider VLAN a secure way of keeping the data isolated. Does anyone have any technical information on how the device creates the guest wireless network ?+
    I spoke to Apple Support some time ago and was told that Apple uses VLAN to create the Guest network, and also that formal documentation was not available on this topic. I was referred to the AirPort Extreme Specifications for available information.
    This was some time ago, so if you need more up to date info, you might want to try to contact Apple to see if they are willing to share more information about this feature. Although, since VLAN is used, your question may already be answered.
    FWIW, to use the Guest Network feature in a home situation, the AirPort Extreme must be set up as the main router controlling DHCP and NAT on the network. If you were thinking of installing the AirPort Extreme behind another router, the Guest Network feature would not be available in this type of configuration.

  • Is online banking secure/safe to do over wireless network?

    ''locking as a duplicate - https://support.mozilla.com/en-US/questions/867855''
    I will be traveling and would like to know if it is safe to check my credit card and checking account online over the wireless network at the hotel?

    Use AirPort Utility and click the amber dot. It will tell you the reason it's blinking.
    Is the network secure, i.e. can I safely do online banking?
    As long as you secured your wireless network with WPA / WPA2 security using a non-trivial password, yes, it's as secure a method as there is at present. It's just as important to keep your Express in a location inaccessible to anyone untrustworthy.

  • Security settings for print and file sharing on a wireless network.

    I would like to gather some security information on file and print sharing on my wireless network before I set it up. What steps do I need to take to make it secure? Is it better to just buy a wireless print server?
    Thanks

    You can secure the wireless network, set a password on the shared resources or both.
    The box said windows xp or better... So I installed Linux!

  • Set-up and secure wireless network

    Can you hook up my Wi-Fi network and make it absolutely secure? I hate Astound!

    Can you be a bit more specific?! Are you trying to secure your wireless network?? If yes, I would suggest running WPA2-AES as the security mode for the best possible wireless security. Which router are you using?

  • Apple left out support for 802.11i, secure wireless networking WPA2

    We just bought this iMac from Apple in July, and I'm very unhappy that Apple designed the AirPort networking for one generation earlier security with wireless networking.
    The 802.11i standard, which supports very secure WPA2 without the need for a RADIUS server (I believe 802.11i refers to this as personal mode) was adopted by the IEEE in 2004.
    Apparently, 2 years isn't enough time for Apple to get the correct chipset into the computer. This system supports the earlier standards only, WPA and WEP. To achieve the newer standard requires a different chipset in the AirPort hardware. Apple supports 802.11i in the stand-alone AirPort gateways, and may support it in the newer Intel Core 2 Duo systems as well. Grumble, grumble, grumble.
    For Apple marketing and customer support folks reading this, I'd appreciate your thoughts and suggestions on fixing this.
    iMac Intel Core Duo 17" Mac OS X (10.4.8)

    "I can find no indication of an Apple AirPort product that says it is capable of WPA2"
    mrwheels,
    You sound like someone looking for an argument. I'm not sure what the relevance of your statement really is, and I've also never heard of 802.11i. The only standards I've heard of are "b" and "g," not "i." Why don't you fill me in, as I've been using WPA2 since earlier this year? I believe my system automatically updated to it from WPA during one of the software updates, I think it was 10.4.6 in April, as I specifically recall having one iMac that was encrypted with WPA while another had WPA2. There was some sort of temporary issue that occurred with that setup, but, unfortunately, I can't remember what it was, since it lasted such a short time (the few minutes until I installed the update on the second iMac, as I recall).
    Since the update was not a problem for me, the job of reading the update read-me's to determine exactly when it occurred will have to fall to you. In addition, if you look back at these discussion threads during the time from Jan to April, you will see that there were a goodly number of users who were having severe AirPort connection problems with their Core Duo iMacs. I wasn't one of them. They ALL reported having their problems resolved with the installation of the 10.4.6 software update.
    I am using WPA2 on my four 20-inch Core Duo iMacs [purchased at three different times from two different Apple sources] as well as my G4 iBook and other Macs. They have been using WPA2 on both an AirPort Express base station network, and, at a different location, on an AirPort Extreme base station network, both of which are more than two years old. No matter what Apple's printed materials disclose, WPA2 is in fact supported.
    "Apple is selling products that are 2 years behind in supporting a critical wireless security standard"
    Based on what I've stated, and the fact that there are many Discussions members also using WPA2 with their AirPort base stations, that is baloney:))
    Message was edited by: myhighway
