Security on WLAN with ACS

Hi,
I have an ACS 3.3 server, and currently I'm authenticating clients with MAC methods, no broadcast SSID, and a fixed 128-bit WEP key. Is it safe? There are two things which I don't like. The first is the fixed WEP key, which I need to configure on each PC; do you think there is a safe way to automatically get a key?
The second thing is in terms of MAC address authentication: do you see a problem if I link it to Active Directory?
Thanks a lot for any recommendation.

The WEP keys used to encrypt and decrypt transmitted data can be statically associated with your adapter or dynamically created as part of the EAP authentication process.
http://www.cisco.com/en/US/products/hw/wireless/ps4555/products_installation_and_configuration_guide_chapter09186a00802bf0a7.html

Similar Messages

  • Cisco Security Manager integration with ACS

    Has anybody got this working yet?
    I have tried but as yet have been unsuccessful in registering CSM with the ACS server.
    I am following the instructions; however, nothing seems to work. All I get is "failed to register".
    Any help would be appreciated.
    Regards
    Jason

    Check out this link...
    http://www.cisco.com/en/US/products/ps6498/prod_troubleshooting_guide_chapter09186a00806e23e3.html

  • Securing WLAN with VPN's: Any other Tricks ?

    Hello,
    Newbie to VPNs and security.
    Securing our WLAN environment with about 50 Cisco 1200 APs, 65 SpectraLink VoIP phones, and various wireless users. Currently we have a separate wireless VLAN. We will be putting this on our corporate VPN. Are there any other security measures in the AP that could be turned on? E.g. TKIP, MIC, MAC address filtering. Will the VPN solution protect against rogue APs?
    Any assistance would be very helpful.
    TLC

    Doing an EAP method via 802.1x is going to be stronger than a VPN is, at least for wireless. VPNs only protect your unicast data, not your WLAN or broadcast data. There are several other drawbacks to VPN for wireless.
    Create multiple SSID-VLAN mappings: one for EAP-capable devices, and others for less secure devices like the SpectraLinks. This way you can let more-capable devices do better security, and the phones will do static WEP. Set up ACLs to restrict what devices coming in on the phone SSID-VLAN can get to, to just the SpectraLink gateway, and you should be good.
    It's probably best to put the SpectraLink gateway on the same VLAN as the phones, and only let the server off the net (assuming it needs to talk to a Call Manager or something). Otherwise, if it's just interfacing to your PBX, don't let anything off that VLAN.

  • WLC 5508 not communicating with ACS 4.2

    Hi,
    Strange one here. I have set up a WLAN with PEAP user authentication through ACS to the Windows database. My clients cannot connect to the WLAN.
    From the logs, I can see no activity in the RADIUS server stats (as seen from the controller) and no failed login attempts on the ACS itself. The ACS/RADIUS is set up correctly on the controller and the controller can ping the ACS, but they just don't seem to be talking?
    I have used this setup before, but the only difference is that the controller is a 5508 (done this with 4400s in the past) and the ACS is running on VMware (never done this before).
    If I change the security to WPA2 PSK it works fine.
    I want to use PEAP for user authentication. NOT Machine auth. I have a certificate installed on the ACS and it is in the trust list of the client PC.
    Any help appreciated!
    Dan

    Noble,
    Here are a few links...
    http://www.cisco.com/en/US/docs/wireless/controller/6.0/configuration/guide/c60sol.html
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807f42e9.shtml
    If you find this helpful, please rate the post!
    Thanks

  • Cost of Using WLAN with X6

    I'm still the delighted owner of an X6!
    In the first month of using my device I've used the internet via my own WLAN and a nearby access point (BTFon) so that when I go on holiday I'll know how to check emails etc. at no cost to me. I've just got my O2 bill and found that in fact I've been charged for using the WLAN, which is something of a surprise. It's really not a lot of money, but when you expect no charge at all...
    Have I failed to set something correctly? I can't imagine that if I'm using my device over a WLAN connection correctly that O2 would even be aware.
    My second point is to ask if I should be concerned about security whilst surfing with my X6. We all use security software on our PCs at home. What, if anything, should I do about security when using my X6?
    Many thanks,
    Colin

    If you don't want to use mobile data, remove all access points in destinations (in the connectivity section of settings) except Wi-Fi; you cannot be charged by your data provider when using a WLAN connection!
    If I have helped at all, a click on the White Star is always appreciated.
    You can also help others by marking 'accept as solution'.

  • WLC 4402-50 with ACS 3.3

    Hi,
    We want to use ACS to authenticate an SSH or HTTP connection to a WLC 4403-50 4.2.99 using TACACS+. On our ACS 4.2 test server it works fine. Configured identically on an ACS 3.3 appliance we are not able to log in, although we do see a successful login in the Passed Authentications report within ACS.
    Is there an incompatibility between the WLC 4402-50 and ACS 3.3?
    thanks
    Bob

    The Cisco Secure Access Control Server (ACS) provides authentication, authorization, and accounting (AAA) services for users of the wireless network.
    It is also possible to employ a WLC controller strategy that uses an N+1 approach. When using N+1 architecture, each WLC is configured with a WLC that is designated as a backup WLC in the event of a failure. This controller is not used until there is a failure event upon which all APs using the failed controller switch to the backup WLC. This cost-effective approach provides a high level of availability in the event of a single WLC failure scenario.

  • MARS 5.2.7 integration with ACS 4.1

    Hello
    I cannot find any documentation I can follow to integrate MARS with ACS. I mean I want to use ACS to authenticate users in MARS.
    Do any of you know if MARS 5.2.7 has this feature? If yes, can you please give some info on where to find docs?
    Thank you very much.
    Best regards Antonello.

    Hi,
    LMS 4.0 no longer integrates with ACS the way that LMS 3.x did. You can still use ACS for authentication in LMS 4.0, but for authorization, each user must have a local account in LMS, and the roles will be assigned using LMS 4.0's new RBAC. Users are defined under Admin > System > User Management > Local User Setup, and roles are defined under Admin > System > User Management > Role Management Setup.
    By default, if a user does not have an account in LMS, they will receive the Help Desk role.
    Please check the below link:
    http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_lan_management_solution/4.2/user/guide/admin/security.html#wp1100379
    Thanks-
    Afroz
    [Do rate the useful post]

  • Integrating WCS 7.0 with ACS 5.1

    Has anybody got any experience with trying the config as depicted in the WCS 7 config guide?
    I have tried today to integrate WCS 7 with ACS 5.1 and got a partial success. I have created a unique Shell Profile that is invoked for the WCS only, which contains 1 role (role0=Root) and 73 task entries (as copied from the WCS group pages), and I can log in to WCS with the new account, but some things I don't appear to have privileges for, such as Reports. Is there any way to debug which task WCS thinks I don't have in order to do this? Any other ideas?

    Turned on trace in WCS and saw info like this (abbreviated):
    01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] adding task: task14 = View Alerts and Events
    01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] adding task: task51 = Performance Reports
    01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] adding task: task15 = Email Notification
    01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] rejecting task: task50 = Device Reports                is not a valid task
    01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] adding task: task53 = Network Summary Reports
    01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] adding task: task16 = Delete and Clear Alerts
    01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] adding task: task48 = Mesh Reports
    01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] rejecting task: task47 = Config Audit Dashboard    is not a valid task
    01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] adding task: task42 = Monitor Chokepoints
    01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] adding task: task41 = Monitor Security
    01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] adding task: task40 = Monitor Tags
    01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] adding task: task46 = RRM Dashboard
    01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] adding task: task45 = Monitor Interferers
    01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] adding task: task44 = Monitor Spectrum Experts
    01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] adding task: task43 = Monitor WiFi TDOA Receivers
    01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] adding role: role0 = Root
    01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] Disconnecting from authorization socket  - From Server:  10.9.2.253  - For User:  acstest
    01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] Total permissions for user acstest : tasks  68 : roles  1 : virtual-domains  0
    All I did was copy and paste in all tasks from the WCS export list?
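    The question above is which tasks WCS refused. As an added example (not code from the thread or from Cisco), the parser below walks trace lines of the form quoted above and separates the "adding task" entries from the "rejecting task" ones, so the refused task names can be compared against the Shell Profile in ACS. The sample lines are constructed from the excerpt; the trailing-space count it records is one thing worth comparing against the pasted attribute values, an assumption about a possible cause rather than something the thread confirms.

```python
import re
from typing import Dict, List, Optional

# Constructed sample, modelled on the WCS trace lines quoted in the post above.
SAMPLE_TRACE = """\
01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] adding task: task14 = View Alerts and Events
01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] adding task: task51 = Performance Reports
01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] rejecting task: task50 = Device Reports                is not a valid task
01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] rejecting task: task47 = Config Audit Dashboard    is not a valid task
01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] adding role: role0 = Root
01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] Total permissions for user acstest : tasks  68 : roles  1 : virtual-domains  0
"""

MODULE = r"\[TACACS\+ AAAModule\] "
# Group 3 keeps any padding between the task name and "is not a valid task".
TASK_RE = re.compile(MODULE + r"(adding|rejecting) task: (task\d+) = (.*?)(?:is not a valid task)?$")
ROLE_RE = re.compile(MODULE + r"adding role: (role\d+) = (.+)$")
TOTAL_RE = re.compile(MODULE + r"Total permissions for user (\S+) : tasks\s+(\d+) : roles\s+(\d+) : virtual-domains\s+(\d+)")


def summarize_trace(text: str) -> dict:
    """Split a WCS TACACS+ AAAModule trace into added tasks, rejected tasks,
    roles and the totals line WCS prints at the end of authorization."""
    added: Dict[str, str] = {}
    rejected: Dict[str, dict] = {}
    roles: Dict[str, str] = {}
    totals: Optional[dict] = None
    for line in text.splitlines():
        m = TASK_RE.search(line)
        if m:
            action, task_id, raw_name = m.groups()
            if action == "adding":
                added[task_id] = raw_name.strip()
            else:
                rejected[task_id] = {
                    "name": raw_name.strip(),
                    # Padding before "is not a valid task" in the rejected lines.
                    "trailing_spaces": len(raw_name) - len(raw_name.rstrip()),
                }
            continue
        m = ROLE_RE.search(line)
        if m:
            roles[m.group(1)] = m.group(2).strip()
            continue
        m = TOTAL_RE.search(line)
        if m:
            totals = {"user": m.group(1), "tasks": int(m.group(2)),
                      "roles": int(m.group(3)), "virtual_domains": int(m.group(4))}
    return {"added": added, "rejected": rejected, "roles": roles, "totals": totals}


def missing_privileges(summary: dict) -> List[str]:
    """Names of tasks the Shell Profile sent but WCS refused; these are the
    functions (e.g. Reports pages) the user will find unavailable."""
    return sorted(v["name"] for v in summary["rejected"].values())


if __name__ == "__main__":
    s = summarize_trace(SAMPLE_TRACE)
    print("refused:", missing_privileges(s))
    print("totals:", s["totals"])
```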

  • WLAN with 802.1x

    Hi!
    Since the software upgrade to version 7.3.101.0 (WLC 5508) I have the following issue.
    We have a WLAN secured with 802.1x (WPA2/AES). Before the update the users needed to enter user/password every time they reconnected (WLAN switched off/on again) to the WLAN.
    Now the users don't need to enter user/password when they reconnect to the WLAN.
    I could not find any setting on the WLC to clear this issue.
    Thank you for your help!

    So I think there is no way, because the client devices are not managed (e.g. smartphones).
    What I try is this setup:
    Layer 2 Security:
    WPA+WPA2
    WPA2 Policy
    AES
    Authentication Key Management set to 802.1x
    Layer 3 Security:
    Web Policy/ Splash Page
    ...connection is working, but users don't need to re-enter credentials after reconnect (iPad, Galaxy S3...).

  • EAP-TLS match on custom EKU with ACS 5.5

    Hi,
    Is there any possibility to match on a custom EKU with ACS 5.5?
    I have to create a solution to limit access to a specific WLAN SSID. Only certificates containing a specific, self-created EKU should have access to this SSID. Other certificates from the same CA should be denied.
    I know that it's possible with Microsoft NPS, but I would prefer a solution with ACS. But in ACS the certificate dictionary contains only a few attributes, i.e. common name, issuer, subject, but not the Enhanced Key Usage (EKU).
    Any suggestions?
    Thanks,
    Werner

    Object Identifier Check for EAP-TLS Authentication
    ACS can compare the OID against the Enhanced Key Usage (EKU) field in the user's certificate. ACS denies access if the OID and EKU do not match. For more information about options, see Authentication for profile_name Page, page 14-46.
    When OID comparison is enabled and a valid OID string is entered, all the certificates that the users present for EAP-TLS authentication are checked against the OIDs entered. Authentication will be successful only if the OIDs match. If OID comparison is enabled but the user certificate presented does not contain any OID in the EKU field, authentication will fail.
    To enable OID comparison you must:
    • Enable EAP-TLS from the NAP page.
    • Enter OID strings that contain only numbers, dots, commas and spaces. For example: 1.3.6.1.5.5.7.3.2 is a valid OID string.
    • Enter multiple OIDs as comma-separated values. For example: 1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.2 is a valid string.
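    As an added example (not Cisco's code and not from the thread), the snippet below models the documented OID comparison: it validates the OID string the way the bullets above describe, then applies the rule that a certificate with no EKU fails and one with an EKU passes only if it carries a configured OID. Treating the comparison as any-of rather than all-of is an assumption; the custom EKU value 1.3.6.1.4.1.99999.1.1 is a constructed placeholder, and the PEM helper requires the third-party 'cryptography' package.

```python
import re
from typing import List

# Rule quoted from the ACS documentation above: the OID string may contain
# only numbers, dots, commas and spaces; several OIDs are comma-separated.
OID_STRING_RE = re.compile(r"^[0-9., ]+$")
SINGLE_OID_RE = re.compile(r"^\d+(?:\.\d+)+$")

# Constructed sample values. clientAuth is the OID the documentation uses as its
# example; CUSTOM_EKU is a placeholder for a self-created EKU, not a real assignment.
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
CUSTOM_EKU = "1.3.6.1.4.1.99999.1.1"


def parse_oid_list(configured: str) -> List[str]:
    """Validate the configured OID string as the ACS page describes and split it."""
    if not OID_STRING_RE.match(configured):
        raise ValueError("OID string may only contain numbers, dots, commas and spaces")
    oids = [part.strip() for part in configured.split(",") if part.strip()]
    if not oids:
        raise ValueError("no OID given")
    for oid in oids:
        if not SINGLE_OID_RE.match(oid):
            raise ValueError(f"malformed OID: {oid!r}")
    return oids


def eku_allows(configured: str, cert_eku_oids: List[str]) -> bool:
    """A certificate without any EKU fails; otherwise it passes only when its
    EKU list contains a configured OID (any-of matching is this example's assumption)."""
    wanted = set(parse_oid_list(configured))
    if not cert_eku_oids:
        return False
    return not wanted.isdisjoint(cert_eku_oids)


def eku_oids_from_pem(pem: bytes) -> List[str]:
    """Extract EKU OIDs from a PEM certificate. Needs the 'cryptography' package,
    imported lazily so the rest of the example runs without it."""
    from cryptography import x509
    cert = x509.load_pem_x509_certificate(pem)
    try:
        ext = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage)
    except x509.ExtensionNotFound:
        return []
    return [oid.dotted_string for oid in ext.value]


if __name__ == "__main__":
    # The scenario above: only certificates carrying the custom EKU may use the SSID.
    print(eku_allows(CUSTOM_EKU, [CLIENT_AUTH, CUSTOM_EKU]))  # True
    print(eku_allows(CUSTOM_EKU, [CLIENT_AUTH]))              # False: same CA, no custom EKU
    print(eku_allows(CUSTOM_EKU, []))                         # False: no EKU field at all
```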

  • All the devices not showing after CSM integration with ACS

    Hi all
    I integrated ACS with CSM and added all the security devices into ACS as client devices. But after integration with ACS only a few devices are shown in the CSM when I log in as super admin. For all other users (system admin, network operator etc.), no devices are shown in the CSM. Please give me a solution to solve this.

    Did you have devices already in CSM when you integrated it into ACS? Did you make sure that the hostname of the devices is exactly the same in ACS and CSM?

  • No auto-connect to WLAN with hidden SSID

    I work in Infrastructure Services at the IBM Zurich Research Laboratory.
    Across IBM, there is a standard setup for wireless LAN access. There’s a public WLAN that provides access only to the internet; and there’s a private WLAN that provides access to both the internet and the corporate intranet. The private WLAN requires authentication via WPA/WPA2 Enterprise using LEAP or a certificate, and has a hidden SSID.
    Both WLANs are served by the same access points.
    The iPhone and iPod Touch do not automatically reconnect to the private WLAN with the hidden SSID.
    Each time the iPhone wakes from sleep, the user must connect manually to the private WLAN. The user must go into Settings and then Wi-Fi, wait for the private WLAN to appear in the list (there's always a delay) and then tap on it. Also, if one opens the Mail or Safari application before connecting manually, the blue pop-up list of available networks will not include the private WLAN with the hidden SSID.
    This is a major inconvenience, because it adds half a minute or more to each operation that requires network access. Checking one’s email—something that should normally take no more than ten seconds—instead takes a minute or more, depending on how quickly one manages to connect.
    This bug also results in needless expense, because network operations that should go over the local WLAN often go instead over the mobile phone network.
    The inability of the iPhone/iPod Touch to reconnect automatically to networks with hidden SSID has been a problem since the original iPhone came out.
    This problem is an obstacle preventing wider adoption of the iPhone within IBM.

    Anyone have an update on this?
    I have a new 3GS with 3.1.2 and have the same issue. I haven't tried the factory reset yet, but this, from this link:
    http://l00pback.wordpress.com/2009/10/14/iphone-3-1-bug-no-auto-reconnect-to-hidden-ssid-wireless-networks/
    "Work around": Not really a workaround, but a slightly less frustrating way of reconnecting... when in range of the network... recreate the network by entering the SSID and leave out any of the security stuff, then click Join. The join will fail (for obvious reasons), but will then "remind" the phone that that network exists and it will then connect using the previously configured settings.
    takes some of the pain away.

  • How can integrate UCS Manager with ACS

    Does somebody have guidelines to integrate UCS Manager 2.0 with ACS 5.3 using TACACS+?
    I have tried creating a TACACS+ Provider and a TACACS+ Provider Group, then in the Native Authentication I have changed the realm from local to TACACS using the provider group I've created.
    In the ACS I have added the device, and in the monitoring viewer I can view the successful log of authentication, but the UCS Manager window closes before the authentication page.

    Hi Shelley,
    I was reading the document, but I have some doubts. What we need is to do the integration with the Cisco Secure ACS 4.X Solution Engine 1113 Appliance. We need to identify a client by a name and not by IP address. Can I do this with SM and ACS?
    Regards.
    Jaime.

  • Wireless guest wlan and secured corporate wlan

    I am implementing an enterprise wireless network for my company. I am planning on setting up one secured corporate WLAN for employees and one open guest WLAN for guests/contractors/vendors. Is there a way I can prevent my employees from jumping from the secured WLAN to the guest WLAN? Thanks.
    Lee

    Hi Stephen,
    LWAPP also defines the tunneling mechanism for data traffic.
    A LAP discovers a controller with the use of LWAPP discovery mechanisms. The LAP sends an LWAPP join request to the controller. The controller sends the LAP an LWAPP join response, which allows the AP to join the controller. When the LAP joins to the controller, the LAP downloads the controller software if the revisions on the LAP and controller do not match. Subsequently, the LAP is completely under the control of the controller. LWAPP secures the control communication between the LAP and the controller by means of a secure key distribution. The secure key distribution requires already provisioned X.509 digital certificates on both the LAP and the controller. Factory-installed certificates are referenced with the term "MIC", which is an acronym for Manufacturing Installed Certificate. Cisco Aironet APs that shipped before July 18, 2005, do not have a MIC. So these APs create a self-signed certificate (SSC) when they are upgraded in order to operate in lightweight mode. Controllers are programmed to accept SSCs for the authentication of specific APs.
    Please refer to the document:
    http://cisco.com/en/US/products/ps6306/products_qanda_item09186a00806a4da3.shtml
    Regards
    Saji k.s

  • 3850. mac filter at wlan with wpa key

    Hello
    I want to get a simple MAC filter on a certain WLAN with PSK authentication.
    I have such a thing at home on my Cisco 881: a MAC-based ACL applied to the radio interface.
    I can't find how to make a MAC-based ACL on the 3850.
    And I don't understand how to use class-map type control subscriber (and match mac-address), for example, for such a task, because they apply to an interface, but not to a WLAN.
    Can somebody send me a full working config or a URL with a solution for such a task?

    subscriber mac-filtering security-mode {mac | none | shared-secret}
    Example:
    Device(config-sg-radius)# subscriber mac-filtering security-mode mac
