
Security with Cisco 1200 AP's 2


mugs82

Oct 15, 2000
I recently set up 18 Cisco 1230s running IOS on my network. All we had budgeted for wireless was spent on the access points. So, there wasn't any money for buying an Access Control System.

We are running an NT 4.0 network with no specific vendor for the wireless NICs, and we also have several OS X Macs. The PC clients are all XP Pro.

I currently have the clients set up for mandatory WEP. I also disabled broadcasting the SSID. I put in 4 WEP keys, but left rotating WEP keys disabled because I don't think the Macs support that or using WPA. All of the WAPs are set up as roots rather than repeaters.

The network spans two subnets over 2 locations. I'll probably have about 30 people using the system at any given time.

I feel like I've bought a million dollar house with a Saran Wrap door. I would like to hear how others have done it or would do it. Also, it seems there is a lack of good information on how to implement a Cisco wireless network just using the access points. Does anyone know of good reading materials or links to sites that are helpful?

Thanks in advance.
 
The 1200 has a small RADIUS server built in. I forget how many users it allows though; it might not work for you.

Since you have two subnets, are you using proxy mobile IP?

Ben
 
I believe that the internal user list will support 50 users; otherwise you could look at some sort of Linux RADIUS server. The 1230s are supposed to support RADIUS servers besides the Cisco ACS appliances.

With that said, I've got ACS servers here, and I don't know diddly about setting up RADIUS on Linux.

Mike

"Look behind you, here comes the bleeding edge"
 
Proxy mobile IP is basically keeping the same IP address on a client regardless of subnet.

Say client 1.2.3.x/24 roams into the 1.2.4.x/24 network: they still function. There are config changes on the router as well as the AP. I have never seen it implemented, but it might work in your case.

Ben
 
As far as security goes, what exactly are you trying to achieve? If you want all traffic on the network encrypted, then you are going to have to use a combination of WEP and some user authentication.

The problem that I have found with Cisco's implementation of user authentication, even with the ACS, is that you have to use Cisco Aironet cards or cards that support EAP and LEAP. The Mac OS X clients can support some of those technologies out of the box, but as for other vendors it's limited at best.

Until 802.11i becomes standard and vendors adopt it, there are going to be problems with smooth wireless security. In my environment I have done the following.

I have created two VLANs:

One public and really locked down, Internet and email only, with a broadcasting SSID and no WEP.

One private: full WEP, MAC access lists, no SSID broadcast, no RADIUS.

Users don't authenticate. Private clients are configured by hand.

Visiting guests connect to the WLAN by choosing the public hot spot SSID that is being broadcast. They can't see any internal network services, but they can browse the web.

Unless you plan on standardizing your wireless cards in the clients and getting some ACS, things are going to be tough. It does sound like you have things started well though, with WEP etc.

Do you have the same SSID configured for each access point? This makes roaming easier, even for configured clients.

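The two-VLAN layout Lui3 describes (one broadcast, open guest SSID; one hidden, WEP-protected private SSID) maps onto a single Aironet 1200-series AP as two SSIDs bound to two VLANs, bridged to tagged Ethernet subinterfaces. The configuration below is an added illustration written for this thread, not Lui3's posted config and not a Cisco reference example. It follows Cisco Aironet IOS 12.3(x)JA command syntax; the SSID names, the VLAN numbers (20 guest, 30 private, 1 native/management), the management address and the WEP key value are assumptions chosen for the example.

```cisco
! Added example (not from the thread): one AP, two SSIDs, two VLANs.
! SSID names, VLAN ids, the BVI address and the key value are placeholders.
bridge irb
!
! Guest SSID: open, no encryption, and the only SSID advertised in beacons
! (guest-mode). It lands in VLAN 20, which the upstream router restricts
! to Internet and email as Lui3 describes.
dot11 ssid GuestHotSpot
   vlan 20
   authentication open
   guest-mode
!
! Private SSID: open authentication with mandatory WEP on its VLAN, and no
! guest-mode, so it is not broadcast; clients are configured by hand.
dot11 ssid Private
   vlan 30
   authentication open
!
interface Dot11Radio0
 no ip address
 encryption vlan 30 mode wep mandatory
 encryption vlan 30 key 1 size 128bit 0 <26-HEX-DIGIT-KEY-PLACEHOLDER> transmit-key
 ssid GuestHotSpot
 ssid Private
!
! Each VLAN gets a radio subinterface and an Ethernet subinterface joined
! by the same bridge-group; VLAN 1 is the native VLAN carrying management.
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
!
interface Dot11Radio0.20
 encapsulation dot1Q 20
 no ip route-cache
 bridge-group 20
 bridge-group 20 block-unknown-source
 no bridge-group 20 source-learning
 no bridge-group 20 unicast-flooding
!
interface Dot11Radio0.30
 encapsulation dot1Q 30
 no ip route-cache
 bridge-group 30
!
interface FastEthernet0
 no ip address
!
interface FastEthernet0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
!
interface FastEthernet0.20
 encapsulation dot1Q 20
 no ip route-cache
 bridge-group 20
!
interface FastEthernet0.30
 encapsulation dot1Q 30
 no ip route-cache
 bridge-group 30
!
! Management interface on the native VLAN (address is a documentation-range placeholder).
interface BVI1
 ip address 192.0.2.10 255.255.255.0
```

The switch port facing the AP must be an 802.1Q trunk carrying VLANs 1, 20 and 30 with VLAN 1 native, and the separation between guests and the internal network is only as good as the ACL the router applies to VLAN 20. Two caveats a practitioner would add to this design: suppressing the SSID broadcast and filtering by MAC address are convenience controls, not confidentiality controls, since both values travel in the clear over the air; and the WEP line is the part to replace with WPA/802.11i (the `encryption vlan 30` commands change to a WPA cipher and the SSID gets a key-management setting) as soon as the client mix supports it, which is exactly the limitation Lui3 and mugs82 describe.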
 
Lui3--

What you've described is what I want to accomplish. We use Cisco 1120B and 1121G APs across 4 subnets in 4 different campus locations across the state.

We want our APs to support both public and private WLAN usage. Our PRIVATE clients are configured by hand for WEP. That's already going on. We're happy there. They move across vlan3, which is our data VLAN, onto a content "no-boobies" filter (we're a church).

We also want to offer public Wi-Fi for anyone who comes to our public spaces (lobbies, conference rooms, etc.) and are looking for the best solution to that.

I know the 1120B and 1121G have public/private mode, but I'm fuzzy on the implementation. I want them to use the same content filter (on vlan3) but not see the rest of my server farm that's also on vlan3.

Can you give me an idea of how you configured your AP equipment? Do you have yours set up so that when a public client attaches, they are shown a default web page first?

--DW
 
DW,

I can send you the configurations that I have on my APs along with the required wired infrastructure configurations. You can email me at louism@gcs.k12.nc.us.

I work for a school system and we are deploying lots of wireless, both public and private. Write me at this address and we can correspond much faster.

I look forward to hearing from you.
 
I've had great luck setting up my EAP authentication through my ISA boxes. As long as the user is part of the domain and their laptop is a member of the domain, they can get in with no hassles.

There are some issues with that, however, primarily with guests and such. We often have guests come in, however, since we are the corporate office. Without domain membership, they can't get in, and I can't very well add users and computer domain memberships every time someone walks in the door. I've tried setting up a VLAN with open WEP. I figure I can hand these users a slip of paper with the WEP key, and change it as often as I like, without inconveniencing my normal users who are on the other VLAN. Problem is, I can't seem to separate the two or get it to do what I want.

Anybody have suggestions?
 
Lui3,

That's exactly the type of scenario I'd like to set up for our company.

Can you post some details as far as what's required? Do you need to purchase more than one Cisco AP to do this, or can you just purchase a few APs and have the private/public thing work on all of them (essentially having all users roam to each hot spot)? Also, we don't own any other Cisco equipment; is it necessary to purchase other equipment than just the APs?

Thanks

Kevin.
 