WPA Pre shared key or Radius server?

sport404

Dec 27, 2004
Hey everyone,
For a small company maybe say 20-30 wireless devices. What is the best method of implementing WPA? Using a pre-shared key, does that mean every time you change the key you have to go manually update each device or is it automatic after the first time?
Or is using a Radius server for authentication easier?
 
With pre-shared keys (WEP or WPA-PSK) if you change the key on the AP you must manually change it on each of the clients as well.

If you already have a Windows network with Windows 2000/2003 servers the extra bit of effort to set up Radius and dynamic keys is worth the effort, plus it doesn't cost you anything but some configuration time since Radius is free with Windows Server (IAS).

HTH

Andy
 
I thought I read that when you want to use a new key that the access points broadcast that there is a new one available and the clients then get the update. Is this not correct?

Thanks
 
No. The pre-shared key remains constant but the encryption of the data is constantly changing through the TKIP encryption algorithm so is much more difficult to crack. If you change the pre-shared key on the AP then you must change it on each of the clients.

HTH

Andy
 
How do you set up a radius server? Will it mess up my domain?
 
My idea at my company is this:

I want to set up a wireless connection so employees can connect to our network while in a conference room as if they were at their desk connected with a CAT5e cable.

At the same time I want to set up a wireless connection so clients can connect to the internet ONLY while in a conference room with my employees.

Can this be done? If so, how can I go about doing it?
 
I already have a Linksys wireless router. Will this do or should I have gotten an access point?
 
It depends if the Linksys can support it. I use Cisco Autonomous Access Points (Aironet 1131G's) and these support external Authentication via Radius. I could post some Cisco configurations but how you would configure the Linksys I don't know....

Andy
 
The Linksys does allow me to use a Radius server...
 
Then I suggest you go with that. The process is pretty simple really:

1. Install Radius on your Windows Server: Add/Remove Windows Components, Networking Services, Internet Authentication Service.
2. Add each of your Access Points (or router) as clients of the Radius Server.
3. Create a Remote Access Policy for Wireless Users. I have a policy that checks for the user/computer being a member of a Wireless Users Group, plus checks for the 'NAS-Port-Type = "Wireless - IEEE 802.11"'.
4. Tell your APs to authenticate Wireless Association attempts via Radius.

HTH

Andy
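
Added example, not part of the original posts and not IAS's own code: a model of the two conditions in the Remote Access Policy from step 3, evaluated against the attributes of a RADIUS Access-Request. The attribute numbers come from RFC 2865; the group members, user names and packets are constructed, and `build_request` and `policy_allows` are hypothetical helper names.

```python
import struct

USER_NAME, NAS_PORT_TYPE = 1, 61   # RFC 2865 attribute types
WIRELESS_802_11 = 19               # NAS-Port-Type "Wireless - IEEE 802.11"
ETHERNET = 15                      # NAS-Port-Type "Ethernet"
ACCESS_REQUEST = 1

# Constructed stand-in for membership of the "Wireless Users" group.
WIRELESS_USERS_GROUP = {"alice", "bob"}

def parse_attributes(packet: bytes) -> dict:
    """Return {attribute type: value bytes}, rejecting malformed lengths."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length < 20 or length > len(packet):
        raise ValueError("not a well-formed Access-Request")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs[a_type] = packet[pos + 2:pos + a_len]
        pos += a_len
    return attrs

def policy_allows(packet: bytes) -> bool:
    """Match only if BOTH conditions hold; malformed requests never match."""
    try:
        attrs = parse_attributes(packet)
    except ValueError:
        return False
    user = attrs.get(USER_NAME, b"").decode("utf-8", "replace").lower()
    port = attrs.get(NAS_PORT_TYPE, b"")
    wireless = len(port) == 4 and struct.unpack("!I", port)[0] == WIRELESS_802_11
    return wireless and user in WIRELESS_USERS_GROUP

def build_request(user: str, port_type: int) -> bytes:
    """Constructed Access-Request with a zeroed authenticator, for the demo."""
    name = user.encode()
    attrs = bytes([USER_NAME, len(name) + 2]) + name
    attrs += bytes([NAS_PORT_TYPE, 6]) + struct.pack("!I", port_type)
    return struct.pack("!BBH", ACCESS_REQUEST, 1, 20 + len(attrs)) + bytes(16) + attrs

if __name__ == "__main__":
    for user, port in [("alice", WIRELESS_802_11), ("alice", ETHERNET), ("guest1", WIRELESS_802_11)]:
        print(user, port, policy_allows(build_request(user, port)))
```

The policy condition only selects which requests the wireless policy applies to; the user's credentials are still verified by the EAP exchange that the RADIUS server carries out.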
 
it is better to go with a router or access point?
 
it is better to go with a router or access point?

I assume there was a typo there and you actually meant 'is it' instead of 'it is'.....

The answer is - it depends on what you want to achieve. If you need to segregate your Wireless & Wired users then I would use Access Points and separate VLANs with distinct Layer-3 boundaries between the Wired and Wireless networks. If it's a small setup and you see no benefit in separating things then use a router with built-in Wireless and let your wired & wireless users share the same VLAN.

It's a design thing. You need to take stock of what you want to achieve, how much budget you have and what any support implications there will be.
This is probably why Cisco have partners who do this and get paid for it......

HTH

Andy
 
No need to segregate between the two...

I want to set up a wireless connection so employees can connect to our network while in a conference room as if they were at their desk connected with a CAT5e cable.
At the same time I want to set up a wireless connection so clients can connect to the internet ONLY while in a conference room with my employees.
For this to happen, would I need 2 different devices or can I use 1 device?
Thanks for your help, knowledge and time!
 
You can use 1 device but it would need to have support for multiple SSIDs, each SSID being bound to a separate VLAN - 1 internal 'work' VLAN and another external 'guest' VLAN. You would need to set up access control between the 2 VLANs on your routers/switches.
You could however have 2 separate Access Points (or wireless routers).

Andy
 
Hmmm, I'm not sure if the router I have has this capability... Linksys WRT54G
 
I don't think the Linksys is going to let you do 2 SSIDs, it is more of a SOHO device, and you are getting more complex than that. RADIUS is the way to go for security and management if you already have a Windows domain. It is quite a bit more secure than having a PSK since I think it uses CHAP. If you have a spare public IP on your internet gateway, then you could just plug the Linksys WAN port into that and keep it off of your LAN altogether, then use it for your guests. You still would want to think about what level of security you want for them, and how much you want to deal with helping them configure their connections while they are at your facility.
 
The Authentication method WPA uses is 802.1x and is integral to the WPA/WPA2 protocol - i.e. you have to do some form of EAP over 802.1x to associate with WPA/WPA2. There are several different types of EAP but if you are using the built-in Microsoft 802.1x Supplicant then you can use either PEAP (Protected EAP using MSCHAPv2) or EAP-TLS (which Microsoft call Smart Card or other Certificate). The most secure is WPA2 Authentication using EAP-TLS with AES Encryption but this requires a PKI infrastructure (which in reality can simply be a Windows CA Server). If you don't want a PKI infrastructure then the next best thing is WPA2 with PEAP and AES.

 