Solved

Wireless Authentication using Mac-Addresses, IAS and a Wep Key

Posted on 2004-08-19
Last Modified: 2013-11-30
Hi everyone,

First I'll tell you how everything is set up and then I'll tell you the problem.

I have a Cisco 1200 series AP, and right now my users authenticate to the IAS server using their MAC address. Right now I have to manually type in the WEP key to get WEP encryption.

What I want to do is have the computer be authenticated with the MAC address on the server and then push out a WEP key to them after they connect.

I have tried setting up the AP with the following commands regarding encryption.

interface Dot11Radio0
    encryption vlan 10 mode ciphers wep128
    ssid Jontest
        vlan 10
        authentication open mac-address hd-login

This does not work, the computer gets authenticated by the IAS server but will not get a DHCP address.

I know that it is a problem with my config because when I remove the command

encryption vlan 10 mode ciphers wep128

I get an address.

Can someone tell me if you can actually do this? Or am I stuck manually entering the WEP key?
Question by:fcaat
7 Comments
 
LVL 4

Accepted Solution

by:
cyrnel earned 168 total points
ID: 11845823
Starting with a disclaimer: sorry, but I don't know Cisco's current 802.11 lineup.

Unless the installation is in a relatively isolated area I would stick with the manual key entry. MAC discovery/spoofing is fairly simple which makes MAC-based security just a form of obscurity. There might be an easy solution for you that works with your existing equipment but I'm not aware of it. We've almost completely dumped WEP and WEP-limited hardware and moved to devices supporting WPA. In some cases it's just a firmware & software update. In others, replacement. Not simple in all cases with supplicant availability but it's more easily scaled and much more secure than WEP.

That said, I'll make way for Cisco gurus.
0
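
Why the MAC address is easy to discover even with WEP enabled, as an added example that is not part of the original thread: WEP encrypts only the frame body, so the addresses in the 802.11 header stay readable. The function name and the sample frame below are constructed for illustration.

```python
# Frame Control flag bits (second byte of the Frame Control field)
TO_DS, FROM_DS, PROTECTED = 0x01, 0x02, 0x40

def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_wep_data_frame(frame):
    """Return the cleartext header fields of an 802.11 data frame and the
    size of the part that WEP actually encrypts."""
    if len(frame) < 24:
        raise ValueError("shorter than a 24-byte 802.11 MAC header")
    fc0, flags = frame[0], frame[1]
    if (fc0 >> 2) & 0x3 != 2:
        raise ValueError("not a data frame")
    if flags & TO_DS and flags & FROM_DS:
        raise ValueError("4-address (WDS) frames are not handled here")
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    # The meaning of the three addresses depends on the To DS / From DS bits.
    if flags & TO_DS:          # station -> AP
        bssid, src, dst = a1, a2, a3
    elif flags & FROM_DS:      # AP -> station
        dst, bssid, src = a1, a2, a3
    else:                      # ad hoc
        dst, src, bssid = a1, a2, a3
    hdr_len = 26 if (fc0 >> 4) & 0x8 else 24   # QoS data adds 2 bytes
    body = frame[hdr_len:]
    out = {"protected": bool(flags & PROTECTED), "src": fmt_mac(src),
           "dst": fmt_mac(dst), "bssid": fmt_mac(bssid)}
    if out["protected"]:
        if len(body) < 8:
            raise ValueError("protected frame too short for IV and ICV")
        out["iv"] = body[:3].hex()           # 24-bit IV, sent in the clear
        out["key_id"] = body[3] >> 6         # which of the 4 WEP key slots
        out["encrypted_len"] = len(body) - 4  # payload plus 4-byte ICV
    return out

# Constructed sample: a WEP-protected broadcast from a station to the AP.
# The 20 trailing bytes stand in for the encrypted payload and ICV.
SAMPLE = bytes.fromhex(
    "0841 2c00 001122334455 020000aabbcc ffffffffffff 1000 010203 00"
) + bytes(range(20))

if __name__ == "__main__":
    for field, value in parse_wep_data_frame(SAMPLE).items():
        print(f"{field:14} {value}")
```

Every field the parser returns except the 20 encrypted bytes is read without the WEP key, which is why an address check on the RADIUS server identifies a radio but does not authenticate a user.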
 
LVL 3

Assisted Solution

by:Felix2000
Felix2000 earned 166 total points
ID: 11849972
cyrnel is very correct: MAC spoofing is very easy these days, so it would make your network very insecure.

A typical setup that can be used, though it costs more, is to set up a VPN server behind the AP. The VPN box would sit between the AP and the main network, isolating the AP on its own network.
So users use the wireless network to connect to an isolated LAN and then use a VPN client to connect to the main network.

Wireless User <---> AP <---> VPN Server <---> Main LAN

I believe the Cisco APs have the ability to do the automatic key distribution, but you need a RADIUS server (probably Cisco ACS server) to do that with.

Check this link
http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801bd035.shtml

-=[ Felix ]=-
0
 
LVL 11

Assisted Solution

by:PennGwyn
PennGwyn earned 166 total points
ID: 11853424
VPN looks to me like the best way to go.  Cisco's LEAP, which greatly improves WEP security, also requires a Radius server (although I think maybe any will do).  MAC-based security is okay for physically-secure/unshared media, but on any kind of broadcast/shared it's trivially fragile.

0
 
LVL 4

Expert Comment

by:cyrnel
ID: 11853590
PennGwyn, doesn't LEAP key rotation also require all Cisco equipment?
0
