Solved

Wireless Authentication using MAC Addresses, IAS and a WEP Key

Posted on 2004-08-19
Last Modified: 2013-11-30
Hi everyone,

First I'll tell you how everything is set up and then I'll tell you the problem.

I have a Cisco 1200 series AP, and right now my users authenticate to the IAS server using their MAC address. Right now I have to manually type in the WEP key to get WEP encryption.

What I want to do is have the computer be authenticated with the MAC address on the server and then push out a WEP key to them after they connect.

I have tried setting up the AP with the following commands regarding encryption.

interface Dot11Radio0
    encryption vlan 10 mode ciphers wep128
    ssid Jontest
        vlan 10
        authentication open mac-address hd-login

This does not work: the computer gets authenticated by the IAS server but will not get a DHCP address.

I know that it is a problem with my config because when I remove the command

encryption vlan 10 mode ciphers wep128

I get an address.

Can someone tell me if you can actually do this? Or am I stuck manually entering the WEP key?
Question by:fcaat
7 Comments
 
LVL 4

Accepted Solution

by:
cyrnel earned 168 total points
ID: 11845823
Starting with a disclaimer: sorry, but I don't know Cisco's current 802.11 lineup.

Unless the installation is in a relatively isolated area I would stick with the manual key entry. MAC discovery/spoofing is fairly simple which makes MAC-based security just a form of obscurity. There might be an easy solution for you that works with your existing equipment but I'm not aware of it. We've almost completely dumped WEP and WEP-limited hardware and moved to devices supporting WPA. In some cases it's just a firmware & software update. In others, replacement. Not simple in all cases with supplicant availability but it's more easily scaled and much more secure than WEP.

That said, I'll make way for Cisco gurus.
0
 
LVL 3

Assisted Solution

by:Felix2000
Felix2000 earned 166 total points
ID: 11849972
cyrnel is very correct: MAC spoofing is very easy these days, so it would make your network very insecure.

A typical setup that can be used, though it costs more, is to set up a VPN server behind the AP. The VPN box would sit between the AP and the main network, isolating the AP to its own network.
So users use the wireless network to connect to an isolated LAN and then use a VPN client to connect to the main network.

Wireless User <---> AP <---> VPN Server <---> Main LAN

I believe the Cisco APs have the ability to do the automatic key distribution, but you need a RADIUS server (probably a Cisco ACS server) to do that with.

Check this link
http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801bd035.shtml

-=[ Felix ]=-
0
 
LVL 11

Assisted Solution

by:PennGwyn
PennGwyn earned 166 total points
ID: 11853424
VPN looks to me like the best way to go. Cisco's LEAP, which greatly improves WEP security, also requires a RADIUS server (although I think maybe any will do). MAC-based security is okay for physically-secure/unshared media, but on any kind of broadcast/shared it's trivially fragile.

0
 
LVL 4

Expert Comment

by:cyrnel
ID: 11853590
PennGwyn, doesn't LEAP key rotation also require all Cisco equipment?
0
