Solved

Wireless Authentication using Mac-Addresses, IAS and a Wep Key

Posted on 2004-08-19
Last Modified: 2013-11-30
Hi everyone,

First I'll tell you how everything is set up and then I'll tell you the problem.

I have a Cisco 1200 series AP, and right now my users authenticate to the IAS server using their MAC address. Right now I have to manually type in the WEP key to get WEP encryption.

What I want to do is have the computer be authenticated with the MAC address on the server and then push out a WEP key to them after they connect.

I have tried setting up the AP with the following commands regarding encryption.

interface Dot11Radio0
 encryption vlan 10 mode ciphers wep128
 ssid Jontest
    vlan 10
    authentication open mac-address hd-login

This does not work, the computer gets authenticated by the IAS server but will not get a DHCP address.

I know that it is a problem with my config because when I remove the command

encryption vlan 10 mode ciphers wep128

I get an address.

Can someone tell me if you can actually do this? Or am I stuck manually entering the WEP key?
Question by: fcaat

Accepted Solution

by: cyrnel, earned 168 total points
Starting with a disclaimer: sorry, but I don't know Cisco's current 802.11 lineup.

Unless the installation is in a relatively isolated area I would stick with the manual key entry. MAC discovery/spoofing is fairly simple which makes MAC-based security just a form of obscurity. There might be an easy solution for you that works with your existing equipment but I'm not aware of it. We've almost completely dumped WEP and WEP-limited hardware and moved to devices supporting WPA. In some cases it's just a firmware & software update. In others, replacement. Not simple in all cases with supplicant availability but it's more easily scaled and much more secure than WEP.

That said, I'll make way for Cisco gurus.

Assisted Solution

by: Felix2000, earned 166 total points
cyrnel is very correct; MAC spoofing is very easy these days, so it would make your network very insecure.

A typical setup that can be used, though it costs more, is to set up a VPN server behind the AP. The VPN box would sit between the AP and the main network, isolating the AP to its own network.
So users use the wireless network to connect to an isolated LAN and then use a VPN client to connect to the main network.

Wireless User <---> AP <--> VPN Server <--- > Main Lan

I believe the Cisco APs have the ability to do automatic key distribution, but you need a RADIUS server (probably Cisco ACS server) to do that with.

Check this link
http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801bd035.shtml

-=[ Felix ]=-

Assisted Solution

by: PennGwyn, earned 166 total points
VPN looks to me like the best way to go.  Cisco's LEAP, which greatly improves WEP security, also requires a Radius server (although I think maybe any will do).  MAC-based security is okay for physically-secure/unshared media, but on any kind of broadcast/shared it's trivially fragile.
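
The replies above agree that MAC addresses are easy to spoof on a shared medium. As an added example (not part of the original thread), one symptom a defender can look for is the same MAC address holding sessions on two APs at once. The CSV layout, the AP names and the `roam_grace` threshold are assumptions, the sample rows are constructed, and this is not the native IAS log format.

```python
import csv, io, re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: RADIUS accounting sessions exported as CSV (assumed layout).
SAMPLE = """mac,ap,start,stop
02-00-00-AA-BB-01,ap-lobby,2004-08-19 09:00:00,2004-08-19 11:30:00
0200.00aa.bb01,ap-warehouse,2004-08-19 10:15:00,2004-08-19 10:45:00
02:00:00:aa:bb:02,ap-lobby,2004-08-19 09:05:00,2004-08-19 09:59:50
020000AABB02,ap-office,2004-08-19 10:00:00,2004-08-19 12:00:00
02-00-00-AA-BB-03,ap-office,2004-08-19 09:00:00,2004-08-19 09:30:05
02-00-00-AA-BB-03,ap-lobby,2004-08-19 09:30:00,2004-08-19 10:00:00
"""
FMT = "%Y-%m-%d %H:%M:%S"

def normalize_mac(raw):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return digits

def find_concurrent_macs(csv_text, roam_grace=timedelta(seconds=30)):
    """Return sorted (mac, ap_a, ap_b) where one MAC has overlapping sessions on two APs."""
    sessions = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        sessions[normalize_mac(row["mac"])].append(
            (datetime.strptime(row["start"], FMT),
             datetime.strptime(row["stop"], FMT), row["ap"]))
    hits = set()
    for mac, rows in sessions.items():
        rows.sort()  # by start time, so s2 >= s1 in the inner loop
        for i, (s1, e1, ap1) in enumerate(rows):
            for s2, e2, ap2 in rows[i + 1:]:
                overlap = min(e1, e2) - s2
                # A short overlap is normal roaming; a long one means two radios share a MAC.
                if ap1 != ap2 and overlap > roam_grace:
                    hits.add((mac, ap1, ap2))
    return sorted(hits)

if __name__ == "__main__":
    for mac, a, b in find_concurrent_macs(SAMPLE):
        print(f"MAC {mac} active on {a} and {b} at the same time")
```

A hit is a lead to investigate, not proof of spoofing, and a clone that only connects while the real client is offline will not show up here.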


Expert Comment

by: cyrnel
PennGwyn, doesn't LEAP key rotation also require all Cisco equipment?