  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 675
  • Last Modified:

Wireless Authentication using Mac-Addresses, IAS and a Wep Key

Hi everyone,

First I'll tell you how everything is set up and then I'll tell you the problem.

I have a Cisco 1200 series AP, and right now my users authenticate to the IAS server using their MAC address. Right now I have to manually type in the WEP key to get WEP encryption.

What I want to do is have the computer be authenticated with the MAC address on the server and then push out a WEP key to them after they connect.

I have tried setting up the AP with the following commands regarding encryption.

interface Dot11Radio0
 encryption vlan 10 mode ciphers wep128
 ssid Jontest
    vlan 10
    authentication open mac-address hd-login
   
This does not work, the computer gets authenticated by the IAS server but will not get a DHCP address.

I know that it is a problem with my config because when I remove the command

encryption vlan 10 mode ciphers wep128

I get an address.

Can someone tell me if you can actually do this? Or am I stuck manually entering the WEP key?
0
fcaat
Asked:
3 Solutions
 
cyrnel Commented:
Starting with a disclaimer: sorry, but I don't know Cisco's current 802.11 lineup.

Unless the installation is in a relatively isolated area I would stick with the manual key entry. MAC discovery/spoofing is fairly simple which makes MAC-based security just a form of obscurity. There might be an easy solution for you that works with your existing equipment but I'm not aware of it. We've almost completely dumped WEP and WEP-limited hardware and moved to devices supporting WPA. In some cases it's just a firmware & software update. In others, replacement. Not simple in all cases with supplicant availability but it's more easily scaled and much more secure than WEP.

That said, I'll make way for Cisco gurus.
0
 
Felix2000 Commented:
cyrnel is very correct: MAC spoofing is very easy these days, so it would make your network very insecure.

A typical setup that can be used, though it costs more, is to set up a VPN server behind the AP. The VPN box would sit between the AP and the main network, isolating the AP on its own network.
So users use the wireless network to connect to an isolated LAN and then use a VPN client to connect to the main network.

Wireless User <---> AP <--> VPN Server <--- > Main Lan

I believe the Cisco APs have the ability to do the automatic key distribution, but you need a RADIUS server (probably Cisco ACS server) to do that with.

Check this link
http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801bd035.shtml

-=[ Felix ]=-
0
 
PennGwyn Commented:
VPN looks to me like the best way to go.  Cisco's LEAP, which greatly improves WEP security, also requires a Radius server (although I think maybe any will do).  MAC-based security is okay for physically-secure/unshared media, but on any kind of broadcast/shared it's trivially fragile.

0
 
cyrnel Commented:
PennGwyn, doesn't LEAP key rotation also require all Cisco equipment?
0
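
An added example, not part of any post in this thread and not Cisco tooling: a small Python audit of an Aironet-style config fragment that reports SSIDs relying on MAC-address authentication alone, and WEP-enabled VLANs whose SSID has no EAP method from which a RADIUS server could supply session keys. The function name, the finding labels and the sample string are constructed for illustration; only VLAN-scoped `encryption vlan N mode ...` lines are handled.

```python
import re

# Constructed sample: the radio/SSID lines quoted in the question.
QUESTION_CONFIG = """\
interface Dot11Radio0
 encryption vlan 10 mode ciphers wep128
 ssid Jontest
    vlan 10
    authentication open mac-address hd-login
"""

def audit_ssids(config):
    """Map each SSID to findings about MAC-only auth and undeliverable WEP keys."""
    enc_mode = {}   # VLAN id -> encryption mode text
    ssids = {}      # SSID name -> {"vlan": id or None, "auth": set of tokens}
    current = None  # SSID sub-block currently being read, if any
    for raw in config.splitlines():
        line = raw.strip()
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] in ("interface", "!"):
            current = None
        elif m := re.match(r"encryption vlan (\d+) mode (.+)", line):
            enc_mode[m.group(1)] = m.group(2)
        elif tokens[0] == "ssid" and len(tokens) > 1:
            current = ssids.setdefault(tokens[1], {"vlan": None, "auth": set()})
        elif current is not None and tokens[0] == "vlan" and len(tokens) > 1:
            current["vlan"] = tokens[1]
        elif current is not None and tokens[0] == "authentication":
            current["auth"].update(tokens[1:])
    report = {}
    for name, s in ssids.items():
        has_eap = bool({"eap", "network-eap"} & s["auth"])
        uses_wep = "wep" in enc_mode.get(s["vlan"], "")
        findings = []
        if "mac-address" in s["auth"] and not has_eap:
            findings.append("mac-only-auth")  # spoofable identifier, no credential
        if uses_wep and not has_eap:
            findings.append("wep-key-not-distributable")  # no EAP exchange to derive keys
        elif uses_wep:
            findings.append("wep-with-eap")  # dynamic keys possible, cipher is still WEP
        report[name] = findings
    return report

if __name__ == "__main__":
    print(audit_ssids(QUESTION_CONFIG))
```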
