Solved

Wireless Authentication using MAC Addresses, IAS and a WEP Key

Posted on 2004-08-19
Last Modified: 2013-11-30
Hi everyone,

First I'll tell you how everything is set up and then I'll tell you the problem.

I have a Cisco 1200 series AP, and right now my users authenticate to the IAS server using their MAC address. Right now I have to manually type in the WEP key to get WEP encryption.

What I want to do is have the computer be authenticated with the MAC address on the server and then push out a WEP key to it after it connects.

I have tried setting up the AP with the following commands regarding encryption.

interface Dot11Radio0
encryption vlan 10 mode ciphers wep128
ssid Jontest
    vlan 10
    authentication open mac-address hd-login

This does not work; the computer gets authenticated by the IAS server but will not get a DHCP address.

I know that it is a problem with my config because when I remove the command

encryption vlan 10 mode ciphers wep128

I get an address.

Can someone tell me if you can actually do this? Or am I stuck manually entering the WEP key?
Question by:fcaat

Accepted Solution

by:cyrnel
cyrnel earned 168 total points
ID: 11845823
Starting with a disclaimer: sorry, but I don't know Cisco's current 802.11 lineup.

Unless the installation is in a relatively isolated area I would stick with the manual key entry. MAC discovery/spoofing is fairly simple which makes MAC-based security just a form of obscurity. There might be an easy solution for you that works with your existing equipment but I'm not aware of it. We've almost completely dumped WEP and WEP-limited hardware and moved to devices supporting WPA. In some cases it's just a firmware & software update. In others, replacement. Not simple in all cases with supplicant availability but it's more easily scaled and much more secure than WEP.

That said, I'll make way for Cisco gurus.

Assisted Solution

by:Felix2000
Felix2000 earned 166 total points
ID: 11849972
cyrnel is very correct: MAC spoofing is very easy these days, so it would make your network very insecure.

A typical setup that can be used, though it costs more, is to set up a VPN server behind the AP. The VPN box would sit between the AP and the main network, isolating the AP to its own network.
So users use the wireless network to connect to an isolated LAN and then use a VPN client to connect to the main network.

Wireless User <--> AP <--> VPN Server <--> Main LAN

I believe the Cisco APs have the ability to do the automatic key distribution, but you need a RADIUS server (probably Cisco ACS server) to do that with.

Check this link
http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801bd035.shtml

-=[ Felix ]=-

Assisted Solution

by:PennGwyn
PennGwyn earned 166 total points
ID: 11853424
VPN looks to me like the best way to go.  Cisco's LEAP, which greatly improves WEP security, also requires a RADIUS server (although I think maybe any will do).  MAC-based security is okay for physically-secure/unshared media, but on any kind of broadcast/shared media it's trivially fragile.


Expert Comment

by:cyrnel
ID: 11853590
PennGwyn, doesn't LEAP key rotation also require all Cisco equipment?