  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 589

Wireless Question

I have a Cisco WAP4410N Wireless-N Access Point that I need to set up to allow wireless users (laptops) to connect to my LAN & access network drives, printers, Internet, etc. I know how to set all this up except the extra layer of security. I know I can use WPA for security, but how can I set up user authentication? This AP has a feature where it will redirect a user to an internal website for authentication once they connect, but I am assuming I need a RADIUS server, correct? My question is, what is the easiest RADIUS server to set up? I'll just have less than 5 user accounts. Is this something a Linux box can do, or some other freeware that will work on a Windows box? I have an Active Directory domain with Windows 7 computers & iPads. Any advice or suggestions will be appreciated.
0
wantabe2
1 Solution
 
David Johnson, CD, MVP (Owner) Commented:
Since you already have AD, adding a RADIUS (RRAS role) is one option.
0
 
Darr247 Commented:
Yes, you can easily run RADIUS on a Linux box, but everything you need should be available in your server without needing to set up a separate box for it, and you can have the users authenticate with their domain credentials.

Since you didn't tell us what server you're running (I'm not aware of Win7's ability to run a domain and AD without one), I'll point you towards this article for 2003 Server
http://aaronwalrath.wordpress.com/2007/11/05/set-up-windows-2003-ias-server-with-radius-authentication-for-cisco-router-logins/
0
 
kevinhsieh Commented:
In Windows 2003 the RADIUS service is called IAS. In Windows 2008 it is called Network Protection Service (NPS).
0
 
Rick_O_Shay Commented:
Did you look at FreeRADIUS?

http://freeradius.org/download.html
0
 
ChiefIT Commented:
I would use TACACS over RADIUS while using Cisco.

http://tacacs.net/

TACACS benefits over RADIUS:
- TACACS uses TCP for reliability and another layer of security
- Most importantly, TACACS can separate authentication and authorization of the connection on separate machines. This adds another layer of security AND ALSO allows you to run it on a PC.

PLEASE NOTE: Since Authorization and Authentication must be performed on the same machine for RADIUS, you are left with running RADIUS on a centralized authentication server (usually meaning a domain controller). Do you want wireless users to even communicate with the domain controller using UDP as the protocol? Imagine the attack that can happen there.
0
 
Darr247 Commented:
The WAP4410N is really a Linksys...
It's one of Cisco's Small Business series. Though on later versions of the Small Business routers/APs they've stopped molding the Linksys name into the top cover, I'm not aware of any of them running IOS.
0
 
wantabe2 (Author) Commented:
I have several Windows 2008 domain controllers with an Active Directory domain. So you are saying I can use the Windows 2008 server to authenticate wireless users before they can access the local LAN? Here's what I need to happen... A user opens Safari on their iPad or opens IE on their laptop & they get redirected to an internal page saying they need to type in a username & password before they can proceed. Or a visitor comes into the office & sees the wireless SSID & tries to connect to it. They get prompted for a password & can't go further until I give them a UN & PW...
0
 
kevinhsieh Commented:
I read the white paper from tacacs.net, and I don't see any advantage of TACACS over RADIUS in this situation. When a wireless user authenticates, they don't communicate directly with the AAA server. They communicate with the WAP, which then sends credentials over to the AAA server for authentication and authorization, so only the WAP needs to have access to the TACACS or RADIUS service. The Microsoft service runs directly on the Windows server, typically a DC, which is also where it is recommended to run TACACS. Microsoft will automatically patch their service, though I have very rarely (if ever) heard about a problem with their IAS/NPS service. I guess you can say that TCP vs. UDP is an advantage for TACACS...

The capability of authenticating a wireless or wired user before they get access to your network is determined by your networking equipment. I haven't looked up yours. In my wired and wireless network, you can't access the network until your device authenticates with a username and password. This is managed via GPO for Windows devices, so there is nothing that the user needs to do. I don't have a captive portal like what you are describing for wireless users, but that would be nice. Yes, the networking equipment would need to get credentials from the user, and then pass those on to a DC via RADIUS or TACACS to get authenticated and authorized. If the credentials are good, then the equipment will connect the user to the network.
0
 
ChiefIT Commented:
@kevinhsieh:
Darr247 brought up a great point by saying:

"The WAP4410N is really a Linksys..."

Yes, this WAP may not use Cisco IOS and therefore might have a problem with TACACS. So, it might be best to use RADIUS in this one particular case.

I have used TACACS with better success than RADIUS on other Cisco-based networks.
0
 
wantabe2 (Author) Commented:
I set up & am using TACACS. Thanks for the suggestion.
0
