securing wireless network

Hello Everyone,

Currently we have our wireless network set up with WPA and only the IT department has the code. We enter the code into every computer which belongs to the organization. The organization consists of Windows XP and Windows 7 computers. Our domain controller is running Windows 2008. We noticed that other devices that do not belong to the organization are also connected to the wireless network.

Any suggestion on how I can secure the wireless connection so that if a user somehow gets hold of the wireless key, they are still required to pass some kind of authentication before they have access to the network?

We have a public and a private SSID.

Thank you.
Fred Marshall (Principal) commented:
First, you should be using WPA2.

You could use a 63-character passphrase on the wireless. Then nobody would be able to memorize it; they could only copy and paste it if they somehow had access to it, which by itself would be a breach of security in some fashion.

You should make sure that the wireless clients you are using will not display the passphrase on the client computer.  I don't know if there are password finders that will do this but it's another step at least.

You could use RADIUS network login with individual login passwords in addition to the wireless security.

Dan Craciun (IT Consultant) commented:
Using a RADIUS server will almost solve your problem: since I believe most of the unidentified devices on your network are employees' phones/tablets, as long as they have a password they can use it on multiple devices.

You can use MAC filtering, but that's usually more work than it's worth. You have to manually keep the MAC table updated, and any employee can find out in 5 minutes on Google how to spoof a MAC.

I don't know your router, but if you can integrate it with AD you're a long way toward solving your problem, i.e. allowing only authenticated AD users access to the network.

TAS-IT (Author) commented:
How do I set it up where only authenticated AD users have access to the wireless network?
We have an HP ProCurve wireless controller.

Dan Craciun (IT Consultant) commented:
That HP ProCurve, I think, is an access point, which means its sole purpose is to connect wireless clients to your router, which is the "brain" behind your network.

The Cisco ASA firewalls have what they call "Identity firewall", which basically uses an AD server to decide the rights for each user.

Craig Beck commented:
You will need to use RADIUS as DanCraciun said.

The problem here is that Windows allows a user to view the PSK in plain-text, so it's easily copied to an unauthorized machine.

RADIUS will give you the ability to allow only the devices or users you dictate to connect to the network, using access policies. You could do it based on whether the client device is joined to a domain or not, or based on a combination of domain membership and user account, for example.

Fred Marshall (Principal) commented:
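Before moving clients to a RADIUS-backed SSID, an administrator usually wants to know which machines still carry a pre-shared-key profile. The following PowerShell script is an added example, not code from this thread or from any vendor; it parses the English-language output of `netsh wlan show profile` (Windows 7 and later; other display languages would need the match strings adjusted) and flags every saved profile that authenticates with WPA/WPA2-Personal instead of 802.1X (WPA2-Enterprise). It never displays the key itself.

```powershell
# Added example: inventory saved Wi-Fi profiles on a Windows client and report
# which ones still rely on a pre-shared key (WPA/WPA2-Personal) rather than
# RADIUS-backed 802.1X (WPA2-Enterprise). Assumes English netsh output.
# Run from an elevated PowerShell prompt on the machine being audited.

function Get-WlanProfileAuth {
    # Profile names appear as "All User Profile     : <SSID>" or
    # "Current User Profile : <SSID>" in 'netsh wlan show profiles'.
    $names = netsh wlan show profiles |
        Where-Object { $_ -match '(All|Current) User Profile\s*:\s*(.+)$' } |
        ForEach-Object { ($_ -split ':\s*', 2)[1].Trim() }

    foreach ($name in $names) {
        $detail = netsh wlan show profile name="$name"

        # "Authentication : WPA2-Personal" / "WPA2-Enterprise" / "Open" ...
        $authMatch = $detail | Select-String 'Authentication\s*:\s*(.+)$' | Select-Object -First 1
        $auth = if ($authMatch) { $authMatch.Matches[0].Groups[1].Value.Trim() } else { 'Unknown' }

        # "Security key : Present" means a PSK is stored with the profile.
        $keyPresent = [bool]($detail | Select-String 'Security key\s*:\s*Present')

        [pscustomobject]@{
            Profile        = $name
            Authentication = $auth
            UsesPSK        = ($auth -match 'Personal') -and $keyPresent
        }
    }
}

# List PSK-based profiles first so they stand out for removal after the
# WPA2-Enterprise profile has been pushed (for example via Group Policy).
Get-WlanProfileAuth | Sort-Object UsesPSK -Descending | Format-Table -AutoSize
```

A profile reported with `UsesPSK = True` is one whose shared secret can be recovered by a local user, exactly the exposure described above; once the enterprise SSID is in place, such profiles can be removed with `netsh wlan delete profile name="<SSID>"`.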
I believe a typical scenario for the wireless is this:

1) You do not provide DHCP on the wireless access point.
2) You provide DHCP on the more central router/server, which is also doing the AD or RADIUS or ...
3) Then, a wireless device will:
- "connect" to the network via the "radio" / via the access point, but not yet have an IP address for the network;
- "communicate" with the DHCP server (etc. etc.) to get an authenticated IP address.

Those two steps are essentially what a laptop does when it connects to a network AND the gateway/wireless router/access point is providing DHCP:
- first the radios connect;
- next the security requirements are met;
- then an IP address is leased.

Because of this, and I'm sure you've seen it, if the laptop's passphrase isn't correct, the laptop will appear to "connect" (which really means the radios) but the security requirements aren't met, so no IP address. Sometimes this is very confusing to an uninitiated user. They can "connect" but they can't "connect".