Wireless network security with HP MSM765 access controller

Hi All,

We have MSM765 wireless access point controllers. We have two SSIDs, for internal and guest Wi-Fi. The internal SSID isn't broadcast, and it is configured with WPA2 (AES/CCMP) with the key source set to Dynamic. We have a MAC address list configured on the proxy, which can only use the internal LAN.

Is there any way we can do better to secure the network? How have you guys set up your LAN, and what are the benefits of the way you guys set it up?

I know there are ways to spoof MAC addresses, and someone was saying that even after stopping the broadcasting there are ways people can find out the LAN.

Please let me know.

btan (Exec Consultant) commented:
Minimally have
- 802.1X for any wireless authentication. Leverage 802.1X as the means to implement EAP at Layer 2 for wireless clients. EAP-TLS is one of the most secure, as it uses digital certificates as authentication credentials, which means that every AP and wireless client must have a certificate generated and signed by a common certificate authority (CA).
- Each AP will need to be registered with your RADIUS server as a RADIUS client and configured on both sides with the shared secret.
- Ensure the extent of wireless VLANs through the network is out to the specific port the AP is attached to that network.
- If possible, adjust AP and antenna placement to the specific locality and do not use high power unnecessarily. A site survey of the locality helps to see blind spots as well as the extent of reach, which can be overexposure (that you will want to avoid or reduce).

See this summary - ProCurve Networking Wireless LANs: planning the site assessment

May want to take a look at "Controller-based with Split Traffic"

- Most often, this behavior is desired when organizations want to drop authenticated wireless traffic on the wired network, while tunneling guest traffic to the controller and directly out to the Internet. In other scenarios, this configuration might be used to secure specific types of traffic to and from protected resources in the network, since this behavior can allow for encryption all the way to the controller, protecting data on most of the wired network as well as on the RF side.
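
One way the RADIUS side of the 802.1X / EAP-TLS setup recommended above could look, as an added example that is not part of the original answer. It assumes FreeRADIUS 3.x as the RADIUS server (the thread names no product); the AP names, addresses, secrets and certificate file names are constructed placeholders.

```conf
# ---- clients.conf ------------------------------------------------------
# One entry per AP, as the answer describes. The same secret is entered
# on the AP/controller side. Use a different long random secret per AP so
# that one leaked value does not expose every RADIUS conversation.
# (Names, addresses and secrets below are constructed placeholders.)
client ap-floor1 {
    ipaddr    = 192.0.2.11
    secret    = REPLACE_WITH_LONG_RANDOM_SECRET_1
    shortname = ap-floor1
    # Reject requests from this client that lack a Message-Authenticator.
    require_message_authenticator = yes
}

client ap-floor2 {
    ipaddr    = 192.0.2.12
    secret    = REPLACE_WITH_LONG_RANDOM_SECRET_2
    shortname = ap-floor2
    require_message_authenticator = yes
}

# ---- mods-available/eap ------------------------------------------------
eap {
    # Offer EAP-TLS. Because no peap {} or ttls {} section is defined
    # here, password-based inner methods are not available to clients.
    default_eap_type = tls

    tls-config tls-common {
        # Server certificate and key presented to wireless clients.
        private_key_file = ${certdir}/server.pem
        certificate_file = ${certdir}/server.pem

        # The common CA from the answer: client certificates must chain
        # to this CA or the TLS handshake fails and access is rejected.
        ca_file = ${cadir}/ca.pem

        # Refuse legacy TLS versions during the EAP-TLS handshake.
        tls_min_version = "1.2"
    }

    tls {
        tls = tls-common
    }
}
```

Clients should also be configured to validate the server certificate against the same CA, otherwise they will authenticate to any AP advertising the SSID.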
Aaron Tomosky (Technology Consultant) commented:
WPA2 Enterprise with a RADIUS server allows you to use usernames and passwords and/or machine certificates to authenticate.

So certs are better than a MAC filter, and logins are always better than a PSK.
Question has a verified solution.
