Aironet 1231 config

So, my company just bought the first Aironet 1231, I've got a feeling that if I get this going correctly that more will come... No problem! Just want to do this right.

I have done some wireless, WEP, IAS, RADIUS, whatever... My question is, what is the best config these days?

I am considering using WPA/PEAP, is this correct? Is this the best available today? What I want is, secure wireless, secure wireless, secure wireless, and convenient wireless. So, I put a cert on the IAS server, don't broadcast the SSID, make a GPO for the EAP and call it a day?

Anyone have an opinion?

(don't mind the sig, I usually post in the non smoking group)

Wil

Hi Wil,

You may wish to investigate Cisco's Wireless LAN Security in Depth, as well as Cisco's IOS Software Configuration Guide for Cisco Aironet Access Points.

Sincerely,

Brad Reese BradReese.Com Cisco Repair Service Experts


Good stuff!

So I'm not worried about the client security at this point. I'm going to build it to the specs that I deem secure, write a security proposal, adopt it before anyone knows better, and require the clients to conform :) (as usual, we'll see how that part actually plays out, ha)

We're using the IntelPro cards (abg), seem to have good TKIP support.

What is required for the backend? I would like to install the least amount of things possible, IAS/PEAP seems reasonable.

Wil my 3¢


Wil wrote:

WPA with PEAP is absolutely o.k. from the security point-of-view.

You're starting the question from the wrong side. If you have an AIR-1231 the security in your setup is only determined by the least secure client device. The Aironet 1231 (which has the 802.11g radio) supports all current standards.

If you have some 802.11b-only devices with radios not from Cisco they probably do not support the TKIP/Michael cipher for WPA.

If you'll need seamless and fast roaming (< 100 msec) there are better possibilities than PEAP auth against IAS.

I prefer CCKM over WPA with CCXv2 or greater devices. Works with Linux too.

Keep in mind that with *any* user authentication the machine is not connected to the network before the user logs in. This may lead to trouble with software distribution services, if the machine is up but no user logged in. You may set up a machine account.

It depends.

Uli Link

Good luck, finding drivers with only minor bugs ;-) Good marketing, bad hardware.

With only a few clients you can use the IOS built-in RADIUS server of one AP. Setting up one AP as WDS, with all others using it as a cache, will dramatically reduce roaming time.

Else with every roaming event the client has to reauthenticate against the IAS.

Uli Link
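
An access-point side configuration for the WPA/PEAP against IAS setup discussed in this thread, added here as an illustration and not posted by any participant. The SSID name, server address and shared secret are constructed placeholders, and the syntax assumes an IOS 12.3 JA-series AP image that uses global `dot11 ssid` configuration; the IAS server is assumed to list the AP as a RADIUS client with the same secret and to have a PEAP remote access policy.

```cisco
! Constructed values (not from the thread):
!   192.0.2.10       stands in for the IAS server
!   CORP-WLAN        stands in for the SSID
!   <shared-secret>  stands in for the RADIUS shared secret
!
aaa new-model
!
! The AP only relays EAP; the PEAP tunnel and the server certificate
! live on the RADIUS (IAS) server.
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key <shared-secret>
!
aaa group server radius rad_eap
 server 192.0.2.10 auth-port 1812 acct-port 1813
!
aaa authentication login eap_methods group rad_eap
!
! Open authentication plus EAP is what a WPA/PEAP supplicant uses.
! "key-management wpa" without "optional" makes WPA mandatory, so a
! client that cannot do WPA is refused instead of lowering the level
! of the whole SSID.
! No "guest-mode" line is present, so the SSID is not put in beacons.
dot11 ssid CORP-WLAN
 authentication open eap eap_methods
 authentication key-management wpa
!
! TKIP is the WPA cipher the thread's client cards are said to support.
interface Dot11Radio0
 encryption mode ciphers tkip
 ssid CORP-WLAN
 no shutdown
```

`show dot11 associations` on the AP lists the associated clients, and the IAS event log on the server records each accepted or rejected PEAP attempt.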
