Hello,
We have a large installed base of Aironet 1200 Access Points at our main locations, and we also have some smaller sites that also need wireless access. These smaller sites are connected back to the main location via VPN.
We are currently doing LEAP for security and we use Cisco ACS Solution Engines for security. We use the ACS for user administration, and also for restricting MAC addresses that are allowed on the network.
The question is, since I don't really want to be dependent upon the VPN connection back to the main office to connect to the ACS to run these remote wireless networks, are there any other reasonable alternative ways to provide at least MAC lockdown security? I could obviously lock down each access point individually to certain MACs, but that becomes an administration nightmare because, assuming your users will roam, you would have to put the MAC manually in every single AP.
Here are the ideas we have thought of so far:
- Use the ACS for authentication (not preferred because we must also rely on our VPN tunnel staying up for the wireless to work)
- Use a 3rd Party ACS (probably not cost effective, plus it means running an additional server at each site)
- Possibly use Kiwi CatTools to script out the MAC lockdowns to each AP (we already own CatTools, so it is free, but probably still a lot of administration)
MAC lockdowns are the absolute minimum security we would need; obviously the more the better. I am open to any other ideas.
Thanks for any advice.
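As an added illustration of the scripted MAC lockdown idea (not code from the original post or from CatTools), the following Python builds the same Aironet IOS allow-list for every AP at a site from one central MAC list, so a roaming client is accepted on each AP. The AP names and MAC addresses are constructed sample data, and the `access-list 700` / `dot11 association mac-list` command syntax is an assumption to verify against your AP's IOS release before pushing it with CatTools.

```python
import re

# Constructed sample data: the central allow-list (in mixed notations,
# as typed by different admins) and the APs at one remote site.
ALLOWED_MACS = ["00:11:22:33:44:55", "0011.2233.4466", "00-11-22-33-44-77"]
SITE_APS = ["ap-branch1-1", "ap-branch1-2"]

HEX12 = re.compile(r"^[0-9a-f]{12}$")


def to_cisco_mac(mac: str) -> str:
    """Normalise any common MAC notation to Cisco dotted form (hhhh.hhhh.hhhh)."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not HEX12.match(digits):
        # Reject malformed entries so a typo never silently opens or breaks the list.
        raise ValueError(f"invalid MAC address: {mac!r}")
    return f"{digits[0:4]}.{digits[4:8]}.{digits[8:12]}"


def mac_acl_config(macs, acl_number=700):
    """Return the IOS commands that restrict association to the allow-list.

    Assumed syntax: a standard MAC access-list (700-799) with an exact-match
    mask, applied globally with 'dot11 association mac-list'.
    """
    lines = [f"no access-list {acl_number}"]  # rebuild the ACL from scratch
    # Sorted, de-duplicated entries keep the generated config stable across runs,
    # which makes the per-AP diff in a tool like CatTools easy to review.
    for mac in sorted({to_cisco_mac(m) for m in macs}):
        lines.append(f"access-list {acl_number} permit {mac} 0000.0000.0000")
    lines.append(f"dot11 association mac-list {acl_number}")
    return lines


def site_configs(aps, macs):
    """Map every AP at a site to the identical ACL so roaming clients work everywhere."""
    body = mac_acl_config(macs)
    return {ap: list(body) for ap in aps}


if __name__ == "__main__":
    for ap, cfg in site_configs(SITE_APS, ALLOWED_MACS).items():
        print(f"! {ap}")
        print("\n".join(cfg))
```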