Wireless security, but no AD

Trying to get a feel for what you techies recommend...

I have a client who, until now, has been totally wired. The branch manager wants to add wireless, to a three story office building. It's setup as a workgroup, with no servers at all... so no radius, AD, etc. I have three LinkSys - Cisco AP's ( http://www.amazon.com/Linksys-Cisco-WIRELESS-ACCESS-POINT-WAP54GP/dp/B000BWBU42 ).

Every agent either uses office-provided desktops (wired), or brings in their own laptops. It's these laptops that will get wireless. Since I don't control logons, every laptop (about 50) has different setup.

So, security. How do I employ WPA/PEAP/TKIP in such a case? I don't think I can use PEAP, since I don't have a sam to check against, and it's too diverse a network to give out certs.

Any thoughts?

Mike

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

phreak

My first thoughts are OpeRADIUS but I cannot say for sure that'd work as I never have tried. Might be worth your time to do a search.

APA

in your case with no users database or cert infrastucutre your best solution would be

WPA/WPA2 with TKIP (Pre-Shared Key)

The shared key will be used to authenticate the users and enable wireless access.

WPA2 requires a hotix on Windows XP BTW.....

If you need more info let me know.....

Paul Boz

Are the users going to be in a seperate LAN for the wireless or will they have to interact with the current LAN?

I'd use pre-shared keys and cut off the AP's from the established network by either placing them into a vlan with very strict rules (IE only permit requests to the printer, for example) or completely segregating their traffic entirely. Also make sure to change the pre-shared keys on a regular basis. It may be a pain in the neck for your employees but unless you have a way of centralizing authentication it's worth it.

dtlokee

Place a VPN concentrator behind the access point and use IPSec between the clients and the VPN concentrator, that will give you the highest level of security you can get with those access points.

Paul Boz

Would GRE tunnels using IPsec give the same result?

networker050184

I don't believe GRE is supported on end client devices.

mikearama

A.P.A wrote:

in your case with no users database or cert infrastucutre your best solution would be

WPA/WPA2 with TKIP (Pre-Shared Key). The shared key will be used to authenticate the users and enable wireless access.

I was hoping to not have to use a PSK, since most of the agents are not techy, and configuring their wireless clients will become a fulltime gig.

Paul Boz wrote:

Are the users going to be in a seperate LAN for the wireless or will they have to interact with the current LAN?

I'd use pre-shared keys and cut off the AP's from the established network by either placing them into a vlan with very strict rules (IE only permit requests to the printer, for example) or completely segregating their traffic entirely. Also make sure to change the pre-shared keys on a regular basis. It may be a pain in the neck for your employees but unless you have a way of centralizing authentication it's worth it.

.

They'll most likely interact. The LAN is quite simplistic, so once they're "authenticated", they'll have free reign. They use proprietary financial software that connects to head office, as well as printing.

So again, PSK's, yeah? Shoot!

dtlokee wrote:

Place a VPN concentrator behind the access point and use IPSec between the clients and the VPN concentrator, that will give you the highest level of security you can get with those access points.

That's good... very good. I just can't see how that won't increase the complexity. Won't I still require something network-side to authenticate against? The concentrator's gotta look to something. In a workgroup, what would that be?

Or, does the concentrator act as it's own radius server, and I'll have to set up the vpn client with a PSK?

I guess I'm pretty much resolved to having to dole out PSK's.

dtlokee

You can create users on the concentrator and people would establish the VPN connection (or you can configure it to auto create the vpn) from the client workstation to the concentrator.