Wireless security, but no AD
Trying to get a feel for what you techies recommend...
I have a client who, until now, has been totally wired. The branch manager wants to add wireless to a three-story office building. It's set up as a workgroup, with no servers at all... so no RADIUS, AD, etc. I have three Linksys - Cisco APs ( http://www.amazon.com/Linksys-Cisco-WIRELESS-ACCESS-POINT-WAP54GP/dp/B000BWBU42 ).
Every agent either uses office-provided desktops (wired) or brings in their own laptop. It's these laptops that will get wireless. Since I don't control logons, every laptop (about 50) has a different setup.
So, security. How do I employ WPA/PEAP/TKIP in such a case? I don't think I can use PEAP, since I don't have a SAM to check against, and it's too diverse a network to give out certs.
Any thoughts?
Mike
There are only 10 kinds of people... those who understand binary, and those that don't.
CCIE Studies: Written passed: Jan 21/12 Lab Prep: Hours reading: 385. Hours labbing: 110
Taking a time-out to add the CCVP. Capitalizing on a current IPT pilot project.
Comments
phreak Member Posts: 170
My first thoughts are OpeRADIUS but I cannot say for sure that'd work as I never have tried. Might be worth your time to do a search.
APA Member Posts: 959
In your case with no users database or cert infrastructure your best solution would be
WPA/WPA2 with TKIP (Pre-Shared Key)
The shared key will be used to authenticate the users and enable wireless access.
WPA2 requires a hotfix on Windows XP BTW.....
If you need more info let me know.....
CCNA | CCNA:Security | CCNP | CCIP
JNCIA:JUNOS | JNCIA:EX | JNCIS:ENT | JNCIS:SEC
JNCIS:SP | JNCIP:SP
Paul Boz Member Posts: 2,620
Are the users going to be in a separate LAN for the wireless or will they have to interact with the current LAN?
I'd use pre-shared keys and cut off the APs from the established network by either placing them into a VLAN with very strict rules (i.e. only permit requests to the printer, for example) or completely segregating their traffic entirely. Also make sure to change the pre-shared keys on a regular basis. It may be a pain in the neck for your employees but unless you have a way of centralizing authentication it's worth it.
CCNP | CCIP | CCDP | CCNA, CCDA
CCNA Security | GSEC |GCFW | GCIH | GCIA
pbosworth@gmail.com
http://twitter.com/paul_bosworth
Blog: http://www.infosiege.net/
dtlokee Member Posts: 2,378
Place a VPN concentrator behind the access point and use IPSec between the clients and the VPN concentrator, that will give you the highest level of security you can get with those access points.
The only easy day was yesterday!
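The two answers above (APA's WPA/WPA2 pre-shared key and Paul Boz's advice to rotate that key regularly) rest on how a WPA passphrase actually becomes the key the APs and clients share. The script below is an added illustration, not code from this thread or from Linksys: it derives the 256-bit PSK the way IEEE 802.11i specifies (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 32-byte output), checks itself against the published IEEE test vector, and generates a fresh random passphrase for each rotation. The SSID name `BranchOffice` and the 24-character passphrase length are assumptions for the example.

```python
import hashlib
import secrets
import string

# Known-answer test vector from IEEE Std 802.11i-2004, Annex H.4.1:
# passphrase "password" on SSID "IEEE" must yield this PSK.
IEEE_VECTOR = (
    "password",
    "IEEE",
    "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e",
)

# Assumed example SSID; the thread does not name one.
EXAMPLE_SSID = "BranchOffice"


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA/WPA2 PSK (the PMK) from passphrase and SSID.

    802.11i: PSK = PBKDF2(passphrase, ssid, 4096 iterations, 256 bits).
    Every AP broadcasting the same SSID with the same passphrase ends up
    with the identical PSK, which is why three APs can share one setting.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 ASCII characters")
    if any(ord(c) < 32 or ord(c) > 126 for c in passphrase):
        raise ValueError("WPA passphrase must be printable ASCII")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, dklen=32
    )


def self_check() -> bool:
    """Confirm derive_psk matches the IEEE known-answer vector."""
    passphrase, ssid, expected_hex = IEEE_VECTOR
    return derive_psk(passphrase, ssid).hex() == expected_hex


def generate_passphrase(length: int = 24) -> str:
    """Make a new random passphrase for a scheduled key rotation.

    Letters and digits only, so it survives being typed into 50 different
    wireless clients; 24 characters of a 62-symbol alphabet is roughly
    143 bits of entropy, well beyond what the 4096-iteration PBKDF2
    could be brute-forced against from a captured handshake.
    """
    if not 8 <= length <= 63:
        raise ValueError("length must fit WPA passphrase limits")
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def rotate(ssid: str) -> tuple[str, str]:
    """Produce the next (passphrase, psk_hex) pair to push to all APs."""
    passphrase = generate_passphrase()
    return passphrase, derive_psk(passphrase, ssid).hex()


if __name__ == "__main__":
    print("802.11i vector check:", "ok" if self_check() else "FAILED")
    new_pass, new_psk = rotate(EXAMPLE_SSID)
    print(f"SSID {EXAMPLE_SSID}: new passphrase {new_pass}")
    print(f"  derived PSK (enter on APs if the UI wants hex): {new_psk}")
```

The hex PSK is what a WAP54GP stores once you type the passphrase, so the two-step output is handy when an AP's UI accepts either form. Note that the derivation uses the SSID as salt: renaming the SSID silently changes the PSK even if the passphrase stays the same, which is worth remembering when reconfiguring three APs by hand.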
Paul Boz Member Posts: 2,620
Would GRE tunnels using IPsec give the same result?
CCNP | CCIP | CCDP | CCNA, CCDA
CCNA Security | GSEC |GCFW | GCIH | GCIA
pbosworth@gmail.com
http://twitter.com/paul_bosworth
Blog: http://www.infosiege.net/
networker050184 Mod Posts: 11,962
I don't believe GRE is supported on end client devices.
An expert is a man who has made all the mistakes which can be made.
mikearama Member Posts: 749
A.P.A wrote:
In your case with no users database or cert infrastructure your best solution would be
WPA/WPA2 with TKIP (Pre-Shared Key). The shared key will be used to authenticate the users and enable wireless access.
I was hoping to not have to use a PSK, since most of the agents are not techy, and configuring their wireless clients will become a full-time gig.
Paul Boz wrote:
Are the users going to be in a separate LAN for the wireless or will they have to interact with the current LAN?
I'd use pre-shared keys and cut off the APs from the established network by either placing them into a VLAN with very strict rules (i.e. only permit requests to the printer, for example) or completely segregating their traffic entirely. Also make sure to change the pre-shared keys on a regular basis. It may be a pain in the neck for your employees but unless you have a way of centralizing authentication it's worth it.
They'll most likely interact. The LAN is quite simplistic, so once they're "authenticated", they'll have free rein. They use proprietary financial software that connects to head office, as well as printing.
So again, PSKs, yeah? Shoot!
dtlokee wrote:
Place a VPN concentrator behind the access point and use IPSec between the clients and the VPN concentrator, that will give you the highest level of security you can get with those access points.
That's good... very good. I just can't see how that won't increase the complexity. Won't I still require something network-side to authenticate against? The concentrator's gotta look to something. In a workgroup, what would that be?
Or, does the concentrator act as its own RADIUS server, and I'll have to set up the VPN client with a PSK?
I guess I'm pretty much resolved to having to dole out PSKs.
There are only 10 kinds of people... those who understand binary, and those that don't.
CCIE Studies: Written passed: Jan 21/12 Lab Prep: Hours reading: 385. Hours labbing: 110
Taking a time-out to add the CCVP. Capitalizing on a current IPT pilot project.
dtlokee Member Posts: 2,378
You can create users on the concentrator and people would establish the VPN connection (or you can configure it to auto-create the VPN) from the client workstation to the concentrator.
The only easy day was yesterday!