Occasional Contributor II
Posts: 18
Registered: ‎01-24-2012

Basic PSK authentication

I have a client that bought a 650 controller and has about 30 employees. He does not have a RADIUS server and says money is tight right now. I am looking for the best way to implement security on the employee SSID without RADIUS. Any ideas?

Aruba Employee
Posts: 20
Registered: ‎01-23-2012

Re: Basic PSK authentication

Hi Isak,

 

If you want WPA-Enterprise grade security, you necessarily require a RADIUS service (as per standard).

The RADIUS server may or may not be embedded in the Wireless LAN Controller.

If you want to use the integrated RADIUS server in the Wireless LAN controller, you will have to decide which type of authentication mechanism you want to use.

PEAP is popular but has inherent vulnerabilities. If you want to use the integrated RADIUS server, you may also have to unencrypt or use symmetric encryption for your Active Directory user passwords (which is usually not desired).

 

Even if this is a very simple network, you may want to consider deploying digital certificates and using EAP-TLS for your users, using either the Microsoft CA service or simply TinyCA (Linux). Then you may use the integrated RADIUS server coupled with the OCSP responder to validate the client's certificate.

 

However, this might be an overkill solution for 30 employees. You'll probably prefer using WPA-PSK and changing the passphrase quarterly.

 

Best regards,

 

Paul Gallant. Eng.
CWNA, CWSP
Aruba Employee
Posts: 135
Registered: ‎06-18-2007

Re: Basic PSK authentication

Does your customer have a Microsoft environment? If so, they can deploy Microsoft IAS or Microsoft NPS, depending on the version of Windows Server. IAS/NPS is a RADIUS server included with the Microsoft Windows Server OS and does not require any additional licensing, etc. It also integrates with AD.

 

-Mike

Occasional Contributor II
Posts: 18
Registered: ‎01-24-2012

Re: Basic PSK authentication

Thanks for the reply guys.

 

Yes, they do have an AD environment.

 

I saw a post here as well on implementation.

http://community.arubanetworks.com/t5/Authentication-and-Access/Step-by-Step-How-to-Configure-Microsoft-IAS-Radius-Server-from/m-p/14391/highlight/true#M80

 

Aruba Employee
Posts: 135
Registered: ‎06-18-2007

Re: Basic PSK authentication

Good luck with it.  Let us know if you have any issues with the implementation.

 

-Mike

Guru Elite
Posts: 20,005
Registered: ‎03-29-2007

Re: Basic PSK authentication


paul.gallant wrote:

Hi Isak,

 

If you want WPA-Enterprise grade security, you necessarily require a RADIUS service (as per standard).

The RADIUS server may or may not be embedded in the Wireless LAN Controller.

If you want to use the integrated RADIUS server in the Wireless LAN controller, you will have to decide which type of authentication mechanism you want to use.

PEAP is popular but has inherent vulnerabilities. If you want to use the integrated RADIUS server, you may also have to unencrypt or use symmetric encryption for your Active Directory user passwords (which is usually not desired).

 

Even if this is a very simple network, you may want to consider deploying digital certificates and using EAP-TLS for your users, using either the Microsoft CA service or simply TinyCA (Linux). Then you may use the integrated RADIUS server coupled with the OCSP responder to validate the client's certificate.

 

However, this might be an overkill solution for 30 employees. You'll probably prefer using WPA-PSK and changing the passphrase quarterly.

 

Best regards,

 


Anything has vulnerabilities when it is wrongly configured. Configuring it properly makes it secure. Are any of those vulnerabilities on the page here? http://www.networkworld.com/columnists/2007/042307-wireless-security.html


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Validated Reference Design Guides : http://community.arubanetworks.com/t5/Validated-Reference-Design/tkb-p/Aruba-VRDs