Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Basic PSK authentication

  • 1.  Basic PSK authentication

    Posted Feb 14, 2012 10:32 AM

    I have a client that bought a 650 controller and has about 30 employees. He does not have a RADIUS server and says money is tight right now. I am looking for the best way to implement security on the employee SSID without RADIUS. Any ideas?



  • 2.  RE: Basic PSK authentication

    Posted Feb 14, 2012 12:24 PM

    Hi Isak,

     

    If you want WPA-Enterprise grade security, you necessarily require a RADIUS service (as per standard).

    The RADIUS server may or may not be embedded in the Wireless LAN Controller.

    If you want to use the integrated RADIUS server in the Wireless LAN controller, you will have to decide which type of authentication mechanism you want to use.

    PEAP is popular but has inherent vulnerabilities. If you want to use the integrated RADIUS server, you may also have to unencrypt or use symmetric encryption for your Active Directory user passwords (which is usually not desired).

     

    Even if this is a very simple network, you may want to consider deploying digital certificates and use EAP-TLS for your users using either the Microsoft CA service or simply TinyCA (Linux). Then you may use the integrated RADIUS server coupled with the OCSP responder to validate client's certificate.

     

    However, this might be an overkill solution for 30 employees. You'll probably prefer using the WPA-PSK and change the Passphrase quarterly.

     

    Best regards,

     



  • 3.  RE: Basic PSK authentication

    EMPLOYEE
    Posted Feb 14, 2012 05:29 PM

    @paul.gallant wrote:

    Hi Isak,

     

    If you want WPA-Enterprise grade security, you necessarily require a RADIUS service (as per standard).

    The RADIUS server may or may not be embedded in the Wireless LAN Controller.

    If you want to use the integrated RADIUS server in the Wireless LAN controller, you will have to decide which type of authentication mechanism you want to use.

    PEAP is popular but has inherent vulnerabilities. If you want to use the integrated RADIUS server, you may also have to unencrypt or use symmetric encryption for your Active Directory user passwords (which is usually not desired).

     

    Even if this is a very simple network, you may want to consider deploying digital certificates and use EAP-TLS for your users using either the Microsoft CA service or simply TinyCA (Linux). Then you may use the integrated RADIUS server coupled with the OCSP responder to validate client's certificate.

     

    However, this might be an overkill solution for 30 employees. You'll probably prefer using the WPA-PSK and change the Passphrase quarterly.

     

    Best regards,

     


    Anything has vulnerabilities when it is wrongly configured. Configuring it properly makes it secure. Are any of those vulnerabilities on the page here? http://www.networkworld.com/columnists/2007/042307-wireless-security.html



  • 4.  RE: Basic PSK authentication

    Posted Feb 14, 2012 02:16 PM

    Does your customer have a Microsoft environment? If so, they can deploy Microsoft IAS or Microsoft NPS depending on the version of Windows Server. IAS/NPS is a RADIUS server included with Microsoft Windows Server OS and does not require any additional licensing/etc. It also integrates with AD.

     

    -Mike



  • 5.  RE: Basic PSK authentication

    Posted Feb 14, 2012 02:24 PM

    Thanks for the reply guys.

     

    Yes, they do have an AD environment.

     

    I saw a post here as well on implementation.

    http://community.arubanetworks.com/t5/Authentication-and-Access/Step-by-Step-How-to-Configure-Microsoft-IAS-Radius-Server-from/m-p/14391/highlight/true#M80

     



  • 6.  RE: Basic PSK authentication

    Posted Feb 14, 2012 02:27 PM

    Good luck with it. Let us know if you have any issues with the implementation.

     

    -Mike