? Info on secure enterprise 250+ user WLAN required.

 
 
MW0CDO

 
      01-16-2005, 02:07 PM
I need to read up on WLAN configuration, security and authentication to a
Windows 2003 domain for around 250+ users.
Info on real world coverage to laptops with integrated WiFi in a curved
Victorian 4 storey building would be useful too.

I'm aware of the weak security that most kit is configured for out of the
box and the problems it can bring.

Anyone have any useful internet references?

I've looked at
http://www.ja.net/development/networ...wag/index.html
and
http://www.ja.net/development/aa/index.html

My aim is to convince a very conservative network manager that wireless
doesn't have to be insecure if properly implemented.

Cheers!

Paul


 
 
 
 
 
Airhead

 
      01-16-2005, 03:45 PM


> I need to read up on WLAN configuration, security and authentication to a
> Windows 2003 domain for around 250+ users.


Win2003 Server has IAS, Internet Authentication Service (RADIUS), but
for 250+ users I think you
will need the Enterprise Edition.
Search the Microsoft web site for IAS for more info.
802.11i (WPAv2)
http://www.wifialliance.org/opensect...ted_access.asp with
802.1x and using EAP protocol and a strong authentication method such
as PEAP (server side certificate and username, password) or EAP-TLS
(server and client certificates) or Funk's EAP-TTLS along with RADIUS
is the latest security for wireless.
Or some people prefer to still use VPN.

You will need to make some decisions on the type of access point,
Smart or Thin. Smart access points usually have all the config info
within and are typically managed individually. Thin are basically
radios connected to a switch, and everything is managed from the
switch.
The type you choose may depend on how many APs you expect to have
(manageability).


> Info on real world coverage to laptops with integrated WiFi in a curved
> Victorian 4 storey building would be useful too.


It would be very hard to give any real world coverage without doing a
site survey of the building. Different buildings have various RF
propagation characteristics. Other things like bandwidth requirements
of the users and whether roaming is necessary throughout the building
come into play.

> I'm aware of the weak security that most kit is configured for out of the
> box and the problems it can bring.
>
> Anyone have any useful internet references?
>
> I've looked at
> http://www.ja.net/development/networ...wag/index.html
> and
> http://www.ja.net/development/aa/index.html
>
> My aim is to convince a very conservative network manager that wireless
> doesn't have to be insecure if properly implemented.


My suggestion would be to visit some sites like Cisco, Symbol, Proxim,
etc. and read the success stories, white papers,
etc. and arm yourself with knowledge.

 
 
MW0CDO

 
      01-16-2005, 10:02 PM
Thanks very much for the information.

I thought that Win 2003 had IAS built in.
The version installed is very likely to be Enterprise, as it already
authenticates 7000+ users.

It looks possible to have no VPN, relying on EAP-TTLS to secure the link
instead.

I will look at the manufacturers' sites that you mention as well.
Did try looking on Intel earlier, but large parts of the site appeared to be
down.

Cheers!

Paul.
 
Peter Pan

 
      01-17-2005, 12:04 AM
I'm sort of curious. Why discount VPN? We have both wired and wireless
networks on a VPN server (bridged to our regular network), and when someone
wants to connect wirelessly, they add a VPN client to their system. Remote
offices, people travelling and using public networks, PDAs, etc. are all
handled by the VPN server, but we were able to leave the rest of the servers
alone, so the security was handled in one place.

 
MW0CDO

 
      01-17-2005, 09:33 PM
I'm not discounting VPN at all, just hypothesising.

As it happens, I discovered today that there are almost no free IP addresses
left in the allocated block.

Anyway, many thanks to all for the suggestions.
I spent yesterday reading up on them.

The persuasion with ammunition has worked, the network manager has given us
the go-ahead.
Not sure how he EVER got to be net manager, he didn't appear to know all
that much about networks or the newer technologies.
Also discovered that the copper desktop links are still 10Mbps, as are all
the switches.
Hopefully, all of this will change once we start the building refurbishment.

Thanks everyone for the help.

Paul.