Securing WLAN with dynamic keys

 
 
Jeremy Parr

 
      07-06-2003, 10:21 PM
I am looking at deploying WLAN in a small office, about 15 mobile
workstations. Cisco LEAP looks to be a good choice, but I am interested in
hearing what others have done along these lines.

Jeremy


 
 
 
 
 
David Taylor

 
      07-07-2003, 10:27 AM
> workstations. Cisco LEAP looks to be a good choice, but I am interested in
> hearing what others have done along these lines.


Why go for something proprietary when you could use other AP's with
802.1x?

David.
 
 
Jeremy Parr

 
      07-07-2003, 09:09 PM
I would like to integrate the wireless login with an NT domain login. AFAIK,
802.1x is a framework, and LEAP sits on top of it. If you know of an open
solution, I would LOVE to use it.

Jeremy

"David Taylor" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> > workstations. Cisco LEAP looks to be a good choice, but I am interested in
> > hearing what others have done along these lines.
>
> Why go for something proprietary when you could use other AP's with
> 802.1x?
>
> David.



 
 
David Taylor

 
      07-07-2003, 11:49 PM
> I would like to integrate the wireless login with an NT domain login. AFAIK,
> 802.1x is a framework, and LEAP sits on top of it. If you know of an open
> solution, I would LOVE to use it.


Radius is open!

Of course, it depends on what you have but you could set up Windows 2000
with Active Directory and IAS (Why can't Microsoft just go and call it
RADIUS?). Then your 802.1x authentication is against a Radius server
which will in turn check AD.

That's as NT domain login as you're going to get and not having to rely
on vendor specifics for the card.

David.
 
 
Bob

 
      07-10-2003, 11:51 AM
Where I work, the access points are wide open. Anyone with 802.11b
hardware can associate with one, but then there is absolutely nothing
they can do with it. No LAN access, no internet access, no nothing.

You have to be authorized (on a per-user basis) to use the wireless VPN
gateway. We use Cisco software & hardware. VPN authentication is via a
SecurID card. This is a credit-card sized device with a 6-digit
numeric display that changes once a minute, in a seemingly random
pattern. If your user id, PIN, and SecurID number don't all pass
muster, you get no access.

WEP & WPA will never compete with that.


Bob

<(E-Mail Removed)> wrote in message
news:behukg$8k3$(E-Mail Removed)...
> Thomas Richter <(E-Mail Removed)> wrote:
> > why not using a vpn for the wlan clients? and disabling the built in
> > encryption of the wireless hardware?
>
> This seems perfectly logical to me. External users have VPN already for
> access from the internet. Put the WLAN on the internet, and use VPN to
> access the internal company network.
>
> A bonus is that the WLAN can be publicly available to your visitors so that
> they can connect back to their offices.
>
> What's wrong with this scheme?
>
> I read about "man in the middle", where someone can steal your VPN login
> attempt. Is that possible? Perhaps with some certain VPN vendor?
>
>
> --
> ---
> Clarence A Dold - Hidden Valley (Lake County) CA USA 38.8-122.5
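
Added example, not part of the original thread: a sketch of the three-part check Bob describes (user id, PIN, and a 6-digit code that changes once a minute). SecurID's own algorithm is proprietary, so this swaps in RFC 6238 TOTP (HMAC-SHA1) with a 60-second step; the user record, seed, PIN and function names are all constructed assumptions.

```python
import hashlib
import hmac
import struct

STEP = 60      # seconds per code, matching a display that changes once a minute
DIGITS = 6

def token_code(seed: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): the code a token would show at unix_time."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def pin_hash(pin: str, salt: bytes) -> bytes:
    """Store a slow salted hash of the PIN, never the PIN itself."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

# Constructed user record (hypothetical user; the seed is the RFC 4226 test key).
USERS = {
    "bob": {"seed": b"12345678901234567890", "salt": b"constructed-salt",
            "pin": pin_hash("4321", b"constructed-salt"), "last_counter": -1},
}

def authenticate(user_id: str, pin: str, code: str, now: int, drift: int = 1) -> bool:
    """Grant access only if user id, PIN and token code all check out."""
    user = USERS.get(user_id)
    if user is None:
        return False
    pin_ok = hmac.compare_digest(pin_hash(pin, user["salt"]), user["pin"])
    matched = None
    for delta in range(-drift, drift + 1):       # tolerate +/- one step of clock drift
        counter = now // STEP + delta
        if counter < 0:
            continue
        expected = token_code(user["seed"], counter * STEP)
        if hmac.compare_digest(expected.encode(), code.encode()):
            matched = counter
    # Reject replays: each code is accepted once, and no older code afterwards.
    if not pin_ok or matched is None or matched <= user["last_counter"]:
        return False
    user["last_counter"] = matched
    return True
```

The replay check matters on an open WLAN: a code observed in transit is useless once the gateway has accepted it, even within the same minute.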



 
 
David Taylor

 
      07-10-2003, 02:05 PM
> Where I work, the access points are wide open. Anyone with 802.11b
> hardware can associate with one, but then there is absolutely nothing
> they can do with it. No LAN access, no internet access, no nothing.


Interestingly though you're using two factor authentication with the
SecurID cards, have you considered the possibility that someone else
might associate with the AP and then if one of your corporate chaps
associates a laptop with shares (or other suitable ports) open that
someone could install a trojan on that machine and use it as an entry
point to the network?


 
 
Thomas Richter

 
      07-10-2003, 11:25 PM
Hello dold


> I read about "man in the middle", where someone can steal your VPN
> login attempt. Is that possible? Perhaps with some certain VPN
> vendor?



use an ipsec vpn with activated authentication header protocol.
this protocol is made against man in the middle attacks.



kind regards thomas richter

--
* all your basestations are belong to us...*




 
 
Bob

 
      07-11-2003, 02:13 AM
I suppose that could happen in the interval between association and
authentication, but the Cisco software has a built in stateful firewall.
The firewall runs all the time, even when not using the VPN. Most users
have no idea that it's there, much less how to turn it off.


"David Taylor" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> > Where I work, the access points are wide open. Anyone with 802.11b
> > hardware can associate with one, but then there is absolutely nothing
> > they can do with it. No LAN access, no internet access, no nothing.
>
> Interestingly though you're using two factor authentication with the
> SecurID cards, have you considered the possibility that someone else
> might associate with the AP and then if one of your corporate chaps
> associates a laptop with shares (or other suitable ports) open that
> someone could install a trojan on that machine and use it as an entry
> point to the network?
>
>



 