From: Paul Lalonde (plalonde2@cogeco.ca)
Date: Tue Nov 04 2003 - 10:27:10 GMT-3
Hi Partha,
Yes, there is a very good way of doing this.
There is a very secure solution based on 802.1x authentication and EAP-TLS.
I have implemented a number of secure wireless infrastructures based on
this. 802.1x and EAP-TLS work together with a RADIUS server to dynamically
issue WEP session keys. You don't have to manage any of them!!
Windows XP has offered 802.1x authentication from the beginning, and now
Microsoft has released 802.1x authentication clients for its other operating
systems (i.e. WinNT, Win2000, etc.).
The Zero-Configuration Wireless features of Windows XP make setting up
wireless connections -- even secured ones -- easy.
The 802.1x and EAP-TLS system can be a little tricky to set up, but here is
the basic premise:
1. Configure the access points for "open" authentication with "EAP"
required.
2. Enable TKIP + WEP128 encryption.
3. Configure the access point to rely on a RADIUS server for EAP
authentication.
4. Configure a RADIUS server. I recommend Microsoft IAS "Internet
Authentication Service"
5. Configure Certificate Authority services on Microsoft Windows 2000 Server
(recommended platform)
6. Configure the RADIUS server to accept the access point as an
authenticator NAS "network access server"
7. Configure the RADIUS server and Windows 2000 users / groups to accept
connections from the wireless.
8. Create a certificate on each wireless workstation (while on the LAN) and
use that certificate to enable wireless access.
I'd highly recommend the following documents. This can be tricky to set up
the first time, but once you've gotten it working, it works great and is
very secure.
http://www.microsoft.com/windowsxp/pro/techinfo/deployment/wireless/default.asp
http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_technical_reference09186a00801444a1.html
The second link talks about an older version of Cisco Aironet access point
code and Cisco Secure ACS, but the fundamentals are very good.
Hope this helps,
Paul Lalonde
CCIE #11749
----- Original Message -----
From: "Barman, Partha" <PBarman@necbns.com>
To: <ccielab@groupstudy.com>
Sent: Monday, November 03, 2003 10:13 PM
Subject: USING WEP AND TKIP -- Do not want clients to enter WEP key !!
> I want to use WEP and TKIP. Is there any way that my clients can connect to
> the wireless network without entering a WEP key? We have a lot of visitors
> and do not want them to enter WEP keys.
>
> Please advise with any ideas or documentation to look at.
>
> Thanks,
> Partha
This archive was generated by hypermail 2.1.4 : Fri Dec 12 2003 - 12:29:08 GMT-3