Ultimate guide to enterprise Wireless LAN security released!


Summary: TechRepublic has released a large cluster of articles** to help you implement enterprise-class wireless LAN security.  This is not just an introductory guide; it is a step-by-step guide from start to finish!



Enterprise Wireless LAN architecture

You can also *download the entire guide in a single PDF* that you can print to read offline.  Enjoy and pass it on!


*Note that while the individual articles are open to anyone, the PDF download does require a quick and free registration on TechRepublic.  The PDF download is essentially a free e-book.

**I am the author of these articles and the technical director at TechRepublic



Talkback

15 comments
  • Thanks++

    I will be sure to put this to good use.
    nucrash
    • We'll be adding more of these

      We'll be adding more of these with more sophisticated architectures. For now you have plenty to chew on :). Enjoy and pass it on.
      georgeou
  • Most Excellente

    nt
    D T Schmitz
    • We're trying to release a Linux and Mac version too

      We're trying to release a Linux and Mac version too. Linux on the backend, Mac and Linux on the client end. There are no automation methods for Mac and Linux deployment (that I know of) unless you do some funky hack with a third party management tool or a script you write yourself.

      If anyone knows of a way to implement this level of automation on Mac and Linux, please let me know.
      georgeou
      • Linux Mac setup

        Well, I'm not sure what you mean by level of automation. We use OpenDirectory on OSX (LDAP + Kerberos) as our main auth server and run FreeRADIUS on Linux, which is set up to support EAP-TTLS through our Aironets. Our Windows environment is a TS cluster and a couple of app servers. We've got AD set up to do cross-realm authentication to the OD for Windows logins. On Mac clients it's just a couple of mouse clicks in Internet Connect to connect for the first time. Same with the PC laptops and tablets if they're using Intel's wireless management. If the machines are using Windows to manage it, then we have to install third-party software to support EAP-TTLS. On Linux laptops it's a couple of lines of setup in a config file. We also run a couple of wireless VLANs on our Aironets so we can also support open wireless connections for our many guests.
        gtdavies33@...
        • How do you automate the secure wireless LAN client on Mac or Linux?

          How do you automate the secure wireless LAN client on Mac or Linux?

          How do you automate the Root Certificate update on Linux and Mac?

          That's what I want to know.

          The list of articles I posted shows how to do all of that easily on Windows XP without resorting to any custom scripting. But I'm open to simple scripts for setting up PEAP on Linux running TKIP encryption in WPA mode.
          georgeou
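For the "simple script for setting up PEAP on Linux" asked about above, here is an added example that is not from the article or its author: a POSIX shell function that emits a wpa_supplicant network block for PEAP/MSCHAPv2 on WPA with TKIP and refuses to emit one that cannot validate the RADIUS server's certificate against the enterprise root CA. The SSID, CA file path, server name suffix and identity are assumed placeholder values.

```shell
#!/bin/sh
# Added example, not from the article or its author: generate a wpa_supplicant
# network block for PEAP/MSCHAPv2 over WPA/TKIP. All names and paths are
# assumed placeholders supplied by the caller.
gen_peap_network() {
    ssid="$1"; ca_cert="$2"; server_suffix="$3"; identity="$4"
    # A profile that cannot validate the RADIUS server certificate is refused:
    # without ca_cert the supplicant would complete its MSCHAPv2 exchange with
    # any access point presenting any certificate for this SSID.
    if [ ! -r "$ca_cert" ]; then
        echo "gen_peap_network: CA certificate $ca_cert is not readable" >&2
        return 1
    fi
    # No password= line is written: wpa_supplicant then requests it from the
    # user (wpa_cli/wpa_gui) instead of it being stored in a deployment script.
    cat <<EOF
network={
    ssid="$ssid"
    key_mgmt=WPA-EAP
    proto=WPA
    pairwise=TKIP
    group=TKIP
    eap=PEAP
    identity="$identity"
    ca_cert="$ca_cert"
    domain_suffix_match="$server_suffix"
    phase1="peaplabel=0"
    phase2="auth=MSCHAPV2"
}
EOF
}

# Example usage (assumed values), run after the enterprise root CA has been
# copied to the given path:
# gen_peap_network CorpWLAN /etc/ssl/certs/corp-root-ca.pem radius.corp.example \
#     user@corp.example >> /etc/wpa_supplicant.conf
```

Updating the root certificate on a Linux client then reduces to replacing the file named in ca_cert, since the profile references it by path.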
      • Thanks, by the way. Will have a look at it.

        Obviously I haven't done this myself. But this is the kind of configuration which is more or less different between distributions.
        You could run a custom installation on top of the distribution, but usually it's easier to use the version which comes with the distribution.
        I would check out http://wiki.debian.org/, http://www.debian-administration.org/, http://www.ubuntuforums.org/ and http://www.gentoo.org/. I usually get good information from those.
        (You could use http://distrowatch.com/ for help finding more information about Linux distributions.)
        Jxn
  • Thanks George

    While opinions may generate the most hits, technical knowledge and expertise are much more useful. Will put to good use.
    TonyMcS
    • Thanks, this one should do ok

      It's hard for technical articles to generate lots of talkback, but the hits do come, though not as many as for something controversial. Articles like this should continue to generate traffic over time because of their usefulness. Right now word hasn't gone out yet because it's still fresh off the press.
      georgeou
  • Ultimate guide? I think not

    Your guide could be summarized as... buy Microsoft and Cisco. That's a legitimate approach, but somewhat narrow for the lofty title you've given it.

    In particular, IAS is not a good RADIUS implementation. I think Juniper's Odyssey is far superior, and can interface with Active Directory, if you're already locked into that domain controller.

    Also, I think it's time to discourage the use of LEAP. Offline dictionary attacks were successfully demonstrated at conferences long before Maynor invented fake video demonstrations... and that was a long, long time ago.
    GW Mahoney
    • Sounds like you didn't even look at it.

      Hey it's fine if you don't even want to look at it, but don't make false assumptions about me promoting Cisco LEAP or EAP-FAST and pretend it's a review of my work. Those were articles showing why you should NOT use LEAP or EAP-FAST.

      Now as for IAS, I made it perfectly clear that it is locked in to Active Directory. However, it is one of the cleanest and most robust implementations of RADIUS period that comes free with your Win2003 server. But I did PRAISE the use of Funk (Juniper acquisition) Steelbelt RADIUS for non-MS connectivity or even FreeRADIUS. We are starting off with a Microsoft solution but we will be adding tutorials for Funk or FreeRADIUS.
      georgeou
  • Vista Issue

    Fantastic guide, always wanted to implement RADIUS but did not know where to start.

    I only have one issue: I can't get any of my Vista laptops to pre-authenticate before login. If I log in with a cached account or wire up the laptops, then I notice the wireless will connect once the desktop has loaded.

    If I try to log in without a cached account or a wired connection, all I ever get is "Can't find a login server".

    Any ideas?
    paul.baird@...
    • Can you get your XP machines to do machine login?

      nt
      georgeou
  • Updates yet?

    But I did PRAISE the use of Funk (Juniper acquisition) Steelbelt RADIUS for non-MS connectivity or even FreeRADIUS. We are starting off with a Microsoft solution but we will be adding tutorials for Funk or FreeRADIUS.

    Are these available yet?

    These are the most helpful tech docs I have come across so far.
    Any new setup/update with new OS's?
    Thanks
    minchella@...
  • A question about PEAP-TLS authentication

    Hi George,

    I think your guide is good. But when deploying, we think WPA2 PEAP-TLS is the better one. So we use a CA to issue the certificate, and configure all the APs to support WPA2. The IAS policy and clients are all OK.
    But when my client authenticates to the APs, it fails and shows some error information:

    Event Type: Error
    Event Source: IAS
    Event Category: None
    Event ID: 13
    Date: 11/26/2010
    Time: 2:58:25 AM
    User: N/A
    Computer: WHQV7671
    Description:
    A RADIUS message was received from the invalid RADIUS client IP address 10.1.201.177.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
    account.

    and


    Event Type: Error
    Event Source: IAS
    Event Category: None
    Event ID: 3
    Date: 11/26/2010
    Time: 2:20:10 AM
    User: N/A
    Computer: WHQV7671
    Description:
    Access request for user host/SHOW7LT1VM1L.ap.corp.xx.com was discarded.
    Fully-Qualified-User-Name = <undetermined>
    NAS-IP-Address = 100.179.22.223
    NAS-Identifier = APSHO_AP4
    Called-Station-Identifier = 0017.9581.79b0
    Calling-Station-Identifier = 0027.1035.4658
    Client-Friendly-Name = APSHO_AP4
    Client-IP-Address = 100.179.22.223
    NAS-Port-Type = Wireless - IEEE 802.11
    NAS-Port = 11610
    Proxy-Policy-Name = Use Windows authentication for all users
    Authentication-Provider = Windows
    Authentication-Server = <undetermined>
    Reason-Code = 96
    Reason = The authentication request was not processed because the session timed out.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
    Data:
    0000: 00 00 00 00 ....
    I also think the weak signal is the problem, but another SSID works well. So I wonder if two SSIDs in one Cisco Air AP work badly?
    greatgu
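The two IAS events quoted above fail for different reasons, and telling them apart is the first triage step. Event 13 names an access point whose address IAS does not have registered as a RADIUS client, so the request is dropped before any policy runs; Event 3 comes from a registered client but ends with Reason-Code 96, meaning the EAP session timed out before the client finished, which is what a supplicant that stops responding (for example because it does not trust the server certificate, or because the radio link drops) looks like from the server side. The following added example, not from the article or any commenter, classifies IAS event text against a constructed list of registered RADIUS clients; the registered addresses are assumed values.

```shell
#!/bin/sh
# Added example, not from the article: classify IAS event text into the two
# failure modes shown above. The list of RADIUS clients registered in IAS is
# constructed for this example; the real list lives in the IAS console.
IAS_RADIUS_CLIENTS="100.179.22.223
10.1.201.200"

# Print the access point address an event refers to. Event 13 states it in the
# description; Event 3 carries it as Client-IP-Address. Reads the event on stdin.
event_client_ip() {
    ip='\([0-9]*\.[0-9]*\.[0-9]*\.[0-9]*\)'
    sed -n -e "s/.*invalid RADIUS client IP address $ip.*/\1/p" \
           -e "s/^[[:space:]]*Client-IP-Address = $ip.*/\1/p" | head -n 1
}

# Print the Reason-Code of an event, or nothing when it has none.
event_reason_code() {
    sed -n 's/^[[:space:]]*Reason-Code = \([0-9]*\).*/\1/p' | head -n 1
}

# Print a one-line verdict for the event text given as $1.
triage_event() {
    ip=$(printf '%s\n' "$1" | event_client_ip)
    code=$(printf '%s\n' "$1" | event_reason_code)
    if [ -n "$ip" ] && ! printf '%s\n' "$IAS_RADIUS_CLIENTS" | grep -qxF "$ip"; then
        echo "UNREGISTERED_CLIENT $ip: register this AP as a RADIUS client in IAS with its shared secret"
    elif [ "$code" = "96" ]; then
        echo "EAP_TIMEOUT $ip: AP is registered; the supplicant never completed EAP (check that the client trusts the IAS server certificate, then the RF link)"
    else
        echo "OTHER ${ip:-unknown} reason=${code:-none}"
    fi
}

# Usage: save one event's Description text to a file and run
#   triage_event "$(cat event.txt)"
```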