Ultimate guide to enterprise Wireless LAN security released!

By George Ou | January 11, 2007, 11:31am PST

TechRepublic has released a large cluster of articles** to help you implement enterprise-class wireless LAN security.  This is not just an introductory guide; it is a step-by-step guide from start to finish!

Enterprise Wireless LAN architecture

You can also *download the entire guide in a single PDF* that you can print to read offline.  Enjoy and pass it on!


*Note that while the individual articles are open to anyone, the PDF download does require a quick and free registration on TechRepublic.  The PDF download is essentially a free e-book.

**I am the author of these articles and the technical director at TechRepublic.


Disclosure: http://blogs.zdnet.com/Ou/?page_id=557

George Ou, a former ZDNet blogger, is an IT consultant specializing in Servers, Microsoft, Cisco, Switches, Routers, Firewalls, IDS, VPN, Wireless LAN, Security, and IT infrastructure and architecture.

15 Comments

A question about PEAP-TLS authentication
greatgu 26th Nov 2010
Hi George,

I think your guide is good. But during deployment we think WPA2 PEAP-TLS is the better one. So we use a CA to issue the certificates and configure all the APs to support WPA2. The IAS policy and clients are all OK.
But when my client authenticates to the APs, it fails and shows some error information:

Event Type: Error
Event Source: IAS
Event Category: None
Event ID: 13
Date: 11/26/2010
Time: 2:58:25 AM
User: N/A
Computer: WHQV7671
Description:
A RADIUS message was received from the invalid RADIUS client IP address 10.1.201.177.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

and


Event Type: Error
Event Source: IAS
Event Category: None
Event ID: 3
Date: 11/26/2010
Time: 2:20:10 AM
User: N/A
Computer: WHQV7671
Description:
Access request for user host/SHOW7LT1VM1L.ap.corp.xx.com was discarded.
Fully-Qualified-User-Name =
NAS-IP-Address = 100.179.22.223
NAS-Identifier = APSHO_AP4
Called-Station-Identifier = 0017.9581.79b0
Calling-Station-Identifier = 0027.1035.4658
Client-Friendly-Name = APSHO_AP4
Client-IP-Address = 100.179.22.223
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 11610
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server =
Reason-Code = 96
Reason = The authentication request was not processed because the session timed out.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 00 00 ....
I also think the weak signal is the problem, but another SSID works well. So I wonder if two SSIDs on one Cisco Air AP work badly?
0 Votes
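The two IAS records quoted in the comment above point at two different failures: Event 13 means the access point's source IP is not registered as a RADIUS client in IAS, while Event 3 with Reason-Code 96 is an EAP conversation that never completed (consistent with the poster's weak-signal suspicion). The triage helper below is an added example, not code from the post or from TechRepublic; the registered-client set and the event texts are constructed from the records shown, and the REGISTERED_CLIENTS list is an assumed placeholder for whatever is configured in IAS.

```python
import re

# Constructed assumption: RADIUS clients registered in IAS. The AP at
# 10.1.201.177 from Event 13 is deliberately absent, which is exactly
# what "invalid RADIUS client IP address" means in that event.
REGISTERED_CLIENTS = {"100.179.22.223"}

# Sample event texts, constructed from the records quoted in the comment.
EVENT_13 = """Event ID: 13
Description:
A RADIUS message was received from the invalid RADIUS client IP address 10.1.201.177."""

EVENT_3 = """Event ID: 3
Description:
Access request for user host/SHOW7LT1VM1L.ap.corp.xx.com was discarded.
Fully-Qualified-User-Name =
NAS-IP-Address = 100.179.22.223
NAS-Identifier = APSHO_AP4
Client-IP-Address = 100.179.22.223
NAS-Port-Type = Wireless - IEEE 802.11
Reason-Code = 96
Reason = The authentication request was not processed because the session timed out."""


def parse_event(text):
    """Return (event_id, attrs); attrs maps IAS 'Name = value' lines to strings."""
    event_id = int(re.search(r"^Event ID:\s*(\d+)", text, re.M).group(1))
    attrs = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z-]+) =\s*(.*)$", line)
        if m:
            attrs[m.group(1)] = m.group(2).strip()
    # Event 13 carries the offending IP only in free text, so pull it out.
    m = re.search(r"invalid RADIUS client IP address (\d+(?:\.\d+){3})", text)
    if m:
        attrs["Client-IP-Address"] = m.group(1)
    return event_id, attrs


def triage(text, registered=REGISTERED_CLIENTS):
    """Classify one IAS record: unregistered NAS vs. stalled EAP session."""
    event_id, attrs = parse_event(text)
    ip = attrs.get("Client-IP-Address")
    if event_id == 13 or ip not in registered:
        # Fix is on the RADIUS server: add the AP as a client with its shared secret.
        return {"verdict": "unregistered-client", "ip": ip}
    if event_id == 3 and attrs.get("Reason-Code") == "96":
        # NAS is known; the client stopped answering mid-EAP (RF or supplicant side).
        return {"verdict": "session-timeout", "ip": ip, "nas": attrs.get("NAS-Identifier")}
    return {"verdict": "other", "ip": ip}
```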
Thanks++
nucrash 11th Jan 2007
I will be sure to put this to good use.
0 Votes
We'll be adding more of these
georgeou 11th Jan 2007
We'll be adding more of these with more sophisticated architectures. For now you have plenty to chew on. Enjoy and pass it on.
0 Votes
Most Excellente
D T Schmitz 11th Jan 2007
nt
We're trying to release a Linux and Mac version too. Linux on the backend, Mac and Linux on the client end. There are no automation methods for Mac and Linux deployment (that I know of) unless you do some funky hack with a third party management tool or a script you write yourself.

If anyone knows of a way to implement this level of automation on Mac and Linux, please let me know.
0 Votes
Linux Mac setup
gtdavies33@... 12th Jan 2007
Well, I'm not sure what you mean by level of automation. We use OpenDirectory on OSX (LDAP + Kerberos) as our main auth server and run FreeRADIUS on Linux, which is set up to support EAP-TTLS through our Aironets. Our Windows environment is a TS cluster and a couple of app servers. We've got AD set up to do cross-realm authentication to the OD for Windows logins. On Mac clients it's just a couple of mouse clicks in Internet Connect to connect for the first time. Same with the PC laptops and tablets if they're using Intel's wireless management. If the machines are using Windows to manage it, then we have to install third-party software to support EAP-TTLS. On Linux laptops it's a couple of lines of setup in a config file. We also run a couple of wireless VLANs on our Aironets so we can also support open wireless connections for our many guests.
How do you automate the secure wireless LAN client on Mac or Linux?

How do you automate the Root Certificate update on Linux and Mac?

That's what I want to know.

The list of articles I posted shows how to do all of that easily on Windows XP without resorting to any custom scripting. But I'm open to simple scripts for setting up PEAP on Linux running TKIP encryption in WPA mode.
0 Votes
Obviously I haven't done this myself. But this is the kind of configuration which differs more or less between distributions.
You could run a custom installation on top of the distribution, but usually it's easier to use the version which comes with the distribution.
I would check out http://wiki.debian.org/, http://www.debian-administration.org/, http://www.ubuntuforums.org/ and http://www.gentoo.org/. I usually get good information from those.
(You could use http://distrowatch.com/ for help finding more information about Linux distributions.)
0 Votes
Thanks George
TonyMcS 11th Jan 2007
While opinions may generate the most hits, technical knowledge and expertise are much more useful. Will put to good use.
0 Votes
Thanks, this one should do ok
georgeou 11th Jan 2007
It's hard for technical articles to generate lots of talkback, but the hits do come, though not as many as for something controversial. But articles like this should continue to generate traffic over time because of their usefulness. Right now word hasn't gone out yet because it's still fresh off the press.
0 Votes
Ultimate guide? I think not
GW Mahoney 12th Jan 2007
Your guide could be summarized as... buy Microsoft and Cisco. That's a legitimate approach, but somewhat narrow for the lofty title you've given it.

In particular, IAS is not a good RADIUS implementation. I think Juniper's Odyssey is far superior, and can interface with Active Directory, if you're already locked into that domain controller.

Also, I think it's time to discourage the use of LEAP. Offline dictionary attacks were successfully demonstrated at conferences long before Maynor invented fake video demonstrations... and that was a long, long time ago.
0 Votes
Hey it's fine if you don't even want to look at it, but don't make false assumptions about me promoting Cisco LEAP or EAP-FAST and pretend it's a review of my work. Those were articles showing why you should NOT use LEAP or EAP-FAST.

Now as for IAS, I made it perfectly clear that it is locked in to Active Directory. However, it is one of the cleanest and most robust implementations of RADIUS period that comes free with your Win2003 server. But I did PRAISE the use of Funk (Juniper acquisition) Steelbelt RADIUS for non-MS connectivity or even FreeRADIUS. We are starting off with a Microsoft solution but we will be adding tutorials for Funk or FreeRADIUS.
0 Votes
Vista Issue
paul.baird@... 11th Oct 2007
Fantastic guide, always wanted to implement RADIUS but did not know where to start.

I only have one issue: I can't get any of my Vista laptops to pre-authenticate before login. If I log in with a cached account or wire up the laptops, then I notice the wireless will connect once the desktop has loaded.

If I try to log in without a cached account or wire connection, all I ever get is "Can't find a login server".

Any ideas?
0 Votes
Updates yet?
minchella@... 23rd Jun 2010
But I did PRAISE the use of Funk (Juniper acquisition) Steelbelt RADIUS for non-MS connectivity or even FreeRADIUS. We are starting off with a Microsoft solution but we will be adding tutorials for Funk or FreeRADIUS.

Are these available yet?

These are the most helpful tech docs I have come across so far.
Any new setup/update with new OS's?
Thanks
0 Votes
