All, I am about to implement EAP-TLS and IPSec for my wireless network. Basically, this wireless segment is physically separated from my internal network via the firewall. It means that the wireless segment will be hanging off my DMZ network (called the wireless DMZ because the WAP will be in the wireless DMZ network). Wireless users will be required to be authenticated to a RADIUS server (freeradius) before being allowed to connect to the wireless network. In order to connect to the internal network or to the Internet, wireless users have to make an IPSec connection (via the Cisco VPN client) to the Cisco PIX firewall. At the moment, everything works great; however, I have a few questions that hopefully someone in this group can help with answers.

1) I use EAP-TLS on the freeradius server for Authentication and Accounting because I know Linux and freeradius is free (as the name implies). I don't want to use stinking Cisco ACS because it requires either Windows or Solaris, which I don't like, because my freeradius server is running on a Pentium 90 MHz / 128 MB of RAM just fine. I want to spend the company's money wisely, especially in this economy. From what I understand, EAP-TLS is an open standard while LEAP is a Cisco proprietary solution, and LEAP is vulnerable to "man in the middle attack" while EAP-TLS is not. Now I am under pressure from upper management to migrate from EAP-TLS on freeradius over to Cisco LEAP (upper management decision). The idiot executive's reason is that LEAP is more secure than EAP-TLS and they already have money allocated for the project. Because of this, I'll have to migrate from EAP-TLS over to LEAP. Therefore, my question is: is anybody using LEAP, and are you happy with it?

2) At the moment, my wireless network has about 10 users, so running IPSec (3DES) on top of EAP-TLS is not so bad. However, I am going to roll out this project for about 200 users, for which I know the performance will suffer. Has anyone done IPSec over EAP-TLS for a network with 200+ users, and what kind of performance issues do you have?
I don't want to use the Cisco ACS product because it is expensive and it sucks big time; however, sometimes you just have to swallow your losses and move on. Thanks.

Mike

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=56934&t=56934