Some notes/opinions:

1. A stolen laptop should trigger an employee to contact Human
Resources, Security and/or IS. Anything less on the part of said
employee is cause for termination - period. Alternatively, if the
perceived threat is via corporate/military espionage, then the
short-term solution is IPsec (IMO defeating the valuable properties of
wireless) and long-term PEAP. Better yet, no wireless access at all and
lock your wired ports down via URT or some such.

2. ACS v3.1 was released and is orderable, but I can't find a single
thing regarding CRL support by the authentication server. I'm digging
around within my Cisco contacts for an answer. If I hear anything on
this front, I'll be sure to toss up a comment.

3. Mike G. mentioned in a previous email the absence of AES in Cisco's
product plans. This is NOT the case - the AP1200 product line was
created so that, among other reasons, the CPU was capable of 256-bit
AES. This was addressed in some detail at the San Diego Networkers'
evening Product Session by Mike McAndrews, the Director of Product
Management for the Wireless Networking BU.

Cheers all.

Paul

> -----Original Message-----
> From: Roberts, Larry [mailto:Larry.Roberts@;expanets.com] 
> Sent: Monday, November 11, 2002 4:12 PM
> To: [EMAIL PROTECTED]
> Subject: RE: WLAN security matters [7:57160]
> 
> 
> Going back to the original e-mail question.
> 
> I disagree that EAP-TLS is not a solution for sniffing. Technically any wireless data can be sniffed, regardless of encryption. However, it will be garbage until decoded. If you use EAP-TLS and set the rekeying to a very short interval (say 1 minute) you would not be passing enough data for the person to be able to decrypt using the weakness in the IV. I'm not saying rekey every 1 minute, just that rekeying at 1 minute would assure you that not enough data had passed. You need to weigh the load on the server/the amount of wireless traffic/the amount of security that you need, to come up with the rekeying interval.
> 
> The biggest drawback to EAP-TLS has been lack of support at the OS level. Windows XP supports it natively, but all other Microsoft OSes require additional software. Supposedly Microsoft is going to back fit W2K, but they haven't released when. If you want vendor neutrality as I am looking to do, you either need to be assured that all the vendors release software that allows you to run EAP-TLS on your PC, or wait until MS does it at the OS level.
> I know that Cisco and Lucent have EAP-TLS aware clients, although I have only used Cisco's. Cisco and Lucent/Orinoco also have EAP-TLS aware APs, but I have yet to get the spare time to actually install my AP-500.
> 
> With EAP-TLS, you must worry about stolen laptops, which will have the certificate stored automatically allowing access to the network. CSACS 3.0 doesn't support CRLs, so until 3.1 comes out which I was told will have CRL support, you will need to just disable the username on the certificate.
> 
> The more obstacles that the end user must jump over, the more likely that a rogue AP will pop up on the network.
> It is critical IMO that the authentication to the network be as smooth and transparent as possible. LEAP does an excellent job of that, but it's proprietary :(
> 
> Just my opinion though....
> 
> Thanks
> 
> Larry
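The rekeying trade-off Larry describes (keeping the frames sent under one key below what an attacker needs for the IV weakness, while keeping EAP-TLS re-authentication load on the RADIUS server tolerable), as an added worked example that is not part of either message. The attacker frame budget, the throughput and the client counts are constructed placeholders, not figures from the thread.

```python
"""Rekey-interval sizing sketch (added example, not from the thread).

The security constraint gives an UPPER bound on the interval (fewer
frames per key); the server-load constraint gives a LOWER bound (fewer
re-authentications per hour).  A usable interval must satisfy both.
"""

# Assumed attacker budget: frames under a single key we refuse to exceed.
# Placeholder value chosen for illustration, not a figure from the thread.
ATTACK_FRAME_BUDGET = 1_000_000


def frames_per_interval(throughput_bps: float, avg_frame_bytes: int,
                        interval_s: float) -> int:
    """Frames carried under one key during interval_s seconds of traffic."""
    return int(throughput_bps * interval_s / (avg_frame_bytes * 8))


def max_rekey_interval_s(throughput_bps: float, avg_frame_bytes: int,
                         frame_budget: int = ATTACK_FRAME_BUDGET) -> float:
    """Longest interval that keeps frames-per-key under frame_budget."""
    frames_per_second = throughput_bps / (avg_frame_bytes * 8)
    return frame_budget / frames_per_second


def reauths_per_hour(num_clients: int, interval_s: float) -> float:
    """EAP-TLS re-authentications the RADIUS server absorbs per hour."""
    return num_clients * 3600.0 / interval_s


def choose_interval(throughput_bps: float, avg_frame_bytes: int,
                    num_clients: int, max_reauths_per_hour: float,
                    frame_budget: int = ATTACK_FRAME_BUDGET) -> tuple:
    """Return (interval_s, reauths_per_hour) at the longest safe interval,
    or raise ValueError when security and server load cannot both be met."""
    upper = max_rekey_interval_s(throughput_bps, avg_frame_bytes, frame_budget)
    lower = num_clients * 3600.0 / max_reauths_per_hour
    if lower > upper:
        raise ValueError(f"need <= {upper:.0f}s for security "
                         f"but >= {lower:.0f}s for server load")
    return upper, reauths_per_hour(num_clients, upper)


if __name__ == "__main__":
    # Constructed scenario: 5 Mbit/s of WLAN traffic, 1000-byte frames,
    # 50 clients, RADIUS budget of 1000 re-authentications per hour.
    print(frames_per_interval(5_000_000, 1000, 60))       # frames per 1-minute key
    print(choose_interval(5_000_000, 1000, 50, 1000))
```

When the lower bound exceeds the upper bound the function refuses rather than silently picking one side, which is the "weigh load against traffic against security" decision the message leaves to the reader.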




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57256&t=57160