I wasn't aware that 3.1 was out. I was told way back when, by TAC, that 3.1
would include CRL support, but considering my recent troubles with TAC, it
doesn't surprise me.

I agree with the stolen laptop, but you're expecting the typical user to
actually think. If they do actually (send them a bonus check and flowers!)
then you would need to disable, but NOT delete, the account listed as the
CN of the cert.
If 3.1 does support CRLs then you could revoke the cert, but otherwise,
change the CN and disable the old account.

My approach is going to be to issue a single cert per wireless location. If it
is compromised, everyone that uses those APs will need to get another cert
that is valid, and then disable the old one. My reasoning for this is that I
don't want to issue everyone a cert based on their network login, else when
it's lost, I have to disable their account and assign a new, and non-standard,
login. I guess you could modify the login for cert purposes, but then you
still have an equal number of certs per wireless user. I figure it is more
manageable to have 50 certs for 50 locations than 2500 certs for 2500 users.


Of course if I could just dictate Cisco and LEAP then all would be well, but
alas, it ain't gonna happen.

Thanks

Larry
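Added demo, not part of this thread or of any Cisco product: a throwaway CA
built with the openssl command line that issues an EAP-TLS client cert whose CN
is the user's network login, then treats that laptop as stolen and shows the two
paths discussed above and in Larry's earlier quoted message: a server that
honours a CRL rejects the revoked cert outright, while a server with no CRL
support (the CSACS 3.0 situation) still sees a perfectly valid chain, so the
fallback is to disable, not delete, the login named in the CN. The CA name
wlan-ca, the users jdoe and asmith, and the accounts.txt table are made up for
the demo; it only needs openssl and a POSIX shell.

```shell
#!/bin/sh
# Added demo, not from the thread. Throwaway CA, one EAP-TLS client cert per
# login (CN = login), then the cert is treated as stolen and checked by a
# CRL-aware server and by a CRL-blind one. Names (wlan-ca, jdoe, asmith,
# accounts.txt) are made up for the demo.
set -eu
WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

setup_ca() {
  mkdir -p ca/newcerts
  : > ca/index.txt
  echo 1000 > ca/serial
  echo 1000 > ca/crlnumber
  cat > ca/openssl.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_client ]
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
[ ca ]
default_ca = wlan_ca
[ wlan_ca ]
dir = ./ca
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = 7
policy = wlan_policy
[ wlan_policy ]
commonName = supplied
EOF
  openssl req -x509 -config ca/openssl.cnf -extensions v3_ca -newkey rsa:2048 \
    -nodes -subj "/CN=wlan-ca" -keyout ca/ca.key -out ca/ca.crt 2>/dev/null
}
# Issue a client cert with CN = login ($1); key and cert would live on the laptop.
issue_client_cert() {
  openssl req -new -config ca/openssl.cnf -newkey rsa:2048 -nodes \
    -subj "/CN=$1" -keyout "$1.key" -out "$1.csr" 2>/dev/null
  openssl ca -batch -config ca/openssl.cnf -extensions v3_client -notext \
    -in "$1.csr" -out "$1.crt" 2>/dev/null
}
# Laptop reported stolen: revoke the cert and publish a fresh CRL.
revoke_client_cert() {
  openssl ca -batch -config ca/openssl.cnf -revoke "$1.crt" \
    -crl_reason keyCompromise 2>/dev/null
  openssl ca -batch -config ca/openssl.cnf -gencrl -out ca/crl.pem 2>/dev/null
}
# Chain check as the authentication server would do it. $2 is a CRL path, or
# "" for a server with no CRL support. Prints accept or reject.
check_cert() {
  if [ -n "$2" ]; then
    openssl verify -CAfile ca/ca.crt -crl_check -CRLfile "$2" "$1" \
      >/dev/null 2>&1 && echo accept || echo reject
  else
    openssl verify -CAfile ca/ca.crt "$1" >/dev/null 2>&1 && echo accept || echo reject
  fi
}
cert_cn() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/.*CN=//'; }
# Constructed account table (login:status) standing in for the user database.
printf 'jdoe:active\nasmith:active\n' > accounts.txt
account_status() { awk -F: -v u="$1" '$1 == u { print $2 }' accounts.txt; }
disable_account() {   # disable, do NOT delete: the CN stays bound to a known login
  awk -F: -v u="$1" 'BEGIN { OFS = ":" } $1 == u { $2 = "disabled" } { print }' \
    accounts.txt > accounts.tmp && mv accounts.tmp accounts.txt
}
# Full decision: chain (plus CRL when available) must pass, then the login
# named in the CN must still be enabled.
eap_tls_decision() {
  [ "$(check_cert "$1" "$2")" = accept ] || { echo reject; return 0; }
  [ "$(account_status "$(cert_cn "$1")")" = active ] && echo accept || echo reject
}

setup_ca
issue_client_cert jdoe
issue_client_cert asmith
BEFORE=$(eap_tls_decision jdoe.crt "")             # accept
revoke_client_cert jdoe
WITH_CRL=$(eap_tls_decision jdoe.crt ca/crl.pem)   # reject: serial is on the CRL
CHAIN_ONLY=$(check_cert jdoe.crt "")               # accept: CRL-blind server sees a valid cert
disable_account jdoe
NO_CRL=$(eap_tls_decision jdoe.crt "")             # reject: login disabled
OTHER=$(eap_tls_decision asmith.crt ca/crl.pem)    # accept: other users unaffected
echo "before=$BEFORE with_crl=$WITH_CRL chain_only=$CHAIN_ONLY disabled=$NO_CRL other=$OTHER"
```

The CHAIN_ONLY result is the point of the thread: a revoked cert is indistinguishable from a live one to a server that never consults the CRL, which is why the account behind the CN has to be disabled on such a server. In a real deployment the CRL is published at the distribution point URL carried in the certs and the RADIUS server fetches it on its own schedule, so there is also a window between revocation and the next CRL fetch. With the shared per-location cert design above, `revoke_client_cert` on that one cert cuts off every user of the site until they get the replacement, which is the trade-off Larry describes.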
 

-----Original Message-----
From: Paul Forbes [mailto:Paul_Forbes@Trimble.com]
Sent: Monday, November 11, 2002 8:40 PM
To: [EMAIL PROTECTED]
Subject: RE: WLAN security matters [7:57160]


Some notes/opinions:

1. A stolen laptop should trigger an employee to contact Human Resources,
Security and/or IS. Anything less on the part of said employee is cause for
termination - period. Alternatively, if the perceived threat is via
corporate/military espionage, then the short-term solution is IPsec (IMO
defeating the valuable properties of wireless) and long-term PEAP. Better
yet, no wireless access at all and lock your wired ports down via URT or
some such.

2. ACS v3.1 was released and is orderable, but I can't find a single thing
regarding CRL support by the authentication server. I'm digging around
within my Cisco contacts for an answer. If I hear anything on this front,
I'll be sure to toss up a comment.

3. Mike G. mentioned in a previous email the absence of AES in Cisco's
product plans. This is NOT the case - the AP1200 product line was created so
that, among other reasons, the CPU was capable of 256-bit AES. This was
addressed in some detail at the San Diego Networkers' evening Product
Session by Mike McAndrews, the Director of Product Management for the
Wireless Networking BU.

Cheers all.

Paul

> -----Original Message-----
> From: Roberts, Larry [mailto:Larry.Roberts@expanets.com]
> Sent: Monday, November 11, 2002 4:12 PM
> To: [EMAIL PROTECTED]
> Subject: RE: WLAN security matters [7:57160]
> 
> 
> Going back to the original e-mail question.
> 
> I disagree that EAP-TLS is not a solution for sniffing. Technically any
> wireless data can be sniffed, regardless of encryption. However, it will be
> garbage until decoded. If you use EAP-TLS and set the rekeying to a very
> short interval (say 1 minute) you would not be passing enough data for the
> person to be able to decrypt using the weakness in the IV. I'm not saying
> rekey every 1 minute, just that rekeying at 1 minute would assure you that
> not enough data had passed. You need to weigh the load on the server, the
> amount of wireless traffic and the amount of security that you need to come
> up with the rekeying interval.
> 
> The biggest drawback to EAP-TLS has been lack of support at the OS level.
> Windows XP supports it natively, but all other Microsoft OSes require
> additional software. Supposedly Microsoft is going to back-fit W2K, but
> they haven't released when. If you want vendor neutrality, as I am looking
> to do, you either need to be assured that all the vendors release software
> that allows you to run EAP-TLS on your PC, or wait until MS does it at the
> OS level.
> I know that Cisco and Lucent have EAP-TLS aware clients, although I have
> only used Cisco's. Cisco and Lucent/Orinoco also have EAP-TLS aware APs,
> but I have yet to get the spare time to actually install my AP-500.
> 
> With EAP-TLS, you must worry about stolen laptops, which will have the
> certificate stored, automatically allowing access to the network. CSACS
> 3.0 doesn't support CRLs, so until 3.1 comes out, which I was told will
> have CRL support, you will need to just disable the username on the
> certificate.
> 
> The more obstacles that the end user must jump over, the more likely that a
> rogue AP will pop up on the network.
> It is critical IMO that the authentication to the network be as smooth and
> transparent as possible. LEAP does an excellent job of that, but it's
> proprietary :(
> 
> Just my opinion though....
> 
> Thanks
> 
> Larry




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57266&t=57160
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html