Thank you, Paul, for your input. Even though we are not bound by HIPAA, many of our customers are in the financial sector, so we do have to be "security conscious".
Quick question: I know EAP-TLS uses certificates, so the certificate has to be generated on the RADIUS server and installed on the client machine. That itself takes care of central key management, rotation, etc., because the RADIUS server generates, manages, changes and rotates keys per user, per session (dynamic WEP), thus eliminating the need to manually manage keys. I thought that was the very idea of EAP-TLS....
Supplicant (Client) -------> Authenticator (WAP) --------> Authentication Server (RADIUS)
Does that make sense?
Mike
Paul Forbes wrote:

Well, EAP-TLS is certainly more secure than LEAP for one very simple reason: LEAP uses NT credentials as the seed for the dynamic WEP key, whereas EAP-TLS uses certificates. Also, LEAP is a little brittle in my trials with it: to roam successfully between APs, the NT credentials need to be statically entered and stored in the Aironet Client Utility. If you practice password rotation (which I hope you do), then every client is going to have to muck with their ACU to re-enter their NT credentials. All in all, less secure and less transparent than EAP-TLS.

The problem we faced when trying to move to EAP-TLS was client OS
support, as WinXP is currently the only OS that has EAP-TLS support (and
PEAP for that matter if you're REALLY security conscious). Yes, I know
you can use Funk or Meetinghouse, but both of those solutions cost money
on a per client basis. When you have a heterogeneous client base
(Windows2000, WinXP, WinCE, Linux and Mac OS X), EAP-TLS and PEAP aren't
quite there.

One thing I am curious about is why you'd be running IPsec over EAP-TLS/LEAP. Are you bound by HIPAA? If not, just use EAP-TLS or LEAP; the dynamic WEP keying (plus MIC, TKIP and broadcast key rotation) is, by all the tests and hacks I've seen/read, very secure.

Good luck.

Paul Forbes
Network Engineer
Trimble


> -----Original Message-----
> From: mike greenberg [mailto:newbiecisco@;yahoo.com] 
> Sent: Tuesday, November 05, 2002 11:21 AM
> To: [EMAIL PROTECTED]
> Subject: EAP-TLS or LEAP with IPSec for wireless security [7:56934]
> 
> 
> All,
> 
> I am about to implement EAP-TLS and IPSec for my wireless network. Basically, this wireless segment is physically separated from my internal network via the firewall. It means that the wireless segment will be hanging off my DMZ network (called wireless DMZ because the WAP will be in the wireless DMZ network).
> 
> Wireless users will be required to be authenticated to a RADIUS server (freeradius) before being allowed to connect to the wireless network. In order to connect to the internal network or to the Internet, wireless users have to make an IPSec connection (via Cisco VPN client connection) to the Cisco PIX firewall. At the moment, everything works great; however, I have a few questions that hopefully someone in this group can help with answers.
> 
> 1) I use EAP-TLS on the freeradius server for Authentication and Accounting because I know Linux and freeradius is free (as the name implies). I don't want to use stinking Cisco ACS because it requires either Windows or Solaris, which I don't like, because my freeradius server is running on a Pentium 90 MHz / 128 MB of RAM just fine. I want to spend the company's money wisely, especially in this economy. From what I understand, EAP-TLS is an open standard while LEAP is a Cisco proprietary solution, and LEAP is vulnerable to "man in the middle attack" while EAP-TLS is not.
> 
> Now I am under pressure from upper management to migrate from EAP-TLS on freeradius over to Cisco LEAP (upper management decision). The idiot executive's reason is that LEAP is more secure than EAP-TLS and they already have money allocated for the project. Because of this, I'll have to migrate from EAP-TLS over to LEAP. Therefore, my question is: is anybody using LEAP, and are you happy with it?
> 
> 2) At the moment, my wireless network has about 10 users, so running IPSec (3DES) on top of EAP-TLS is not so bad. However, I am going to roll out this project for about 200 users, and I know the performance will suffer. Has anyone done IPSec over EAP-TLS for a network with 200+ users, and what kind of performance issues do you have?
> 
> I don't want to use the Cisco ACS product because it is expensive and it sucks big time; however, sometimes you just have to swallow your losses and move on.
> 
> Thanks.
> 
> Mike

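The certificate workflow Mike describes above (certificates generated on the RADIUS server, then installed on the client machine) as an added example that is not part of the original thread: a POSIX shell script around OpenSSL that builds a private CA, issues the RADIUS server certificate and one per-user client certificate with the extended key usages EAP-TLS supplicants and servers check, exports the client bundle for import on the client, and verifies the result. The CA name, RADIUS host name, user name, validity periods and PKCS#12 export password are assumptions for illustration.

```shell
#!/bin/sh
# Added example: a minimal EAP-TLS PKI of the kind described in the thread.
# Not from the original post. Names, lifetimes and the export password are
# assumptions chosen for illustration.
set -eu

# X.509 v3 extension profiles. The Windows XP EAP-TLS supplicant rejects a
# RADIUS server certificate without the "TLS Web Server Authentication" EKU,
# and the server side expects "TLS Web Client Authentication" on user certs.
write_ext_profile() {
    cat > "$1" <<'EOF'
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign

[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth

[ client_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# Issue a CA-signed end-entity certificate.
# $1 = directory, $2 = file basename, $3 = subject CN, $4 = extension section
issue_cert() {
    dir=$1; name=$2; cn=$3; ext=$4
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" -subj "/CN=$cn" 2>/dev/null
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -extfile "$dir/ext.cnf" -extensions "$ext" \
        -out "$dir/$name.pem" 2>/dev/null
}

# Build the whole PKI in directory $1: private CA, server cert, one client cert.
make_eap_tls_pki() {
    dir=$1
    mkdir -p "$dir"
    write_ext_profile "$dir/ext.cnf"
    # Private CA, self-signed. Its private key stays on the RADIUS server.
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dir/ca.key" -out "$dir/ca.csr" -subj "/CN=Wireless DMZ CA" 2>/dev/null
    openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 3650 \
        -extfile "$dir/ext.cnf" -extensions ca_ext -out "$dir/ca.pem" 2>/dev/null
    # Hypothetical RADIUS host name; one client certificate per user.
    issue_cert "$dir" server "radius.wireless-dmz.example" server_ext
    issue_cert "$dir" client "mike" client_ext
    # Bundle client key + cert + CA cert for import on the client machine.
    # (With OpenSSL 3.x, XP-era importers additionally need -legacy; it is
    # omitted here so the script also runs on OpenSSL 1.x.)
    openssl pkcs12 -export -inkey "$dir/client.key" -in "$dir/client.pem" \
        -certfile "$dir/ca.pem" -out "$dir/client.p12" -passout pass:changeit 2>/dev/null
}

# Check what supplicant and server will check: chain to the CA and correct EKU.
# Returns 0 on success, 1 on any failure.
verify_eap_tls_pki() {
    dir=$1
    openssl verify -CAfile "$dir/ca.pem" -purpose sslserver "$dir/server.pem" >/dev/null 2>&1 || return 1
    openssl verify -CAfile "$dir/ca.pem" -purpose sslclient "$dir/client.pem" >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/server.pem" -noout -text | grep -q "TLS Web Server Authentication" || return 1
    openssl x509 -in "$dir/client.pem" -noout -text | grep -q "TLS Web Client Authentication" || return 1
    # A user certificate must not be accepted in the server role (prevents a
    # user presenting their own cert as a rogue RADIUS server).
    openssl verify -CAfile "$dir/ca.pem" -purpose sslserver "$dir/client.pem" >/dev/null 2>&1 && return 1
    return 0
}

# Stand-alone run: build into a temporary directory and report.
out=$(mktemp -d)
make_eap_tls_pki "$out"
if verify_eap_tls_pki "$out"; then
    echo "EAP-TLS PKI OK in $out (server.pem, server.key, ca.pem, client.p12)"
else
    echo "EAP-TLS PKI verification FAILED in $out"
fi
```

On the freeradius side the generated files map onto the `tls` section of `eap.conf`: `certificate_file` and `private_key_file` point at the server certificate and key, `CA_file` at the CA certificate; `client.p12` is what gets imported on the client machine. What the script makes visible is the part of EAP-TLS that is not automatic: the per-session WEP keys are derived from the TLS handshake without any manual keying, but issuing, distributing and revoking one certificate per user (and publishing a CRL if `check_crl` is enabled) remains an operational task that grows with the user count.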

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=56939&t=56934
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]