MAC Address Filtering
A common feature of wireless access devices is the ability to restrict access to wireless clients whose network (MAC) address appears in a configured filter list; any device that tries to authenticate with a MAC address not on the list is rejected.
This method is not foolproof. If traffic can be decrypted, a valid MAC address can be determined and then used to gain access to the network.
Separate VLAN/DMZ for Wireless LAN
Most medium to large networks utilise virtual LANs (VLANs) to separate IP networks into logical groupings for security, performance and management reasons. Most good quality layer 3 switches support VLANs and allow you to define firewall rules or access lists that restrict which network resources wireless clients can reach.
For more protection, the wireless network can be placed behind a fully featured stateful firewall rather than a VLAN alone.
WPA Wireless Clients Sample Implementation
This section shows an example of implementing WPA Enterprise with PEAP. Three components are required.
* The supplicant (the Wi-Fi client);
* The authenticator (the access point); and
* An authentication server (a RADIUS server such as Microsoft IAS).
In this example the access point is a Cisco Aironet 1310 Series Outdoor Access Point/Bridge running IOS 12.3(7)JA.
In addition, since we are using PEAP, a suitable certificate server is needed; here we use Microsoft Certificate Services.
Since we are using Microsoft IAS for RADIUS, which integrates with Active Directory, we have created 2 new Active Directory groups, "Wireless Users" and "Wireless Computers". These groups determine which computers and users are allowed onto the Wi-Fi network, giving IT staff fine-grained control over access.
Configuring IAS (RADIUS)
IAS is a free component supplied with Win2k/Win2003, but it is not installed by default. It can be installed via the Control Panel -> Add/Remove Programs -> Windows Components applet.
Both IAS and the authenticating access point need to be configured to perform RADIUS authentication. First, register IAS in Active Directory so that IAS policies can be applied to Active Directory users and computers to govern access.
In the left-hand pane of the IAS management console, right-click Internet Authentication Service (Local) and select the Register Server in Active Directory option.
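The access point side of the RADIUS setup described above, as an added example that is not from the original post: a minimal Aironet IOS configuration pointing WPA Enterprise (EAP) authentication at the IAS server. The server address 192.0.2.10, the SSID corp-wifi and the shared secret are placeholders; IAS needs a matching RADIUS client entry for the access point using the same shared secret.

```cisco
! Enable AAA and define the IAS server as the RADIUS server group
aaa new-model
aaa group server radius rad_eap
 server 192.0.2.10 auth-port 1812 acct-port 1813
aaa authentication login eap_methods group rad_eap
!
! Shared secret must match the RADIUS client entry configured in IAS
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key REPLACE_WITH_SHARED_SECRET
!
! SSID using open authentication with EAP (PEAP clients) and WPA key management
dot11 ssid corp-wifi
 authentication open eap eap_methods
 authentication key-management wpa
!
! Bind the SSID to the radio and require TKIP encryption (WPA)
interface Dot11Radio0
 encryption mode ciphers tkip
 ssid corp-wifi
```

Once this is in place, a Windows supplicant configured for WPA Enterprise with PEAP presents its credentials through the access point to IAS, and IAS allows or rejects the connection based on the policies tied to the "Wireless Users" and "Wireless Computers" groups.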
Tuesday, February 24, 2009