EDIT 1:
Our environment is mixed, majority OSX with a few Windows and Linux boxes. More importantly, Android and Apple cellphones will also need wireless access on a regular basis.
We have a Red Hat box available to run FreeRADIUS on. All networking equipment is Cisco based (ASA + Catalyst switches + Aironet 1140 APs).
Thanks to feedback from HopelessN00b, I am currently considering FreeRADIUS + PEAP as my solution. I'm prepping a testbed for the authorization server side of things to get a feel for it.
Right now we are using a WPA2 key + MAC address filtering on a setup consisting of 2 Cisco Aironet 1140 connected via WDS.
It's working fine, but everybody shares the same WPA2 key and both AP configs have to be edited each time someone is added, which is slightly time-consuming. We only have 2 APs and around 12-15 people in the office and no need to sync with other locations. We are a mixed Mac/Windows/Linux office. What setup would you recommend?
Everything was already configured when I got there and I saw 2 references to a radius server in the running configurations of the APs but the machine referenced does not seem to have those ports open so I suspect those lines are inactive. Am I correct?
Here are copies of the running configurations:
Access point 1:
service password-encryption
!
hostname wap
!
logging rate-limit console 9
enable secret 5 [redacted]
!
aaa new-model
!
!
aaa group server radius rad_eap
server 192.168.90.245 auth-port 1812 acct-port 1813
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login default local
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods group rad_mac
aaa authentication login wds-server group rad_eap
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
!
aaa session-id common
clock timezone -0500 -5
clock summer-time -0400 recurring
ip domain name nyc.acme.local
!
!
dot11 association mac-list 700
dot11 syslog
!
dot11 ssid ACME-NYC
vlan 1
authentication open
authentication key-management wpa version 2
guest-mode
wpa-psk ascii 7 [redacted]
!
dot11 aaa csid ietf
!
!
username ckent privilege 15 secret 5 [redacted]
username e0f847203232 password 7 [redacted]
username e0f847203232 autocommand exit
username 58946b90ca20 password 7 [redacted]
username 58946b90ca20 autocommand exit
username bwayne privilege 15 secret 5 [redacted]
username e0f847320cca password 7 [redacted]
username e0f847320cca autocommand exit
username 58946bbf4868 password 7 [redacted]
username 58946bbf4868 autocommand exit
username pparker privilege 15 secret 5 [redacted]
!
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption vlan 1 mode ciphers aes-ccm tkip
!
ssid Acme-NYC
!
antenna gain 0
speed basic-11.0 18.0 24.0 36.0 48.0 54.0
channel 2412
station-role root
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio1
no ip address
no ip route-cache
!
encryption vlan 1 mode ciphers aes-ccm tkip
!
ssid ACME-NYC
!
antenna gain 0
dfs band 3 block
channel dfs
station-role root
!
interface Dot11Radio1.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface GigabitEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
no keepalive
!
interface GigabitEthernet0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface BVI1
ip address 192.168.90.245 255.255.255.0
no ip route-cache
!
ip default-gateway 192.168.90.254
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
access-list 111 permit tcp any any neq telnet
access-list 700 permit [redacted] 0000.0000.0000
access-list 700 permit [redacted] 0000.0000.0000
access-list 700 deny 0000.0000.0000 ffff.ffff.ffff
snmp-server community acme RO
radius-server local
no authentication eapfast
no authentication mac
nas 192.168.90.245 key 7 [redacted]
user ap2 nthash 7 [redacted]
!
radius-server attribute 32 include-in-access-req format %h
radius-server host 192.168.90.201 auth-port 1645 acct-port 1646 key 7 [redacted]
radius-server host 192.168.90.245 auth-port 1812 acct-port 1813 key 7 [redacted]
radius-server vsa send accounting
bridge 1 route ip
!
!
wlccp authentication-server infrastructure wds-server
wlccp wds aaa csid ietf
wlccp wds priority 200 interface BVI1
!
line con 0
access-class 111 in
line vty 0 4
access-class 111 in
!
end
Access point 2:
service password-encryption
!
hostname wap2
!
logging rate-limit console 9
!
aaa new-model
!
!
aaa group server radius rad_eap
server 192.168.90.245 auth-port 1812 acct-port 1813
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login default local
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods group rad_mac
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
!
aaa session-id common
clock timezone -0500 -5
clock summer-time -0400 recurring
ip domain name nyc.acme.local
!
!
dot11 association mac-list 700
dot11 syslog
!
dot11 ssid Acme-NYC
vlan 1
authentication open
authentication key-management wpa version 2
guest-mode
wpa-psk ascii 7 [redacted]
!
dot11 aaa csid ietf
!
!
username ckent privilege 15 secret 5 [redacted]
username e0f847203232 password 7 [redacted]
username e0f847203232 autocommand exit
username 58946b90ca20 password 7 [redacted]
username 58946b90ca20 autocommand exit
username bwayne privilege 15 secret 5 [redacted]
username e0f847320cca password 7 [redacted]
username e0f847320cca autocommand exit
username 58946bbf4868 password 7 [redacted]
username 58946bbf4868 autocommand exit
username pparker privilege 15 secret 5 [redacted]
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption vlan 1 mode ciphers aes-ccm tkip
!
ssid Acme-NYC
!
antenna gain 0
speed basic-11.0 18.0 24.0 36.0 48.0 54.0
station-role root
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio1
no ip address
no ip route-cache
!
encryption vlan 1 mode ciphers aes-ccm tkip
!
ssid Acme-NYC
!
antenna gain 0
dfs band 3 block
channel dfs
station-role root
!
interface Dot11Radio1.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface GigabitEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
no keepalive
!
interface GigabitEthernet0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface BVI1
ip address 192.168.90.246 255.255.255.0
no ip route-cache
!
ip default-gateway 192.168.90.254
ip http server
ip http authentication aaa
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
access-list 111 permit tcp any any neq telnet
access-list 700 permit [redacted] 0000.0000.0000
access-list 700 permit [redacted] 0000.0000.0000
access-list 700 deny 0000.0000.0000 ffff.ffff.ffff
snmp-server community Acme RO
radius-server attribute 32 include-in-access-req format %h
radius-server host 192.168.90.201 auth-port 1645 acct-port 1646 key 7 [redacted]
radius-server vsa send accounting
bridge 1 route ip
!
!
wlccp ap username ap2 password 7 [redacted]
wlccp wds aaa csid ietf
!
line con 0
access-class 111 in
line vty 0 4
access-class 111 in
!
sntp server 192.168.90.254
sntp broadcast client
end
Kinda broad and hard to answer without knowing more about your skill level and environment, but yes, I would definitely recommend certificate based 802.1x authentication over using a shared WPA2 key.
It's more secure (clients can't snoop each other's traffic, since each client uses a different key), it's easier to manage, and you don't have to have some poor helpdesk guy punch in the key for new machines or new users anymore. A shared key is really just the lazy or unskilled admin's quick hack to "get wireless working," and I'm hard pressed to think of what I'd consider a legitimate use case for it in a professional environment.
If you can't set it up, it might be worth having a consultant in for a few hours to set it up for you, but we're not going to be able to say whether that's a good usage of your money, or if the size of your shop and value of the data going over wireless is low enough that a shared WPA2 key is "good enough."
It's not all that difficult (your Windows/Mac/OSX environment might make it a pain to set up, though) even if you haven't done it before, but you'll definitely want to sit down and do some reading on how to best implement and set up a new Certificate Authority as well as a RADIUS server. Honestly, in an environment with that few people and that many different client OSes, I'm not quite sure what implementation I'd favor.
And FYI, always redact the passwords in your AP configs. It's trivial to translate a hash to the password. (I'll fix that now, but remember that for next time...)
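As an added illustration (not code from the question or the answer), a small Python audit that reads the relevant stanzas from an Aironet running-config and reports, per SSID, whether clients authenticate with a shared PSK or through an EAP method list that actually reaches a RADIUS group with a server in it. It is run over a sample cut down from the question's config, which answers the "are those radius lines inactive?" question, and over a constructed WPA2-Enterprise variant of the same SSID; 192.168.90.10 is an assumed FreeRADIUS address that does not appear in the question.

```python
import re

# Constructed sample, cut down from the question's AP config to the stanzas the
# check reads: a WPA2-PSK SSID next to RADIUS lines that no SSID actually uses.
PSK_CONFIG = """\
aaa group server radius rad_eap
 server 192.168.90.245 auth-port 1812 acct-port 1813
aaa authentication login eap_methods group rad_eap
dot11 ssid ACME-NYC
 authentication open
 authentication key-management wpa version 2
 wpa-psk ascii 7 [redacted]
radius-server host 192.168.90.201 auth-port 1645 acct-port 1646 key 7 [redacted]
"""
# Constructed target: the same SSID moved to 802.1X/PEAP. 192.168.90.10 is an
# assumed FreeRADIUS address, not one that appears in the question.
EAP_CONFIG = """\
aaa group server radius rad_eap
 server 192.168.90.10 auth-port 1812 acct-port 1813
aaa authentication login eap_methods group rad_eap
dot11 ssid ACME-NYC
 authentication open eap eap_methods
 authentication key-management wpa version 2
radius-server host 192.168.90.10 auth-port 1812 acct-port 1813 key 7 [redacted]
"""

def blocks(config, prefix):
    """Return {name: [child lines]} for every top-level '<prefix> <name>' stanza."""
    pat = rf"^{re.escape(prefix)} (\S+)\n((?: .*\n?)*)"
    return {name: [l.strip() for l in body.splitlines()]
            for name, body in re.findall(pat, config, re.M)}

def audit(config):
    """Per SSID: shared PSK in use? which EAP method list? does it reach RADIUS?"""
    groups = blocks(config, "aaa group server radius")
    # A login method list only reaches RADIUS if its server group names a server.
    methods = {m.group(1): any(l.startswith("server ") for l in groups.get(m.group(2), []))
               for m in re.finditer(r"^aaa authentication login (\S+) group (\S+)", config, re.M)}
    report = {}
    for ssid, lines in blocks(config, "dot11 ssid").items():
        eap = next((l.split()[3] for l in lines if l.startswith("authentication open eap ")), None)
        report[ssid] = {"shared_psk": any(l.startswith("wpa-psk") for l in lines),
                        "eap_method": eap,
                        "radius_backed": bool(eap) and methods.get(eap, False)}
    return report

def radius_hosts(config):
    """RADIUS hosts the AP has configured, whether or not any SSID uses them."""
    return re.findall(r"^radius-server host (\S+) auth-port (\d+)", config, re.M)
```

On the current config `audit` reports `shared_psk` True and `radius_backed` False for ACME-NYC while `radius_hosts` still lists a server, which is exactly the "defined but unused" state the question describes; on the target config the same SSID comes back `radius_backed` True with no PSK.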