Hi All
I am currently designing a wireless network and I am trying to work out the best way to provide the segmentation of services whilst trying to keep SSIDs to a minimum and maintaining an acceptable level of security. Trying to achieve all of this is proving difficult unless I’m overlooking something.
Our network is currently segmented using VLANs and VRFs. We have a VRF for our corporate network, VRFs for various third party/vendors (about 10), and a VRF for internet only access.
We are a Cisco house and use ISE. I am currently thinking of the following:
Corporate SSID that will use EAP-TLS. Access to our corporate VRF will only be granted for corporate user/computers that present an internal CA signed certificate.
Corporate Guest SSID that will use PEAP-MSCHAPv2. User identities will be local credentials in ISE. Depending on what user ID is used to connect to the network, we can place the user in the required network. This will be used for third parties that need access to their own networks and for employee guest
IOT SSID that will use IPSK. Although we dont have any IOT devices yet, I imagine that we will come across devices that don’t support 802.1X so will need to use PSK. IPSK seems flexible enough to support similar use cases to the Corp Guest SSID.
The only concern that I have with the above design is the use of PEAP-MSCHAPv2 due to its known security vulnerabilities, specifically with Evil Twin and Credential theft. My other concern is that depending on device type, configuration to connect using PEAP is not always as straight forward so may create more tickets into our service desk. I’m also aware that some devices such as Android mobile/tablets running OS 14, have removed the capability to bypass certificate validation. I imagine that other vendors will follow suit which may make this solution unusable as we dont manage the client endpoints (and we dont want to be handing out our root CA to everyone). Is there a solution to this - public EAP cert?
How are other doing this currently? Any advise would be appreciated
No comments:
Post a Comment