Thursday, January 3, 2019

Ethernet MITM Security / IPSec on APs

While 802.1X is available in both wireless and wired networks, only wireless networks commonly use encryption.

Using WPA2-Enterprise, the communication channel is encrypted with a per-client key¹, so no other client (authenticated or not) can take over the channel. With Ethernet, on the other hand, the port is authenticated once and traffic then flows unencrypted and unsecured. This is also widely known. If parts of the wiring run through untrusted areas, this is bad.

Which leads to my problem: wireless APs in an enterprise network are commonly connected to a VLAN trunk port and assign VLAN tags to client packets based on RADIUS / LDAP attributes. This is pretty much the most access a network device can have. Increasingly we see outdoor APs deployed on poles, in trees or wherever, in semi-open spaces like university campuses, so there is zero physical security involved. Yet I don't see IPSec on APs. So what am I missing? Are there other options I overlooked, or hasn't this become a problem yet?

tl;dr: Why is there no support for IPSec on wireless APs?

¹ "If an 802.1X EAP exchange was carried out, the PMK is derived from the EAP parameters provided by the authentication server." Wikipedia
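The VLAN assignment that makes the AP so privileged is carried in the RFC 2868 Tunnel-* attributes of the RADIUS Access-Accept. As an added example (not code from the original post), here is a small parser that extracts that assignment from an Access-Accept; the constructed sample packet, its VLAN id 120 and the helper names are assumptions of mine, not anything from the post.

```python
# RADIUS code and attribute numbers from RFC 2865 / RFC 2868.
ACCESS_ACCEPT, TUNNEL_TYPE_VLAN, MEDIUM_IEEE_802 = 2, 13, 6
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81

def parse_attributes(packet: bytes):
    """Yield (type, value) for every attribute after the 20-byte RADIUS header."""
    length = int.from_bytes(packet[2:4], "big")
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    pos = 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        yield atype, packet[pos + 2:pos + alen]
        pos += alen

def split_tag(value: bytes):
    """RFC 2868 tagged attribute: a first octet in 0x00..0x1F is a tag, else it is data."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value

def vlan_assignment(packet: bytes):
    """VLAN id assigned by an Access-Accept, or None. Needs Tunnel-Type=VLAN,
    Tunnel-Medium-Type=IEEE-802 and a numeric Tunnel-Private-Group-ID, same tag."""
    if packet[0] != ACCESS_ACCEPT:
        return None
    by_tag = {}  # tag -> {attribute type: value}, so different tunnel sets never mix
    for atype, raw in parse_attributes(packet):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            tag, val = split_tag(raw)
            by_tag.setdefault(tag, {})[atype] = val
    for a in by_tag.values():
        ttype, medium, group = (a.get(TUNNEL_TYPE), a.get(TUNNEL_MEDIUM_TYPE),
                                a.get(TUNNEL_PRIVATE_GROUP_ID))
        if (ttype and int.from_bytes(ttype, "big") == TUNNEL_TYPE_VLAN
                and medium and int.from_bytes(medium, "big") == MEDIUM_IEEE_802
                and group and group.isdigit() and 1 <= int(group) <= 4094):
            return int(group)
    return None

def encode_attr(atype: int, value: bytes) -> bytes:
    return bytes([atype, len(value) + 2]) + value

# Constructed sample: Access-Accept (id 7, zeroed authenticator) assigning VLAN 120 with tag 1.
SAMPLE_ATTRS = (encode_attr(TUNNEL_TYPE, b"\x01" + (13).to_bytes(3, "big"))
                + encode_attr(TUNNEL_MEDIUM_TYPE, b"\x01" + (6).to_bytes(3, "big"))
                + encode_attr(TUNNEL_PRIVATE_GROUP_ID, b"\x01" + b"120"))
SAMPLE_ACCEPT = bytes([ACCESS_ACCEPT, 7]) + (20 + len(SAMPLE_ATTRS)).to_bytes(2, "big") + bytes(16) + SAMPLE_ATTRS
```

Everything this parser reads arrives at the AP in a plain RADIUS UDP datagram, so on an unencrypted trunk the VLAN assignment is as visible on the wire as the client traffic itself.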
