
Wing - secure deployment in campus

el_magneto
New Contributor

Hi, 

In my network security is always a big concern and I wonder how I can maximize the security of the adoption process and communication between APs in an RF Domain (common VLAN). In the standard way of adoption it is based on the MAC address of an AP (as far as I understand, the MAC address is the factor that distinguishes between devices), whether I use auto adoption policies or static configuration on the controller. But what if I want to be 100% sure that the adopted device is mine and no one changed it into their own “hacked” device with a spoofed MAC address (even if this is a very hypothetical situation)? Is “auto ipsec” a solution here? Or maybe something else? But what about MINT links between APs in an RF domain - they cannot be secured by IPsec. Am I right?

So the question is - is there a way to secure deployment so only devices which were in my “hands” before deployment can be adopted and form MINT links/adjacencies between each other in the RF domain?

If my way of thinking is wrong then correct me please.


el_magneto
New Contributor

Hi,

Very often APs are installed in places where it is possible to physically reach the device. And 802.1X is a good idea - maybe the best - but problems start when the switches to which APs are connected can’t support 802.1X on trunk ports. For instance, my APs need to be connected to trunk ports (dynamic VLAN assignment from RADIUS).

This is why I’m curious what WiNG can do on its own to maximize security in deployment.

Any other idea?


Tomasz
Valued Contributor II

Hi,


Very interesting food for thoughts! Personally I would consider:

  • reducing the opportunity for non-WiNG devices to enter the VLAN used for MINT (disable unused ports, don’t set VLANs statically on switches’ access ports, enable authentication - even APs can do PEAP as far as I remember, and make sure routing from other VLANs is not possible if not needed)
  • even if someone spoofs an AP MAC and you had MAC auth enabled, or even if someone spoofs the APs’ dot1x credentials, they still have to be able to mimic/exploit MINT as far as I understand; if it’s a WiNG AP that you don’t want to manage, perhaps an auto-provisioning policy with serial numbers would work for you?

It is always good to think about how we can contain the damage if some unwanted device gets adopted, reads MINT communication, or reaches the WiNG communication VLAN, but I’d try to put all possible effort into isolating that VLAN from unnecessary contact with non-AP/controller ports and non-MINT VLANs.


Hope that helps,

Tomasz
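The serial-number idea above and the original question about a spoofed MAC both come down to the same defender-side check: compare what the controller has adopted against an inventory recorded while the APs were physically in hand. The script below is an added example, not code from this thread or from Extreme/WiNG. It assumes you kept a list of (serial, MAC, hostname) per AP before deployment and can export the adopted-device list from the controller as (hostname, serial, mac) records; both data sets in the block are constructed sample values. A device that presents a trusted MAC but a different serial is flagged as `serial-mismatch`, which is exactly the case MAC-only adoption cannot see.

```python
"""Reconcile a controller's adopted-AP list against a pre-deployment inventory.

Added example (not from the thread or from WiNG). Assumptions: you recorded each
AP's serial number and MAC while the unit was physically in hand, and you can
export adopted devices as (hostname, serial, mac) records. All data below is
constructed sample data, not output from a real controller.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class TrustedAp:
    serial: str
    mac: str
    hostname: str


def normalize_mac(mac: str) -> str:
    """Canonicalize 00-23-68-AA-BB-01 / 0023.68aa.bb01 / 00:23:68:aa:bb:01 to one form."""
    hexdigits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


# Inventory captured before deployment (constructed sample values).
TRUSTED_INVENTORY = [
    TrustedAp("SN-A1001", "00:23:68:aa:bb:01", "ap-lib-1"),
    TrustedAp("SN-A1002", "00:23:68:aa:bb:02", "ap-lib-2"),
    TrustedAp("SN-A1003", "00:23:68:aa:bb:03", "ap-hall-1"),
]


def classify_adopted(adopted: list[dict], inventory: list[TrustedAp]) -> dict[str, str]:
    """Return {hostname: verdict} for each adopted record.

    Verdicts:
      ok               serial and MAC both match one inventory entry
      mac-mismatch     serial is known but the device reports a different MAC
      serial-mismatch  MAC belongs to a trusted AP but the serial differs
                       (the case MAC-only adoption cannot distinguish)
      unknown          neither serial nor MAC is in the inventory
    """
    by_serial = {ap.serial: ap for ap in inventory}
    by_mac = {normalize_mac(ap.mac): ap for ap in inventory}
    verdicts: dict[str, str] = {}
    for rec in adopted:
        mac = normalize_mac(rec["mac"])
        serial = rec["serial"]
        if serial in by_serial:
            expected = normalize_mac(by_serial[serial].mac)
            verdicts[rec["hostname"]] = "ok" if expected == mac else "mac-mismatch"
        elif mac in by_mac:
            verdicts[rec["hostname"]] = "serial-mismatch"
        else:
            verdicts[rec["hostname"]] = "unknown"
    return verdicts


def findings(verdicts: dict[str, str]) -> list[str]:
    """Hostnames that need a closer look; 'ok' entries are filtered out."""
    return sorted(host for host, verdict in verdicts.items() if verdict != "ok")


# Constructed adopted-device export: one genuine AP, one device presenting a
# trusted MAC with a different serial, and one device not in the inventory.
ADOPTED_SAMPLE = [
    {"hostname": "ap-lib-1", "serial": "SN-A1001", "mac": "00-23-68-AA-BB-01"},
    {"hostname": "ap-lib-2", "serial": "SN-ZZZ999", "mac": "0023.68aa.bb02"},
    {"hostname": "ap-rogue", "serial": "SN-X0001", "mac": "02:00:00:00:00:01"},
]

if __name__ == "__main__":
    for host, verdict in classify_adopted(ADOPTED_SAMPLE, TRUSTED_INVENTORY).items():
        print(f"{host:10s} {verdict}")
```

The check is only as good as the serial the device reports, so it is a reconciliation aid for spotting drift between inventory and adoption, not a replacement for keeping non-AP devices off the MINT VLAN in the first place.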
