© 2020 Cisco and/or its affiliates. All rights reserved.
Page 63 of 76
accounting may be used to provide an audit trail of each employee’s access to the wireless network infrastructure.
The WPA2 with AES-CCMP encryption used on the WLAN does not extend to management frames. Therefore, the optional use of protected management frames (PMF) is advisable for WLANs where possible. PMF is part of the IEEE 802.11 standard and provides cryptographic protection for robust management frames such as de-authentication and disassociation frames, preventing them from being spoofed. Note that the benefits of PMF require the wireless clients to support PMF as well. Cisco also offers an earlier mechanism, Management Frame Protection (MFP), that has both infrastructure and client components.
In a home-office environment, it may be necessary to configure a WLAN to support WPA2 with a pre-shared key (PSK). This is sometimes referred to as WPA Personal on wireless devices. This may be necessary because implementing an AAA server is not cost-effective for the number of end users who access the WLAN. It may also be necessary in other environments if there is no end user associated with a wireless device, the wireless device does not support configuring a user ID and password, or the wireless device cannot support a digital certificate. Since the PSK is shared among all devices that access the wireless infrastructure, it may be necessary to change the PSK when an employee who knows it leaves the organization. Furthermore, with WPA PSK there is no easy audit trail of each employee’s access to the network.
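The PMF and PSK points above can be verified from the air during a site survey: an AP advertises its AKM, ciphers and PMF policy in the RSN information element (element ID 48) of its beacons and probe responses. The following is an added Python example, not code from the Cisco guide, that decodes that element and flags WLANs with PMF disabled, TKIP enabled, or a PSK AKM; the sample IEs are constructed for illustration and the field layout follows IEEE 802.11.

```python
"""Decode an 802.11 RSN IE body and report AKM, ciphers and PMF policy.
Added example; sample IEs below are constructed, not captured."""
import struct

IEEE_OUI = b"\x00\x0f\xac"  # suite selector OUI used by IEEE 802.11
CIPHERS = {2: "TKIP", 4: "CCMP-128", 6: "BIP-CMAC-128", 8: "GCMP-128"}
AKMS = {1: "802.1X", 2: "PSK", 5: "802.1X-SHA256", 6: "PSK-SHA256", 8: "SAE"}

def _suite(raw: bytes, table: dict) -> str:
    """Map a 4-byte suite selector (OUI + type) to a readable name."""
    if raw[:3] != IEEE_OUI:
        return "vendor:" + raw.hex()
    return table.get(raw[3], f"type-{raw[3]}")

def _suite_list(ie: bytes, pos: int, table: dict):
    """Read a little-endian count followed by that many 4-byte selectors."""
    count, = struct.unpack_from("<H", ie, pos)
    pos += 2
    names = [_suite(ie[pos + 4 * i:pos + 4 * i + 4], table) for i in range(count)]
    return names, pos + 4 * count

def parse_rsn_ie(ie: bytes) -> dict:
    """ie is the RSN IE body, without the 2-byte element ID/length header."""
    version, = struct.unpack_from("<H", ie, 0)
    if version != 1:
        raise ValueError(f"unsupported RSN version {version}")
    group = _suite(ie[2:6], CIPHERS)
    pairwise, pos = _suite_list(ie, 6, CIPHERS)
    akms, pos = _suite_list(ie, pos, AKMS)
    # RSN Capabilities (u16 LE) is optional; an AP that omits it advertises no
    # management-frame protection at all. Bit 6 = MFPR, bit 7 = MFPC.
    caps = struct.unpack_from("<H", ie, pos)[0] if len(ie) >= pos + 2 else 0
    pmf = "required" if caps & 0x40 else "optional" if caps & 0x80 else "disabled"
    return {"group": group, "pairwise": pairwise, "akm": akms, "pmf": pmf}

def audit(ie: bytes) -> list:
    """Findings that correspond to the design points discussed in the text."""
    info = parse_rsn_ie(ie)
    findings = []
    if info["pmf"] == "disabled":
        findings.append("PMF not advertised: deauth/disassoc frames can be spoofed")
    if "TKIP" in info["pairwise"] or info["group"] == "TKIP":
        findings.append("TKIP allowed: WLAN is not AES-CCMP only")
    if any(a.startswith("PSK") for a in info["akm"]):
        findings.append("PSK AKM: shared secret, no per-user audit trail")
    return findings

# Constructed sample IEs: WPA2-Enterprise/CCMP with PMF optional, and WPA2-PSK
# that omits the RSN Capabilities field (so PMF is not advertised).
ENTERPRISE_PMF_OPTIONAL = bytes.fromhex("0100 000fac04 0100 000fac04 0100 000fac01 8000")
PSK_NO_PMF = bytes.fromhex("0100 000fac04 0100 000fac04 0100 000fac02")
```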
The use of a dedicated, open WLAN is still common, but not ideal, for wireless guest access. Therefore, configuring an unsecured WLAN on the network infrastructure may still be necessary. Open-access guest WLANs are often implemented to minimize the complexity of onboarding a guest who needs only temporary wireless network connectivity. Typically, the guest WLAN is terminated outside the corporate firewall, which allows no inbound access to corporate resources, so guests may be allowed access to the Internet only. Depending on the requirements of the organization, guests may be required to authenticate before being allowed to access the Internet. Typically, a captive-portal model is used with WebAuth, in which guest web sessions are redirected to a portal that authenticates the guest before allowing Internet access.