Wireless Security for Notebook Users

mobi_khan
Member with 45 posts.
Join Date: May 2008
Experience: Intermediate
18-Aug-2008, 09:12 AM #1
Hi guys,

Two days back I saw that an outsider who was previously a company employee came with his own notebook and tried to access the access point, whose security code was known to him, but his user name and password were disabled from the sensys domain. One more risky thing was that the user can access the wireless network, i.e. by accessing the access point from outside the company.

In the first phase, to protect against unauthorized users accessing the access point of our company, I have asked IT to change the security code of the access point, not to share it with the notebook users, and to provide the code manually once on all the machines.

But I want more than that. I want only notebooks which are authorized to be accessed and authenticated on our domain, and any other notebook which is not listed should not be authenticated on our domain.

Please provide your feedback in this regard.
ferrija1
Distinguished Member with 9,752 posts.
Join Date: Apr 2006
Location: Pittsburgh, PA
Experience: Mac Addict
18-Aug-2008, 11:08 AM #2
If that former employee couldn't get onto the network, I don't see why you're so worried, regardless:

If you're using a variant of WPA encryption and don't share the SSID (name of the network), you should be ok. Not sharing the SSID provides decent protection (against average users that are not networking-savvy) but can be beaten by sampling the traffic in the area and noting the SSID.

If you are using wireless routers, you cannot keep the Wi-Fi signals from going outside your company, unless you reposition your routers or lay metal screens along the outer walls of your company's area, which will disrupt the signals. To limit the computers connected, you could use MAC address filtering, but that too can be bypassed, by cloning an authenticated address (a very simple process).
__________________
An expert is one who knows more and more about less and less until he knows absolutely everything about nothing.
Techmonkeys
Senior Member with 632 posts.
Join Date: Feb 2005
Location: West Yorks
Experience: Advanced
18-Aug-2008, 11:14 AM #3
Non-SSID broadcasting is easier to bypass than MAC ID filtering.

Spoofing a MAC address would mean they would first need to know the MAC address of a machine that is allowed to connect to the wireless, which would be difficult to find out; they then would need to know how to do the MAC address filtering.

Using that plus a secure WPA-PSK password would be more than adequate.

SSID broadcasts are irrelevant when you can download a program such as NetStumbler for free that will detect any SSIDs whether they broadcast or not.

You are also right, OP, in getting your technicians to add the password once for the wireless routers and not letting end users know the password either.
__________________
Regards,
Techmonkey
More free Tech Support and chat available @ www.techmonkeys.co.uk
ferrija1
Distinguished Member with 9,752 posts.
Join Date: Apr 2006
Location: Pittsburgh, PA
Experience: Mac Addict
19-Aug-2008, 10:24 PM #4
They both suck at protecting anything, they're just there (as I said) to filter out any novice users, and spoofing a MAC address is easy, it's broadcast (along with the SSID) from any machine wirelessly using the network.
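Because a cloned address passes the MAC filter, one defensive tripwire is to watch for an allow-listed MAC that suddenly looks like a different machine. The following is an added example, not part of any post in this thread; the DHCP log format, the inventory and all addresses are constructed assumptions.

```python
# Hypothetical inventory: allow-listed MAC -> hostname IT assigned to that notebook.
INVENTORY = {
    "02:00:00:aa:00:01": "NB-FINANCE-01",
    "02:00:00:aa:00:02": "NB-SALES-07",
}

# Constructed DHCP request log. Assumed format per line:
# timestamp, client MAC, hostname (option 12), vendor class (option 60)
SAMPLE_LOG = """\
2008-08-18T09:01:12 02:00:00:aa:00:01 NB-FINANCE-01 MSFT 5.0
2008-08-18T09:03:40 02:00:00:aa:00:02 NB-SALES-07 MSFT 5.0
2008-08-18T13:15:02 02:00:00:aa:00:01 NB-FINANCE-01 MSFT 5.0
2008-08-18T17:42:55 02:00:00:aa:00:01 old-laptop dhcpcd-4.0.15
2008-08-18T18:05:10 02:00:00:aa:00:77 visitor-pc MSFT 5.0
"""


def parse(log):
    """Yield (timestamp, mac, hostname, vendor_class) for each non-empty line."""
    for line in log.splitlines():
        if line.strip():
            ts, mac, host, vendor = line.split(maxsplit=3)
            yield ts, mac.lower(), host, vendor.strip()


def review(log, inventory):
    """Return [(timestamp, mac, reasons)] for requests that deserve a look."""
    baseline = {}  # mac -> vendor class first seen for that address
    findings = []
    for ts, mac, host, vendor in parse(log):
        if mac not in inventory:
            findings.append((ts, mac, ("unlisted-mac",)))
            continue
        reasons = []
        if host != inventory[mac]:
            reasons.append("hostname-mismatch")
        if baseline.setdefault(mac, vendor) != vendor:
            reasons.append("vendor-class-changed")
        if reasons:
            findings.append((ts, mac, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG, INVENTORY):
        print(finding)
```

Hostname and vendor class are supplied by the client, so this only raises a flag for review; it does not authenticate the notebook.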
mobi_khan
Member with 45 posts.
Join Date: May 2008
Experience: Intermediate
20-Aug-2008, 06:11 AM #5
Thanks. MAC filtering will definitely provide a level of protection, so now only the listed MAC addresses of the notebooks will be able to access the access point. This will also help me from the people who are using Windows Mobile and are accessing their systems from these mobiles through Remote Desktop.
lunarlander
Senior Member with 1,329 posts.
Join Date: Sep 2007
23-Aug-2008, 03:29 PM #6
I think WPA2 Enterprise can perform authentication. But not to a domain I think. It seems to require a Radius server to do authentication.
calvin-c
Senior Member with 739 posts.
Join Date: May 2006
Experience: Advanced
24-Aug-2008, 10:55 AM #7
Yes. If you want authentication of the user rather than of the notebook then something like a Radius server is the way to go.