Cisco 881
-
freedom55
- Member
- Posts: 83
- Joined: Sun Nov 01, 2009 9:15 pm
- Location: BC, Canada
-
ldsrussp
- Member
- Posts: 85
- Joined: Wed Jul 16, 2008 5:34 pm
My questions are:
1) When does the lds account access method get deployed for the 881's instead of the current password only?
2) Will the lds account access method be compatible with older 1200 series APs from Cisco? I'm not sure of the exact model (dont' have it in front of me) but it's an Aironet 1200 or something like that.
3) Has anyone had DHCP issues with the new firewalls? Neither of the two new ones I've installed will give my Macbook Pro an address via DHCP (at least wireless, have not tried direct connection yet). They will give it to the PCs just fine and my iPod via wireless but not the Mac. My mac has no issues pulling DHCP addresses from any other wireless AP I've used and I regularly use 3 different ones at 3 different locations. Any ideas here? I'm waiting to see if other Mac users start to complain.
1) When does the lds account access method get deployed for the 881's instead of the current password only?
2) Will the lds account access method be compatible with older 1200 series APs from Cisco? I'm not sure of the exact model (dont' have it in front of me) but it's an Aironet 1200 or something like that.
3) Has anyone had DHCP issues with the new firewalls? Neither of the two new ones I've installed will give my Macbook Pro an address via DHCP (at least wireless, have not tried direct connection yet). They will give it to the PCs just fine and my iPod via wireless but not the Mac. My mac has no issues pulling DHCP addresses from any other wireless AP I've used and I regularly use 3 different ones at 3 different locations. Any ideas here? I'm waiting to see if other Mac users start to complain.
-
russellhltn
- Community Administrator
- Posts: 34514
- Joined: Sat Jan 20, 2007 2:53 pm
- Location: U.S.
ldsrussp wrote:When does the lds account access method get deployed for the 881's instead of the current password only?
The rumor I'm hearing is "before the end of the year".
Have you searched the Help Center? Try doing a Google search and adding "site:churchofjesuschrist.org/help" to the search criteria.
So we can better help you, please edit your Profile to include your general location.
So we can better help you, please edit your Profile to include your general location.
-
bradhokanson
- Church Employee
- Posts: 48
- Joined: Sun Mar 06, 2011 12:31 pm
- Location: Utah, USA
ldsrussp wrote:My questions are:
1) When does the lds account access method get deployed for the 881's instead of the current password only?
2) Will the lds account access method be compatible with older 1200 series APs from Cisco? I'm not sure of the exact model (dont' have it in front of me) but it's an Aironet 1200 or something like that.
3) Has anyone had DHCP issues with the new firewalls? Neither of the two new ones I've installed will give my Macbook Pro an address via DHCP (at least wireless, have not tried direct connection yet). They will give it to the PCs just fine and my iPod via wireless but not the Mac. My mac has no issues pulling DHCP addresses from any other wireless AP I've used and I regularly use 3 different ones at 3 different locations. Any ideas here? I'm waiting to see if other Mac users start to complain.
1) Not sure but i can find out
2) I am 90% sure that it wont. The matte grey 1231 APs are FAT meaning they have their configuration 100% self contained. The new 1041s are lightweight. They get their configuration from CHQ. (The 1231s CAN be lightweight but they are not configured to be so.) The 1231s also dont support WPA2-Ent (EAP/PEAP) the 1041s do.
3) I haven't heard of this on any of the installs I have done.
-
ldsrussp
- Member
- Posts: 85
- Joined: Wed Jul 16, 2008 5:34 pm
bradhokanson wrote:1) Not sure but i can find out
2) I am 90% sure that it wont. The matte grey 1231 APs are FAT meaning they have their configuration 100% self contained. The new 1041s are lightweight. They get their configuration from CHQ. (The 1231s CAN be lightweight but they are not configured to be so.) The 1231s also dont support WPA2-Ent (EAP/PEAP) the 1041s do.
3) I haven't heard of this on any of the installs I have done.
Seems to me then that due to #1 and #2 I have no choice but to ask Salt Lake to disable the wireless in the new firewalls as they are a security risk given I have no control over the passwords and how often they do or do not change. I can't see our FM group wanting to upgrade from perfectly good commercial APs either so maybe I should just ask them to remove the password completely as it sounds about as secure as what they are doing now.
-
Aczlan
- Member
- Posts: 358
- Joined: Sun Jun 06, 2010 5:29 pm
- Location: Upstate, NY, USA
The difference (based on a Northeast Region FM/STS Meetinghouse Technology conference call the other week) is that currently, the Stake/Ward leadership is responsible for ensuring that those who are allowed to access to the network can be trusted and to police the troublemakers (thus the shared key), but when the new access system is installed (with a LDS Account being required to log on) anyone will be able to get on the network (unsecured wireless) but they will not be able to go anywhere on the internet without logging in with a LDS Account, thus any traffic can be traced back to a specific LDS Account.ldsrussp wrote: so maybe I should just ask them to remove the password completely as it sounds about as secure as what they are doing now.
Aaron Z
-
Aczlan
- Member
- Posts: 358
- Joined: Sun Jun 06, 2010 5:29 pm
- Location: Upstate, NY, USA
I have some questions about the new authentication system:
1. Will the LDS Account authentication be ONLY on the wireless connections, or will it be on the wired ones as well?
2. If it is on the wired connections as well, what would be the effect of having a non-standard AP installed and unsecured (what would be the difference between that and the official church WAP)?
3. What is being done to prevent people from trying to hack into the Clerk computers?
4. Will there be a way to disable the wireless (for example, when webcasting stake conference, I would prefer not to have to fight with others for bandwidth) or will QOS be setup to prioritize webcasting and other "Official" traffic?
Thanks
Aaron Z
1. Will the LDS Account authentication be ONLY on the wireless connections, or will it be on the wired ones as well?
2. If it is on the wired connections as well, what would be the effect of having a non-standard AP installed and unsecured (what would be the difference between that and the official church WAP)?
3. What is being done to prevent people from trying to hack into the Clerk computers?
4. Will there be a way to disable the wireless (for example, when webcasting stake conference, I would prefer not to have to fight with others for bandwidth) or will QOS be setup to prioritize webcasting and other "Official" traffic?
Thanks
Aaron Z
-
aebrown
- Community Administrator
- Posts: 15153
- Joined: Tue Nov 27, 2007 8:48 pm
- Location: Draper, Utah
These questions were all addressed in the recent regional meetinghouse technology meetings that many of us have attended.Aczlan wrote:I have some questions about the new authentication system:
It will apply to wired connections as well. That leads me to assume that it will be a function of the firewall itself -- I don't know for sure, but I don't see what other component could reliably handle wired connections. I specifically asked last night in my region's meeting if it would apply to the PIX 501 and ASA 5505 firewalls, and the answer was yes.Aczlan wrote:1. Will the LDS Account authentication be ONLY on the wireless connections, or will it be on the wired ones as well?
Give the previous answer, it shouldn't matter -- the WAP, whether official or unofficial, would be providing the physical network connection, and authentication would happen at the firewall.Aczlan wrote:2. If it is on the wired connections as well, what would be the effect of having a non-standard AP installed and unsecured (what would be the difference between that and the official church WAP)?
The Sophos software firewall "is being hardened" in preparation for this changeover, since it was acknowledged that there would be broader access. Obviously a stronger software firewall would be helpful right away. And I have no idea how to reconcile this clearly stated direction with reports that under Windows 7 the Sophos firewall is not installed.Aczlan wrote:3. What is being done to prevent people from trying to hack into the Clerk computers?
Aczlan wrote:4. Will there be a way to disable the wireless (for example, when webcasting stake conference, I would prefer not to have to fight with others for bandwidth) or will QOS be setup to prioritize webcasting and other "Official" traffic?
Yes, you'll be able to disable the wireless, at least with the Cisco 881W firewall and companion 1041 WAPs. They briefly showed a control panel with a variety of options. They even mentioned doing blocks of time so that you could disable wireless for three hours for stake conference, for example, and have it come on automatically at a specified time.
Questions that can benefit the larger community should be asked in a public forum, not a private message.
-
Aczlan
- Member
- Posts: 358
- Joined: Sun Jun 06, 2010 5:29 pm
- Location: Upstate, NY, USA
They didnt get into the nuts and bolts of how system management will work during the meeting I watched/attended, they just mentioned that it would eventually be possible to turn off the wifi on the new firewall and that until the LDS Account login was rolled out, there would be a shared key to access the wifi.aebrown wrote:These questions were all addressed in the recent regional meetinghouse technology meetings that many of us have attended.
From what I have heard, it sounds a lot like Wifidog which we use at work (Library IT support) on WRT54GL WAPs. It allows you to get on the local network (unsecured network) but the firewall blocks outgoing internet connections until you loginIt will apply to wired connections as well. That leads me to assume that it will be a function of the firewall itself -- I don't know for sure, but I don't see what other component could reliably handle wired connections. I specifically asked last night in my region's meeting if it would apply to the PIX 501 and ASA 5505 firewalls, and the answer was yes.
My thoughts exactlyGive the previous answer, it shouldn't matter -- the WAP, whether official or unofficial, would be providing the physical network connection, and authentication would happen at the firewall.
Perhaps the Win 7 firewall has been found to be secure enough when appropriately locked down? Time will tell.The Sophos software firewall "is being hardened" in preparation for this changeover, since it was acknowledged that there would be broader access. Obviously a stronger software firewall would be helpful right away. And I have no idea how to reconcile this clearly stated direction with reports that under Windows 7 the Sophos firewall is not installed.
That will be nice. I wonder if you can say the "following people will be allowed to access the wireless during the conference session, everyone else will be blocked"Yes, you'll be able to disable the wireless, at least with the Cisco 881W firewall and companion 1041 WAPs. They briefly showed a control panel with a variety of options. They even mentioned doing blocks of time so that you could disable wireless for three hours for stake conference, for example, and have it come on automatically at a specified time.
Thanks for the info
Aaron Z