Securely connecting legacy devices?

GGW

Occasional Visitor
Running Ubiquiti AP AC's. Single network configured as WPA-Enterprise. Everyone is happy except one single legacy device that only supports WPAII-PSK.

I'm thinking just create another network for WPAII-Personal for this one device. Is there a way to limit to just a single MAC address? Are there better options?

Thanks,
 
Double check with UBNT, but I think you can set up a separate WLAN Group and SSID, and define the auth properties for each group.

sfx
 
Yep, that's what I was referring to in setting up a different network. Poor terminology on my part. I think that should work but I'm not sure how best to secure it since that effectively opens up authentication quite a bit (vs everything being Enterprise/Radius).
 
Don't do it then. Setting it up so only that one MAC can access doesn't secure anything. It's always possible to capture the association handshake and grab the MAC address of that client, spoof it and then you are in.

I mean, granted you'd have to crack the WPA2-PSK password as well, which isn't trivial, but it would of course be less secure than using enterprise and RADIUS.

There really isn't a way to secure it more than the above and it'll always be less secure than WPA-Enterprise and a RADIUS server.
 
Yep, that's what I was referring to in setting up a different network. Poor terminology on my part. I think that should work but I'm not sure how best to secure it since that effectively opens up authentication quite a bit (vs everything being Enterprise/Radius).

Well, since you have a RADIUS server in house, you should be able to bind the WLAN group to a specific profileSet in the RADIUS/directory server.

Remember, with WPA/WPA2 enterprise, you're only authenticating the 802.11 AP association, what you do afterwards is 802.1x, and there it depends on how the legacy device authenticates to the directory server to allow port access.

sfx
 