Cisco 881

Discussions about Internet service providers (ISPs), the Meetinghouse Firewall, wired and wireless networking, usage, management, and support of Meetinghouse Internet
johnshaw
Senior Member
Posts: 2111
Joined: Fri Jan 19, 2007 1:55 pm
Location: Syracuse, UT

Postby johnshaw » Fri Apr 29, 2011 12:08 pm

If that is the case, and I have 3 sites with the same installs, then I'm happy to know it is working.... another GSD theory shot down!!!

Freedom55
Member
Posts: 83
Joined: Sun Nov 01, 2009 9:15 pm
Location: BC, Canada

Postby Freedom55 » Sun May 01, 2011 7:01 pm

Hi JohnShaw,

The existing WAP is a Cisco 1231G. According to our STS, as soon as he plugged it into the 881, the WAP went live. It doesn't sound like any compatibility problems - which I think reflects the instructions that were issued with the 881.

Hope that helps.

ldsrussp
Member
Posts: 85
Joined: Wed Jul 16, 2008 4:34 pm

Postby ldsrussp » Wed May 18, 2011 5:18 pm

My questions are:

1) When does the lds account access method get deployed for the 881's instead of the current password only?

2) Will the lds account access method be compatible with older 1200 series APs from Cisco? I'm not sure of the exact model (don't have it in front of me) but it's an Aironet 1200 or something like that.

3) Has anyone had DHCP issues with the new firewalls? Neither of the two new ones I've installed will give my Macbook Pro an address via DHCP (at least wireless, have not tried direct connection yet). They will give it to the PCs just fine and my iPod via wireless but not the Mac. My mac has no issues pulling DHCP addresses from any other wireless AP I've used and I regularly use 3 different ones at 3 different locations. Any ideas here? I'm waiting to see if other Mac users start to complain.

russellhltn
Community Administrator
Posts: 26430
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

Postby russellhltn » Wed May 18, 2011 5:28 pm

ldsrussp wrote:When does the lds account access method get deployed for the 881's instead of the current password only?


The rumor I'm hearing is "before the end of the year".

bradhokanson
Church Employee
Posts: 41
Joined: Sun Mar 06, 2011 12:31 pm
Location: Utah, USA

Postby bradhokanson » Wed May 18, 2011 10:20 pm

ldsrussp wrote:My questions are:

1) When does the lds account access method get deployed for the 881's instead of the current password only?

2) Will the lds account access method be compatible with older 1200 series APs from Cisco? I'm not sure of the exact model (don't have it in front of me) but it's an Aironet 1200 or something like that.

3) Has anyone had DHCP issues with the new firewalls? Neither of the two new ones I've installed will give my Macbook Pro an address via DHCP (at least wireless, have not tried direct connection yet). They will give it to the PCs just fine and my iPod via wireless but not the Mac. My mac has no issues pulling DHCP addresses from any other wireless AP I've used and I regularly use 3 different ones at 3 different locations. Any ideas here? I'm waiting to see if other Mac users start to complain.


1) Not sure but I can find out
2) I am 90% sure that it won't. The matte grey 1231 APs are FAT, meaning they have their configuration 100% self contained. The new 1041s are lightweight. They get their configuration from CHQ. (The 1231s CAN be lightweight but they are not configured to be so.) The 1231s also don't support WPA2-Ent (EAP/PEAP); the 1041s do.
3) I haven't heard of this on any of the installs I have done.

ldsrussp
Member
Posts: 85
Joined: Wed Jul 16, 2008 4:34 pm

Postby ldsrussp » Thu May 19, 2011 7:41 am

bradhokanson wrote:1) Not sure but I can find out
2) I am 90% sure that it won't. The matte grey 1231 APs are FAT, meaning they have their configuration 100% self contained. The new 1041s are lightweight. They get their configuration from CHQ. (The 1231s CAN be lightweight but they are not configured to be so.) The 1231s also don't support WPA2-Ent (EAP/PEAP); the 1041s do.
3) I haven't heard of this on any of the installs I have done.


Seems to me then that due to #1 and #2 I have no choice but to ask Salt Lake to disable the wireless in the new firewalls as they are a security risk given I have no control over the passwords and how often they do or do not change. I can't see our FM group wanting to upgrade from perfectly good commercial APs either so maybe I should just ask them to remove the password completely as it sounds about as secure as what they are doing now. :(

Aczlan
Member
Posts: 353
Joined: Sun Jun 06, 2010 4:29 pm
Location: Upstate, NY, USA

Postby Aczlan » Thu May 19, 2011 8:06 am

ldsrussp wrote: so maybe I should just ask them to remove the password completely as it sounds about as secure as what they are doing now. :(

The difference (based on a Northeast Region FM/STS Meetinghouse Technology conference call the other week) is that currently, the Stake/Ward leadership is responsible for ensuring that those who are allowed access to the network can be trusted and to police the troublemakers (thus the shared key), but when the new access system is installed (with an LDS Account being required to log on) anyone will be able to get on the network (unsecured wireless) but they will not be able to go anywhere on the internet without logging in with an LDS Account, thus any traffic can be traced back to a specific LDS Account.

Aaron Z

Aczlan
Member
Posts: 353
Joined: Sun Jun 06, 2010 4:29 pm
Location: Upstate, NY, USA

Postby Aczlan » Thu May 19, 2011 5:38 pm

I have some questions about the new authentication system:
1. Will the LDS Account authentication be ONLY on the wireless connections, or will it be on the wired ones as well?
2. If it is on the wired connections as well, what would be the effect of having a non-standard AP installed and unsecured (what would be the difference between that and the official church WAP)?
3. What is being done to prevent people from trying to hack into the Clerk computers?
4. Will there be a way to disable the wireless (for example, when webcasting stake conference, I would prefer not to have to fight with others for bandwidth) or will QOS be setup to prioritize webcasting and other "Official" traffic?

Thanks

Aaron Z

aebrown
Community Administrator
Posts: 15101
Joined: Tue Nov 27, 2007 8:48 pm
Location: Sandy, Utah

Postby aebrown » Thu May 19, 2011 8:42 pm

Aczlan wrote:I have some questions about the new authentication system:


These questions were all addressed in the recent regional meetinghouse technology meetings that many of us have attended.

Aczlan wrote:1. Will the LDS Account authentication be ONLY on the wireless connections, or will it be on the wired ones as well?


It will apply to wired connections as well. That leads me to assume that it will be a function of the firewall itself -- I don't know for sure, but I don't see what other component could reliably handle wired connections. I specifically asked last night in my region's meeting if it would apply to the PIX 501 and ASA 5505 firewalls, and the answer was yes.

Aczlan wrote:2. If it is on the wired connections as well, what would be the effect of having a non-standard AP installed and unsecured (what would be the difference between that and the official church WAP)?


Given the previous answer, it shouldn't matter -- the WAP, whether official or unofficial, would be providing the physical network connection, and authentication would happen at the firewall.

Aczlan wrote:3. What is being done to prevent people from trying to hack into the Clerk computers?


The Sophos software firewall "is being hardened" in preparation for this changeover, since it was acknowledged that there would be broader access. Obviously a stronger software firewall would be helpful right away. And I have no idea how to reconcile this clearly stated direction with reports that under Windows 7 the Sophos firewall is not installed.

Aczlan wrote:4. Will there be a way to disable the wireless (for example, when webcasting stake conference, I would prefer not to have to fight with others for bandwidth) or will QOS be setup to prioritize webcasting and other "Official" traffic?


Yes, you'll be able to disable the wireless, at least with the Cisco 881W firewall and companion 1041 WAPs. They briefly showed a control panel with a variety of options. They even mentioned doing blocks of time so that you could disable wireless for three hours for stake conference, for example, and have it come on automatically at a specified time.

Aczlan
Member
Posts: 353
Joined: Sun Jun 06, 2010 4:29 pm
Location: Upstate, NY, USA

Postby Aczlan » Thu May 19, 2011 9:41 pm

aebrown wrote:These questions were all addressed in the recent regional meetinghouse technology meetings that many of us have attended.

They didn't get into the nuts and bolts of how system management will work during the meeting I watched/attended, they just mentioned that it would eventually be possible to turn off the wifi on the new firewall and that until the LDS Account login was rolled out, there would be a shared key to access the wifi.

aebrown wrote:It will apply to wired connections as well. That leads me to assume that it will be a function of the firewall itself -- I don't know for sure, but I don't see what other component could reliably handle wired connections. I specifically asked last night in my region's meeting if it would apply to the PIX 501 and ASA 5505 firewalls, and the answer was yes.

From what I have heard, it sounds a lot like Wifidog which we use at work (Library IT support) on WRT54GL WAPs. It allows you to get on the local network (unsecured network) but the firewall blocks outgoing internet connections until you log in.

aebrown wrote:Given the previous answer, it shouldn't matter -- the WAP, whether official or unofficial, would be providing the physical network connection, and authentication would happen at the firewall.

My thoughts exactly.

aebrown wrote:The Sophos software firewall "is being hardened" in preparation for this changeover, since it was acknowledged that there would be broader access. Obviously a stronger software firewall would be helpful right away. And I have no idea how to reconcile this clearly stated direction with reports that under Windows 7 the Sophos firewall is not installed.

Perhaps the Win 7 firewall has been found to be secure enough when appropriately locked down? Time will tell.

aebrown wrote:Yes, you'll be able to disable the wireless, at least with the Cisco 881W firewall and companion 1041 WAPs. They briefly showed a control panel with a variety of options. They even mentioned doing blocks of time so that you could disable wireless for three hours for stake conference, for example, and have it come on automatically at a specified time.

That will be nice. I wonder if you can say the "following people will be allowed to access the wireless during the conference session, everyone else will be blocked".

Thanks for the info

Aaron Z

