symbol or cisco wireless solution


jfountain
05-20-2003, 11:12 AM
I am looking into two solutions for my warehouse. Cisco access ports with LEAP and Symbol access points with Keyguard. Is one more secure than the other or are they both on par? Symbol claims that LEAP isn't good in a roaming environment - is that true?

Any info would be greatly appreciated. I am a novice in wireless security :)

Thanks
Jenn

Pandora
05-20-2003, 11:51 AM
I'd suggest you investigate a 3rd alternative, the Zywall 10W (and its relatives) permit wireless VPN over the wireless network (this is optional, but it permits 3DES encryption over the WLAN -> LAN, on encountering the LAN traffic is then routed to the LAN/WAN per routing rules of the firewall).

The Zywall tends to be relatively low cost, and permits use of a high power wireless card (wireless is enabled on this router by sliding a wireless laptop PCMCIA card into a slot in back). Thus you can use a 200mW Engenius EL-2511 CD PLUS (or 200mW Engenius EL-2511 EXT PLUS) to enhance the area covered by the router/access point. That the Zywall is an integrated router/firewall as well as an 802.11b access point is just icing on the cake.

Regards

Beui
05-20-2003, 03:41 PM
You didn't mention if you were attempting to use any hand-held scan devices or IP phones.... If either are the case you might be out of luck with LEAP.

Proxim and Avaya make products that provide two interfaces and might be more cost effective.

Good Luck

jfountain
05-20-2003, 03:45 PM
I am using Symbol handhelds. Here is what I got from one of the vendors:

Federal Express gave a p.o. to Symbol to embed the Cisco Radio in the wearable device. Therefore we can implement Cisco LEAP for the security protocol.

LXE MX3-CE ( Cisco radio) for Raymonds.

Symbol 1046 (Cisco radio) wearables.

Cisco 1200 Access Points.

So you think LEAP is a bad decision for handhelds?

Beui
05-20-2003, 05:48 PM
No, more so the possibility that it can be easily overlooked...
Handhelds, for a long time, have been notoriously lacking the ability to have security measures added because of the inherent nature of being an embedded platform that has limited firmware abilities...

In some cases it is easier to run two separate networks to accommodate the secured and unsecured technologies.

aaron1128
06-05-2003, 03:35 PM
If you want keyless security and management, try Greener Pasture's BubbleWave. They use LDAP and RADIUS for authentication and don't care which AP you use.

-an

oshea85
06-05-2003, 07:15 PM
For goodness' sake....If your Symbol devices do LEAP, do LEAP.

I do LEAP with Cisco cards all the time and the roaming is just outstanding. Your mileage with a Symbol client (whether or not it's doing LEAP) is going to vary. It's the radios, not so much the software auth client on them, that makes the diff (although I hear there were issues with IP phones doing LEAP, but that's another story altogether).

BTW, you've got to take what Symbol says with a grain of salt: Cisco and Symbol hate each other's guts...

Roaming is not built into the 802.11b standard, yet. Your best bet in all cases is to use radios of the same manufacture and firmware revision. Hand Held Products also makes scanners with Cisco radios in them that are LEAP-capable.

LEAP passes a username in the clear, but other than that it's strong, easy, and user-friendly. Plus, Cisco's licensed the LEAP client, so you'll start seeing more devices coming out with firmware upgrades to support the LEAP architecture.

In my book, an 802.1x based EAP solution beats any VPN-based solution any day, and your barcode scanners are never going to support a VPN client anyhow.

I can go on and on about why, but LEAP is plenty good enough. If you were building nuclear missiles, or doing work for Homeland Defense, I'd tell you to do PEAP, not LEAP, and not VPN.

jfountain
06-05-2003, 07:51 PM
What do you think about TKIP and Keyguard? Better than LEAP?

oshea85
06-05-2003, 08:01 PM
TKIP is an interim solution for non-EAP security. Pretty good, from what I understand, but still proprietary, so it won't work between hardware vendors most likely.

Keyguard is (I think) Symbol's name for their Kerberos-based security (might be wrong about that). Only Symbol devices are going to do it.

Here's the thing: what are you going to run on the WLAN, and who's going to support it? My take is that I want to be able to run whatever I want, and provide an appropriate level of security to each application/hardware/software combination I'm going to run.

Barcode apps are not real tantalizing targets for hackers. Web servers, email transmissions, etc might be.

If you install Cisco 1200 APs, and can run VLANs and 802.1q trunks on your network, you could set up multiple logical WLANs, each with whatever security requirements you choose. You could create one net with simple WEP for barcode, one with LEAP for enterprise computing, one that's wide open to the internet for guests, or any combination.

Does that make sense? Need a system architect? ;)
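
The multiple-logical-WLAN layout described in the post above, as an added example that is not part of the original thread: a Python check that a weaker WLAN's VLAN cannot reach a stronger WLAN's VLAN through the inter-VLAN permit rules, directly or through an intermediate segment. The SSID names, VLAN IDs, trust ranking and permit list are constructed assumptions.

```python
from collections import deque

# Constructed plan mirroring the post: one logical WLAN per SSID/VLAN.
# SSID names, VLAN IDs and the trust ranking are assumptions for illustration.
TRUST = {"open": 0, "wep": 1, "leap": 2}

WLANS = {
    "guest":      {"vlan": 30, "auth": "open"},
    "barcode":    {"vlan": 10, "auth": "wep"},
    "enterprise": {"vlan": 20, "auth": "leap"},
}

# Constructed inter-VLAN permit rules (source segment -> destination segment)
# on the router joining the 802.1q trunks. "wan" and VLAN 40 (a warehouse
# application server segment) are hypothetical.
PERMITS = [(30, "wan"), (10, 40), (40, 20), (20, 40), (20, "wan")]


def reachable(src, permits):
    """Return every segment reachable from src, following permits hop by hop."""
    seen, queue = set(), deque([src])
    while queue:
        node = queue.popleft()
        for a, b in permits:
            if a == node and b not in seen:
                seen.add(b)
                queue.append(b)
    return seen


def trust_violations(wlans, permits):
    """List (weaker SSID, stronger SSID) pairs where the weaker WLAN's VLAN
    has a path to the stronger WLAN's VLAN, including multi-hop paths."""
    found = []
    for lo_name, lo in wlans.items():
        reach = reachable(lo["vlan"], permits)
        for hi_name, hi in wlans.items():
            if TRUST[hi["auth"]] > TRUST[lo["auth"]] and hi["vlan"] in reach:
                found.append((lo_name, hi_name))
    return sorted(found)


if __name__ == "__main__":
    for weak, strong in trust_violations(WLANS, PERMITS):
        print(f"{weak} (VLAN {WLANS[weak]['vlan']}) can reach "
              f"{strong} (VLAN {WLANS[strong]['vlan']})")
```

With the constructed rules, the WEP barcode VLAN reaches the LEAP VLAN through the application server segment, which is the kind of path a per-SSID security split needs to rule out.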

oshea85
06-07-2003, 04:42 PM
Just checked, and Keyguard is Symbol's implementation of TKIP, not kerberos.

As such, it's likely strong, but still is not real likely to work with everyone else's TKIP.

Cisco just released WPA-compliant software for their APs, but the client software isn't due until Q3, or so I hear.