Edit 1:
Our environment is mixed, mostly OS X with a few Windows and Linux boxes. More importantly, Android phones and iPhones will also need regular wireless access.
We have a Red Hat box that can be used to run FreeRADIUS. All networking gear is Cisco-based (ASA + Catalyst switches + Aironet 1140 APs).
Thanks to HopelessN00b's feedback, I'm currently looking at FreeRADIUS + PEAP as my solution. I'm setting up a test platform to get a feel for the authentication-server side of things.
We're currently using a WPA2 key + MAC address filtering, which includes two Cisco Aironet 1140s connected via WDS.
It works fine, but everyone has the same WPA2 key, and both AP configurations have to be edited every time someone is added, which is a bit time-consuming. We only have 2 APs and 12-15 people in the office, and no need to sync with other locations. We're a mixed Mac/Windows/Linux office. What kind of setup would you recommend?
Everything was already configured when I got here, and I see in the APs' running config 2 references to a RADIUS server, but the referenced machine doesn't seem to have those ports open, so I suspect these lines are inactive. Am I right?
Here is a copy of the running config:
Access point 1:
service password-encryption
!
hostname wap
!
logging rate-limit console 9
enable secret 5 [redacted]
!
aaa new-model
!
!
aaa group server radius rad_eap
 server 192.168.90.245 auth-port 1812 acct-port 1813
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login default local
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods group rad_mac
aaa authentication login wds-server group rad_eap
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
!
aaa session-id common
clock timezone -0500 -5
clock summer-time -0400 recurring
ip domain name nyc.acme.local
!
!
dot11 association mac-list 700
dot11 syslog
!
dot11 ssid ACME-NYC
 vlan 1
 authentication open
 authentication key-management wpa version 2
 guest-mode
 wpa-psk ascii 7 [redacted]
!
dot11 aaa csid ietf
!
!
username ckent privilege 15 secret 5 [redacted]
username e0f847203232 password 7 [redacted]
username e0f847203232 autocommand exit
username 58946b90ca20 password 7 [redacted]
username 58946b90ca20 autocommand exit
username bwayne privilege 15 secret 5 [redacted]
username e0f847320cca password 7 [redacted]
username e0f847320cca autocommand exit
username 58946bbf4868 password 7 [redacted]
username 58946bbf4868 autocommand exit
username pparker privilege 15 secret 5 [redacted]
!
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 1 mode ciphers aes-ccm tkip
 !
 ssid Acme-NYC
 !
 antenna gain 0
 speed basic-11.0 18.0 24.0 36.0 48.0 54.0
 channel 2412
 station-role root
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 !
 encryption vlan 1 mode ciphers aes-ccm tkip
 !
 ssid ACME-NYC
 !
 antenna gain 0
 dfs band 3 block
 channel dfs
 station-role root
!
interface Dot11Radio1.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface GigabitEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 no keepalive
!
interface GigabitEthernet0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address 192.168.90.245 255.255.255.0
 no ip route-cache
!
ip default-gateway 192.168.90.254
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
access-list 111 permit tcp any any neq telnet
access-list 700 permit [redacted] 0000.0000.0000
access-list 700 permit [redacted] 0000.0000.0000
access-list 700 deny 0000.0000.0000 ffff.ffff.ffff
snmp-server community acme RO
radius-server local
 no authentication eapfast
 no authentication mac
 nas 192.168.90.245 key 7 [redacted]
 user ap2 nthash 7 [redacted]
!
radius-server attribute 32 include-in-access-req format %h
radius-server host 192.168.90.201 auth-port 1645 acct-port 1646 key 7 [redacted]
radius-server host 192.168.90.245 auth-port 1812 acct-port 1813 key 7 [redacted]
radius-server vsa send accounting
bridge 1 route ip
!
!
wlccp authentication-server infrastructure wds-server
wlccp wds aaa csid ietf
wlccp wds priority 200 interface BVI1
!
line con 0
 access-class 111 in
line vty 0 4
 access-class 111 in
!
end
Access point 2:
service password-encryption
!
hostname wap2
!
logging rate-limit console 9
!
aaa new-model
!
!
aaa group server radius rad_eap
 server 192.168.90.245 auth-port 1812 acct-port 1813
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login default local
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods group rad_mac
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
!
aaa session-id common
clock timezone -0500 -5
clock summer-time -0400 recurring
ip domain name nyc.acme.local
!
!
dot11 association mac-list 700
dot11 syslog
!
dot11 ssid Acme-NYC
 vlan 1
 authentication open
 authentication key-management wpa version 2
 guest-mode
 wpa-psk ascii 7 [redacted]
!
dot11 aaa csid ietf
!
!
username ckent privilege 15 secret 5 [redacted]
username e0f847203232 password 7 [redacted]
username e0f847203232 autocommand exit
username 58946b90ca20 password 7 [redacted]
username 58946b90ca20 autocommand exit
username bwayne privilege 15 secret 5 [redacted]
username e0f847320cca password 7 [redacted]
username e0f847320cca autocommand exit
username 58946bbf4868 password 7 [redacted]
username 58946bbf4868 autocommand exit
username pparker privilege 15 secret 5 [redacted]
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 1 mode ciphers aes-ccm tkip
 !
 ssid Acme-NYC
 !
 antenna gain 0
 speed basic-11.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 !
 encryption vlan 1 mode ciphers aes-ccm tkip
 !
 ssid Acme-NYC
 !
 antenna gain 0
 dfs band 3 block
 channel dfs
 station-role root
!
interface Dot11Radio1.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface GigabitEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 no keepalive
!
interface GigabitEthernet0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address 192.168.90.246 255.255.255.0
 no ip route-cache
!
ip default-gateway 192.168.90.254
ip http server
ip http authentication aaa
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
access-list 111 permit tcp any any neq telnet
access-list 700 permit [redacted] 0000.0000.0000
access-list 700 permit [redacted] 0000.0000.0000
access-list 700 deny 0000.0000.0000 ffff.ffff.ffff
snmp-server community Acme RO
radius-server attribute 32 include-in-access-req format %h
radius-server host 192.168.90.201 auth-port 1645 acct-port 1646 key 7 [redacted]
radius-server vsa send accounting
bridge 1 route ip
!
!
wlccp ap username ap2 password 7 [redacted]
wlccp wds aaa csid ietf
!
line con 0
 access-class 111 in
line vty 0 4
 access-class 111 in
!
sntp server 192.168.90.254
sntp broadcast client
end
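As an added example that is not part of the original question or answer: what the two APs and the Red Hat FreeRADIUS box would look like after moving the ACME-NYC SSID from a shared WPA2 key plus MAC filtering to WPA2-Enterprise (802.1X with PEAP/MSCHAPv2), which is the FreeRADIUS + PEAP route mentioned in Edit 1. The FreeRADIUS address 192.168.90.10, the `<shared-secret>` placeholder, the user `alice`, the FreeRADIUS 2.x file layout under /etc/raddb and the certificate file names are assumptions; the AP addresses, the group name rad_eap, the method list eap_methods and the SSID are taken from the posted configs.

```text
! ===== Aironet 1140 (autonomous IOS), same on wap and wap2 =====
! Assumed FreeRADIUS box: 192.168.90.10; <shared-secret> is a placeholder.
aaa new-model
aaa group server radius rad_eap
 server 192.168.90.10 auth-port 1812 acct-port 1813
!
aaa authentication login eap_methods group rad_eap
radius-server host 192.168.90.10 auth-port 1812 acct-port 1813 key <shared-secret>
ip radius source-interface BVI1
!
! SSID: no wpa-psk line any more. Standard supplicants (Windows, macOS, Linux,
! iOS, Android) need "open eap"; "network-eap" is only for Cisco LEAP clients.
dot11 ssid ACME-NYC
 vlan 1
 authentication open eap eap_methods
 authentication key-management wpa version 2
 guest-mode
!
! CCMP only: drop tkip from the cipher list once every client does WPA2.
interface Dot11Radio0
 encryption vlan 1 mode ciphers aes-ccm
 ssid ACME-NYC
interface Dot11Radio1
 encryption vlan 1 mode ciphers aes-ccm
 ssid ACME-NYC
!
! Once 802.1X works the per-AP MAC list is redundant and can be removed:
! no dot11 association mac-list 700

# ===== FreeRADIUS 2.x on the Red Hat box (/etc/raddb) =====
# clients.conf: one entry per AP, same secret as "key" above.
client wap {
        ipaddr = 192.168.90.245
        secret = <shared-secret>
}
client wap2 {
        ipaddr = 192.168.90.246
        secret = <shared-secret>
}

# eap.conf, inside eap { ... }: PEAP outside, MSCHAPv2 inside the TLS tunnel.
default_eap_type = peap
tls {
        certdir = ${confdir}/certs
        cadir = ${confdir}/certs
        private_key_file = ${certdir}/server.key
        certificate_file = ${certdir}/server.pem
        CA_file = ${cadir}/ca.pem
}
peap {
        default_eap_type = mschapv2
}
mschapv2 {
}

# users: MSCHAPv2 needs a cleartext (or NT-hashed) password per user.
alice   Cleartext-Password := "change-me"
```

Run `radiusd -X` in the foreground while a client associates to watch the EAP exchange; `radtest` only exercises PAP/CHAP, so a PEAP test without an AP needs `eapol_test` from the wpa_supplicant tree. Two checks a practitioner will want: the APs must actually reach UDP 1812 on the RADIUS host (`show radius statistics` on the AP shows whether requests are being answered or timing out, which is also the quickest way to settle the question above about the existing radius-server lines), and every supplicant must be configured to trust the CA that issued server.pem and to check the server name, because otherwise a rogue AP broadcasting ACME-NYC can harvest the MSCHAPv2 credentials that PEAP carries inside its tunnel.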
A bit broad and hard to answer without knowing more about your skill level and environment, but I'd definitely recommend using certificate-based 802.1x authentication over using a shared WPA2 key.
It's more secure (clients can't snoop on each other's traffic, since each client uses a different key), it's easier to manage, and you don't have to have some poor help desk guy punching the key into new machines or for new users. Shared keys are really just a quick hack by lazy or unskilled admins to get "wireless working", and I'm hard-pressed to come up with a use case where I'd consider it legitimate in a professional environment.
If you can't set it up yourself, it may be worth having a consultant spend a few hours setting it up for you, but we can't tell you whether that's a good use of your money, or whether your shop is small enough and the value of the data going over wireless low enough that a shared WPA2 key is "good enough".
It's not that hard (although if you haven't done it before, your Windows/Mac/OSX environment may cause you some pain), but you'll definitely want to sit down and look at how best to implement it, and set up a new certificate authority as well as a RADIUS server. Honestly, in an environment with so few people and so many different client operating systems, I'm not too sure which implementation I'd prefer.
And FYI, always redact the passwords in your AP config. Turning the hashes back into passwords is trivial. (I'll fix it now, but remember that for next time...)
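To show why the last point matters, here is an added example (not code from the original post or from either participant): the `password 7`, `key 7` and `wpa-psk ascii 7` values in an IOS running-config are not hashes but a repeating-key XOR against a fixed, publicly documented key, so anyone who sees the config recovers the plaintext instantly. The block encodes and decodes that "type 7" form and scrubs a config before it is pasted anywhere. The sample config lines at the bottom are constructed for the demo (the username line reuses the well-known test vector for the password "cisco"); `secret 5` values are salted MD5 and are left alone.

```python
"""Cisco IOS "type 7" password obfuscation: encode, decode, and scrub a config.

Added example, not code from the original post. Type 7 is reversible
obfuscation, not hashing: two decimal digits give a start offset into a
fixed key, then each character is XORed with successive key bytes.
"""
import re

# Fixed 53-byte key IOS uses for type 7 obfuscation (publicly documented).
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# Keywords after which a type 7 value appears in an autonomous-AP config
# (password 7, key 7, wpa-psk ascii 7, nthash 7). "secret 5" never matches.
TYPE7_RE = re.compile(r"\b(password|secret|key|ascii|nthash) 7 ([0-9A-Fa-f]{4,})\b")


def type7_decode(encoded: str) -> str:
    """Recover the plaintext from a type 7 string such as '0822455D0A16'."""
    encoded = encoded.strip()
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError("not a type 7 string: %r" % encoded)
    seed = int(encoded[:2])
    if seed > 15:  # IOS only emits seeds 00..15
        raise ValueError("invalid type 7 seed %d" % seed)
    body = bytes.fromhex(encoded[2:])
    # Each byte is XORed with the key byte at (seed + position) mod 53,
    # so the key wraps around for passwords longer than 53 - seed bytes.
    plain = bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(body))
    return plain.decode("ascii")


def type7_encode(plaintext: str, seed: int = 8) -> str:
    """Produce the type 7 form IOS would store for `plaintext` (seed 0..15)."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0..15")
    data = plaintext.encode("ascii")
    out = bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(data))
    return "%02d%s" % (seed, out.hex().upper())


def audit_type7(config: str):
    """Return (redacted_config, findings) for an IOS config text.

    findings is a list of (line_number, keyword, plaintext): exactly what a
    reader of the unredacted config learns. redacted_config has every type 7
    value replaced with [redacted] and is what should be pasted instead.
    """
    findings = []
    redacted_lines = []
    for lineno, line in enumerate(config.splitlines(), 1):
        for m in TYPE7_RE.finditer(line):
            findings.append((lineno, m.group(1), type7_decode(m.group(2))))
        redacted_lines.append(TYPE7_RE.sub(r"\1 7 [redacted]", line))
    return "\n".join(redacted_lines), findings


# Constructed sample, not the poster's real config: the classic test vector
# "cisco" at seed 08, a RADIUS shared secret obfuscated with the encoder
# above, and a type 5 (salted MD5) enable secret that must be left untouched.
SAMPLE_CONFIG = "\n".join([
    "username e0f847203232 password 7 0822455D0A16",
    "radius-server host 192.168.90.201 auth-port 1645 acct-port 1646 key 7 "
    + type7_encode("radius-shared-secret", seed=3),
    "enable secret 5 $1$salt$thisIsAnMD5HashNotType7",
])

if __name__ == "__main__":
    scrubbed, found = audit_type7(SAMPLE_CONFIG)
    for lineno, keyword, plain in found:
        print("line %d: %s 7 -> %r" % (lineno, keyword, plain))
    print(scrubbed)
```

Running the file prints the two recovered secrets (the user password and the RADIUS shared secret) followed by the scrubbed config. The RADIUS key is the more damaging leak of the two: with it, anyone on the LAN can impersonate the RADIUS server to the APs or decrypt the credential attributes inside RADIUS packets.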