New WLC Deployment, which Authentication to use

Unanswered Question
Jan 31st, 2007


I am in the planning stages of deploying a wireless solution to my company. We have 2 WLC 4402 at our disposal plus 20 LWAPP APs.

The requirements are to enable normal corp access for corporate employees using Windows XP and Macs via 1 WLAN, and to enable guest access to 3rd party users using Macs, WinXP and Win2k using another WLAN.

We do not currently have a certificate server.

We have an IAS Win2k RADIUS server.

I want to avoid having to install any client software on the client PCs if possible.

So, which authentication method can I use that is the easiest to deploy, is secure, and is "fairly" future proof, i.e. I won't have to change all this in a year's time?



Anonymous (not verified) Tue, 02/06/2007 - 06:35

If you have an ACS server, then I would suggest you go for 802.1x/EAP with ACS. Since you are using Cisco wireless products, I have seen several documents from Cisco that talk about authentication using a CSACS (Cisco Secure ACS) server.

For this, you need to install ACS on a Win2k server. It's ok if you can only use the IAS Win2k server, but Cisco has only a few documents for this. Here is one document I have found

garyrivers Tue, 02/06/2007 - 14:33

We are wanting to basically do the same on our network.

Wouldn't using two SSIDs or creating an ACL do the same?


jamesadams_66 Wed, 02/14/2007 - 17:04

I recommend 802.1x and EAP-PEAP authentication.

There are many forms of EAP, but the two forms of EAP that are most appropriate for the majority of customers are PEAP (Protected EAP) and TTLS (Tunneled Transport Layer Security). Both forms of authentication do a good job of protecting passwords because the MSCHAPv2 password challenge session is protected inside an encrypted tunnel.

PEAP or TTLS is better than Cisco's LEAP mechanism, which transmits the MSCHAPv2 session in the clear, lending itself to offline password dictionary cracking.

PEAP generally refers to PEAP-EAP-MSCHAPv2 mode, which only requires a Server Side Digital Certificate and a Client Side Username/Password.

PEAP is supported in Microsoft IAS Radius.

TTLS is actually a little better in security than PEAP-EAP-MSCHAPv2 because it does not divulge the username in clear text; however, it is not supported by Windows IAS or Cisco ACS, and the Windows OS does not have a built-in TTLS client.

In order to run EAP-PEAP (or TTLS mode), the RADIUS server MUST HAVE a server-side X.509 digital certificate. This certificate should be purchased from a 3rd party Certificate Authority; don't use a Self-Signed Certificate on the RADIUS server. Self-Signed Digital Certificates violate all best practice concepts for PKI; they might be OK for a LAB or Demo, but not a production environment.

lee.messenger Thu, 02/15/2007 - 14:24


Thanks very much for your detailed reply; after further research I believe you are spot on in your recommendation. Could you answer one question regarding your final comment about self-signed certificates? We intend to issue the certificate from the internal Active Directory CA, rather than a 3rd party. Would you see any issue with doing this?



jim_pliss Fri, 02/23/2007 - 09:50

If using AD, definitely use a Cisco ACS. You can then use AD security groups to assign wireless access and even VLAN access to wireless.

AD CA certs will work fine, just use X.509.
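The two replies above (PEAP-EAP-MSCHAPv2 with a server-side certificate, and issuing that certificate from the internal AD CA) come together on the client side: the MSCHAPv2 exchange is only protected if the client verifies that the TLS tunnel terminates at the real RADIUS server. The following is an added illustration, not configuration from this thread or from Cisco; it uses wpa_supplicant syntax for a PEAP supplicant and shows a weak network block beside a corrected one. The SSID, identities, CA file path and domain name are constructed placeholders.

```ini
# Added example (not from the thread). Two wpa_supplicant network blocks for
# the same PEAP/MSCHAPv2 WLAN; all names and paths are constructed placeholders.

# WEAK: no CA is pinned, so the supplicant builds the TLS tunnel to whichever
# RADIUS server answers and then runs MSCHAPv2 inside a tunnel that could
# terminate on an untrusted endpoint.
network={
    ssid="corp-wlan"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe@corp.example"
    password="placeholder-password"
    phase2="auth=MSCHAPV2"
}

# CORRECTED: trust only the internal AD CA that issued the RADIUS server
# certificate, require the server's certificate name to match the corporate
# domain, and keep the real username out of the unprotected outer identity.
network={
    ssid="corp-wlan"
    key_mgmt=WPA-EAP
    eap=PEAP
    anonymous_identity="anonymous@corp.example"
    identity="jdoe@corp.example"
    password="placeholder-password"
    ca_cert="/etc/ssl/certs/corp-ad-root-ca.pem"
    domain_suffix_match="corp.example"
    phase1="peapver=0"
    phase2="auth=MSCHAPV2"
}
```

The corrected block is the wpa_supplicant equivalent of the Windows PEAP properties "Validate server certificate" together with the trusted root CA selection and "Connect to these servers"; with an internal AD CA, the client must have that root in its trusted store, which is the practical difference from a purchased certificate whose root is already present.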

