I've been reading through about 100 posts in this forum regarding
PEAP and Cisco ACS and RSA SecurID and the more I read about it,
the more I get confused.
I am trying to set up a simple lab for proof of concept. I have
a PIX firewall with 3 interfaces: outside, inside and DMZ. Here
is the information:
On the inside network, I have the following:
A Windows 2003 Server, IP 192.168.1.2, running Cisco ACS 4.0(1),
Active Directory, Certificate Server, MS Exchange Server 2003, and
MS SQL Server 2005.
A Windows 2003 Server, IP 192.168.1.3, running RSA SecurID Server
A Linux Red Hat Enterprise Server 3.0, IP 192.168.1.4, running
Apache server, DHCP server and MySQL. The DHCP server will serve
IP addresses to wireless XP clients. I configured the PIX firewall
to relay DHCP and I can confirm that the DHCP relay works.
On the DMZ network, I have the following:
A Cisco Access Point (AP 1200), IP 192.168.0.2, serving wireless clients.
For lab purposes, I have the following rules on the firewall:
access-list dmz permit ip host 192.168.0.2 host 192.168.1.2 log
access-list dmz permit ip any any log
access-list inside permit ip any any log
access-group inside in interface inside
access-group dmz in interface dmz
nat (dmz) 1 0 0
global (outside) 1 interface
On the machine running Cisco ACS 4.0(1), I installed the RSA Agent software so that
ACS 4.0(1) can communicate with the RSA SecurID server. I tested the connectivity
via the RSA SecurID tool installed on the ACS server and it works. I configured
the ACS server for external database authentication via SecurID, and I know that it
works because I configured the PIX firewall for AAA authentication; the ACS
proxies the connection to the RSA server and I have two-factor authentication.
Finally, I have a bunch of wireless Windows XP clients with Cisco wireless
cards, and these Windows XP machines have Cisco ACU installed on them. One other thing: when these
Windows XP wireless clients are connected to the LAN, they are connected
to network 192.168.1.0/24, so their Windows domain is "juniper.net". When users
are connected via LAN, they are part of the domain "juniper.net". When they
unplug the laptop, they are disconnected from the network, and when they go outdoors
they start using wireless.
What I would like to do is implement PEAP authentication for the wireless XP clients.
In other words, before the XP wireless clients get IP addresses from the DHCP server,
they must authenticate via two-factor authentication. The username/password will be
the one stored in the RSA SecurID server. Once they are authenticated, a Windows
domain logon will be presented, and then they can authenticate to the Active Directory server
located on the "inside" network. After that, they can open Microsoft Outlook and
retrieve mail from the Exchange Server.
What I would like to achieve sounds very simple, but it is NOT. I think I have to:
1) Install the Microsoft root certificate on the ACS server,
2) in the ACS external database, select SecurID as the option,
3) check EAP-GTC somewhere in the ACS system page,
4) set up the Access Point for EAP authentication,
5) set up the Windows XP clients for PEAP authentication.
Some posts mentioned PEAP machine authentication and user authentication. What
does that mean?
Does anyone have step-by-step instructions on how to set up PEAP authentication?
I think these are not hard, but this is my first time doing this, so it is quite
overwhelming, not to mention the fact that my day-to-day job is to work on Check Point,
Cisco PIX/VPNc and Juniper/NetScreen firewalls. Therefore, wireless is totally new to me.
I've attached a diagram of what I want to accomplish. Thanks in advance.
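As an added illustration of steps 4 and the firewall side of the lab above (example configuration written for this thread, not the poster's own config and not from Cisco documentation), the fragment below shows the Access Point pointing 802.1X/EAP at the ACS server at 192.168.1.2, and PIX access-list entries that make the AP-to-ACS RADIUS exchange explicit instead of relying only on "permit ip any any". It assumes the AP 1200 runs IOS (12.3(7)JA or later, which has the global "dot11 ssid" form), that ACS listens on its default RADIUS ports 1645/1646, and that the group name "rad_eap", the method list "eap_methods", the SSID "lab-peap" and the placeholder <shared-secret> are all names chosen here.

```cisco
! --- Cisco AP 1200 (IOS) side: 802.1X/EAP to ACS at 192.168.1.2 ---
! "rad_eap", "eap_methods" and "lab-peap" are names assumed for this example.
! Replace <shared-secret> with the key configured for this AAA client in ACS.
aaa new-model
aaa group server radius rad_eap
 server 192.168.1.2 auth-port 1645 acct-port 1646
aaa authentication login eap_methods group rad_eap
radius-server host 192.168.1.2 auth-port 1645 acct-port 1646 key <shared-secret>
!
dot11 ssid lab-peap
 ! open system association, then EAP (PEAP from the XP clients) via the RADIUS group
 authentication open eap eap_methods
 ! WPA key management so each client gets its own session keys after EAP succeeds
 authentication key-management wpa
 ! broadcast the SSID; convenient in a lab, remove once clients are provisioned
 guest-mode
!
interface Dot11Radio0
 encryption mode ciphers tkip
 ssid lab-peap
!
! --- PIX side: name the RADIUS exchange from the AP to ACS explicitly ---
! The AP itself only needs RADIUS authentication (UDP 1645) and accounting
! (UDP 1646) to reach the ACS server. Listing them ahead of the lab's
! "permit ip any any" keeps that rule's behaviour but logs the EAP exchange
! as its own flows, which makes a failing PEAP attempt easy to spot in syslog.
! Traffic from the wireless clients themselves (domain logon, Exchange) is a
! separate matter and is still covered by the existing "any any" entry.
access-list dmz permit udp host 192.168.0.2 host 192.168.1.2 eq 1645 log
access-list dmz permit udp host 192.168.0.2 host 192.168.1.2 eq 1646 log
access-list dmz permit ip any any log
access-group dmz in interface dmz
```

The ACS side of this pairing is the matching AAA client entry for 192.168.0.2 with the same shared secret and "RADIUS (Cisco Aironet)" as the protocol; if the two secrets differ, the AP's EAP requests are silently dropped by ACS, so a client that never gets past "authenticating" while the PIX shows the UDP 1645 flow being permitted points at the secret rather than at the firewall.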