Machine authentication + PEAP on Windows 2000

jan.pauler · ‎05-23-2007

Hi all,

is it possible to do machine authentication with following setup?

-Workstations with Windows 2000 SP4+latest updates

-Cisco Aironet 1242AG Access points

-RADIUS (=IAS in Windows 2000 Server)

-Windows 2000 domain with CertServices

-3com 3CRDAG675 A/B/G wireless adapters

-dynamic WEP+PEAP (or better WPA/AES+PEAP)

I have seen several Cisco articles about settings up ACS3.2 for this. But I have no luck trying to set this up within our environment.

Did anybody here tried this or is using something similar?

Thank you for any ideas.

Jan

brispin · ‎05-29-2007

I have tried this scenario with the Cisco ACS server but not with the IAS server. This setup should work with the IAS as well. There is a good document on Cisco.com which explains how to configure PEAP with ACS. This should help you to some extent. http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a0080545a29.shtml

rseiler · ‎05-29-2007

The most important information is something you didn't provide: What is the wireless software that you are using to connect to the wireless network? Are you using the 3COM wireless NIC software that comes with the card or are you trying to use a microsoft built-in client?

Anyway, the only config that has worked for me for machine auth is Windows XP SP2 with several hotfixes (NOT security patches), ACS 3.3(3) minimum, the microsoft zero config client, and the correct configuration all around. Really doesn't matter if your server infrastructure and certsrv is Win 2000 or 2003.

May I ask why you are insisting on using Windows 2000 on the clients? (What year is it, 2007?)

jan.pauler · ‎05-29-2007

Thanks both for help.

@ rseiler: right now, we are using the 3com WLAN Manager, which is ok for our current setup. But I already tried to change 1 testing workstation settings to several types of encryption & PEAP authentication, without success. When the computer starts no IP is assigned by DHCP and users are able to initally work offline. After somebody with local/cached profile logs on, the 3Com WLan manager connects and after that everything works "fine". But this is not acceptable. The 3Com WLAN Manager has several setttings for pre-logon, after-machine-bootup options, but I didnt notice any change after trying all of them in several combinations. But this particular problem is probably better suited for 3Com forums/support.

I also tried Microsoft client, which has limited options. The problem with W2K is that no wireless settings can be changed within microsoft supplicant. What I achieved here is to first set 3Com WLAN Manager for correct encryption settings, SSID etc. then disabling it and using Microsoft's supplicant instead. This works really well, but I have tested it only with dynamic WEP + PEAP + IAS W2K as I read somewhere in Cisco documents that W2K has no direct support for higher encryption.

As for why still Windows 2000 in year 2007 - its company policy, which is set by central IT department and actually W2K is enough for almost everything we need. Some of the workstations we use for only 1 specific task which doesn't require much horsepower and the HW of these machines couldnt cope with XP's demands. Buying new machines for such task doesn't sound right. We will have to go with XP though, because new versions of applications we use are just plainly requesting XP during install.

Are there any 3rd party PEAP supplicants which also support machine auth for Windows platform, like Funk, Aegis(probably Cisco now :-) ) ?

Again thanks for your help.

rseiler · ‎05-30-2007

Your best bet is to purchase Cisco CB21AG wireless cards and use the Cisco ACU client to connect to the wireless network. This is the most functionality you will get under win2k...

jan.pauler · ‎05-30-2007

Thanks for your reply, but I cant just throw 50 PCI A/B/G Wireless cards out of window :-( They weren't cheap and I wouldn't get permission to buy other brand if the current ones are working "fine".

To use 3Com wasn't my decision either, I already inherited such setup.

Unfortunately I have to find a way to do it with what I have right now. I would probably get permission to buy a SW Client for our WiFi clients, but I have no experience with 3rd party supplicants and I also dont know if some of them support machine authentication. As I already mentioned I am able to run it also with 3Com set to PEAP and dynamic WEP, even if it is not the best setup I could get (still better than the current static WEP). This is the only one, where GPO works fine. I'll try 3Com support and hopefully they will answer with something constructive.

Thank you for your help.

mdcole · ‎06-03-2007

You should be able to use Funk Odyssey client - if it is still around....I think they may have gotten bought out by Juniper.

I used it for LEAP support a few years back on a handful of HP laptops that we couldn't get working.

You can download a 30 day trial: http://www.juniper.net/webleads/leadsRegistration.do?_returnurl=http://www.juniper.net/customers/support/products/aaa_802/oac_demo.jsp&_id=www.OACFreeTrial&_enhanced=N&templateName=aaa_demo

jan.pauler · ‎06-03-2007

Thank you for your suggestion. I will try the trial then.

Right now I am trying to get some help/clarification in local 3com support centre, but so far I got suggestions of settings which I already tried before.