10-17-2007 01:35 AM - edited 07-03-2021 02:47 PM
Hello, I have version 3.2.78 on my WLC 4402 and I want to configure it for EAP-TLS. It should be secured by 802.1X and WPA2, but I don't know how to do it properly over the web interface. Every suggestion is appreciated.
10-17-2007 05:00 AM
Dave,
Please check this link,
http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00807917a6.shtml
Regards,
~JG
Please rate helpful posts
10-17-2007 05:05 AM
So you want to use EAP-TLS instead of PEAP. In other words, you want a certificate on each device. Here is a link that might help:
http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00807917a6.shtml#t20
I have always used WPA2 w/PEAP MSChapv2 and a single certificate on the radius server.
You should maybe upgrade to 4.1.185.0, just in case:
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00805f381f.shtml
10-17-2007 10:50 AM
Hi, thanks for the replies.
Why would you recommend PEAP with MSCHAPv2 rather than EAP-TLS?
My problem, in addition, is that I can't update my WLC 4402 because I am out of warranty.
10-17-2007 11:07 AM
The reason for single-sided server certs is for your head. If you have to deal with all those client certs and manage them every single time a device is lost or stolen, your head will explode. By using PEAP, or even the old legacy LEAP, you don't have that headache. Simpler management = fewer Tylenols taken.
10-17-2007 11:12 AM
But will I then have the headache of a security lack, or is it more or less the same security level?
10-17-2007 11:25 AM
Exactly.... I worked on a project once doing EAP-TLS...... NEVER AGAIN.
You have to look at it this way. Do you have a Root CA configured? Whether you do or you don't, you should see what the MS best practice for having a CA is... You will need Excedrin for tension headaches.
10-17-2007 11:34 AM
I have to reach the result that the guys (students) using their (school-owned) notebooks are not able to bring in other, personal notebooks. Is PEAP good for that?
So, using PEAP, how do I have to configure the stuff, e.g. my CA?
10-17-2007 11:48 AM
That's a whole different scenario now. I would probably utilize PEAP for authentication and a MAC filter for association purposes. You could also validate a machine against RADIUS, but again, that could turn into a lot of work. Either way, the machine would be controlled and authentication would take place at a much more secure level.
10-17-2007 11:55 AM
I heard MAC filters are not secure because the MAC can be changed.
10-17-2007 12:02 PM
OK. Let's talk security here. The MAC filter is not security. It is a method to dictate which laptop is allowed to associate to your access point. After the laptop has associated, the user logs in to the network via PEAP and is authenticated. If the authentication fails, the user is not allowed a session on the network. This protects you: if somebody steals the laptop, they can't log in to the network because their authentication fails. Never use MAC filters as security, only as access control.
10-17-2007 12:07 PM
But what if the guy takes another laptop, changes the MAC and copies the certificate (if possible, I don't know) and logs in with his username and password? Would it work?
10-17-2007 12:14 PM
Hmmmm, changes the MAC. That CAN be done, but only by a very experienced computer guy, and the laptop has to be using a flavor of Linux. Windows OS does not allow for modification of MAC addresses. Even if he gets access to the MAC, he doesn't have the logon credentials to defeat your PEAP authentication. So what has he gained? A whole lot of work for absolutely no reward. I'm just trying to make life easy for you here. Certificates will work as well, but jeez, the headaches of managing certificates.
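The posts above treat the MAC filter as an association gate rather than as authentication, and note that a MAC address can be changed on Linux. As an added example (not code from any of the posters or from Cisco), the script below shows what that change looks like with iproute2: one function generates a random locally administered unicast MAC, one checks that a given address has that form, and one applies it to an interface. The interface name wlan0 in the usage comment is an assumption; applying the address requires root, while the generator and the check run unprivileged.

```shell
#!/bin/sh
# Added example: changing a Linux MAC address with iproute2.
# Assumptions: /dev/urandom and the `ip` command are available; the
# interface name used in the usage comment (wlan0) is illustrative.

# Print a random MAC with the locally-administered bit (0x02) set and the
# multicast bit (0x01) clear in the first octet, so the result is a valid
# unicast address that cannot collide with a vendor-assigned OUI.
random_local_mac() {
    first=$(od -An -N1 -tu1 /dev/urandom | tr -d ' ')
    first=$(( (first | 2) & 254 ))
    rest=$(od -An -N5 -tx1 /dev/urandom | tr -d ' \n' | sed 's/\(..\)/:\1/g')
    printf '%02x%s\n' "$first" "$rest"
}

# Return 0 if $1 is a lowercase colon-separated MAC whose first octet has
# the locally-administered bit set and the multicast bit clear
# (second hex digit is one of 2, 6, a, e), otherwise 1.
is_local_unicast_mac() {
    case "$1" in
        [0-9a-f][26ae]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f])
            return 0 ;;
        *)
            return 1 ;;
    esac
}

# Apply $2 as the hardware address of interface $1. The link must be down
# while the address is changed; the interface is brought back up afterwards.
# Needs root (CAP_NET_ADMIN).
spoof_mac() {
    iface=$1
    mac=$2
    is_local_unicast_mac "$mac" || { echo "refusing non-local MAC: $mac" >&2; return 1; }
    ip link set dev "$iface" down
    ip link set dev "$iface" address "$mac"
    ip link set dev "$iface" up
    ip link show dev "$iface"
}

# Usage (as root):  . ./mac_demo.sh; spoof_mac wlan0 "$(random_local_mac)"
```

After the change, the access point's MAC filter sees a new, allowed-looking adapter only if the attacker already knows an address on the allow list; either way the 802.1X/PEAP step still requires valid credentials, which is the point made in the reply above.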
10-17-2007 12:17 PM
Here is the configuration for using PEAP to authenticate the machine instead of the user.
10-17-2007 12:27 PM
OK, will do. So you would not recommend EAP-TLS because of the huge amount of additional work and the same security level.
PEAP MSCHAPv2 just works; only the certificate component doesn't work, so I have to work on this.