Secured WLAN for mixed, unmanaged environment.

Unanswered Question
Nov 16th, 2007

Hello,

I'm in charge of setting up a WLAN for Macintosh and Windows computers that are not managed by the local staff. The goal is to provide access to local servers. At first we went for a WebVPN on an ASA, but it currently does not support Macs.

So I'm trying to set up a username/password authentication against LDAP with some kind of Mac OS free RADIUS.

The WLC is configured like this:

wlan create 1 wifi-intranet.fonctionnaires wifi-intranet.fonctionnaires
wlan aaa-override enable 1
wlan radius_server auth add 1 1
wlan security static-wep-key encryption 1 104 <mode unknown> <passwd hidden> 1
wlan security wpa wpa1 enable 1
wlan security wpa wpa1 ciphers tkip enable 1
wlan enable 1

The freeradius has a self-signed certificate; the Mac users get prompted to trust that certificate, then authenticate with LDAP credentials, and it works just fine.

The Windows computer is stuck on 'eap,request identity'. It just doesn't go any further.

It is configured as in the configuration guides for PEAP with WLC and ACS.

To summarize: authenticate Windows computers with an LDAP username/password, without any supplicant other than the one provided with XP SP1.

The RADIUS is a Mac product named Elektron.

The WLAN runs on a WLC4402 with 1130 APs.

ED CARMODY Fri, 11/16/2007 - 08:34

The issue is that the Windows PEAP supplicant uses MS-CHAPv2, which does an NT hash on the password before it sends it to the AAA server... your LDAP would need to store NT hashes of the password, or you need to point the AAA to an AD to auth Windows users.

lionellemaire Fri, 11/16/2007 - 10:00

Hi, thanks for your attention.

I made some progress today by removing some machine-authentication registry keys (authmode = 2, supplicantmode = 3) that seemed to prevent me from using PEAP.

It works fine now; the problem is, as I said, that the Windows computers are not managed. The users just have an LDAP username.

Now, which is the lowest version of Windows to support PEAP?

Is it XP SP1 or SP2?

johnnylingo Sat, 01/05/2008 - 01:49

Yes, XP SP1 will support PEAP. PEAP has been around since 2002 and it just barely made the cut for SP1.

However, keep in mind that SP2 is required if you want to run PEAP with WPA, since WPA didn't come out until 2003.
