Using Multiple RADIUS servers w/ LEAP & WPA concurrently

Unanswered Question
Mar 5th, 2008

Our current wireless network was set up by someone on the outside and it uses LEAP w/ CKIP. When we have random employees come in, CKIP is a pain since CKIP usually isn't supported by any of the laptop OEM wireless drivers. We've had to resort to using the manufacturer's drivers to get it to work. So because of this we started looking at moving to WPA w/ TKIP or AES. I started out with a small test setup using MS IAS, PEAP and an IOS-based Aironet 1231. The test environment seems to be working fine: I can associate with it and gain network access, so I don't think there are any problems with IAS or PEAP.

My intention is to set up additional SSIDs on new VLANs so I can run the test WPA network in parallel with the in-use LEAP networks. The problem I seem to have run into is that when I mix the two configs, WPA no longer works. I've enabled quite a few different debugs to get an idea of what might be the problem, and the only thing I can come up with at this time is the possibility of WLCCP being the problem. When the machine is trying to connect to the WPA SSID I see a lot of WLCCP messages, which, if I understand how this is supposed to work, shouldn't come into play. For the WPA data clients I don't really care about fast roaming, which is what I understand WLCCP to be for. People aren't walking around with their laptops while doing something network dependent. They sit down in one location, so seamless roaming is a non-issue.

I've attached a sanitized version of the two configs. I'll continue to hack on this, but I'm hoping I'm just overlooking something that a second set of eyes might catch. Or maybe it's not even possible. I'd also be interested in what others are using as their network EAP methods: EAP-FAST, PEAP, EAP-TLS. I initially chose PEAP since it seems like a happy medium between strength and ease of use from the client end, since 98% of all clients will be Windows laptops. Any comments on using WPA-PSK vs LEAP with 7920 phones?

Thanks in advance,

irisrios Tue, 03/11/2008 - 14:38

For the sake of interoperability I would choose PEAP. If you don't want WLCCP messages to pop up, then disable WDS, which needs reconfiguration on all the access points.

I'm trying to wrap my head around everything that the previous company did, so I still have some blanks I'm trying to fill regarding how everything meshes together. This network is used for both voice and data. My primary objective is to make the data side simpler to connect to for visiting sales staff, followed by setting up an internet-access-only SSID. If I understand it correctly, WDS is necessary for fast roaming. I only care about the fast roaming on the voice side. If I disable WDS, would I start having quality issues as people roam from one AP to another, or am I off the mark on what WDS actually provides? When you have WDS enabled, does the AP try to use it with all configured SSIDs?

bcolvin Tue, 03/11/2008 - 16:04

1. It is recommended that the AP you use as the primary WDS has the radio disabled.

2. It is also standard that your bridge groups be numbered the same as your VLANs.

3. Your native VLAN should not have an SSID associated with it. This is not mandatory, but again SOP for multiple-VLAN configs.

4. Here is an excellent link for configuring WDS. Of course it shows using an ACS server as your RADIUS server, but any RADIUS server will work.

5. As Irene points out, PEAP is a better choice for EAP, as it is more secure than LEAP and more widely supported.

6. Any version of WPA is preferred over the older security protocols due to the better encryption methods used.
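As an added example (not the configs attached to the original post, nor anything bcolvin wrote), here is how points 2 and 3 above look on an Aironet IOS AP running the LEAP/CKIP SSID and the WPA/TKIP SSID side by side: each SSID sits on its own VLAN, the bridge-group numbers match the VLAN IDs, and the native VLAN carries no SSID. SSID names, VLAN IDs, the RADIUS server address and the shared secret are constructed placeholders, and `mbssid` assumes an IOS release that supports multiple BSSIDs so the WPA SSID can advertise its own RSN information in its own beacon.

```ios
! Added example, not the poster's attached configs: two SSIDs on two VLANs,
! bridge-group numbers equal to the VLAN IDs, native VLAN 1 carries no SSID.
! SSID names, VLAN IDs, RADIUS address and shared secret are constructed.
aaa new-model
aaa group server radius rad_eap
 server 10.0.0.5 auth-port 1812 acct-port 1813
aaa authentication login eap_methods group rad_eap
radius-server host 10.0.0.5 auth-port 1812 acct-port 1813 key EXAMPLE-SHARED-SECRET
!
! Existing LEAP SSID on VLAN 10 (network-eap is the LEAP method)
dot11 ssid LEAP-VOICE
 vlan 10
 authentication network-eap eap_methods
!
! New WPA/TKIP SSID on VLAN 20: open + EAP (PEAP against IAS) with WPA key management
dot11 ssid WPA-DATA
 vlan 20
 authentication open eap eap_methods
 authentication key-management wpa
 mbssid guest-mode
!
interface Dot11Radio0
 no ip address
 mbssid
 encryption vlan 10 mode ciphers ckip
 encryption vlan 20 mode ciphers tkip
 ssid LEAP-VOICE
 ssid WPA-DATA
!
! Native VLAN 1: management only, no SSID bound to it
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 bridge-group 1
interface Dot11Radio0.10
 encapsulation dot1Q 10
 bridge-group 10
interface Dot11Radio0.20
 encapsulation dot1Q 20
 bridge-group 20
!
interface FastEthernet0.1
 encapsulation dot1Q 1 native
 bridge-group 1
interface FastEthernet0.10
 encapsulation dot1Q 10
 bridge-group 10
interface FastEthernet0.20
 encapsulation dot1Q 20
 bridge-group 20
```

The per-VLAN `encryption` lines are what let CKIP stay on the LEAP VLAN while TKIP is used on the WPA VLAN; the RADIUS server only sees EAP requests from both SSIDs, so one `eap_methods` list serves them.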
