Guest access for vendors/clients

Unanswered Question
Mar 24th, 2008


I have a single AP setup using PEAP with MS Win2k3 IAS/RADIUS. I would like outside vendors and clients to be able to come in and be able to access the Internet as well as a printer. I believe in order to authenticate with PEAP the laptop must be a member of the domain which we can't do with vendors and clients. I'm new to wireless so I'm lost as how to set this up. If anyone is familiar with how to do this I would really appreciate some direction. Thanks in advance.


I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
kfarrington Fri, 03/28/2008 - 01:17

Riley (I found you)

Can you explain the setup a little further. Are you using Wireless LAN Controllers to manage your APs?

Many thx


rileymartin Fri, 03/28/2008 - 05:31

Thank you for the help. This is all new to me so I'm really lost.

All I have is a single AP, nothing else. It's a Cisco Aironet 1200 Series AP a/b/g.

I was able to configure the AP and IAS/RADIUS/CA for PEAP and that's working.

However I have some laptop users who can't be members of the domain. I'm not 100% sure but I think in order for PEAP to work the laptops must be added to the domain.

I read about something called 'Guest' access. I thought I could setup another authentication method in addition to PEAP for these non-domain member laptops. Even though it's less secure I wanted to give them access to some internal resources as well as the Internet.

kfarrington Fri, 03/28/2008 - 05:50

The one thing that I have found out in the last couple of days is that if you are using a radius server, that has to be part of the domain (if its a MS opsys) if you are granting corporate access.

If you are using a Cisco ACS and as the ACS is a Cisco applicance, you have to have a remote agent that the ACS forwards the PEAP-MSCHAPv2 request onto, and the RA is on a box within the domain. Then the RA forwards it to your active directory controller.

For guest access, would you want the guests to be part of your coparate domain?

What you need is the CUWN archetecture where you have controllers on campus where the APs/AP are managed from and then controllers in your internet DMZs (as per cisco design guides) but I dont think this is helping you much.

The reason for this is so that you seperate your corp/guest wifi traffic with the use of LWAPP tunnels so that a guest user cannot access corp resources.


I hope this was not too useless, but like you, I am a newbie to all of this :))



rileymartin Fri, 03/28/2008 - 16:28

I wish I understood all that. All I have is a single AP. Is there a simple way to just add a 2nd authentication method? I think I read I would need a 2nd SSID and perhaps create a VLAN?

Scott Fella Fri, 03/28/2008 - 18:03

You should create another SSID for guest and that will map to a different vlan just for guest. Then you can configure ACL's on your L3 to deny certain traffic from the guest net to your internal net.

rileymartin Fri, 03/28/2008 - 20:54

Thank you for your help.

Since I can't use PEAP for non-domain computers, what would you say would be the next best choice for a secure wireless connection for those laptops that I can't make members of the domain?

Scott Fella Mon, 03/31/2008 - 05:07

If you have ACS then you can use the DB in ACS to authenticate users. With IAS, users will have to be in the domain. If you have to secure the wifi network without using 802.1x, I would suggest using WPA2-PSK. You can always change this weekly and hand the info to your vendors and others who need access. However, if some users do not have support for WPA2, then you might have to go with WPA-PSK which has been compromised already.

kfarrington Mon, 03/31/2008 - 00:23

Hi Fella5 :)

If you do this with a single AP, do you have to configure the AP as a trunk to the switch and carry both VLANs over the trunk?

This is an interesting topic.

Many thx


Scott Fella Mon, 03/31/2008 - 05:02

If the installation is LWAPP then the AP would be on an access port since the traffic flows to the WLC and then trunked to a switch. If the AP is in autonomous mode, then you will have to have a 802.1q trunk between the AP and the switchport. Native vlan would be the management subnet the AP is on.

rileymartin Mon, 03/31/2008 - 06:25

I have a single Aironet 1200 Series Access Point and on the 'Express Security' page it shows Static WEP Key, EAP Authentication and WPA so I don't think it supports WPA2.

Do you know how I could keep the PEAP authentication as well as add a 2nd authentication method such as WPA-PSK?

Perhaps I could only enable the WPA-PSK when vendors/clients are onsite and then disable it when they leave.

rileymartin Mon, 03/31/2008 - 06:29

AP#sh ver

Cisco IOS Software, C1200 Software (C1200-K9W7-M), Version 12.3(8)JEA, RELEASE S


Technical Support:

Copyright (c) 1986-2006 by Cisco Systems, Inc.

Compiled Wed 23-Aug-06 16:42 by kellythw

ROM: Bootstrap program is C1200 boot loader

BOOTLDR: C1200 Boot Loader (C1200-BOOT-M) Version 12.2(8)JA, EARLY DEPLOYMENT RE


Cairny-AP uptime is 3 weeks, 5 days, 23 hours, 18 minutes

System returned to ROM by power-on

System restarted at 09:13:49 est Tue Mar 4 2008

System image file is "flash:/c1200-k9w7-mx.123-8.JEA/c1200-k9w7-mx.123-8.JEA"

This product contains cryptographic features and is subject to United

States and local country laws governing import, export, transfer and

use. Delivery of Cisco cryptographic products does not imply

third-party authority to import, export, distribute or use encryption.

Importers, exporters, distributors and users are responsible for

compliance with U.S. and local country laws. By using this product you

agree to comply with applicable laws and regulations. If you are unable

to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:

If you require further assistance please contact us by sending email to

[email protected].

cisco AIR-AP1210 (PowerPC405GP) processor (revision A0) with 15138K/12

36K bytes of memory.

Processor board ID FOC074214X8

PowerPC405GP CPU at 196Mhz, revision number 0x00C4

Last reset from power-on

1 FastEthernet interface

2 802.11 Radio(s)

32K bytes of flash-simulated non-volatile configuration memory.

Base ethernet MAC Address: 00:0E:38:23:C8:E7

Part Number : 73-8704-05

PCA Assembly Number : 800-23211-06

PCA Revision Number : A0

PCB Serial Number : FOC074214X8

Top Assembly Part Number : 800-23304-03

Top Assembly Serial Number : FHK0744J2K6

Top Revision Number : A0

Product/Model Number : AIR-AP1210

Configuration register is 0xF


Scott Fella Mon, 03/31/2008 - 06:31

You only can have one authentication method per ssid. You could disable the WPA-PSK, but that would be a daily activity.

rileymartin Mon, 03/31/2008 - 09:07

Can I have multiple SSIDs configured for the same device or for different radios on the same device?

Scott Fella Mon, 03/31/2008 - 12:06

Yes... you can have the same ssid on either the 2.4GHz or 5 GHz radio. You can also have different ssid's per radio. You can have up to 8 SSID's, but recommended is 4.

matthewpage Tue, 04/01/2008 - 13:45

If you want to stick with 802.1x can you not use MD5 or TLS instead of ms-chap-v2??

Using the first two will not require the user to be on the domain. This works for wired so im sure it will work for wireless.


This Discussion