PEAP - Kerberos - Active Directory - Wifi Authentication

Unanswered Question
Mar 26th, 2008

Hello all,

I am very confused as to the authentication method used for a wifi client logging into a windows domain.

802.1x supports EAP type eap-peap-mschap-v2, but active directory supports Kerberos and not MSCHAPv2 (I believe).

What do I have to do to get a wifi-client working to connect to active-directory using Kerberos whilst EAP only supports MSCHAPv2?

Please help, I am a tad confused :)

Many thx indeed,

Kind regards,

Ken

dewmancco Wed, 03/26/2008 - 09:27

I believe you need some sort of RADIUS server to perform the authentication.

In our environment - we use a Cisco ACS (RADIUS) server to authenticate our wireless clients.

Our clients all use PEAP auth, and the APs all point to the RADIUS server. The RADIUS server has agents that get installed on AD member servers - then those agents act as the go-between for ACS(RADIUS) and Active Directory.

I believe M$ has a RADIUS server (IAS) which should tie nicely into AD - I just have never used M$'s RADIUS solution so I can't tell you how to make it work - although I can tell you how to make a Cisco ACS work.

kfarrington Wed, 03/26/2008 - 11:00

Many thx indeed for your reply. You are very kind.

So can I just have my WLCs pointing directly to the M$ IAS? And does that run Kerberos?

Sorry, still a little confused.

Many thx

Ken

rileymartin Wed, 03/26/2008 - 14:16

I just set this up and I'm still confused. Here is an overview of what you will need to do:

1) Install a Windows 2003 certificate server CA, and IAS/RADIUS.

2) Authorize your IAS server in active directory.

3) Create a wireless policy in IAS for PEAP Secure password (EAP-MSCHAP v2).

4) Configure your AP as a RADIUS client in IAS.

5) Deploy the certificate from your CA to all your wireless laptops either automatically through AD, through web-enrollment with IIS or manually.

6) I think all laptops must be members of the AD domain but I'm not positive.

Here are the best links that I could find that will guide you step by step.

Microsoft word document: Step-by-Step Guide for Setting Up Secure Wireless Access in a Test Lab:

http://www.microsoft.com/downloads/details.aspx?FamilyID=0f7fa9a2-e113-415b-b2a9-b6a3d64c48f5&DisplayLang=en

Ultimate wireless security guide Automatic PEAP deployment with Microsoft Active Directory GPO:

http://articles.techrepublic.com.com/5100-1035-6148576.html

Checklist: Configuring the IAS server and wireless access points for wireless access

http://technet2.microsoft.com/windowsserver/en/library/60fa5de5-58a0-4673-be1e-dd24fb1014a41033.mspx?mfr=true
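An added example, not code from any poster in this thread: step 4 above registers the AP (or WLC) as a RADIUS client with a shared secret, and that secret is what lets IAS check that an EAP-carrying Access-Request really came from a registered client. The Python below builds such a packet with the RFC 2869 Message-Authenticator (HMAC-MD5 keyed with the shared secret) and verifies it; the secret, identifier and EAP identity are constructed values.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1              # RADIUS code
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80


def _attr(attr_type, value):
    """Encode one RADIUS attribute: type, total length, value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret, identifier, username, eap_payload, req_auth=None):
    """Build an Access-Request as a RADIUS client (AP/WLC) sends it for PEAP.

    RFC 2869 requires Message-Authenticator whenever EAP-Message is present:
    HMAC-MD5 over the whole packet with the attribute value zeroed.
    """
    req_auth = req_auth or os.urandom(16)             # Request Authenticator
    attrs = _attr(ATTR_USER_NAME, username.encode())
    attrs += _attr(ATTR_EAP_MESSAGE, eap_payload)
    attrs += _attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)  # placeholder, last attr
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    packet = header + req_auth + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac                          # fill in the placeholder


def verify_message_authenticator(secret, packet):
    """Server-side check: True only if the packet is intact and keyed by secret."""
    if len(packet) < 20:
        return False
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    pos, found = 20, None
    while pos + 2 <= length:                           # walk the attribute list
        attr_type, attr_len = struct.unpack("!BB", packet[pos:pos + 2])
        if attr_len < 2 or pos + attr_len > length:
            return False                               # malformed attribute
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and attr_len == 18:
            found = pos
        pos += attr_len
    if found is None:
        return False                                   # EAP without Message-Authenticator
    claimed = packet[found + 2:found + 18]
    zeroed = packet[:found + 2] + b"\x00" * 16 + packet[found + 18:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(claimed, expected)
```

A packet signed with a different secret, or altered in transit, fails the check exactly the way IAS rejects traffic from an AP that was never added as a RADIUS client.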

DUSANVAUPOTIC Thu, 03/27/2008 - 00:06

I have configured all of the above from 1-6.

Access points which are wired are no problem to configure.

But I have two 1300 series bridges (1310), one configured as a Root Bridge with wireless clients, the other as a NonRoot Bridge with wireless clients.

The non-root cannot associate to the root and is giving the following error:

Interface Dot11Radio0, cannot associate: EAP authenticating.

How can I configure the nonroot?

Many thx in advance.

kfarrington Thu, 03/27/2008 - 01:48

This is absolutely fantastic. Many thx indeed,

One question if I may :-

4. Configure your AP as a RADIUS Client in IAS.

As I am using 1242 zero touch APs, and using 440x controllers (WLCs), I assume I just configure the WLCs as the RADIUS clients?

Can you or anyone else confirm that?

Then I believe you have given me exactly what I need :)))))))))))))))

Many thx indeed,

Ken

rileymartin Thu, 03/27/2008 - 18:54

I'm sorry but I'm new to Cisco as well as wireless so I'm really lost. I was lucky to get some good help to setup the PEAP. I wish I could help you further but I really don't know what I'm doing.

I'm still trying to get help with setting up some sort of 'Guest' access. I've posted a question but no one replied. I don't suppose you have any experience with that?

kfarrington Fri, 03/28/2008 - 01:15

Yes, we have setup Guest access.

Send me the link (or I will look for it now with your username) so I can hopefully help you out as you have so kindly helped me :))))

Will find and get back to you

Thx

Ken
