Wireless Authentication Questions

Unanswered Question
Jun 2nd, 2008

Hello - I have been asked to investigate changing our wireless network's authentication to 802.1x. Currently we are using WPA, TKIP with a pre-shared key. We have found that more folks are connecting via their cell phones/PDAs (we set them up with the PSK), and having to change the pre-shared key every time one of the folks who has been permitted to connect with their phone leaves our company is getting to be quite the task, since we need to change that on users' laptops and every other phone that connects. From what I have read it looks like we need to get a WLC in place before we can implement 802.1x for authentication, but I'm not certain about that. Is it necessary to have a WLC, or could we get the same results using our ACS server (Cisco 1113 with ACS for Windows)? I am really just looking for something that is easier to manage. I was thinking about trying to put some sort of MAC-based authentication in place, but that does not seem to be the most secure method. Ideally we want it to be fairly seamless for new folks to connect once the initial setup is complete, which our current setup does; some folks around here have issues with our executives having to type in their credentials on their cell phones or PDAs. If anybody can provide some guidance or perhaps some links to other documents that I can review to come up with a game plan, I would be most appreciative.

Thanks - Matt

Scott Fella Mon, 06/02/2008 - 18:57

You can set up 802.1x with autonomous APs. However, if you are looking into upgrading your WLAN, then WLCs are your best bet. Makes configuration and troubleshooting soooooo much easier.

What you need to do is set up ACS on a Windows server that is on the domain and use the Windows AD database for authentication. PEAP MSCHAPv2 is probably what you want to use, which requires a server-side cert on the ACS and not on all the clients. You would set up a group in AD so you can add or remove users who you want to be able to access your wifi.

This link should help:

http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00807917aa.shtml
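Scott's answer names the pieces (ACS as the RADIUS server in front of AD, PEAP with a certificate only on the server, an AD group deciding who gets in). As an added example that is not from the original thread or from the linked Cisco document, here is what that change looks like on an autonomous IOS access point: the existing WPA-TKIP/PSK SSID beside the same SSID switched to 802.1X/EAP authenticated by ACS. The SSID name CORP-WLAN, the RADIUS address 192.0.2.10, the shared secret, the PSK and the AAA list names are placeholders I chose; the ACS side (AD external database, group mapping, and the server certificate for PEAP) is configured in the ACS web UI and is not shown.

```cisco
! --- Before: WPA with a pre-shared key (the setup the thread is moving away from) ---
! One secret shared by every device, so a departure means re-keying all of them.
dot11 ssid CORP-WLAN
   authentication open
   authentication key-management wpa
   wpa-psk ascii 0 EXAMPLE-PSK-PLACEHOLDER
   guest-mode

! --- After: WPA with 802.1X/EAP, users authenticated by ACS (placeholder values) ---
! The RADIUS server is the ACS box; this shared secret exists only between AP and ACS.
aaa new-model
aaa group server radius rad_eap
 server 192.0.2.10 auth-port 1812 acct-port 1813
aaa authentication login eap_methods group rad_eap
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key EXAMPLE-RADIUS-SECRET

! Same SSID, but per-user EAP instead of a PSK. Note there is no wpa-psk line:
! removing a user from the AD group behind ACS ends their access without touching
! any other laptop or phone.
dot11 ssid CORP-WLAN
   authentication open eap eap_methods
   authentication key-management wpa
   guest-mode

! Keep the cipher the thread already runs (TKIP); WPA key management above supplies
! per-session keys derived from the EAP exchange rather than from a shared PSK.
interface Dot11Radio0
 encryption mode ciphers tkip
 ssid CORP-WLAN
```

Only one of the two `dot11 ssid` stanzas should exist at a time; the "before" block is shown for contrast. On the client side each laptop or phone needs its wireless profile set to WPA-Enterprise / PEAP and should be configured to trust the CA that issued the ACS certificate, otherwise the client cannot tell a rogue RADIUS server from the real one when it sends its MSCHAPv2 credentials. A quick check after cutover is to watch the ACS failed-attempts log while a test account in the AD group, and one outside it, tries to connect.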

matt_drmmer Tue, 06/03/2008 - 06:14

Thank you for the response. We are actually not looking to upgrade and just want to use the equipment that we already have in place, so I think that getting a WLC in here would be rather difficult if there are ways to accomplish what we are trying to do without it. We already have a group on our domain controllers for wireless users that can be seen by our ACS server, so could I just modify the authentication used by our access points to PEAP MSCHAPv2? Sorry for all of the questions; I just want to make sure that I don't miss something that should be obvious or could be done more efficiently.

thanks - Matt
