WDS and Microsoft IAS authentication

Unanswered Question
Jul 4th, 2008

Hi all,

I have a WiFi environment with a WDS AP (local RADIUS) and about 10 infrastructure AP's. The WDS does LEAP authentication/fast roaming for the 7921G phones.

Now I have to build up a new SSID/VLAN with 802.1x/PEAP/MS-CHAP V2 (on IAS) authentication.

Unfortunately, each infrastructure AP can authenticate the client only when wlccp is deactivated.

Is there a way to use the WDS/LEAP as a local radius and send infrastructure authentications to it, but still send user authentications to the IAS?

The 7921G can't be authenticated on the IAS (security issue).

Thanks,

Norbert

Richard Atkin Mon, 07/07/2008 - 03:33

Hi Norbert,

WDS certainly does support PEAP-MSCHAPv2, so I'd suggest it's just a case of troubleshooting the setup until you get it all working. A few references you may find useful...

http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801c951f.shtml

http://supportwiki.cisco.com/ViewWiki/index.php/Special:Search?ns0=1&ns100=1&ns102=1&ns106=1&search=peap+wds&searchx=Search

alig.norbert Mon, 07/07/2008 - 07:27

Hi,

Thanks for the reply. I've found the "hint".

On the WDS-AP (IAS is 192.168.1.3):

-----------------------------------

aaa group server radius GRP-DOT1x
 server 192.168.1.3 auth-port 1645 acct-port 1646
aaa authentication login method_GRP-DOT1x group GRP-DOT1x
radius-server host 192.168.1.3 auth-port 1645 acct-port 1646 key 7 00xxxxx
wlccp authentication-server client eap method_GRP-DOT1x
ssid vlanfordot1x

On the infrastructure AP:

-------------------------

aaa group server radius GRP-DOT1x
 server 192.168.1.3 auth-port 1645 acct-port 1646
aaa authentication login method_GRP-DOT1x group GRP-DOT1x
radius-server host 192.168.1.3 auth-port 1645 acct-port 1646 key 7 00xxxxx
dot11 ssid vlanfordot1x
 vlan 10
 authentication open eap method_GRP-DOT1x
 authentication network-eap method_GRP-DOT1x
interface Dot11Radio0
 ssid vlanfordot1x
 encryption vlan 10 mode wep mandatory
wlccp authentication-server client eap method_GRP-DOT1x

nutchaporn Wed, 07/09/2008 - 18:58

Hi, I have found this

Note: By default, the access point sends reauthentication requests to the authentication server with the service-type attribute set to authenticate-only. However, some Microsoft IAS servers do not support the authenticate-only service-type attribute. Changing the service-type attribute to login-only ensures that Microsoft IAS servers recognize reauthentication requests from the access point. Use the dot11 aaa authentication attributes service-type login-only global configuration command to set the service-type attribute in reauthentication requests to login-on

http://www.cisco.com/en/US/docs/wireless/access_point/12.4_3g_JA/configuration/guide/s43auth.html
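The Service-Type mismatch described in the note above, as an added example in Python that is not code from this thread or from Cisco: it encodes a minimal RADIUS Access-Request carrying the Service-Type attribute (RFC 2865 attribute type 6; Login = 1, Authenticate-Only = 8), parses it back with length checks, and evaluates it against an assumed server model that, like the IAS behaviour the note describes, recognises only Login. The server model and the sample user name are constructed for the example.

```python
import os
import struct

# RFC 2865 constants (standard values, not specific to this thread)
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_SERVICE_TYPE = 6
SERVICE_TYPE = {"login": 1, "authenticate-only": 8}  # login-only vs. the AP's default

# Assumed model of the IAS behaviour in the note: only Service-Type=Login is recognised.
IAS_LIKE_SUPPORTED = {SERVICE_TYPE["login"]}
PERMISSIVE_SUPPORTED = set(SERVICE_TYPE.values())


def encode_attr(attr_type, value):
    """Encode one attribute as Type(1) Length(1) Value; integers are 4-byte big-endian."""
    if isinstance(value, int):
        value = struct.pack("!I", value)
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_access_request(identifier, username, service_type_name, authenticator=None):
    """Build an Access-Request with User-Name and the chosen Service-Type."""
    authenticator = authenticator or os.urandom(16)  # Request Authenticator: 16 random octets
    attrs = encode_attr(ATTR_USER_NAME, username.encode()) + \
        encode_attr(ATTR_SERVICE_TYPE, SERVICE_TYPE[service_type_name])
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_attrs(packet):
    """Parse the header and attributes; reject bad lengths instead of reading past the buffer."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("bad packet length")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return code, identifier, attrs


def service_type_supported(packet, supported):
    """True if the modelled server recognises the request's Service-Type (absent = accepted)."""
    _, _, attrs = parse_attrs(packet)
    raw = attrs.get(ATTR_SERVICE_TYPE)
    if raw is None:
        return True
    return struct.unpack("!I", raw)[0] in supported
```

Switching the AP to login-only corresponds to building the request with "login" instead of "authenticate-only", which the IAS-like model then accepts.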

SERGEY KAIDAN Wed, 06/09/2010 - 00:07

I use:

interface Dot11Radio0
no ip address
ip access-group 100 in
no ip route-cache
!
encryption mode ciphers tkip
!
encryption vlan 210 mode ciphers aes-ccm  (important feature)

Will it work if I configure WDS with IAS as I can see above?
