WIreless Authentication With ACS

Unanswered Question
Jul 7th, 2008

I have Cisco 1310 Autonomous Access Points about 30 of them, Cisco Secure Access Control Server. ALL i need to do is authenticate 100's of users with the above resources, I dont want to buy any certificates. And i have got lots of Vista users, think LEap doesn't work with VIsta right??? Could anyone suggest an alternative effective authentication method.

Thanks in advance

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Scott Fella Mon, 07/07/2008 - 19:19

You can setup PEAP... just setup a MS Certificate Authority server and generate a cert. I don't know if LEAP is supported on Vista or not... unless you use the Cisco card.

Richard Atkin Tue, 07/08/2008 - 12:25

1. Generate a self-signed certificate on the ACS

2. Export a copy of the certificate

3. Configure PEAP-MSCHAPv2 on ACS

4. Configure usernames / passwords on ACS, -OR- back ACS off to an external database (ie, LDAP)

5. Create a WPA-TKIP / WPA2-AES network - (consider a dedicated WDS Server if roaming is required).

6. Back the network off to WDS, and point WDS at ACS, -OR- if no WDS, point APs straight at ACS

7. Configure ACS to accept incomming requests from the WDS / APs.

8. Configure Clients to use WPA-TKIP / WPA2-AES + PEAP-MSCHAPv2.

and finally...

9. If you want to go the whole nine yards, install the public half of the certificate on your clients, and configure them to check the identity of the RADIUS server before they authenticate.

Lots of people don't do step 9, but if you don't want to be vulnerable to spoofing / mitm attacks, you should really do it properly. Without step 9, an attacker could potentially spoof your infrastructure and start stealing usernames / passwords from the MsChap-v2 exchange.

Richard Atkin Tue, 07/08/2008 - 12:35

heh, or setup a CA on your domain, and push the certificate and client configs out using Domain Policy (requires Win2k3 SP1)

vj_vignesh Tue, 07/08/2008 - 18:33

Kool and thanku very much everyone, i have got some idea now, i'll do some reading and start setting up , thankyou verymuch, i'll probably have soeme more doubts, which i;ll get clarified from you people.

vj_vignesh Wed, 07/16/2008 - 09:35

hey i read that for this the ACS uses the windows username and password, is it true, adn also i don't have any domains within my campus, everyone can connect without any domain authentication to th network.

if i use the internal DAtabase of the ACS, where will the client enter his access credentials if i do not have any domain controller etc.


This Discussion



Trending Topics - Security & Network