Wireless Authentication With ACS

Unanswered Question
Jul 7th, 2008

I have about 30 Cisco 1310 Autonomous Access Points and a Cisco Secure Access Control Server. All I need to do is authenticate hundreds of users with the above resources; I don't want to buy any certificates. And I have got lots of Vista users; I think LEAP doesn't work with Vista, right??? Could anyone suggest an alternative effective authentication method.

Thanks in advance

Scott Fella Mon, 07/07/2008 - 19:19
You can set up PEAP... just set up an MS Certificate Authority server and generate a cert. I don't know if LEAP is supported on Vista or not... unless you use the Cisco card.

Richard Atkin Tue, 07/08/2008 - 12:25

1. Generate a self-signed certificate on the ACS

2. Export a copy of the certificate

3. Configure PEAP-MSCHAPv2 on ACS

4. Configure usernames / passwords on ACS, -OR- back ACS off to an external database (i.e., LDAP)

5. Create a WPA-TKIP / WPA2-AES network - (consider a dedicated WDS Server if roaming is required).

6. Back the network off to WDS, and point WDS at ACS, -OR- if no WDS, point APs straight at ACS

7. Configure ACS to accept incoming requests from the WDS / APs.

8. Configure Clients to use WPA-TKIP / WPA2-AES + PEAP-MSCHAPv2.

and finally...

9. If you want to go the whole nine yards, install the public half of the certificate on your clients, and configure them to check the identity of the RADIUS server before they authenticate.

Lots of people don't do step 9, but if you don't want to be vulnerable to spoofing / MITM attacks, you should really do it properly. Without step 9, an attacker could potentially spoof your infrastructure and start stealing usernames / passwords from the MSCHAPv2 exchange.
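As an added example (not part of the thread, and not Cisco's or ACS's own configuration), here is what steps 8 and 9 look like on a wpa_supplicant client for the WPA2-AES + PEAP-MSCHAPv2 network described above: the first block stops at step 8, the second applies step 9 by pinning the certificate exported in step 2. The SSID, identity, certificate path and subject are assumed placeholder values.

```ini
# Added example, not from the original post. SSID, identity, file path
# and certificate subject are assumed placeholders.

# Block A: steps 1 to 8 only. No ca_cert means the supplicant accepts
# whatever certificate the RADIUS server presents, so the MSCHAPv2
# exchange can be captured by a rogue RADIUS server (the risk step 9 closes).
network={
    ssid="CAMPUS-WLAN"          # assumed SSID from step 5
    key_mgmt=WPA-EAP
    proto=RSN                   # WPA2
    pairwise=CCMP               # AES
    eap=PEAP
    phase2="auth=MSCHAPV2"      # step 3: PEAP-MSCHAPv2
    identity="jdoe"             # ACS internal-database user (assumed)
    password="placeholder"
    # no ca_cert: server identity is never checked
}

# Block B: step 9 applied. The self-signed ACS certificate from step 2 is
# installed on the client and used as the only trusted issuer, and the
# subject DN is checked so a different cert from the same CA is refused.
network={
    ssid="CAMPUS-WLAN"
    key_mgmt=WPA-EAP
    proto=RSN
    pairwise=CCMP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="jdoe"
    password="placeholder"
    ca_cert="/etc/wpa_supplicant/acs-server.pem"   # assumed path to the step-2 export
    subject_match="/CN=acs.campus.example"         # assumed subject of the ACS cert
    priority=10                                    # prefer this block over A
}
```

Because the ACS certificate is self-signed, pointing ca_cert at the exported server certificate itself is sufficient; if the domain-CA variant in the next reply is used instead, ca_cert should point at the CA's certificate.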

Richard Atkin Tue, 07/08/2008 - 12:35

heh, or set up a CA on your domain, and push the certificate and client configs out using Domain Policy (requires Win2k3 SP1)

vj_vignesh Tue, 07/08/2008 - 18:33

Cool, and thank you very much everyone. I have got some idea now; I'll do some reading and start setting up. Thank you very much. I'll probably have some more doubts, which I'll get clarified from you people.

vj_vignesh Wed, 07/16/2008 - 09:35

Hey, I read that for this the ACS uses the Windows username and password. Is it true? And also, I don't have any domains within my campus; everyone can connect to the network without any domain authentication.

If I use the internal database of the ACS, where will the client enter his access credentials if I do not have any domain controller etc.?
