ACS & NDS

Unanswered Question
Jul 9th, 2008

Hello!

I need some help with the configuration of a wireless solution that includes an ACS and in which the authentication is based on an NDS database.

As I have seen in Cisco documents, the only authentication methods supported by NDS databases are EAP-GTC, EAP-TLS and EAP-FAST Phase Two.

I have discarded EAP-GTC (the customer doesn't have a token server and so on) and EAP-TLS (we don't want certificates to be used). So the only method we can use is EAP-FAST.

And here is my problem: the NDS database doesn't support EAP-FAST Phase Zero, so it's necessary to manually provide the PAC. Is this correct? Is it necessary to provide every client with a different PAC? How can I configure this?

Has anybody configured a deployment like the one I describe here?

Please, help!!

tstanik Thu, 07/17/2008 - 14:21

Phase zero is optional, and PACs can be manually provided to end-user clients. (See Manual PAC Provisioning.) You control whether ACS supports phase zero by checking the "Allow automatic PAC provisioning" check box in the Global Authentication Configuration page.

For further details on the PAC and its configuration, follow these URLs:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/SCAuth.html#wp326451

http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00808e5d6b.shtml#nd

egarridog Mon, 07/21/2008 - 04:32

Thanks for your answer. But I have more doubts; I hope you can help me.

As I've read in Cisco documents, it's possible to generate PAC files for groups of users. Does this mean that I could use only one PAC file for all the users of the wireless network?

The EAP-FAST phase two method is based on other methods, isn't it? So it's impossible to avoid using EAP-GTC or EAP-FAST. Is this correct?

If I can't avoid them, it's better to use one of them and forget PAC provisioning...

Have you ever configured a solution like the one I described?

Thanks!

PHIL SMITH Mon, 07/21/2008 - 06:08

The trouble with EAP-FAST is that it's a Cisco protocol, and whilst it's 'open', it needs 3rd-party client support (i.e. it's not supported natively in Windows XP, for example).

The simplest way we've come across for integrating wireless authentication with NDS is putting in a Windows server and using Microsoft Windows Services for NetWare to sync between NDS and Windows.

http://www.microsoft.com/windowsserver2003/sfn/default.mspx

Then, point ACS at the Windows server and you've got all the EAP options available to you.

We've never actually installed the Windows box; we've found that people using NDS usually have a Windows box sitting somewhere on the network.

Might not be an option in this case, but maybe worth keeping in mind...

JEFFREY SESSLER Sun, 08/10/2008 - 13:33

You could install FreeRADIUS for eDir (NDS). As long as the customer has already deployed Universal Password, FreeRADIUS can then provide PEAP-MSCHAPv2.

There are a couple of alternatives to ACS, Ignition being one of them, that can also talk with eDir and provide PEAP-MSCHAPv2 support, again assuming the customer has deployed Novell's Universal Password.
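To make the FreeRADIUS option above concrete, here is a constructed configuration sketch (added example, not from this thread, from Cisco or from the FreeRADIUS project) showing how a FreeRADIUS 3.x server would be laid out to terminate PEAP with an inner MSCHAPv2 exchange against eDirectory. It assumes Universal Password is enabled so that rlm_ldap can retrieve the user's password through NMAS using the `edir` option; the server hostname, bind DN, bind password and base DN are placeholders, and the file layout follows the stock FreeRADIUS 3 `raddb` tree.

```conf
# ---- mods-available/eap (fragment) ----
# Outer method is PEAP; the RADIUS server presents its own certificate,
# clients only need to trust the CA (no per-client certs, no PAC).
eap {
    default_eap_type = peap
    tls-config tls-common {
        private_key_file = ${certdir}/server.pem   # placeholder cert paths
        certificate_file = ${certdir}/server.pem
        ca_file          = ${cadir}/ca.pem
    }
    peap {
        tls = tls-common
        default_eap_type = mschapv2        # inner method the clients will use
        virtual_server = "inner-tunnel"    # inner identity is handled there
    }
    mschapv2 {
    }
}

# ---- mods-available/ldap (fragment) ----
# Assumed settings: "edir" makes rlm_ldap fetch the Universal Password
# via NMAS so the MSCHAPv2 challenge/response can be verified.
ldap {
    server   = "ldaps://edir.example.internal"    # placeholder
    identity = "cn=radius,ou=services,o=example"  # placeholder bind DN
    password = "REPLACE_ME"                       # placeholder
    base_dn  = "o=example"                        # placeholder
    edir      = yes
    edir_autz = yes
    user {
        base_dn = "${..base_dn}"
        filter  = "(cn=%{%{Stripped-User-Name}:-%{User-Name}})"
    }
}

# ---- sites-available/inner-tunnel (fragment) ----
# ldap runs in authorize so the retrieved password is available to mschap.
server inner-tunnel {
    authorize {
        mschap
        ldap
        eap
    }
    authenticate {
        Auth-Type MS-CHAP {
            mschap
        }
        eap
    }
}
```

With this layout the access points or controller send RADIUS to the FreeRADIUS host instead of ACS, so the NDS limitation on EAP types no longer applies; the trade-off is that the RADIUS bind account can read Universal Passwords, so its credentials and the LDAPS link to eDirectory deserve the same protection as the directory itself.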
