remote office wireless

Aug 1st, 2008

Good evening everyone. I have a requirement for wireless access in our state offices. They are all over Wide Area Links frac T-1 to T-3's. The requirement is for AES using EAP-FAST. The wireless users must be able to work if the WAN link goes down.

I have looked at the wireless module for the 2800 I have had one working in the lab. I have over 130 different office domains and forests. I need a generic type certificates to allow the users to work and that I can change out at set intervals. The certs that are generated now don't appear to let me do this using MS CA.

Any thoughts on this would be greatly appreciated.



michael.lussier Fri, 08/01/2008 - 12:32

Sorry about the typos! Here is the clearer copy.



Good evening everyone. I have a requirement for wireless access in our state offices. They are all over Wide Area Links using frac T-1 to T-3's. The requirement is for AES using EAP-FAST. The wireless users must be able to work if the WAN link goes down. HREAP Right ….

I have looked at the wireless module for the 2800 I have had one working in the lab. I have over 130 different office domains and forests. I need a generic type certificates to allow the users to work and that I can change out at set intervals. The certs that are generated now don't appear to let me do this using MS CA.

Any thoughts on this would be greatly appreciated.


Scott Fella Fri, 08/01/2008 - 12:57

For H-REAP, you must understand that any EAP type authentication has to be handled by a radius server or a WLC running local EAP. So even with H-REAP AP's, if the WAN goes down, there is no way to authenticate the users, since the AP needs to validate the user via the radius server.


http://www.cisco.com/en/US/products/ps6521/products_tech_note09186a0080736123.shtml#t7

misha_bac Wed, 09/10/2008 - 03:33

and what auth types are supported in h-reap local auth,local switching then?

h-reap design guide says that it can support methods which can be 'handled locally' - what are they?

upd: found it - open, wep, wpa-psk or wpa2-psk



what if we place radius server on each remote site - can then h-reap aps use eap?


basically what i want - it's to place radius server on each site and make WLC auth against it (each site to their own server), and when link goes down, everything would work as intended, like there was no wan fail - LAPs would auth against radius server which is already on their site. is it possible?

Scott Fella Wed, 09/10/2008 - 04:10

If you place a radius server in each remote site, then you can authenticate users via 802.1x. If you want to authenticate LAP's also, it is best practice to have a separate AAA server for that. I have not had a client deploy radius servers in each location, the reason being.... you have to sync all of them. Also, usually all services are centralized, so if the WAN goes down, email and file shares, etc are not available to the user. So take a look at your traffic flow and see if putting a radius server in each site is worth the cost or not. You can still use 802.1x but have the radius server centralized, but again... depends on what you are trying to accomplish.
