remote office wireless

michael.lussier
Level 1

Good evening everyone. I have a requirement for wireless access in our state offices. They are all over Wide Area Links, frac T-1 to T-3's. The requirement is for AES using EAP-FAST. The wireless users must be able to work if the WAN link goes down.

I have looked at the wireless module for the 2800; I have had one working in the lab. I have over 130 different office domains and forests. I need generic type certificates to allow the users to work and that I can change out at set intervals. The certs that are generated now don't appear to let me do this using MS CA.

Any thoughts on this would be greatly appreciated.

4 Replies

michael.lussier
Level 1

Sorry about the typos! Here is the clearer copy.

Good evening everyone. I have a requirement for wireless access in our state offices. They are all over Wide Area Links using frac T-1 to T-3's. The requirement is for AES using EAP-FAST. The wireless users must be able to work if the WAN link goes down. HREAP Right ….

I have looked at the wireless module for the 2800; I have had one working in the lab. I have over 130 different office domains and forests. I need generic type certificates to allow the users to work and that I can change out at set intervals. The certs that are generated now don't appear to let me do this using MS CA.

Any thoughts on this would be greatly appreciated.

For H-REAP, you must understand that any EAP type authentication has to be handled by a RADIUS server or a WLC running local EAP. So even with H-REAP APs, if the WAN goes down, there is no way to authenticate the users, since the AP needs to validate the user via the RADIUS server.

http://www.cisco.com/en/US/products/ps6521/products_tech_note09186a0080736123.shtml#t7

-Scott
*** Please rate helpful posts ***

And what auth types are supported in H-REAP local auth, local switching then?

The H-REAP design guide says that it can support methods which can be 'handled locally' - what are they?

Update: found it - open, WEP, WPA-PSK or WPA2-PSK.

What if we place a RADIUS server on each remote site - can H-REAP APs then use EAP?

Basically what I want is to place a RADIUS server on each site and make the WLC auth against it (each site to its own server), and when the link goes down, everything would work as intended, as if there were no WAN failure - LAPs would auth against the RADIUS server which is already on their site. Is it possible?

If you place a RADIUS server in each remote site, then you can authenticate users via 802.1x. If you want to authenticate LAPs also, it is best practice to have a separate AAA server for that. I have not had a client deploy RADIUS servers in each location, the reason being... you have to sync all of them. Also, usually all services are centralized, so if the WAN goes down, email and file shares, etc. are not available to the user. So take a look at your traffic flow and see if putting a RADIUS server in each site is worth the cost or not. You can still use 802.1x but have the RADIUS server centralized, but again... it depends on what you are trying to accomplish.

-Scott
*** Please rate helpful posts ***