Establish encrypted wireless link with Domain computer

Unanswered Question
Jan 29th, 2009

I am beginning to migrate all of my wireless links to WPA; currently they are unencrypted. I have a few computers that receive their connectivity via wireless link. I need to have these computers establish an encrypted wireless link so domain users can log on to them with cached credentials. I have 1100 series APs that establish a wireless link with an ACS using WPA and MS-CHAPv2.

I was told I have to set up 802.1x to allow the computer to establish a link but have not been able to figure this out.


mark.cronin Thu, 01/29/2009 - 12:51


Can your clients support WPA2 (AES)?

If not, you will need to use WPA TKIP.

You have the option of using 802.1x:

EAP-TLS - considered most secure but you need a PKI infrastructure

EAP-TTLS - not that common now

You mentioned MS-CHAPv2 so I think you want a single sign on functionality which PEAP offers.

michael.m.williams Thu, 01/29/2009 - 12:58

I haven't heard of the single sign on feature but yes that sounds like what I want. I have established wireless connectivity using WPA and MS-CHAPv2 but don't believe our equipment supports WPA2. I have a Cisco ACS but do not know how to configure 802.1x, and how I can get domain computers to establish connectivity with the campus network and allow users to use domain credentials to log in.


mark.cronin Thu, 01/29/2009 - 13:09


With EAP-PEAP the wireless supplicant uses your Windows username / password and the laptop/desktop machine account that exists in the Windows Active Directory database to authenticate.

With EAP-TLS the wireless supplicant uses the digital certificate installed on the laptop/desktop to authenticate.

Both methods use WPA or WPA2 to encrypt data

take a look at this link


michael.m.williams Fri, 01/30/2009 - 09:19


Is LEAP the only way to do single sign on? Is there a way to do machine authentication? I really don't want to use LEAP, but I need the computer to establish a network connection before the user logs on.


mark.cronin Tue, 02/03/2009 - 02:16


PEAP with MSCHAPv2 allows for active directory machine and active directory user authentication. You can select machine access restrictions so the user can only use a domain laptop combined with domain username and password. This EAP method also allows users with non cached profiles on the laptop to login.


michael.m.williams Tue, 02/03/2009 - 07:27


Do you have any materials that can assist me in setting this up? Do I need a 3rd party supplicant to make this?


