Establish encrypted wireless link with Domain computer

Jan 29th, 2009

I am beginning to migrate all of my wireless links to WPA; currently they are unencrypted. I have a few computers that receive their connectivity via wireless link. I need to have these computers establish an encrypted wireless link so domain users can log on to them with cached credentials. I have 1100 series APs that establish a wireless link with an ACS using WPA and MS-CHAPv2.


I was told I have to set up 802.1x to allow the computer to establish a link, but I have not been able to figure this out.


Mike

mark.cronin Thu, 01/29/2009 - 12:51

Mike


Can your clients support WPA2 (AES)?

If not, you will need to use WPA TKIP.


You have the option of using 802.1x


EAP-TLS - considered most secure but you need a PKI infrastructure

EAP-PEAPv0

EAP-PEAPv1

EAP-FAST

or

EAP-TTLS - not that common now


You mentioned MS-CHAPv2 so I think you want a single sign on functionality which PEAP offers.

michael.m.williams Thu, 01/29/2009 - 12:58

I haven't heard of the single sign on feature but yes, that sounds like what I want. I have established wireless connectivity using WPA and MS-CHAPv2 but don't believe our equipment supports WPA2. I have a Cisco ACS but do not know how to configure 802.1x, or how I can get domain computers to establish connectivity with the campus network and allow users to use domain credentials to log in.


Mike

mark.cronin Thu, 01/29/2009 - 13:09

Mike


With EAP-PEAP the wireless supplicant uses your Windows username / password and the laptop/desktop machine account that exists in the Windows Active Directory database to authenticate.


With EAP-TLS the wireless supplicant uses the digital certificate installed on the laptop/desktop to authenticate.


Both methods use WPA or WPA2 to encrypt data.


Take a look at this link:


http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/configuration/guide/peap_tls.html


Mark



michael.m.williams Fri, 01/30/2009 - 09:19

Mark,


Is LEAP the only way to do single sign on? Is there a way to do machine authentication? I really don't want to use LEAP, but I need the computer to establish a network connection before the user logs on.


Mike

mark.cronin Tue, 02/03/2009 - 02:16

Mike


PEAP with MSCHAPv2 allows for Active Directory machine and Active Directory user authentication. You can select machine access restrictions so the user can only use a domain laptop combined with a domain username and password. This EAP method also allows users with non-cached profiles on the laptop to log in.


Mark

michael.m.williams Tue, 02/03/2009 - 07:27

Mark,


Do you have any materials that can assist me in setting this up? Do I need a 3rd party supplicant to do this?


Mike
