How do you connect ACS LEAP-FAST to 4404?

Unanswered Question
May 5th, 2009

How do you connect ACS LEAP-FAST to 4404? I want to have an open SSID where the students can log in with their Novell usernames/passwords but get encrypted.

gamccall Tue, 05/05/2009 - 08:52

There is no LEAP-FAST. There is LEAP, or EAP-FAST. Neither one is built into Windows, so the first step is to make sure that your users have a software client which supports your desired EAP method.

On the 4404, you'll just set up a WPA or WPA2 network using 802.1X, and configure the address and shared key for the ACS server in your RADIUS entries. The specific EAP method is not configured on the controller.

On the ACS server, you will configure the controller as an AAA client with the appropriate shared secret, using Cisco Airespace as the RADIUS type, and make sure that EAP-FAST is enabled and set up in the Global Encryption section. And of course, you'll have to set up external authentication to your Novell LDAP.

Starthorn Tue, 05/05/2009 - 09:47

I mean EAP-Fast.

Where do I type in the RADIUS entries? In the Security tab I see RADIUS on the left.

I also see EAP-FAST Method Parameters under Local EAP.

Starthorn Tue, 05/05/2009 - 10:33

Do I need RADIUS Key Wrap?

Also, which IP should I use in ACS? Should I use the web auth IP or the IP I use to get to the web page?

gamccall Tue, 05/05/2009 - 12:23

You do not need RADIUS key wrap.

Use the controller's management address as the IP address for the AAA client.

RADIUS servers are configured under Security: AAA: Radius servers; then, select the servers under WLANs: your SSID: Security: AAA. You are not using Local EAP; don't configure anything there.
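The same controller-side setup expressed on the WLC command line, as an added illustration that is not part of this thread. It assumes WLAN ID 1 for the secure SSID, a placeholder ACS address of 192.0.2.10, and the test shared secret mentioned later in the thread; the command syntax is that of the 4400-series controller CLI of this era and is an assumption to check against your controller's version. Note that, as the answer says, no EAP method and nothing under Local EAP is configured on the controller, and RADIUS key wrap is left at its default (off).

```text
! Define the ACS as RADIUS authentication server index 1 (UDP 1812, ASCII secret)
! 192.0.2.10 and aaabbbccc are placeholders; use the controller's management
! address as the AAA client IP on the ACS side
config radius auth add 1 192.0.2.10 1812 ascii aaabbbccc
config radius auth enable 1

! Bind the WLAN to WPA2 with 802.1X key management (no EAP method is set here;
! the client and ACS negotiate EAP-FAST between themselves)
config wlan disable 1
config wlan security wpa enable 1
config wlan security wpa wpa2 enable 1
config wlan security wpa akm 802.1x enable 1

! Select RADIUS server index 1 as the authentication server for WLAN 1
config wlan radius_server auth add 1 1
config wlan enable 1

! Verify: the server should be listed as enabled and bound to the WLAN
show radius summary
show wlan 1
```

The order of the RADIUS commands matters only in that the server index must exist before it is attached to the WLAN; the WLAN must be disabled while its security settings are changed.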

Starthorn Wed, 05/06/2009 - 08:50

Here's what I have done so far.

I went to the Security tab in the controller and under AAA > RADIUS > Authentication

I clicked New

typed in the ACS IP

Shared Secret Format: ASCII

Shared key (for a test): aaabbbccc

I left everything else as default

I was able to use the blue arrow on the next screen to ping the ACS server. It worked.

I went to WLAN

clicked on my SSID

went to Security

went to AAA Servers

picked the authentication servers from the drop-down menu.

I try to connect with my laptop with the settings:

gamccall Wed, 05/06/2009 - 09:05

OK, so what happens then? If you're not getting online successfully, what errors do you see on the controller and/or in the ACS authentication logs?

Starthorn Thu, 05/07/2009 - 05:41

I disabled windows firewall. It was blocking the ports.

I also had to enable EAP-FAST on the ACS and turn on anonymous PAC/authenticated PAC.

I'm using a user I made on the ACS.

My next step is to allow EAP-FAST to use my Novell username and password with LDAP... This works for our other SSID that uses web auth.

How do I do this?

gamccall Thu, 05/07/2009 - 06:07

Just set the controller to use the ACS servers as AAA Authentication on your secure SSID.

Starthorn Thu, 05/07/2009 - 06:44

It's set up like that. I assume that you also need the LDAP Servers drop-down box filled in too, right?

I'm picking the same LDAP in the drop-down box as I did when I used LDAP for web auth.

Do I need to configure LDAP on the ACS? Also, do I have to have manual PAC generation to use LDAP or can I use automatic?

gamccall Thu, 05/07/2009 - 06:50

The LDAP boxes on the right are only used if you are using Local EAP, i.e. if you do not have a RADIUS server. If you're using an ACS, then you are not using Local EAP and will leave those options blank.

Starthorn Thu, 05/07/2009 - 08:17

OK, so what would be my next step?

I can connect with GTC and MSCHAPv2. I thought I read MSCHAPv2 can't be used with LDAP.

I can type a username and password in my laptop's client. If I connect, how do I know it's LDAP that let me in?

gamccall Thu, 05/07/2009 - 08:51

The MSCHAP+LDAP issue only comes into play when you are using Local EAP. Again, because you are using an ACS server this is not a Local EAP implementation.

If you are able to connect successfully, doesn't that resolve your problems? Is there a specific reason why you are concerned about verifying that the LDAP protocol is being used? I suppose you could sniff the traffic between the ACS and your Novell server if you wanted to be really sure.

Starthorn Thu, 05/07/2009 - 08:57

I can only connect with the username I made on the ACS server. When I try to use my Novell username and password it doesn't work.

Starthorn Thu, 05/07/2009 - 10:46

OK. I looked up how to generate a PAC file manually but the steps it's telling me to do don't jive with my menu. Must be from an old version. It said:

Go to System Configuration and click EAP-FAST PAC File Generator. It's not there though....

Do you know where I should go to generate a manual PAC?
