LEAP to PEAP Migration

Jul 6th, 2009

I have a customer that must perform a LEAP to PEAP migration. The good thing is that all of the back end authentication is SecureACS, so it can do both. We're using a 4404 WLC with approx. 25 APs. The customer doesn't have centralized management for the clients, so there's no clear upgrade and/or migration path. As laptops come in to the company's repair center, they'll have the profile changed. With that having been said, I have created two different profiles with the same SSID name, but with the security settings for LEAP on one and PEAP on the other. Since the clients only have LEAP or PEAP configured, not both, should this work? I have errors on some of the clients, but it's not clear as to whether or not my config is to blame. The two SSIDs collapse to the same VLAN - will I really see any improvement by placing the users on different VLANs? Or is the recommended practice two different SSIDs and VLANs altogether? Of course I've seen documentation on the latter, and it would seem that no one has considered the rather unusual constraints of my customer insomuch that they don't have a clear cut-over procedure in place (making the two SSID/VLAN approach a no-brainer). I guess I'd like a general consensus as to whether or not it's appropriate for me to demand the recommended hard cut-over since my customer is very reluctant to put forth the effort to do so.


Regards,

Scott

George Stefanick Tue, 07/07/2009 - 05:10

Scott,


There is no need to have 2 SSIDs the same, one for PEAP and LEAP. In fact, you can have 1 SSID and do both LEAP and PEAP on it.


The controller has no idea what 802.1x EAP type you used, right? When you programmed the controller, you don't state which EAP to use or not to use; you simply state 802.1x.


The controller hands off all requests to the ACS. So if your ACS is configured with both LEAP and PEAP, it will dish out LEAP first. If the client is configured for PEAP, the client will respond with a NAK frame with the ID for PEAP. The ACS will then respond to the client with a PEAP request.
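
The method negotiation described in the answer above, modelled at the EAP packet level as an added example (not code from the thread, Cisco, or ACS). The function names are hypothetical, the Identity exchange and the methods' own payloads are left out, and the LEAP-first offer order is taken from the answer; the type numbers 3 (Nak), 17 (LEAP) and 25 (PEAP) are the IANA EAP assignments.

```python
import struct

# EAP codes and method type numbers (RFC 3748 / IANA EAP registry)
REQUEST, RESPONSE, FAILURE = 1, 2, 4
NAK, LEAP, PEAP = 3, 17, 25

def build(code, ident, eap_type=None, data=b""):
    """Serialize an EAP packet: Code, Identifier, Length, then Type and Type-Data."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def parse(pkt):
    """Return (code, identifier, type, type_data) after checking the Length field."""
    if len(pkt) < 4:
        raise ValueError("short EAP header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    typed = code in (REQUEST, RESPONSE)  # only these carry a Type field
    if not (5 if typed else 4) <= length <= len(pkt):
        raise ValueError("bad EAP length")
    return (code, ident, pkt[4], pkt[5:length]) if typed else (code, ident, None, b"")

def client_reply(request, configured):
    """Supplicant with one configured method: accept it, or Nak naming that method."""
    _, ident, offered, _ = parse(request)
    if offered == configured:
        return build(RESPONSE, ident, offered)  # method payload omitted
    return build(RESPONSE, ident, NAK, bytes([configured]))

def server_reply(response, offered, enabled):
    """Server side: on a Nak, re-offer the first desired method that is enabled."""
    _, ident, eap_type, data = parse(response)
    if eap_type == NAK:
        for wanted in data:  # one byte per desired method type
            if wanted in enabled and wanted != offered:
                return build(REQUEST, (ident + 1) % 256, wanted)
        return build(FAILURE, ident)
    return None  # offered method accepted; its own exchange continues from here

def negotiate(enabled, configured):
    """Run the exchange; return the agreed method type, or None on EAP-Failure."""
    request = build(REQUEST, 1, enabled[0])  # first enabled method is offered first
    while parse(request)[0] == REQUEST:
        offered = parse(request)[2]
        nxt = server_reply(client_reply(request, configured), offered, enabled)
        if nxt is None:
            return offered
        request = nxt
    return None  # loop ended on an EAP-Failure
```

With both methods enabled on the server, a LEAP-only and a PEAP-only client each end up on their own method over the same SSID; once LEAP is removed from the enabled list, a LEAP-only client gets an EAP-Failure.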

