EAP-FAST with Manual PAC

snarayanaraju · ‎01-08-2010

Hi Experts,

I am configuring the setup with the following devices

ACS SOLUTION ENGINE 4.2

WIRELESS LAN CONTROLLER 4404

INTEL PROSET WIRELESS ADAPTER IN LAPTOP

CISCO 1242 WIRELESS ACCESS POINT

LDAP SERVER

I am trying to use LDAP server as the external server connected to CISCO ACS Solution engine. I learned that when EAP FAST is used with ACS & LDAP, manual PAC Provisioning is the only option. I am not able to find the configuration steps for Manual PAC Provisioning In ACS Solution engine document (However it is available as CSULIT.exe in ACS for Windows)

Can you help me by providing information on configuration of ACS Solution engine for Manual PAC Provisioning.

Thanks in advance

sairam

Jatin Katyal · ‎01-10-2010

Hi Sairam:

You are correct. In ACS windows this can be done with Csutil utility where as in ACS solution engine you need to generate manual PAC from the system configuration and EAP-FAST and then define the FTP server.

Manual Pac provisining from ACS solution engine:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/3.3/user/guide/sau.html#wp98829

Set Up the Client for EAP-FAST

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00804b9d57.shtml#client-eap-fast

Please let me know if you need any further aide on this.

HTH

Regards,

JK

Plz rate helpful posts-

~Jatin

snarayanaraju · ‎01-10-2010

Hi JK,

Thanks for the links.Very useful & I have rated Full.

BTW, I learned that EAP-FAST Manual PAC provision involves laborious tasks of manually creating and distribting PAC files to users.

Since my design is not to include PKI / Certificates and to use Username/Password I opted EAP-FAST initially.

Then, because of the drawbacks, Now I am planning to use PEAP-GTC which also have provision to avail Username/Password and no Certificate is involved. Is it correct? Without creating certificates will i be able to deploy PEAP-GTC provided I have ACS server & LDAP as external database

Please let me know if you have any opinion please

regards,

sairam

Jatin Katyal · ‎01-11-2010

Hi Sairam:

Peap is a username/password based authentication but it does require atleast server side certificate, it could be self-signed certificate or any third party certificate.

PEAP-GTC is Cisco propritary, so its meant to work with Cisco products only. But, I also saw that we've an option for EAP-GTC on IBM utility.

In order to enable EAP_GTC, you can use either one of them:

Cisco350card

Cisco ACU utility

PEAP- Generic Token Card (PEAP-GTC)----FEW FACTS

=========================================

# Supports authentication using one-time passwords

# Supports NDS and LDAP

# Supports password change at expiration

# Is defined in a draft RFC

# Does not expose the logon user name in the EAP identity response

# Is not vulnerable to a dictionary attack

# Requires a server certificate and CA certificate, but does not require per-user certificates.

PEAP authentication:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/SCAuth.html#wp326152

HTH

Regards,

JK

Plz rate helpful posts-

~Jatin

snarayanaraju · ‎01-11-2010

Hi JK.

Thanks. I tested in the live environment today. I am using GTC using Intel Pro set utility. This option is available.

Moreover I disabled "Validate certificate" option and it is working even without server side certificate. only username password is sufficient to authenticate.

Your opinion is solicited. Expecting your valuable comments on this please

sairam

Jatin Katyal · ‎01-11-2010

Sairam:

Either you misunderstood or I wasn't clear in my last post...

When I say server side certificate that means, you need to install certificate atleast on the ACS to make this happen.

If it is working fine then you must have server cert installed on the ACS. If you wish, you can verify from the system configuration > ACs certificate page > Install certificate (Please notice the fields "Issued To" and Issued By")

Long story short, PEAP-GTC does use certificate but users will authenticate by providing their credentials.

Hope this helps.

Regards,

JK

Plz rate helpful posts-

~Jatin

snarayanaraju · ‎01-11-2010

Dear JK,

I am sorry If i havenot communicated this properly. However let me describe this now again

I have unchecked the checkbox "VALIDATE CERTIFICATE" in the client supplicant. Then I am able to use only username/password. In this scenario neither i have installed certificates on the client nor accepted certificate from the server.

It is working perfectly with only username/password authentication

any comments please

sairam

Jatin Katyal · ‎01-12-2010

Hey Sai,

Thats okay...I understand that you have unchecked the option on the clients "validate server certificate" on Wireless Zero Configuration utiltiy by Windows and doing this client is not validating/accepting server identity.

We do this, If we donot want to install/accept certificate on client and we can authenticate by issuing username/password. However, we need certificate on the ACS (server certificate) just to enable peap. If we don't install this certificate on the ACS then you won't be able to select PEAP-GTC under system configuration > global authentication.

In nut shell, this is username/password based authentication.

Hope this helps...TC

Regards,

JK

Plz rate helpful posts-

~Jatin

snarayanaraju · ‎01-12-2010

Hi JK,

Its true. I have already created a self signed certificate in ACS Secure Engine

The reaso i went with PEAP is EAP-FAST with LDAP do not support automatic provisioning of PAC in Phase I. Only Manual Provisioning is supported

Correct me if I am deviating from the concept

sairam