802.1x *without* encryption. Is it possible?

May 25th, 2010

Hi,


I have an ACU Client, WLC (with local EAP) and an external RADIUS server.


My aim is to use 802.1x, but WITHOUT encryption.



In the Cisco ACU, when I select 802.1x, I have to select an EAP type.


    With EAP-FAST selected,


      On the WLC, if I enable local EAP, and select WEP with No key size, it does not work.

      I have to select a Key size, thereby enabling WEP.


         I believe this is because EAP-FAST *MANDATES* using WEP or a 4 way handshake..



A. If I select other EAP types, and setup my authentication server (Free RADIUS) to support the EAP type,


    can I have a setup that can NOT use encryption ?


          On the WLC, do I just select 802.1x and a WAP key with 0 size ?



B. Is this not possible with any form of Local EAP ??



Thanks

George Stefanick Fri, 05/28/2010 - 10:30

Interesting question ...


I wonder why you would want to do that ...?


I just checked and it does look like you can do 802.1x with a wep key of NONE.


You may want to give that a shot ...


Please rate the post if you find this helpful

shahedvoicerite Sun, 05/30/2010 - 09:33

Hi George,


That's actually one of the first things I had tried, but it does not seem to work.


I repeated the test again, but this time with a sniffer running.


            I see the open auth/association go through, but it never proceeds to 802.1x (However this was with an all mixed cell flag on)


            Without that flag set, I don't see any packets from the client, except probe requests !!



On the controller, I was also running a debug aaa enable all, and don't see any activity, in both the above cases.



The moment I set the WEP key length from NONE to 104 bits, it works.


I'll try with other clients, but I believe the result will be the same.


Also, this is just to get a better understanding of the behaviour of 802.1x.. Not for production.

Scott Fella Tue, 06/01/2010 - 08:56

Not possible.... no encryption is having the ssid set to open or layer 2 security set to none.  802.1x usually means some type of authentication to verify the user or device unless WEP is configured. Here is a link you might have seen already regarding different types of authentication on the WLC:


http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807f42e9.shtml#auth-8201


Scott
