LAP1142N-A-K9 and 802.11n

Answered Question
Mar 21st, 2012

Can the access point be configured to do local authentication for 802.11N, or is a RADIUS server necessary?

nikhilcherian Wed, 03/21/2012 - 13:06

The AP you mentioned requires a WLC to work with, else you will have to convert it to Autonomous by loading the proper image from the Cisco site to work as a standalone AP. You can configure the AP in autonomous mode to work for local authentication.

bellaireroad Wed, 03/21/2012 - 17:00

Thanks. I was aware that it would do local authentication for 802.11g, but can it be set up to authenticate for 802.11N? Apparently, to get N speed, WPA/AES is required.

nikhilcherian Wed, 03/21/2012 - 20:34

Authentication is not dependent on 11n or g, and for getting 11n speed you need to have either OPEN authentication or WPA2 with AES.

Regards

NikhiL

bellaireroad Thu, 03/22/2012 - 08:31

Thanks. Getting back to the original question, can the 1142 be configured as a local RADIUS server to do WPA2 with AES?

best regards, Roger

airframes Thu, 03/22/2012 - 12:29

Roger,

NikhiL is saying that your desired authentication method is not limited based on your decision to use .11g or .11n or .11a or 11Mbps or 54Mbps or 144Mbps or whatever other physical parameters you want to configure.

Yes, you can set up local authentication on your 1142 using a local RADIUS server.

What you do beyond that, WPA with TKIP or WPA2 with AES or OPEN is a radio configuration, not a AAA configuration.

What is it you want to authenticate on your local RADIUS server? A MAC address? A username and password?

Justin

George Stefanick Thu, 03/22/2012 - 12:32

Just to beat a dead horse

802.11N

OPEN - No security

PSK - WPA2/AES

ENTERPRISE - WPA2/AES

Nothing else will work ..

Leo Laohoo Thu, 03/22/2012 - 13:27

Just to beat a dead horse

802.11N

OPEN - No security

PSK - WPA2/AES

ENTERPRISE - WPA2/AES

Nothing else will work ..

Two words:  ANIMAL CRUELTY

bellaireroad Thu, 03/22/2012 - 15:02

Hello Justin,

Thanks for the explanation. I am trying to set up the access point as a local RADIUS server to do WPA2/AES. I have been using the web interface, and these are the options I get. I'm a little confused because I don't see an option for WPA2/AES. I must be missing something?

Correct Answer
airframes Thu, 03/22/2012 - 16:09

Roger,

Correct. This is because WPA2 in and of itself is not really an authentication protocol. For example, if you look at setting up WPA2 Enterprise on a W7 machine, you will see security options that allow you to pick the authentication protocol. Your options in Windows 7 native are SmartCard/Certificate or PEAP (which is one of the flavors of Extensible Authentication Protocol, aka EAP). Here is a screengrab:

Unfortunately, the native EAP options in Windows are not compatible with the native Aironet autonomous EAP options, which are LEAP (older) and EAP-FAST (newer). Both of these EAP methods are Cisco-developed methods. If you want to use local EAP authentication on an AP, I would suggest you go with EAP-FAST. To get EAP-FAST functionality onto your Windows client, you can use the Cisco AnyConnect client with the Network Access Manager (NAM) module. This is what that client looks like, and you can see from the authentication selection list that you now have an option for EAP-FAST (and LEAP):

You would configure WPA2/AES independently, which you do through the security settings -- encryption manager. You need to first enable support for the AES CCMP cipher, and then you need to enable WPA support on your SSID (along with your accepted EAP method).

The link that George provided is a good guide to put all this together. Modify the instructions to use EAP-FAST instead of LEAP, configure an AES CCMP cipher instead of WEP, and set your SSID to accept Open with EAP + Network EAP and also WPAv2.

Justin
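
An added example, not part of Justin's post or of Cisco's documentation: a small Python check that reads an autonomous AP running-config and reports where it lacks the changes listed above (WPA2 key management plus Open with EAP and Network EAP on the SSID, an AES-CCMP-only cipher on the radio, LEAP turned off on the local RADIUS server). The sample config is constructed, and the IOS command spellings it matches are assumptions to verify against the AP's software release.

```python
# Constructed sample running-config (not from the thread). SSID names, the method-list
# name and the NAS address are placeholders; command spellings are assumed IOS syntax.
SAMPLE = """\
dot11 ssid CORP
 authentication open eap eap_methods
 authentication network-eap eap_methods
 authentication key-management wpa version 2
dot11 ssid LEGACY
 authentication open
interface Dot11Radio0
 encryption mode ciphers aes-ccm
 ssid CORP
interface Dot11Radio1
 encryption mode wep mandatory
 ssid LEGACY
radius-server local
 no authentication leap
 nas 192.0.2.10 key PLACEHOLDER
"""

def blocks(config):
    """Group indented sub-commands under their top-level command."""
    out, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        if not line.startswith(" "):
            current = line.strip()
            out[current] = []
        elif current is not None:
            out[current].append(line.strip())
    return out

def audit(config):
    """Return findings for the changes the answer asks for."""
    findings = []
    for head, body in blocks(config).items():
        if head.startswith("dot11 ssid "):
            name = head.split()[2]
            for need in ("authentication key-management wpa version 2",
                         "authentication open eap", "authentication network-eap"):
                if not any(l.startswith(need) for l in body):
                    findings.append(f"{name}: missing '{need}'")
        elif head.startswith("interface Dot11Radio"):
            if [l for l in body if l.startswith("encryption")] != ["encryption mode ciphers aes-ccm"]:
                findings.append(f"{head.split()[1]}: cipher is not AES-CCMP only")
        elif head == "radius-server local" and "no authentication leap" not in body:
            findings.append("local RADIUS: LEAP still accepted")
    return findings
print(*audit(SAMPLE), sep="\n")
```
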

bellaireroad Thu, 03/22/2012 - 17:02

Thanks Justin, for taking the time to provide a very concise and detailed explanation... greatly appreciated. Most of the devices on our network are Windows machines, and installing clients on all of them isn't an attractive option. We have Server 2003 on the network, which I think can be set up as a RADIUS server with PEAP and WPA2/AES. This might be the best way to go.

Most of the network users also have iPhones... any special considerations there?

Just as an aside, what is Cisco's logic in not supporting PEAP, since I'm guessing most supplicants are Windows machines?

Best Regards, Roger


Posted March 21, 2012 at 8:36 AM