Wireless / PEAP / Radius / Scenario type question!

Unanswered Question
Aug 1st, 2006
I suspect the answer to the question is simply "No", but you guys may know better.


The scenario is as follows:


A wireless infrastructure with Cisco Aironet 1200 access points in over 50 different locations. Each location has a connection back to one central site. There is no wireless coverage between locations, so it's a kind of a hub and spoke topology. The connections back to the central site are Internet based VPN tunnels which are not entirely reliable and may have some latency issues.

The wireless clients will be installed on buses. These buses will be moving from location to location. Each time they come within range of an AP they should be automatically authenticated with no manual intervention; this part is pretty straightforward (I think).

The client devices on the buses must use PEAP authentication; they authenticate to a Windows 2003 server with IAS (RADIUS) and CA services running at the central site.


Question


If the Link to the central site goes down and the IAS server is unavailable, is there any way the clients can authenticate and be given access to the Wireless network?


Thanks


David


scottmac Tue, 08/01/2006 - 05:22

I don't think it'll happen, as described.


Even if you made each of the fifty sites a separate subnet and each of the fifty APs a WDS, or used a WLSM to get L2/L3 mobility, or used the LWAP stuff ... everything relies on access to, or through, a central site.


Without access to the central site for handoff information and/or authentication, the system would fail.


If you can swing some sort of redundant connection (maybe a wireless backbone?) then there are a couple approaches.



If you're dealing with a fairly static client base, then you may want to look into using certificates versus PEAP ... it might make the auth process a little more seamless (and it still works with the MS IAS/CA system).


If you engage a commercial CA (like Verisign), then you could do the authentication against the commercial CA from each of the fifty sites via the Internet (eliminates the need for auth access to the central site).


I believe you can also establish a CA hierarchy such that if access to one is blocked, the client can try the next in line.


This is the only way I can think of to get around your "central site" single point of failure.


Good Luck


Scott
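To make the failure mode in this thread concrete, here is an added Python model (not Cisco code and not part of the original thread) of how an access point walks its RADIUS server list: each server is retried a fixed number of times, marked dead for a dead-time window after it stops answering, and authentication fails closed when no server is left. The server names, the `reachable` flag standing in for the VPN link, the retransmit/dead-time values and the `VALID_USERS` credential store are all constructed assumptions.

```python
"""Model of an access point's RADIUS failover behaviour.

Added illustration for this thread, not Cisco code: the server list, the
link-state flag, the timing values and the user store are constructed.
"""
from dataclasses import dataclass

# Constructed sample credential store; a real IAS server would consult AD.
VALID_USERS = {"bus-0421"}


@dataclass
class RadiusServer:
    name: str
    reachable: bool          # constructed: True when the VPN link to it is up
    dead_until: float = 0.0  # time until which the AP skips this server
    sent: int = 0            # Access-Requests transmitted (for inspection)

    def is_dead(self, now: float) -> bool:
        return now < self.dead_until


class Authenticator:
    """Tries servers in order; an unanswering server is marked dead for
    `deadtime` seconds so later clients do not wait on it again."""

    def __init__(self, servers, retransmit: int = 3, deadtime: float = 60.0):
        self.servers = list(servers)
        self.retransmit = retransmit
        self.deadtime = deadtime

    def _send(self, server: RadiusServer, username: str):
        """Stand-in for one Access-Request; None models a timeout."""
        server.sent += 1
        if not server.reachable:
            return None
        return "Access-Accept" if username in VALID_USERS else "Access-Reject"

    def authenticate(self, username: str, now: float):
        """Return (result, server_name). Result is No-Response when every
        server is dead or unreachable, i.e. the client gets no access."""
        for server in self.servers:
            if server.is_dead(now):
                continue
            for _ in range(self.retransmit):
                reply = self._send(server, username)
                if reply is not None:
                    return reply, server.name
            # All retransmits timed out: mark dead and fall through to the next.
            server.dead_until = now + self.deadtime
        return "No-Response", None


def central_only_link_down():
    """The thread's scenario: one IAS server behind a failed VPN link."""
    central = RadiusServer("central-ias", reachable=False)
    ap = Authenticator([central])
    return ap.authenticate("bus-0421", now=0.0), central.sent


def central_down_with_backup():
    """Same outage with a second, reachable server configured on the AP.
    Returns the first result, then a second attempt inside the dead-time
    window (central skipped), then one after it expires (central retried)."""
    central = RadiusServer("central-ias", reachable=False)
    backup = RadiusServer("backup-ias", reachable=True)
    ap = Authenticator([central, backup], retransmit=3, deadtime=60.0)
    first = ap.authenticate("bus-0421", now=0.0)
    sent_after_first = central.sent
    second = ap.authenticate("bus-0421", now=10.0)
    sent_after_second = central.sent
    third = ap.authenticate("bus-0421", now=70.0)
    sent_after_third = central.sent
    return (first, second, third,
            sent_after_first, sent_after_second, sent_after_third)


if __name__ == "__main__":
    print("central only, link down:", central_only_link_down())
    print("central down, backup present:", central_down_with_backup())
```

The `retransmit` and `deadtime` knobs correspond to the `radius-server retransmit` and `radius-server deadtime` settings on IOS-based access points; the model shows why, without a second server that the AP can reach without the central link, every bus at an isolated site ends up in the `No-Response` branch and is never admitted.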

