Hope everyone had a good weekend!
I was hoping someone could point me in the right direction regarding a lab setup I
am trying to put together in order to learn more about how Cisco Aironet devices work
with Radius authentication.
I want to setup Radius authentication against my lab 1142N Aironet device, this
is how I want it to work:
1. MAC-auth and user login / password (I can use Active Directory)
2. Client / server certificates (for additional security)
3. DHCP scope, managed by the Radius server
4. BIND / dns also managed by the Radius server
First question is, what is the commonly accepted authentication level on RADIUS
nowadays, is it EAP-TLS? What do you guys recommend? I need to do this using
freeradius2 (I cannot pay for anything else) - but it seems almost impossible
to find a good guide that explains how this is set up (along with the aironet
If you guys have any tips, that would be hugely appreciated. Thanks
we had a good weekend and I hope you had a good one too
I don't exactly understand your request. Do you want to know how to implement the configuration on the AP, or do you want to know what security type to use with the RADIUS server?
I've seen most people use PEAP-MSCHAPv2 as a security method.
If you are looking at how to configure things on APs, you may consider these links:
You may ask about any specific point that you may still have.
Glad you had a nice weekend, I did too thank you - though it seemed to go very quickly!
Apologies for the confusing post. I am looking for some advice on what security type to use with RADIUS that would provide something along the lines of the following:
client & server certificates
user / login password
integrated using freeradius2 and Microsoft Active Directory (which would provide only the login and password element), and any guides that anyone may know of so that I can test this in my lab.
The only element I want to use Active Directory for is the DOMAIN login and password; I want RADIUS to take care of all of the security.
Thanks very much for your help
Ya. nice things last less.
well, I think you need to use EAP-TLS because it supports client & server certificates.
That should work with either mac authentication or user credentials.
PEAP-MSCHAPv2 needs a certificate on the server but not on the clients.
If you are looking at all three, then no. MAC filtering can be done, but it is not really effective and not used much. EAP-TLS uses a client and a RADIUS server certificate, so you will need a CA or a 3rd party cert. AD username and password, as AA mentioned, is PEAP-MSCHAP. You will not be able to do the last two mentioned together, as they are separate types of authentication methods. Client devices also can only do one or the other.
You can search the Internet when you decide on what you want to do, as there are many docs on how to do each one. Why freeradius, why not just bring up a Microsoft IAS or NPS radius server?
Sent from Cisco Technical Support iPhone App
Scott: I've never implemented EAP-TLS in practice, but can't credentials also be used besides the certificates?
The issue is wireless clients. When you enable certificate instead of MSCHAP PEAP, the credential goes away and the client will only send its valid certificate. So when you implement EAP-TLS, you don't have the option to send user credentials. I know that EAP chaining with the latest AnyConnect client and ISE 1.1.1 will do a true two-factor using EAP-FAST and PEAP, but that's a different story :)
Sent from Cisco Technical Support iPad App
So there is no way to combine EAP-TLS with user-based authentication? I was really hoping to be able to implement this.
What I want to ensure is that I employ an enterprise / paranoid level of security at the AP. Is EAP-TLS good enough for this purpose? It reads like it is, but unfortunately I don't yet have the experience, which is why I wanted to deploy it here.
If there are better ways to do this, any pointers would be much appreciated but the tools that I can use are:
freeradius2 (not microsoft products)
The certificate / CA side is not a problem, I have an internal / test certificate authority set up already - most of the freeradius guides I find look very old.
The ideal scenario is: EAP-TLS (client / server certs) with some kind of MAC authentication (which can be controlled manually) and user authentication. I also wanted to be able to revoke certificates / expire them, which I believe is what a CRL may provide.
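An added example (not from any post in this thread and not the FreeRADIUS project's own sample config) of the `tls` section of a FreeRADIUS 2.x `eap.conf` with CRL checking enabled, plus the `clients.conf` entry that lets the access point talk to the server. The paths, the private-key passphrase, the AP address and the shared secret are assumptions for a lab.

```text
# /etc/raddb/eap.conf (FreeRADIUS 2.x) - added example; paths and passphrase are assumptions
eap {
    default_eap_type = tls
    timer_expire     = 60
    ignore_unknown_eap_types = no

    tls {
        certdir = ${confdir}/certs
        cadir   = ${confdir}/certs

        private_key_password = whatever        # assumption: passphrase on server.key
        private_key_file = ${certdir}/server.key
        certificate_file = ${certdir}/server.pem

        # Trust anchor that issued the client certificates (the internal lab CA)
        CA_file     = ${cadir}/ca.pem
        dh_file     = ${certdir}/dh
        random_file = /dev/urandom

        fragment_size  = 1024
        include_length = yes

        # Revocation: check_crl makes OpenSSL look up a CRL in CA_path, which must
        # contain the CA certificate and the CRL under their hashed file names
        # (run `c_rehash /etc/raddb/certs` every time a new ca.crl is dropped in).
        CA_path   = ${cadir}
        check_crl = yes

        # Reject an otherwise valid certificate whose CN does not match the
        # identity the supplicant sent in the outer EAP-Identity response.
        check_cert_cn = %{User-Name}
    }
}

# /etc/raddb/clients.conf - the Aironet AP as a NAS (address and secret are assumptions)
client ap1142 {
    ipaddr    = 192.168.1.20
    secret    = changeme-lab-secret
    shortname = ap1142
    nastype   = cisco
}
```

Two caveats worth knowing before relying on `check_crl = yes`: OpenSSL treats a missing CRL as a verification failure, so once the flag is on every client is rejected until a current CRL (even an empty one, produced with `openssl ca -gencrl`) is present and hashed in `CA_path`; and FreeRADIUS only re-reads the directory on restart or HUP, so reissuing the CRL has to be followed by a reload. A revoked client certificate can then be confirmed rejected with the same `rad_eap_test` run used for the positive case.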
No way of combining... It's the client side you also need to look at, and all of them do not support doing both. I don't know FreeRADIUS, so I can't help out there. I've only used Microsoft RADIUS and Cisco ACS or ISE. I'm guessing just look for an EAP-TLS guide; even though it's old, things haven't changed.
Sent from Cisco Technical Support iPad App
Thank you very much for your advice above on the differences between EAP-TLS and user authentication. I've set up the EAP-TLS configuration in freeradius and it looks good when tested with rad_eap_test.
I'm trying to find a guide for the access point side of the configuration, does anyone have an existing config as a general pointer that they wouldn't mind sharing?
I already have two SSIDs running on this AP, but since it's at home it doesn't matter; if I could do this without interfering with those, that would be great.
I am assuming, though, that enabling RADIUS auth on the AP is not going to be a global modification (in that it won't affect the existing SSIDs' authentication), since I believe you can set the RADIUS EAP auth method against a specific SSID (the new one I will create) - is that correct?
Thanks again for all your help
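An added example (not posted by anyone in this thread and not a Cisco reference config) of the autonomous-IOS configuration for a third, 802.1X/EAP-only SSID on an Aironet 1142N, pointing at the FreeRADIUS server. The SSID name, VLAN number, server and AP addresses and the shared secret are assumptions; the existing two SSIDs are left as they are because the EAP method list and the encryption settings are attached to the new SSID and its VLAN, not to the radio as a whole.

```text
! Autonomous Aironet 1140-series IOS - added example; names, addresses, VLAN and secret are assumptions
!
! aaa new-model is the one global change here: it also switches console/vty login
! to AAA, so keep a local fallback before saving or you can lock yourself out.
aaa new-model
aaa authentication login default local
!
! The FreeRADIUS host and a server group for EAP (secret must match clients.conf)
radius-server host 192.168.1.10 auth-port 1812 acct-port 1813 key changeme-lab-secret
aaa group server radius rad_eap
 server 192.168.1.10 auth-port 1812 acct-port 1813
!
! Method list referenced only by the new SSID; other SSIDs keep whatever they use today
aaa authentication login eap_methods group rad_eap
!
! New SSID on its own VLAN: 802.1X/EAP through the method list, WPA2 key management
dot11 ssid LAB-EAP
   vlan 20
   authentication open eap eap_methods
   authentication key-management wpa version 2
   mbssid guest-mode
!
! Bind the SSID to the radio; cipher is set per VLAN, so VLANs of the existing SSIDs are untouched
interface Dot11Radio0
 mbssid
 encryption vlan 20 mode ciphers aes-ccm
 ssid LAB-EAP
!
interface Dot11Radio0.20
 encapsulation dot1Q 20
 bridge-group 20
!
interface GigabitEthernet0.20
 encapsulation dot1Q 20
 bridge-group 20
```

To check that the new SSID is actually going to RADIUS while the others are not, associate a client with LAB-EAP and watch `debug radius authentication` on the AP (Access-Request out, Access-Accept with the MS-MPPE keys back), then `show dot11 associations` should list the client under LAB-EAP with key management WPAv2 and EAP as the authentication type.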