Cisco Support Community

New Member

Aironet security using freeradius2

Hi all

Hope everyone had a good weekend!

I was hoping someone could point me in the right direction regarding a lab setup I am trying to put together in order to learn more about how Cisco Aironet devices work with RADIUS authentication.

I want to set up RADIUS authentication against my lab 1142N Aironet device. This is how I want it to work:

1. MAC-auth and user login / password (I can use Active Directory)

2. Client / server certificates (for additional security)

3. DHCP scope, managed by the RADIUS server

4. BIND / DNS also managed by the RADIUS server

First question is, what is the commonly accepted authentication level on RADIUS nowadays, is it EAP-TLS? What do you guys recommend? I need to do this using freeradius2 (I cannot pay for anything else), but it seems almost impossible to find a good guide that explains how this is set up (along with the Aironet configuration).

If you guys have any tips that would be hugely appreciated, thanks

9 REPLIES

Aironet security using freeradius2

Hi,

We had a good weekend and I hope you had a good one too.

I don't exactly understand your request. Do you want to know how to implement the configuration on the AP, or do you want to know what security type to use with the RADIUS?

I've seen most people use PEAP-MSCHAPv2 as a security method.

If you are looking for how to configure things on APs you may consider these links:

http://www.cisco.com/en/US/products/hw/wireless/ps4570/prod_configuration_examples_list.html

http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_configuration_examples_list.html

http://www.cisco.com/en/US/tech/tk722/tk809/tech_configuration_examples_list.html

You may ask about any specific point that you may still have.

Greetings,

Amjad

Rating useful replies is more useful than saying "Thank you"
New Member

Aironet security using freeradius2

Hey Amjad

Glad you had a nice weekend, I did too thank you - though it seemed to go very quickly!

Apologies for the confusing post. I am looking for some advice on what security type to use with RADIUS that would provide something along the lines of the following:

client mac-authentication

client & server certificates

user / login password

integrated using freeradius2 and Microsoft Active Directory (which would provide only the login and password element), and any guides that anyone may know of so that I can test this in my lab.

The only element I want to use Active Directory for is the DOMAIN login and password; I want RADIUS to take care of all of the security.

Thanks very much for your help

Aironet security using freeradius2

Ya, nice things last less.

Well, I think you need to use EAP-TLS because it supports client & server certificates.

That should work with either mac authentication or user credentials.

PEAP-MSCHAPv2 needs a certificate on the server but not on the clients.

HTH

Amjad

Rating useful replies is more useful than saying "Thank you"
Hall of Fame Super Silver

Re: Aironet security using freeradius2

If you are looking at all three, then no. MAC filter can be done, but it's not really effective and not used much. EAP-TLS uses a client and RADIUS server certificate, so you will need a CA or a 3rd party cert. AD username and password like AA mentioned is PEAP MSCHAP. You will not be able to do the last two mentioned together as they are separate types of authentication methods. Client devices can only also do one or the other.

You can search the Internet when you decide on what you want to do, as there are many docs on how to do each one. Why freeradius, why not just bring up a Microsoft IAS or NPS RADIUS server?

Sent from Cisco Technical Support iPhone App

Thanks, Scott *****Help out other by using the rating system and marking answered questions as "Answered"*****

Aironet security using freeradius2

Scott: I've never implemented EAP-TLS in practice, but can't credentials also be used alongside the certificates?

Rating useful replies is more useful than saying "Thank you"
Hall of Fame Super Silver

Re: Aironet security using freeradius2

Amjad,

The issue is wireless clients. When you enable certificate instead of MSCHAP PEAP, the credential goes away and the client will only send its valid certificate. So when you implement EAP-TLS, you don't have the option to send user credentials. I know that EAP chaining with the latest AnyConnect client and ISE 1.1.1 will do a true two-factor using EAP-FAST and PEAP, but that's a different story :)

Sent from Cisco Technical Support iPad App

Thanks, Scott *****Help out other by using the rating system and marking answered questions as "Answered"*****
New Member

Re: Aironet security using freeradius2

Thanks guys

So there is no way to combine EAP-TLS with user based authentication? I was really hoping to be able to implement this.

What I want to ensure is that I employ an enterprise / paranoid level of security at the AP. Is EAP-TLS good enough for this purpose? It reads like it is, but unfortunately I don't yet have the experience, which is why I wanted to deploy it here.

If there are better ways to do this, any pointers would be much appreciated but the tools that I can use are:

freeradius2 (not microsoft products)

active directory

aironet 1142n

The certificate / CA side is not a problem, I have an internal / test certificate authority set up already; most of the freeradius guides I find look very old.

The ideal scenario is: EAP-TLS (client / server certs) with some kind of MAC-authentication (which can be controlled manually) and user authentication. I also wanted to be able to revoke certificates / expire them, which I believe is what a CRL may provide.

Thanks again

Hall of Fame Super Silver

Re: Aironet security using freeradius2

No way of combining... It's the client side also you need to look at, and all of them do not support doing both. I don't know free radius, so I can't help out there. I've only used Microsoft RADIUS and Cisco ACS or ISE. I'm guessing just look for an EAP-TLS guide; even though it's old, things haven't changed.

Sent from Cisco Technical Support iPad App

Thanks, Scott *****Help out other by using the rating system and marking answered questions as "Answered"*****
New Member

Re: Aironet security using freeradius2

Hi guys

Thank you very much for your advice above on the differences between EAP-TLS and user authentication. I've set up the EAP-TLS configuration in freeradius and it looks good when tested with rad_eap_test.

I'm trying to find a guide for the access point side of the configuration. Does anyone have an existing config as a general pointer that they wouldn't mind sharing?

I already have two SSIDs running on this AP, but since it's at home it doesn't matter; still, if I could do this without interfering with those that would be great.

I am assuming though that enabling RADIUS auth on the AP is not going to be a global modification (in that it won't affect existing SSIDs' authentication), since I believe you can set the RADIUS EAP auth method against a specific SSID (the new one I will create). Is that correct?

Thanks again for all your help
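An autonomous Aironet (IOS) configuration that binds 802.1X/EAP to one new SSID only, leaving the AP's existing SSIDs untouched. This is an added illustration, not a config posted in the thread; the RADIUS address, shared secret, VLAN 20, SSID name and list names are assumed lab values.

```cisco
! Added example (not from the thread): RADIUS/EAP bound to a single SSID on an
! autonomous Aironet 1142N. 192.0.2.10, LabSharedSecret, VLAN 20 and the
! SSID/list names are assumed values; replace them with your own.
aaa new-model
!
! The freeradius2 server (assumed address and secret); the secret must match
! the client entry for this AP in freeradius's clients.conf
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key LabSharedSecret
!
! Server group and method lists referenced only by the new SSID, so SSIDs
! that do not name these lists keep their current authentication
aaa group server radius rad_eap
 server 192.0.2.10 auth-port 1812 acct-port 1813
aaa authentication login eap_methods group rad_eap
! Optional list for MAC authentication against the same server; the AP sends
! the client MAC as username and password, so RADIUS needs a matching entry
aaa authentication login mac_methods group rad_eap
!
! New SSID: WPA2 with 802.1X. Both the MAC check and EAP must succeed here;
! drop "mac-address mac_methods" for plain EAP-TLS. The EAP type itself is
! negotiated between supplicant and RADIUS server, not set on the AP.
dot11 ssid LAB-EAPTLS
 vlan 20
 authentication open mac-address mac_methods eap eap_methods
 authentication key-management wpa version 2
!
! AES-CCMP for the new VLAN; the existing SSIDs' VLANs keep their own ciphers
interface Dot11Radio0
 encryption vlan 20 mode ciphers aes-ccm
 ssid LAB-EAPTLS
!
! Bridge VLAN 20 between radio and wired side (dot1Q trunk on the switch port)
interface Dot11Radio0.20
 encapsulation dot1Q 20
 bridge-group 20
interface GigabitEthernet0.20
 encapsulation dot1Q 20
 bridge-group 20
!
! Checks once a client associates:
!  show dot11 associations
!  debug radius authentication
```

Keep `debug radius authentication` running on the AP while `radiusd -X` runs on the freeradius side; the AP debug shows the Access-Request/Challenge exchange, and the server side shows the TLS handshake and certificate validation result.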
