Best security options for 2106 controller on Server 2000 RADIUS?

First, a thank you to all that stop to offer advice.  I am getting my feet soaked learning how to deploy an enterprise level wireless solution.  I have seen one work in the past, so I was trying to mimic the configuration I was familiar with.  The only drawback is I am working off a Server 2000 DC and the PEAP authentication is not available to me (at least from what I have read).  I believe this points me to EAP-TLS, but having never deployed something like this, I am at the mercy of searching for advice.  I am working with our firewall person and we have already created VLANs for the 2 SSIDs I want to use.  I have the guest user SSID all figured out.  I have them on a web authorization with a nice custom splash page and all that.  The ACLs are all locked down so no access is allowed back in to our network.  The second SSID is for our AD users and this is the one I am having an issue with.  I'll set the stage:

We are in a mixed domain environment.  That is to say that we are not only using 3 domains, but each domain is at a different level (our location is Server 2000, mail Server 2003, and corporate is 2008).  Our present configuration for local users is WPA-Personal using home type routers and a shared password.  We obviously want to improve on this, so with the new WLC I wanted to go WPA2-Enterprise, AES, and PEAP.  Since PEAP is out due to the domain restrictions, I figured EAP-TLS was the next best solution.

I know this is going to sound crazy, but is there a method that could be used where users from the corporate domain could also authenticate?  I see I can put in up to 3 RADIUS server entries, so if I were to configure a RADIUS on the corporate DC, can I also authenticate to it?  I have to assume that the protocol needs to remain the same or does the WLC not care so long as it authenticates to the RADIUS server (can I use PEAP on the 2008 and EAP-TLS on the 2000)?   I am also going to have to make our DC a CA so I can create the certificates.  I know that once it's rooted there can be a lot of cert issues in the future if something happens to it.  Any advice on that?

On the other end, I understand that for EAP-TLS to work I will need to get the cert on both the client system and the server.  I plan on using GP to place the cert on the approved devices (basically the Notebook group in our AD).  I am also going to create a Wireless Auth group for users and then authenticate the RADIUS against that (second layer of user security).  This was the practice I was used to at my previous employer. 

Sorry if there were too many questions in there, but I have been mulling over this quite some time. Thank you to all.
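As an added illustration (not from this thread or from Cisco), the AireOS CLI for the AD-user SSID described above: WPA2-Enterprise with AES and 802.1X only, mapped to its own VLAN interface, with two RADIUS entries so an IAS on the 2000 DC and an NPS on the 2008 corporate DC can both be listed. The WLC only relays EAP between the client and the RADIUS server, so the EAP method (PEAP or EAP-TLS) is settled between supplicant and server, not in this config; the WLC also tries RADIUS entries in index order and fails over, it does not choose a server per user. The interface name, IPs (documentation range) and secrets are placeholders, and lines starting with `!` are annotations, not commands.

```text
! Added example, not from the thread. Placeholders: 192.0.2.10/11, the secrets, interface "corp-vlan".
! RADIUS index 1 = IAS on the local Server 2000 DC, index 2 = NPS on the 2008 corporate DC.
! Index 2 is only used when index 1 is unreachable; cross-domain lookups happen on the RADIUS/AD side.
config radius auth add 1 192.0.2.10 1812 ascii SECRET-PLACEHOLDER-1
config radius auth enable 1
config radius auth add 2 192.0.2.11 1812 ascii SECRET-PLACEHOLDER-2
config radius auth enable 2
! Corporate WLAN (id 2), mapped to the VLAN interface created for it
config wlan create 2 corp-profile CorpWiFi
config wlan interface 2 corp-vlan
! WPA2 only, AES only, 802.1X key management, no PSK
config wlan security wpa enable 2
config wlan security wpa wpa1 disable 2
config wlan security wpa wpa2 enable 2
config wlan security wpa wpa2 ciphers aes enable 2
config wlan security wpa wpa2 ciphers tkip disable 2
config wlan security wpa akm 802.1x enable 2
config wlan security wpa akm psk disable 2
! Bind the RADIUS entries to this WLAN in preference order, then enable it
config wlan radius_server auth add 2 1
config wlan radius_server auth add 2 2
config wlan enable 2
! Verify the server list and the WLAN security settings
show radius summary
show wlan 2
```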


Best security options for 2106 controller on Server 2000 RADIUS?

With EAP-TLS you need a per-device/user certificate.  So you would want to have your own CA to request the certificate from.  All the users would need to have the root CA in their trust, pushable via GPO.

With the three domains, is there a federation or bi-directional trust between them?

If so, you should be able to still use PEAP, so long as the AD you hit for the username/password can reach across the boundary and validate them.

Steve

HTH, Steve ------------------------------------------------------------------------------------------------ Please remember to rate useful posts, and mark questions as answered

Best security options for 2106 controller on Server 2000 RADIUS?

Steve,

Thank you for the quick response.  There is a two-way trust between the domains.  The functional level is at 2000 though, so will that impact my ability to use PEAP from the newer server? 

We are also using WS08 Standard. Since this is internal I have to assume that it is still valid for our purposes, but I thought I would toss that out there. 

Best security options for 2106 controller on Server 2000 RADIUS?

To my knowledge, so long as the IAS/NPS can reach across the domains to validate the user, PEAP should work.  And you don't need to validate the server certificate, which makes it a bit easier.

Steve

HTH, Steve ------------------------------------------------------------------------------------------------ Please remember to rate useful posts, and mark questions as answered