Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Cisco ACS and AD ? auth and encryption?


we have implemented a Cisco ACS, and have a Microsoft Active Directory implementation.

I would like to know what is the best security method to use for authentication and encryption

without the need to buy any Certificate or client software?

We would like to use the standard Microsoft Windows XP features, without installing any WLAN Clients.


Jorge Sousa


Re: Cisco ACS and AD ? auth and encryption?

There are so many flexible 802.1X authentication type support, including Extensible Authentication Protocol Transport Layer Security (EAP-TLS), Protected EAP (PEAP), Cisco LEAP, EAP-Flexible Authentication via Secure Tunneling (EAP-FAST), and EAP-Message Digest Algorithm 5 (EAP-MD5).

Certificate is just an additional level of security. It is not the only level of security available. So, I believe all the above methods can provide authentication without requiring any additional level of certficate.

Re: Cisco ACS and AD ? auth and encryption?

You can use MS Cert Services to generate an SSL cert for the clients and the ACS box to use. The best bit is that you can use Group Policies to deploy the cert and the WLAN SSID settings to the clients but this will only work if you use the built-in XP client (SP2 is a must) and PEAP security. Cisco do a pretty good how to:

New Member

Re: Cisco ACS and AD ? auth and encryption?

The only thing about going that route is if you have a large deplyment and you are not using Enterprise edition 2k3 you will not be able to create templates for autoenrollment.

It's not that bad if you only have a handful of people, but if you have a large deployment you may want to either move to Enterprise or plan a new route of attack.

New Member

Re: Cisco ACS and AD ? auth and encryption?

Your main constrainer, is that you want to use XP Zero. In order for this to work "properly" (I've deployed it some places improperly against my recommendations), you NEED certificates. "wbrowne" is correct, and you'll need 2003 Enterprise server to make the certifcate deployment managable. I'd aim to use PEAP(EAP-TLS) with machine authentication if I were you, and run WPA2/AES on the radio if all your client device adapters will handle it.