
EAP Authentication Configuration for EAP-FAST and PEAP

LJ Gabrillo
Level 5

Hi Everyone,

I pretty much got EAP working, though using LEAP.
When I get to EAP-FAST and PEAP, I just can't seem to get it to work.

What am I missing? I do know that EAP-FAST and PEAP involve certificates. However, how do I set them up on the client side?
Hope you guys can help me on this, stuck on this part xD

Accepted Solutions

First I would make sure PEAP or FAST is configured correctly. When testing, pay close attention to the logs on the WLC or do the necessary debugs to troubleshoot.

Good read on local EAP:
http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-4/configuration/guides/consolidated/b_cg74_CONSOLIDATED/b_cg74_CONSOLIDATED_chapter_0110010.html

To configure your client, I will assume it is Windows 7 or newer?

https://supportforums.cisco.com/document/68096/peap-authentication-configuration-example-windows-7

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin

Typically no client-side certs are involved in PEAP (that's why it is the most popular EAP method used in enterprise environments). For EAP-FAST there is no certificate involvement at all.

As long as you have installed the certs on your RADIUS server you should be able to do PEAP. Here is a reference post for these using ACS 5.2:

http://mrncciew.com/2013/03/03/peap-eap-fast-with-acs-5-2/

HTH

Rasika

**** Pls rate all useful responses ****

George Stefanick
VIP Alumni

EAP is a complicated subject for sure. But it shouldn't be really once you know the foundation. 

EAP-PEAP can use server side and client side, and EAP-FAST can as well. It all depends on how it's deployed.

Generally speaking, most deployments of PEAP use server side only and EAP-FAST uses PACs only.

The cert that you install on the RADIUS server for PEAP is passed to the wireless supplicant and is used by the supplicant to hash the logon and password from the user. This hash is passed back to the RADIUS server, which has the private key and can decode the hash and pass the user ID and password back to AD, for example.

Hope this helps .. 

George is the wirelessguru  & master of EAP. 

LOL .. you've made me smile .. BTW your blog is awesome! 

Thanks George,

So basically I need to have an ACS server? Because currently I do not have one.
Anyway, is it possible to NOT use ACS? Basically EAP-FAST and PEAP only use the WLC and no other devices.

With regards to the authentication, I know local (duh haha) as well as AD (LDAP) is supported, so yeah.

If you have a small deployment, the WLC can also act as a local RADIUS server, so yes. Or you can use other RADIUS solutions like FreeRADIUS, ACS, etc. Check out this video by Richard: http://www.youtube.com/watch?v=YIxG4OEfwtY

Thanks George,

Looking at your link, I think I know what my mistake is.
I'll try this solution! haha :D

Thanks again! :))

Hi George,

Thank you for your reply.
Basically, I have already tried EAP using LEAP, set up the connecting client (laptop) and poof! I was able to connect.

However, when I switched to EAP-FAST or PEAP, I could not connect anymore.
What steps do I need to do on the connecting client in order for it to work? It is more likely that I missed a step on the client setup side.
