Cisco Support Community
Silver

EAP Authentication Configuration for EAP-FAST and PEAP

Hi Everyone,

I pretty much got EAP working, however using LEAP.
When I get to EAP-FAST and PEAP, I just can't seem to get it to work.

What am I missing? I do know that EAP-FAST and PEAP involve certificates. However, how do I set them up on the client side?
Hope you guys can help me on this, stuck on this part xD

1 ACCEPTED SOLUTION

First I would make sure PEAP or FAST is configured correctly. When testing, pay close attention to the logs on the WLC or do the necessary debugs to troubleshoot.

Good read on local EAP:
http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-4/configuration/guides/consolidated/b_cg74_CONSOLIDATED/b_cg74_CONSOLIDATED_chapter_0110010.html

To configure your client, I will assume it is Windows 7 or newer?

https://supportforums.cisco.com/document/68096/peap-authentication-configuration-example-windows-7

 

 

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin

10 REPLIES
VIP Purple

Typically no client-side certs are involved in PEAP (that's why it is the most popular EAP method used in enterprise environments). For EAP-FAST there is no certificate involvement at all.

As long as you have installed the certs on your RADIUS server, you should be able to do PEAP. Here is a reference post for these using ACS 5.2:

http://mrncciew.com/2013/03/03/peap-eap-fast-with-acs-5-2/

HTH

Rasika

**** Pls rate all useful responses ****

EAP is a complicated subject for sure. But it shouldn't be really once you know the foundation. 

EAP-PEAP can use server side and client side, and EAP-FAST can as well. It all depends on how it's deployed.

Generally speaking, most deployments of PEAP use server side only and EAP-FAST uses PACs only.

The cert that you install on the RADIUS server for PEAP is passed to the wireless supplicant and is used by the supplicant to hash the logon and password from the user. This hash is passed back to the RADIUS server, which has the private key and can decode the hash and pass the user ID and password back to AD, for example.

 

Hope this helps .. 

VIP Purple

George is the wirelessguru  & master of EAP. 

LOL .. you've made me smile .. BTW your blog is awesome! 

Silver

Thanks George,

So basically I need to have an ACS server? Because currently I do not have one.
Anyway, is it possible to NOT use ACS? Basically EAP-FAST and PEAP only use the WLC and no other devices.

With regards to the authentication, I know local (duh haha) and also AD (LDAP) are supported, so yeah.

If you have a small deployment, the WLC can also act as a local RADIUS server, so yes. Or you can use other RADIUS solutions like FreeRADIUS, ACS, etc. Check out this video by Richard: http://www.youtube.com/watch?v=YIxG4OEfwtY

 

 

Silver

and additionally, where can I

...

Silver

Thanks George,

Looking at your link, I think I know what my mistake is.
I'll try this solution! haha :D

Thanks again! :))

Silver

Hi George,

Thank you for your reply,
Basically, I have already tried EAP using LEAP, set up the connecting client (laptop) and poof! I was able to connect.

However, when I switched to EAP-FAST or PEAP, I cannot connect anymore.
What steps do I need to do on the connecting client in order for it to work? It is more likely that I missed a step on the client setup side.
