Cisco Support Community
New Member

EAP-FAST and MAC authentication with WPA2 on Local RADIUS for 1242AG access point

Hi,

Does anyone have a working configuration for this combination?

Regards

VP

7 REPLIES
Cisco Employee

Re: EAP-FAST and MAC authentication with WPA2 on Local RADIUS fo

Why not go for LOCAL EAP with MAC filtering? Here is the configuration example.

LOCAL LEAP

===========

http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801c0912.shtml

and

MAC FILTERING

============

https://supportforums.cisco.com/docs/DOC-13767

lemme know if this answered your question..

Regards
Surendra

======

Please don't forget to rate the post if this answered your question
New Member

Re: EAP-FAST and MAC authentication with WPA2 on Local RADIUS fo

Hi and thank you for your reply.

I have already tried LEAP with MAC on Local RADIUS and it works fine! But I'm sure that EAP-FAST provides a more secure way (PACs) to protect the communication between the radio interface and clients in terms of possible dictionary or man-in-the-middle attacks.

Regarding the ACL, how can I specifically implement for my radio 802.11g interface an ACL which excludes ALL TIME all IPs except those 2 static IPs assigned to my handheld clients and, furthermore, permits the association, authentication and traffic of those 2 IPs with the AP on a daily basis but from 14:00 till 07:00, assuming though that the AP will be administratively reachable via WEB Console or Telnet any day/time?

Regards

VP

Cisco Employee

Re: EAP-FAST and MAC authentication with WPA2 on Local RADIUS fo

Hi,

In the local server settings you can select EAP-FAST as well instead of LEAP..

Now the access list part of it..

here is the configuration..

en
conf t
time-range hi
periodic weekdays <start-time> to <end-time> [eg = periodic daily 14:00 to 19:00]
end

config t
ip access-list extended 111
access-list 111 permit ip host <client-ip-1> any time-range hi
access-list 111 permit ip host <client-ip-2> any time-range hi

eg-

access-list 111 permit ip host 10.10.10.10 any time-range hi
access-list 111 permit ip host 10.10.10.11 any time-range hi
end

conf t
int dot11 0
ip access-group 111 in

lemme know if this answered your question..

Regards

Surendra

========

Please don't forget to rate the post if this was helpful for you or useful
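
A small model of how ACL 111 from the reply above decides on traffic, added here as an example (not part of the original thread and not Cisco code): an entry tied to a time-range only matches while the range is active, and anything not permitted falls through to the implicit deny. All names are hypothetical, and the overnight window from the question (14:00 to 07:00) is modelled as two periodic entries split at midnight, which is an assumption of this sketch.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address


@dataclass(frozen=True)
class Periodic:
    """One 'periodic daily <start> to <end>' line of a time-range."""
    start: time
    end: time

    def active(self, now: time) -> bool:
        # Assumption: minute granularity, end minute inclusive.
        return self.start <= now.replace(second=0, microsecond=0) <= self.end


@dataclass(frozen=True)
class Ace:
    """One 'permit ip host <src> any time-range <name>' entry."""
    src: str
    time_range: str


def evaluate(acl, ranges, src, now):
    """Return 'permit' or 'deny' for a packet from src seen at clock time now."""
    for ace in acl:
        if not any(p.active(now) for p in ranges[ace.time_range]):
            continue  # entry is skipped while its time-range is inactive
        if ip_address(src) == ip_address(ace.src):
            return "permit"  # first active match wins
    return "deny"  # implicit deny at the end of every ACL


# Constructed data: ACL 111 and time-range "hi" as posted in the reply.
ACL_111 = [Ace("10.10.10.10", "hi"), Ace("10.10.10.11", "hi")]
RANGES_POSTED = {"hi": [Periodic(time(14, 0), time(19, 0))]}
# Assumption: the 14:00-07:00 window from the question, split at midnight.
RANGES_OVERNIGHT = {"hi": [Periodic(time(14, 0), time(23, 59)),
                           Periodic(time(0, 0), time(7, 0))]}

if __name__ == "__main__":
    for label, ranges in (("posted", RANGES_POSTED), ("overnight", RANGES_OVERNIGHT)):
        for src in ("10.10.10.10", "10.10.10.12"):
            for now in (time(3, 0), time(10, 0), time(15, 0), time(20, 0)):
                print(label, src, now.strftime("%H:%M"), evaluate(ACL_111, ranges, src, now))
```
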

New Member

Re: EAP-FAST and MAC authentication with WPA2 on Local RADIUS fo

Hi again,

Regarding the ACL everything is OK but I still have problems with EAP-FAST setup. Does EAP-FAST demand a private certificate?

On our site there are 2 MC5574 handheld clients. When I try to set up a WLAN profile on both of them and select EAP-FAST, the system asks me to select one of the 3 protocols MS-CHAP, EAP-TLS, EAP-GTC for tunneling authentication. In either case it then asks for a User Certificate to install.

This is weird because I thought that EAP-FAST establishes a tunneling authentication via PACs and that's it! In case a PAC stands for a private certificate and the AP has the default settings for EAP-FAST, meaning that it will create and provide the PAC upon client request, what is the point of a private certificate authority's involvement?

Regards

VP

Cisco Employee

Re: EAP-FAST and MAC authentication with WPA2 on Local RADIUS fo

Hi, EAP-FAST doesn't need any certs. We need to generate a PAC. Here is the link which gives the comparison between various EAPs:

http://ciscosystems.com/en/US/prod/collateral/wireless/ps5679/ps5861/prod_qas09186a00802030dc_ps4555_Products_Q_and_A_Item.html

here is the link to generate or Use the PAC

http://www.cisco.com/en/US/docs/wireless/access_point/12.3_8_JA/configuration/guide/s38local.html#wp1050270

lemme know if this helps..

Regards

Surendra

New Member

Re: EAP-FAST and MAC authentication with WPA2 on Local RADIUS fo

Hi,

these were very helpful links

Thank you very much for your support

Regards

Vasilis

Cisco Employee

Re: EAP-FAST and MAC authentication with WPA2 on Local RADIUS fo

In the LOCAL LEAP config example, you can select EAP-FAST as well if you don't want the LEAP to be configured.

Regards

Surendra
