Establish encrypted wireless link with Domain computer

I am beginning to migrate all of my wireless links to WPA; currently they are unencrypted. I have a few computers that receive their connectivity via wireless link. I need to have these computers establish an encrypted wireless link so domain users can log on to them with cached credentials. I have 1100 series APs that establish a wireless link with an ACS using WPA and MS-CHAPv2.

I was told I have to set up 802.1x to allow the computer to establish a link, but have not been able to figure this out.

Mike

mark.cronin
Level 2

Mike

Can your clients support WPA2 (AES)?

If not you will need to use WPA TKIP

You have the option of using 802.1x

EAP-TLS - considered most secure but you need a PKI infrastructure

EAP-PEAPv0

EAP-PEAPv1

EAP-FAST

or

EAP-TTLS - not that common now

You mentioned MS-CHAPv2 so I think you want a single sign on functionality which PEAP offers.

I haven't heard of the single sign on feature but yes, that sounds like what I want. I have established wireless connectivity using WPA and MS-CHAPv2 but don't believe our equipment supports WPA2. I have a Cisco ACS but do not know how to configure 802.1x, and how I can get domain computers to establish connectivity with the campus network and allow users to use domain credentials to log in.

Mike

Mike

With EAP-PEAP the wireless supplicant uses your Windows username/password and the laptop/desktop machine account that exists in the Windows Active Directory database to authenticate.

With EAP-TLS the wireless supplicant uses the digital certificate installed on the laptop/desktop to authenticate.

Both methods use WPA or WPA2 to encrypt data

Take a look at this link:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/configuration/guide/peap_tls.html

Mark

Mark,

Is LEAP the only way to do single sign on? Is there a way to do machine authentication? I really don't want to use LEAP, but I need the computer to establish a network connection before the user logs on.

Mike

Mike

PEAP with MSCHAPv2 allows for Active Directory machine and Active Directory user authentication. You can select machine access restrictions so the user can only use a domain laptop combined with a domain username and password. This EAP method also allows users with non-cached profiles on the laptop to log in.

Mark

Mark,

Do you have any materials that can assist me in setting this up? Do I need a 3rd party supplicant to make this?

Mike

Mike

Take a look at this

http://www.cisco.com/application/pdf/paws/43486/acs-peap.pdf

The Microsoft XP SP2 supplicant has PEAP.

Mark
