01-29-2009 08:45 AM - edited 07-03-2021 05:04 PM
I am beginning to migrate all of my wireless links to WPA; currently they are unencrypted. I have a few computers that receive their connectivity via wireless link. I need to have these computers establish an encrypted wireless link so domain users can log on to them with cached credentials. I have 1100 series APs that establish a wireless link with an ACS using WPA and MS-CHAPv2.
I was told I have to set up 802.1x to allow the computer to establish a link but have not been able to figure this out.
Mike
01-29-2009 12:51 PM
Mike
Can your clients support WPA2 (AES)?
If not you will need to use WPA TKIP
You have the option of using 802.1x
EAP-TLS - considered most secure but you need a PKI infrastructure
EAP-PEAPv0
EAP-PEAPv1
EAP-FAST
or
EAP-TTLS - not that common now
You mentioned MS-CHAPv2 so I think you want a single sign on functionality which PEAP offers.
01-29-2009 12:58 PM
I haven't heard of the single sign on feature but yes that sounds like what I want. I have established wireless connectivity using WPA and MS-CHAPv2 but don't believe our equipment supports WPA2. I have a Cisco ACS but do not know how to configure 802.1x, and how I can get domain computers to establish connectivity with the campus network and allow users to use domain credentials to log in.
Mike
01-29-2009 01:09 PM
Mike
With EAP-PEAP the wireless supplicant uses your Windows username / password and the laptop/desktop machine account that exists in the Windows Active Directory database to authenticate.
With EAP-TLS the wireless supplicant uses the digital certificate installed on the laptop/desktop to authenticate.
Both methods use WPA or WPA2 to encrypt data.
take a look at this link
Mark
01-30-2009 09:19 AM
Mark,
Is LEAP the only way to do single sign on? Is there a way to do machine authentication? I really don't want to use LEAP, but I need the computer to establish a network connection before the user logs on.
Mike
02-03-2009 02:16 AM
Mike
PEAP with MSCHAPv2 allows for active directory machine and active directory user authentication. You can select machine access restrictions so the user can only use a domain laptop combined with domain username and password. This EAP method also allows users with non cached profiles on the laptop to login.
Mark
02-03-2009 07:27 AM
Mark,
Do you have any materials that can assist me in setting this up? Do I need a 3rd party supplicant to make this?
Mike
02-03-2009 07:41 AM
Mike
Take a look at this
http://www.cisco.com/application/pdf/paws/43486/acs-peap.pdf
The Microsoft XP sp2 supplicant has PEAP
Mark