Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

Bronze

Getting Started: PEAP w/ SecureACS

Kind of new to the more advanced Wireless stuff, and must making sure I'm on the right track. We have the following:

4400 series WLCs w/ 4.1 software

1242 APs

SecureACS 4.0 servers

Unix LDAP servers

Windows 2000 servers running AD

Mix of Windows, Linux, and Mac clients

Given the above list, we'd like to have secure (encrypted + authenticated) wireless access for users. I'm thinking PEAP with the SecureACS servers is the way to go. Does this sound right, and where should I look for configuration documentation?

3 REPLIES
Gold

Re: Getting Started: PEAP w/ SecureACS

PEAP would work fine with that setup. Here's a link to the doc on setting up the controllers and ACS to use PEAP.

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00807917aa.shtml

Bronze

Re: Getting Started: PEAP w/ SecureACS

Good Stuff. Thanks for the link.

What I'm curious about is the CA setup. If we already have a CA, can't we just generate, sign, and install a cert for each ACS server and then be good to go?

Or, could we even use self-signed certs, assuming that the PEAP client allows it?

New Member

Re: Getting Started: PEAP w/ SecureACS

Don't use self signed certs. I've gotten them to work, but it can be spotty depending on the supplicant. Even on the same PC.

Since you have a PKI infrastructure you should use that. The exception would be if you had a lot of user that are not members of your domain (at least the PCs). In that case you would have to import the root CA cert into the PCs. Given the low cost of commercial certs it we be worth it to loose the hassle factor.

You could also use IAS on the DC's as this is an AD environment. It is a simpler configuration and I find authentication to be faster using IAS. The exception would be if the users access the network are not members of AD. In that case ACS makes more sense. You can add the users to AD, but you would have to purchase a CAL to be legal, whereas ACS wouldn't care.

128
Views
0
Helpful
3
Replies