Cisco Support Community
New Member

Layer 3 WebAuth to Layer 2 authentication

Hello,

We are planning to move from layer 3 to layer 2 802.1X security integrated with a RADIUS server. Since we are observing slowness in the network, we have decided to configure layer 2 802.1X security for all staff and student accounts.

Could you please help us with how to carry out this activity? We need to keep the same authentication model: students are authenticated only on the Student SSID, and likewise staff on the Staff SSID.

What configuration needs to be done on the RADIUS server in order for clients to supply their AD username and password for authentication?

I have tried it, and the only way I have got it to work is by having a client certificate installed on the client computer, but this will not be good as we are targeting BYOD clients whose devices we cannot predict, and we don't want to take on the hassle of installing certificates on the client computers.

Thanks,

12 REPLIES
VIP Purple

Layer 3 WebAuth to Layer 2 authentication

Why are you using EAP-TLS? (This needs certificates on both sides, client and server.)

Use PEAP with the RADIUS server connected to AD; then you only need a server-side certificate.

Regards

Don't forget to rate helpful posts

New Member

Hello Guys,

Thanks for your cooperation. I have done this configuration and it still asks for a certificate to be installed. Whenever I connect to this test SSID, it asks for a username and password; when I supply them, it doesn't connect at all.

Please find the attached configuration of both IAS and WLC on this particular SSID.

 

Highly appreciate your response.

Regards,

Hussain

 

New Member

Hi Sandeep,

How this can be accomplished?

In the WLC SSID configuration I have the following:

WPA+WPA2
WPA2 Policy
WPA2 Encryption = AES
Authentication Key Management: 802.1X Enable

In the IAS configuration, I have the following:

Policy conditions:
NAS-Port-Type matches "Wireless - IEEE 802.11 Or Wireless - Other" AND
Windows-Groups matches "DomainName\Domain Users"

Dial-in Constraints:
Allow access only through these media (NAS-Port-Type)
* Wireless - IEEE 802.11
* Wireless - Other

Advanced Tab:
Vendor-Specific ---- RADIUS Standard Cisco
Service-Type ------- RADIUS Standard Login

Authentication Tab:
Microsoft Encrypted Authentication version 2 (MS-CHAP v2) Enabled

EAP Methods:
Protected EAP (PEAP)

 

Thanks,

 

VIP Purple

Hi,

Your SSID config is right.

You must check the setting on IAS server.

You can only configure PEAP as the authentication method for a remote access policy when you are using IAS:

http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/100397-peap-ias.html

http://technet.microsoft.com/en-us/library/cc784383(v=ws.10).aspx

 

Regards

Don't forget to rate helpful posts

Layer 3 WebAuth to Layer 2 authentication

Hi Hussain,

1) Use EAP-PEAP. This setup does not need a client certificate.

2) The DNIS attribute defines the SSID that the user is allowed to access. The WLC sends the SSID in the DNIS attribute to the RADIUS server. You can use this feature on the ACS to restrict students ONLY to their SSID.

Thanks !!

Regards
Victor V

*****Help out others by using the rating system and marking answered questions as "Answered"*****
New Member

Re: Layer 3 WebAuth to Layer 2 authentication

Hi Victor,

We have tried configuring EAP-PEAP but we are unable to get connected to that specific SSID. I am attaching a RADIUS config snapshot, the SSID config on the controller, and the event viewer error is below. Please suggest if we can do something more so that clients can use layer 2 authentication without having to install any certificates.

On the client side we get the prompt to supply the credentials, and whatever we supply, in any form such as domain.com\username, domain\username or the FQDN username@domain.com, is not accepted, and IAS registers a WARNING event saying the username or password is not valid.

Thanks,

***********************************************************************************

User [Domain.xxxx]\maa13334 was denied access.

Fully-Qualified-User-Name = xxxx.com/DomainUsers/Students/Disabled Stud Accnt./Mohammad A Kh A Alkhadhr

NAS-IP-Address = x.x.x.x

NAS-Identifier = xxxxx

Called-Station-Identifier = 50-17-ff-34-7c-60:ICT

Calling-Station-Identifier = 00-26-5e-09-87-d7

Client-Friendly-Name = ciscowlan

Client-IP-Address = x.x.x.x

NAS-Port-Type = Wireless - IEEE 802.11

NAS-Port = 13

Proxy-Policy-Name = Use Windows authentication for all users

Authentication-Provider = Windows

Authentication-Server =

Policy-Name = ICT SSID

Authentication-Type = PEAP

EAP-Type =

Reason-Code = 16

Reason = Authentication was not successful because an unknown user name or incorrect password was used.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
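The IAS event posted above already carries what a practitioner needs to act on Victor's suggestion: Called-Station-Identifier arrives from the WLC as "MAC:SSID" (here 50-17-ff-34-7c-60:ICT), so the SSID can be compared against the group the user belongs to, and Reason-Code tells you whether the failure is a credential problem (16) or a policy problem. The following is an added example written for this thread, not code from the original posts or from Cisco/Microsoft: it parses a constructed copy of that event (identifiers anonymised), pulls out the SSID, checks it against a hypothetical group-to-SSID table, and maps the reason code. The table SSID_POLICY, the group names, and the helper names are assumptions; the reason-code text for 16 is taken from the event itself, and 48/66 are the standard IAS/NPS "no policy match" and "authentication method not enabled" codes.

```python
"""Parse an IAS/NPS denial event, extract the SSID from Called-Station-Id,
and evaluate a per-group SSID restriction (added example, not from the thread)."""
import re

# Constructed sample, modelled on the event posted in the thread with the
# domain, addresses and user name replaced. Raw string keeps the backslash.
SAMPLE_EVENT = r"""User [EXAMPLE]\maa13334 was denied access.
Fully-Qualified-User-Name = example.com/DomainUsers/Students/Disabled Stud Accnt./Sample User
NAS-IP-Address = 10.0.0.5
NAS-Identifier = wlc01
Called-Station-Identifier = 50-17-ff-34-7c-60:ICT
Calling-Station-Identifier = 00-26-5e-09-87-d7
Client-Friendly-Name = ciscowlan
Client-IP-Address = 10.0.0.5
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 13
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server =
Policy-Name = ICT SSID
Authentication-Type = PEAP
EAP-Type =
Reason-Code = 16
Reason = Authentication was not successful because an unknown user name or incorrect password was used.
"""

# Hypothetical group -> allowed SSIDs table (assumption, not from the thread).
SSID_POLICY = {
    "Students": {"Student"},
    "Staff": {"Staff", "ICT"},
}

# Subset of IAS reason codes; 16 is the one in the posted event.
REASON_CODES = {
    16: "unknown user name or bad password (credential problem, not policy)",
    48: "connection attempt did not match any remote access policy",
    66: "authentication method used by the client is not enabled in the matching policy",
}

ATTR_RE = re.compile(r"^\s*([A-Za-z][\w-]*)\s*=\s*(.*?)\s*$")
USER_RE = re.compile(r"^User (.+?) was denied access\.")


def parse_ias_event(text):
    """Return the 'Name = value' lines of an IAS event as a dict.
    Empty values such as 'EAP-Type =' are kept as ''."""
    attrs = {}
    for line in text.splitlines():
        m = ATTR_RE.match(line)
        if m:
            attrs[m.group(1)] = m.group(2)
    return attrs


def denied_user(text):
    """Return the '[DOMAIN]\\user' from the first line, or None."""
    m = USER_RE.match(text.strip().splitlines()[0])
    return m.group(1) if m else None


def ssid_from_called_station_id(value):
    """WLC formats Called-Station-Id as '<MAC>:<SSID>' when its Call Station
    ID Type includes the SSID; split on the first ':' only."""
    _mac, sep, ssid = value.partition(":")
    if not sep or not ssid:
        raise ValueError("Called-Station-Id carries no SSID: %r" % value)
    return ssid


def ssid_allowed(ssid, user_groups, policy=SSID_POLICY):
    """True if any of the user's groups is permitted on this SSID."""
    return any(ssid in policy.get(group, set()) for group in user_groups)


def diagnose(text, user_groups):
    """Summarise one denial: who, which SSID, whether the SSID was allowed
    for the user's groups, and what the reason code means."""
    attrs = parse_ias_event(text)
    code = int(attrs.get("Reason-Code", "-1"))
    ssid = ssid_from_called_station_id(attrs["Called-Station-Identifier"])
    return {
        "user": denied_user(text),
        "ssid": ssid,
        "ssid_allowed": ssid_allowed(ssid, user_groups),
        "reason_code": code,
        "reason": REASON_CODES.get(code, attrs.get("Reason", "unknown")),
        "fqun": attrs.get("Fully-Qualified-User-Name", ""),
    }


if __name__ == "__main__":
    for group in (["Students"], ["Staff"]):
        print(group, diagnose(SAMPLE_EVENT, group))
```

Two things to take from running this against the real event: Reason-Code 16 is raised by the Windows authentication provider, so a user who hits it has already matched the policy and is failing on the credential itself (the account, the password, or the MS-CHAP v2 exchange), not on an SSID or NAS-Port-Type condition; and Fully-Qualified-User-Name exposes the account's OU path, which is worth reading before touching the RADIUS policy. The SSID extraction assumes the WLC's Call Station ID Type is set to a value that appends the SSID, as in the posted event; with a MAC-only setting the function raises rather than silently matching an empty SSID. PEAP removes the client certificate, but the client still has to trust the RADIUS server's certificate for the TLS tunnel to come up.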

Re: Layer 3 WebAuth to Layer 2 authentication

First we need to have the user authenticate against the IAS.

Then we can try the SSID-based restriction.

On the IAS --> select MS-CHAP v2 under Authentication

On the client --> enter just the username (no domain)

On the WLC --> use WPA2-AES (recommended)

Then get the same screenshot from the Server.

Regards
Victor V

*****Help out others by using the rating system and marking answered questions as "Answered"*****
New Member

Hi Victor,

 

Any help on this? I replied yesterday with the required screenshots.

 

thanks,

 

New Member

Hi Victor,

Any recommendation on the below updates that I just posted?

 

thanks,

 

Hall of Fame Super Silver

Re: Layer 3 WebAuth to Layer 2 authentication

802.1X is really meant for your internal devices, to secure them and to control access from the wireless into your internal network. For BYOD/guest, you never want layer 2 encryption. The reason is that your team will end up supporting users who have trouble connecting to that WLAN. Believe me, this will happen; I have seen this in the past with many of my clients. Layer 3 with open authentication is the best way to treat guest users.

If you have an issue with slowness, then it's something else on the network, and moving to 802.1X will not help. Layer 2 open is the best way to connect and test your network, as you're not dependent on the device supporting the chosen type of layer 2 encryption properly.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
New Member

Re: Layer 3 WebAuth to Layer 2 authentication

Hi Scott,

Appreciate if you can elaborate on your recommendation.

thanks,

Hussain

Hall of Fame Super Silver

Re: Layer 3 WebAuth to Layer 2 authentication

If you test with an open SSID, which means that layer 2 encryption is set to none, and you still have slowness, you need to look at your design or your configuration. Changing the encryption is not going to help you unless your broadcast domain is large. Bottom line: you need to look at your overall design and troubleshoot the slowness.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***