Cisco Support Community
New Member

radius

Hello, I have version 3.2.78 on my WLC 4402 and I want to configure it for EAP-TLS. It should be secured by 802.1X and WPA2, but I don't know how to do it properly over the web interface. Every suggestion is appreciated.

23 REPLIES

Re: radius

Dave,

Please check this link,

http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00807917a6.shtml

Regards,

~JG

Please rate helpful posts

Hall of Fame Super Silver

Re: radius

So you want to use EAP-TLS instead of PEAP. In other words, you want a certificate on each device. Here is a link that might help:

http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00807917a6.shtml#t20

I have always used WPA2 with PEAP-MSCHAPv2 and a single certificate on the RADIUS server.

You should maybe upgrade to 4.1.185.0, just in case:

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00805f381f.shtml

-Scott
*** Please rate helpful posts ***
New Member

Re: radius

Hi, thanks for the replies.

Why would you recommend PEAP with MSCHAPv2 to me rather than EAP-TLS?

My additional problem is that I can't update my WLC 4402 because I am out of warranty.

Re: radius

The reason for single-sided server certs is for your head. If you have to deal with all those client certs and manage them every single time a device is lost or stolen, your head will explode. By using PEAP, or even the old legacy LEAP, you don't have that headache. Simpler management = fewer Tylenols taken.

New Member

Re: radius

But will I then have the headache of a lack of security, or is it more or less the same security level?

Hall of Fame Super Silver

Re: radius

Exactly... I worked on a project once doing EAP-TLS... NEVER AGAIN.

You have to look at it this way. Do you have a root CA configured? Whether you do or you don't, you should see what the MS best practice for having a CA is... You will need Excedrin for tension headaches.

-Scott
*** Please rate helpful posts ***
New Member

Re: radius

I have to reach the result that the guys (students) using their (school-owned) notebooks are not able to add other personal notebooks. Is PEAP good for that?

So, using PEAP, how do I have to configure things, e.g. my CA?

Re: radius

That's a whole different scenario now. I would probably utilize PEAP for authentication and a MAC filter for association purposes. You could also validate a machine against RADIUS but again that could turn into a lot of work. Either way, the machine would be controlled and authentication would take place at a much more secure level.

New Member

Re: radius

I heard MAC filters are not secure because the MAC can be changed.

Re: radius

OK. Let's talk security here. The MAC filter is not security. It is a method to dictate which laptop is allowed to associate to your access point. After the laptop has associated, the user logs in to the network via PEAP and is authenticated. If the authentication fails, the user is not allowed a session on the network. This protects you: if somebody steals the laptop, they can't log in to the network because their authentication fails. Never use MAC filters as security, only as access control.

New Member

Re: radius

But what if the guy takes another laptop, changes the MAC, copies the certificate (if possible, I don't know) and logs in with his username and password? Would it work?

Re: radius

Hmmmm, changes the MAC. That CAN be done, but only by a very experienced computer guy, and the laptop has to be using a flavor of Linux. Windows OS does not allow for modification of MAC addresses. Even if he gets access to the MAC, he doesn't have the logon credentials to defeat your PEAP authentication. So what has he gained? A whole lot of work for absolutely no reward. I'm just trying to make life easy for you here. Certificates will work as well, but jeez, the headaches of managing certificates.

Re: radius

Here is the configuration for using PEAP to authenticate the machine instead of the user.

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00801df0e4.shtml

New Member

Re: radius

OK, will do. So you would not recommend EAP-TLS because of the huge amount of extra work, and the same security level.

The PEAP-MSCHAPv2 just works; only the certificate component doesn't work, so I have to work on this.

Re: radius

It's what I would do. This keeps you free to do other things with your time.

New Member

Re: radius

I know; sure, it is my first WLAN with Cisco and RADIUS, so I had to speak with someone who has just done it.

I have to speak about it with my employer; I suppose he wants TLS anyway.

Re: radius

Good luck in either way you choose to proceed.

New Member

Re: radius

Thanks, Dennis.

Last question about MAC filtering, because I'll do it independently of the EAP version.

So MAC filtering means registering all MACs in my WLC and looking at which of them is logged in with which username, e.g.?

Re: radius

Register each MAC address on the controller. In the description, use the username, so that when you look at associated clients you will see the username, MAC address, and AP they're attached to.
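
The two gates described in this thread (the MAC filter decides association, 802.1X/PEAP decides the session) plus the "username in the description" idea above, worked through as an added example. This is not code from the thread or from Cisco: the roster, the `config macfilter add <mac> <wlan_id> <interface> <description>` command form, and the client records are my assumptions, and the records are constructed, not real controller or RADIUS output. The extra check it adds, comparing the authenticated user against the registered owner of the MAC, is what catches the case asked about a few posts up: a personal laptop with a cloned MAC and the student's own valid password.

```python
# Added example (not from the thread or Cisco): models the two admission gates the
# replies describe and correlates each MAC's registered owner with the 802.1X user.
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

_SEP_OK = re.compile(r"^[0-9A-Fa-f:.\-]+$")


def normalize_mac(raw: str) -> str:
    """Canonicalise aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF (RADIUS Calling-Station-Id)
    and aabb.ccdd.eeff (IOS style) to the lower-case colon form the WLC displays."""
    if not _SEP_OK.match(raw):
        raise ValueError(f"not a MAC address: {raw!r}")
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


class Roster:
    """Registered school laptops: MAC -> owner (the username kept in the description)."""

    def __init__(self) -> None:
        self.owner_of: Dict[str, str] = {}

    def register(self, mac: str, username: str) -> None:
        mac = normalize_mac(mac)
        prev = self.owner_of.get(mac)
        if prev is not None and prev != username:
            raise ValueError(f"{mac} already registered to {prev}")
        self.owner_of[mac] = username

    def wlc_commands(self, wlan_id: int, interface: str = "management") -> List[str]:
        # Assumed WLC CLI form 'config macfilter add <mac> <wlan_id> <interface> <description>';
        # check the command reference for your controller release before pasting.
        return [f"config macfilter add {mac} {wlan_id} {interface} {user}"
                for mac, user in sorted(self.owner_of.items())]


class Event(NamedTuple):
    mac: str                 # as seen by the controller / RADIUS Calling-Station-Id
    username: Optional[str]  # None when 802.1X never produced a User-Name
    accepted: bool           # True if an Access-Accept was seen for this attempt


def admit(roster: Roster, ev: Event) -> Tuple[str, str]:
    """Gate 1: MAC filter decides association. Gate 2: 802.1X decides the session.
    Gate 3 (the added check): the authenticated user must own the registered MAC."""
    mac = normalize_mac(ev.mac)
    owner = roster.owner_of.get(mac)
    if owner is None:
        return "deny", f"{mac}: not registered, association refused before 802.1X"
    if not ev.accepted:
        return "deny", f"{mac}: registered to {owner}, but 802.1X failed"
    if ev.username != owner:
        return "alert", f"{mac}: registered to {owner} but authenticated as {ev.username}"
    return "allow", f"{mac}: {owner} on own laptop"


_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(Access-Accept|Access-Reject)$")


def review_log(roster: Roster, lines: List[str]) -> List[Tuple[str, str, str]]:
    """Run admit() over constructed 'time user mac result' records; '-' = no username."""
    out = []
    for line in lines:
        m = _LINE.match(line.strip())
        if not m:
            continue  # ignore anything that is not a client record
        ts, user, mac, result = m.groups()
        ev = Event(mac, None if user == "-" else user, result == "Access-Accept")
        verdict, why = admit(roster, ev)
        out.append((ts, verdict, why))
    return out


# Constructed sample data (not real controller or RADIUS output).
ROSTER = Roster()
ROSTER.register("00:1B:77:AA:BB:01", "dave")
ROSTER.register("0015.c5aa.bb02", "bob")

SAMPLE_LOG = [
    "09:01:12 dave 00-1B-77-AA-BB-01 Access-Accept",  # owner on his own laptop
    "09:02:40 -    00-15-c5-aa-bb-02 Access-Reject",  # bob's stolen laptop, wrong password
    "09:03:05 eve  00-15-c5-aa-bb-02 Access-Accept",  # eve's own account from a MAC cloned off bob's laptop
    "09:04:30 eve  00-de-ad-be-ef-00 Access-Accept",  # eve's real MAC: the filter refuses association first
]

if __name__ == "__main__":
    for cmd in ROSTER.wlc_commands(wlan_id=1):
        print(cmd)
    for ts, verdict, why in review_log(ROSTER, SAMPLE_LOG):
        print(ts, verdict.upper(), why)
```

The third record is the one the MAC filter cannot stop on its own: the MAC is on the list and the credentials are valid, so both gates pass. Only the owner-versus-user comparison flags it, which is why keeping the username in each filter entry's description is worth the typing.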

Hall of Fame Super Silver

Re: radius

WPA2 with PEAP-MSCHAPv2 is the way to go. Whether you want to authenticate via machine or user is up to you. Just remember, the type of encryption depends on your devices (whether they support the authentication type or not) and on whether you own those devices. Students, guests, users... whoever has their own devices is usually put on a guest-type network, since you don't want the overhead of setting them all up and taking responsibility if something breaks!

-Scott
*** Please rate helpful posts ***
New Member

Re: radius

Oh, could you explain that a bit more simply? I am Italian and I only learned English at school in Germany :) so...

I have a WLC 4402 and IBM R60e notebooks.

Can I authenticate users via certificate and PEAP? I thought just a server certificate, and user auth via username, password and domain.

New Member

Re: radius

Will try it and see how it works, and which is the best version for us.
