I have a Cisco WLC 4404 with 100 LWAP access points. Currently I am using shared WEP authentication. I would like to migrate it to WPA. I want the clients to be authenticated using individual username / password to get into the network. I am using LDAP as the username / password repository. I also have a Cisco ACS (AAA) server that is kept unused.
I think it can be achieved using:
1. Web authentication configured in the WLC itself. But I do not want this, as the WLC may be loaded unnecessarily. Is this correct?
2. Another option I read about is 802.1x authentication with WPA. Since I am integrating with LDAP, I also learned that only EAP-FAST can be used.
The question is whether Windows XP supports an EAP-FAST client by default (I didn't see the option in Win XP), or otherwise whether I should load a third-party client on all the client laptops. Is the Cisco Aironet client free to download and use?
I'm assuming your user accounts are from the Windows NT domain/Active Directory, so Windows PEAP could be your choice as well. By using Windows PEAP, you don't need to install a third-party wireless supplicant on user machines. You can refer to the link below:
Let me list your requirements, to better define them:
1) Clients must log in (each time?) with their username and password
2) You don't have, and don't want to implement, a certificate server
3) You are using a non-Windows AD LDAP directory for user authentication
4) You have a Cisco ACS (version ?) that you can use for RADIUS, to interact between the client and the LDAP server
5) You want to avoid web authentication if you can, because of concerns about overloading the WLC.
One thing - what is your supplicant? Are these standard Windows XP SP2 machines? Also, what are your encryption requirements? Web authentication provides no encryption for the data after authentication.
And, without a certificate on at least the ACS server (plus appropriate Certificate Authority server), you're out of luck for EAP.
EAP-FAST generally requires a certificate on the server side (if you want it to be at least somewhat secure). And it requires a Cisco supplicant, such as the Aironet Desktop Utility with the Cisco CB21AG PCMCIA card (or it can potentially use the EAPHost supplicant in Windows Vista).
If you don't need encryption, go with web authentication. The WLC should not have a problem handling the requests (how many simultaneous logins are you looking at?). If you do need encryption, you are going to need some additional components, whether supplicants or a certificate server.