WPA2 on 1220-B with MS IAS (2003 server)

All -

I have a Win2003 server running IAS. I have a 1220-B AP running 12.3(8)JA2.

I am trying to create two VLANs/SSIDs; one for guest mode - fully open without encryption, and one for secure mode WPA2.

The two segments will be firewalled using an ASA-5510.

I have followed the guidelines provided in the WPA2 sample configuration (though AES is not available to me in the encryption cipher settings - only TKIP), and the guide on using VLANs on wireless access points.

However - the clients (Intel Pro Set 3945 ABG running client) are not able to associate to the secured segment as expected - even when using the AP's local radius server (to eliminate IAS as a source of problems).

Anyone have any suggestions - or known working configs they would care to share?


Re: WPA2 on 1220-B with MS IAS (2003 server)

You can update your radio (to a "G") for a little over a hundred dollars; that would give you AES encryption. It requires a hardware encryption processor that your radio module does not have.

WPA2 / 802.11i requires AES.

Are you using the Microsoft Wireless Zero Config, or the Intel ProSet utilities?

In either case, make sure the clients are hard-set for TKIP, and force them to 802.11b (they may hunt into the 802.11a band).

What authentication are you using? IAS does not support LEAP or EAP-FAST, only PEAP, EAP-TLS, TTLS (I think), MD5, and MAC. It's also happiest using MS-CHAP v2 for authentication.

The local RADIUS can support user login (users added to the AP's "user list") with LEAP or EAP-FAST, but not EAP-TLS, TTLS, PEAP (anything needing a certificate), or MD5.

Let us know ...


Re: WPA2 on 1220-B with MS IAS (2003 server)

Scott -

The radio units for use in production include the G radio module. The test environment does not (my bad!). I'll have to see about taking one of the upgraded units out of production to further test WPA2. This concerns me though because we have a cache of 350 PCMCIA adapters - and this suggests that they will never be able to do WPA2 because they cannot associate as G devices. I've got to come up with a workable solution for basic B devices (both Cisco and non) and our newer A/B/G devices.

I've used both the ProSet Utilities and WZC to attempt this on the test environment laptop.

Authentication will be tested/proven in two sequences.

The first sequence for authentication will be against the AP's local user database using LEAP.

The second sequence (and ultimately final) will require authentication against the Win2003 IAS AD domain due to multiple APs in the production environment, likely using PEAP.

If I can successfully go directly to the second sequence, that would be nice, but I'm concerned about the simplicity of troubleshooting - in the event something is wrong with the IAS configuration.

For the record, I'm a router/switch head - with only moderate skills with wireless, and virtually no experience with Win 2003 Server. I may need some hand-holding.


Re: WPA2 on 1220-B with MS IAS (2003 server)

It'll be fun, honest!

Microsoft has some very good config white papers on their site... usual search terms (IAS, Cisco, Wireless, etc.).

I got my config from a Microsoft Press "Small Business Server 2003 Administrator's Guide" and it worked right out of the book (EAP-TLS & Certificates too).

I believe the Intel client software has a checkbox for "Wait for wireless connectivity before attempting login" (paraphrase) config box.

For straight-up wireless authentication, in the "PEAP" config, do not fill in the "Domain" box.

Post whatever questions you come up with, there's a pretty good range of smart folks here.

Good Luck


Re: WPA2 on 1220-B with MS IAS (2003 server)

It appears I've made it properly through the IAS configuration. I have promulgated the GPO containing the certificate, and have verified its receipt on the client machine. I also updated the Intel adapter drivers to the current release.

I think I am now trying to get the AP properly configured. Here are the pertinent components of the config as it stands right now:

! RADIUS server groups for EAP authentication and for accounting
! (server addresses omitted in the post)
aaa group server radius rad_eap
 server auth-port 1812 acct-port 1813
aaa group server radius rad_acct
 server auth-port 1812 acct-port 1813
aaa authentication login eap_methods group rad_eap
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
!
! Secure SSID on VLAN 10, 802.1X/EAP against the rad_eap group
dot11 ssid MEOC-Secure
   vlan 10
   authentication open eap eap_methods
!
! TKIP cipher on VLAN 10, broadcast key rotated every 3000 seconds
interface dot11radio0
 encryption vlan 10 mode ciphers tkip
 broadcast-key vlan 10 change 3000
!
! RADIUS host definition (address and key value omitted in the post)
radius-server attribute 32 include-in-access-req format %h
radius-server host auth-port 1812 acct-port 1813 key 7
radius-server vsa send accounting

I had network connectivity with the connection wide-open (no auth/eap).

Any suggestions regarding the AP config?

Re: WPA2 on 1220-B with MS IAS (2003 server)

I found the problem in the config - and in the interest of putting the right information in the forum for someone else to find in the future, here are the changes from the config above:

dot11 ssid MEOC-Secure
   vlan 10
   authentication open eap eap_methods
   ! Below is the new config statement
   authentication key-management wpa
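The following is a complete AP-side configuration for the two-SSID design the thread set out to build, added here as an example; it is not taken from any post above and is not a Cisco sample config. It shows the secure SSID stanza as first posted (TKIP enabled on the VLAN but no key-management line, commented out as the weak version) beside the corrected stanza, plus the open guest SSID on its own VLAN so the ASA can firewall the two segments. Values assumed for illustration and not given anywhere in the thread: RADIUS server 192.0.2.10 with shared secret changeme, guest SSID MEOC-Guest on VLAN 20, VLAN 1 as the AP's native/management VLAN, and the plain `wpa` keyword (not `wpa version 2`) because a B radio only offers TKIP.

```cisco
! Added example for a 1220 AP on IOS 12.3 JA, two SSIDs on two VLANs.
! Assumed values (not from the thread): RADIUS 192.0.2.10 / key changeme,
! guest VLAN 20 / SSID MEOC-Guest, native VLAN 1 for AP management.
aaa new-model
aaa group server radius rad_eap
 server 192.0.2.10 auth-port 1812 acct-port 1813
aaa group server radius rad_acct
 server 192.0.2.10 auth-port 1812 acct-port 1813
aaa authentication login eap_methods group rad_eap
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
!
! --- WEAK (as first posted): TKIP is enabled on VLAN 10 below, but with
! no key-management the AP never runs the WPA 4-way handshake, so a
! client set for WPA/TKIP cannot associate to this SSID.
! dot11 ssid MEOC-Secure
!    vlan 10
!    authentication open eap eap_methods
!
! --- CORRECTED secure SSID: 802.1X/EAP to IAS, WPA key management, TKIP.
! Add "authentication network-eap eap_methods" as well if Cisco LEAP
! clients must also join this SSID.
dot11 ssid MEOC-Secure
   vlan 10
   authentication open eap eap_methods
   authentication key-management wpa
   accounting acct_methods
!
! Guest SSID: open, no encryption, advertised in beacons (guest-mode).
dot11 ssid MEOC-Guest
   vlan 20
   authentication open
   guest-mode
!
interface Dot11Radio0
 no ip address
 encryption vlan 10 mode ciphers tkip
 broadcast-key vlan 10 change 3000
 ssid MEOC-Secure
 ssid MEOC-Guest
 station-role root
!
! Native VLAN carries the AP's own management traffic.
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 bridge-group 1
!
interface Dot11Radio0.10
 encapsulation dot1Q 10
 bridge-group 10
!
interface Dot11Radio0.20
 encapsulation dot1Q 20
 bridge-group 20
!
interface FastEthernet0
 no ip address
!
interface FastEthernet0.1
 encapsulation dot1Q 1 native
 bridge-group 1
!
interface FastEthernet0.10
 encapsulation dot1Q 10
 bridge-group 10
!
interface FastEthernet0.20
 encapsulation dot1Q 20
 bridge-group 20
!
radius-server attribute 32 include-in-access-req format %h
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key changeme
radius-server vsa send accounting
```

The switch port facing the AP has to be an 802.1Q trunk carrying VLANs 1, 10 and 20, and VLAN 20 should reach nothing but the ASA interface that fronts the guest segment. `show dot11 associations` on the AP confirms that a WPA client lands on the secure SSID with key management shown, and `debug radius authentication` shows whether the Access-Request ever reaches IAS and what comes back. Note that `authentication key-management wpa optional` would let non-WPA (static or dynamic WEP) clients onto the same SSID, which is one way to accommodate legacy B cards, but it lowers the SSID's floor to WEP for every client; a separate SSID/VLAN for those cards keeps that exposure contained.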

