The Cisco Secure Services Client supports âevery protocol known to manâ, including EAP-FAST. Cisco Secure Services Client is a better product compared to the default Windows client, but it is not âfreeâ like the Windows client. The licensing costs can add up especially for large deployments.
I had heard that XP service pack 3 was supposed to have EAP-FAST support and was wondering if anyone else had heard the same. We've tested it and it doesn't appear to have the support without something called "EAP-FAST modules" that are supposed to be available from Cisco. I haven't found anything on it so I figured I'd post it here.
I'd read the article linked in your response and didn't read it as "passionately against EAP-FAST".... just not what Cisco advertises. It is easy to deploy and would be easier if supported by Windows without third party supplicants. We've been using the Intel and Dell wireless clients but were hoping to simplify things.
You obviously did quite a bit of work, I am still in the user testing phase.
Tell me please if the default Windows XP wireless client (the XP Zero Configuration utility) did not work for you. I use Linksys wireless network cards. The Linksys wireless software client was disabled, and I use the Windows built-in client with PEAP authentication against a Cisco ACS RADIUS server.
The built-in client in Windows seems to work quite well. Because it comes âby defaultâ with Windows, it does not require any third-party supplicant. Microsoft has extensive documentation explaining how to configure PEAP in an Active Directory environment (Active Directory is not required, it is just nice to place everything under one umbrella).
PEAP requires SSL certificates on the RADIUS server (Cisco ACS in my case). We have two ACS boxes, two Verisign certificates are not that expensive. If ârealâ SSL certificates are not an option, you can build your own Certification Authority using software that comes by default in Windows 2000 Server. You just have to deploy the certificate identifying your local Certification Authority to all wireless clients (the cert deployment can be automated in Windows environments).
I miss the extensive debug traces from Cisco Secure Services Client, but the Windows PEAP client works (and it's free).
No... the XP wireless client doesn't work because of it's lack of EAP-FAST support. Intel ProSet clients and Dell wireless clients work fine with the config utility that comes with the cards. We also have authentication forwarded to AD though ACS. We were looking for something to ease deployment to clients and EAP-FAST seemed to fit the bill since the automatic deployment of PACs made things seem easy. I'm not sure if I had it to do again if I would go that route due to the added complexity of having to configure one client differently from another. The hope and impression based on information I can't locate at this time was that XP SP3 would have EAP-FAST support and all of the problems would go away since the zero config utility with XP could be used. I'm really bothered / concerned that this isn't the case and will have to determine what to do now. We have significant time invested in making EAP-FAST work in our network and changing will be an incredible hassle. I understand that a third party supplicant sold be Cisco partners would alleviate this issue but is a cost that isn't necessary if you use PEAP. The software isn't cheap either.
I'll add that although Linksys is a Cisco company their clients don't support EAP-FAST authentication out of the box which blows my mind. They are listed as CCX compatible but only with third party supplicants.
Funny you ask.... it's the one Intel card that has given me some trouble. I just ordered a new Dell for myself and had that card installed for it figuring it would work as well as the 3945 ABG and 2200 BG and also give me N radio capability for later. I wished I hadn't. I was able to get it to work with EAP-FAST and AES but I cannot create multiple profiles with the Intel client using these settings or it will not work. Try to "disable EAP-FAST enhancements" when setting up the profile. It will probably work.
Transferring Crash file from standby: Login to the Active WLC in HA.
From CLI: (Cisco Controller) >transfer upload datatype crash (Cisco
Controller) >transfer upload filename (Cisco
Controller) >transfer upload mode tftp (Cisco Controller) >transfer
This is the start of a display filter cross reference between Wireshark
and OmniPeek. The 1st installment is a table of advanced filters. More
filters will be added as time allows. It is a living doc, so check back
for changes every so often Please feel f...
I have created a Powershell script to automatically add a Wireless Guest
User on Cisco WLCs. (tested on 2500 Series) The script should be
completely self explanatory. Prerequisites: Powershell SNMP Module
(Install-Module -Name SNMP) SNMP Write Access to y...