Cisco Support Community

New Member

remote office wireless

Good evening everyone. I have a requirement for wireless access in our state offices. They are all over Wide Area Links, frac T-1 to T-3's. The requirement is for AES using EAP-FAST. The wireless users must be able to work if the WAN link goes down.

I have looked at the wireless module for the 2800; I have had one working in the lab. I have over 130 different office domains and forests. I need generic-type certificates to allow the users to work and that I can change out at set intervals. The certs that are generated now don't appear to let me do this using MS CA.

Any thoughts on this would be greatly appreciated.

4 REPLIES
New Member

Re: remote office wireless

Sorry about the typos! Here is the clearer copy:

Good evening everyone. I have a requirement for wireless access in our state offices. They are all over Wide Area Links using frac T-1 to T-3's. The requirement is for AES using EAP-FAST. The wireless users must be able to work if the WAN link goes down. HREAP Right ….

I have looked at the wireless module for the 2800; I have had one working in the lab. I have over 130 different office domains and forests. I need generic-type certificates to allow the users to work and that I can change out at set intervals. The certs that are generated now don't appear to let me do this using MS CA.

Any thoughts on this would be greatly appreciated.

Hall of Fame Super Silver

Re: remote office wireless

For H-REAP, you must understand that any EAP type authentication has to be handled by a RADIUS server or a WLC running local EAP. So even with H-REAP APs, if the WAN goes down, there is no way to authenticate the users, since the AP needs to validate the user via the RADIUS server.

http://www.cisco.com/en/US/products/ps6521/products_tech_note09186a0080736123.shtml#t7

-Scott
*** Please rate helpful posts ***
New Member

Re: remote office wireless

And what auth types are supported in H-REAP local auth, local switching then?

The H-REAP design guide says that it can support methods which can be 'handled locally' - what are they?

Update: found it - open, WEP, WPA-PSK or WPA2-PSK.

What if we place a RADIUS server on each remote site - can H-REAP APs then use EAP?

Basically, what I want is to place a RADIUS server on each site and make the WLC auth against it (each site to their own server), and when the link goes down, everything would work as intended, like there was no WAN failure - LAPs would auth against the RADIUS server which is already on their site. Is it possible?

Hall of Fame Super Silver

Re: remote office wireless

If you place a RADIUS server in each remote site, then you can authenticate users via 802.1x. If you want to authenticate LAPs also, it is best practice to have a separate AAA server for that. I have not had a client deploy RADIUS servers in each location, the reason being... you have to sync all of them. Also, usually all services are centralized, so if the WAN goes down, email and file shares, etc. are not available to the user. So take a look at your traffic flow and see if putting a RADIUS server in each site is worth the cost or not. You can still use 802.1x but have the RADIUS server centralized, but again... it depends on what you are trying to accomplish.

-Scott
*** Please rate helpful posts ***