Wireless PEAP w/ ACS 3.1 & RSA Secure ID 5.0 on XP & W2K

I want to auth the W2K Client at Cisco AP (newest rel.) by PEAP.

I have

- AP 350
- Cisco W-Card
- Lucent W-Card
- Symbol W-Card
- WIN XP
- WIN2K
- RSA Secure ID Server 5.0

The ACS already has a cert. created by Windows CA - that's OK.

Secure ID can auth Routers / Switches by ACS

What are the settings in AP to communicate with ACS for PEAP w/ TACACS

- Port #49 ?

- EAP + 1.WEP key + ?

Can the 2nd Auth line be a W2K-Server, where the ACS is connected instead of RSA Secure ID?

I heard that this W2K / XP makes problems w/ SP1 regarding PEAP for non-Cisco cards, because some DLLs are exchanged and don't support MSCHAP-V2 - how does this work in detail?

ciao

Jens


Re: Wireless PEAP w/ ACS 3.1 & RSA Secure ID 5.0 on XP & W2K

1. To get information about the settings in AP to communicate with ACS for PEAP w/ TACACS, you can go through the following URL:

http://www.cisco.com/en/US/products/hw/wireless/ps4555/products_installation_and_configuration_guide_chapter09186a008015486c.html

2. Since Microsoft uses PEAP-MSCHAPV2 and Cisco uses PEAP-GTC (generic token card), PEAP will not work from a Win2K SP1/3 client through Cisco Secure ACS 3.1. Both MS and Cisco support PEAP, but each supports different methods of client authentication through the TLS tunnel. The Microsoft PEAP supplicant supports client authentication by only MS-CHAP Version 2, which limits user databases to those that support MS-CHAP Version 2, such as Windows NT Domains and Active Directory. The Cisco PEAP (GTC) supplicant supports client authentication by OTPs and logon passwords, enabling support for OTP databases from vendors and logon password databases as well as Microsoft databases. In addition, the Cisco PEAP client includes the ability to hide user name identities until the TLS encrypted tunnel is established. This provides additional confidentiality that user names are not being broadcast during the authentication phase. But, MS XP with no service pack should support the Cisco PEAP

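The reply notes that a PEAP client can hide the user name until the TLS tunnel is established; whether a given supplicant actually does so can be checked on the clear-text EAP frames of a capture. The following Python sketch is an added example, not part of the original thread and not Cisco or Microsoft code; the sample frames, the user name `alice@example.org` and the "anonymous" heuristic are constructed assumptions.

```python
import struct

# EAP codes and method type numbers from the IANA EAP registry (RFC 3748).
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 6: "GTC", 13: "EAP-TLS", 25: "PEAP", 26: "MS-CHAPv2"}


def parse_eap(packet: bytes) -> dict:
    """Parse one EAP packet: Code(1) Identifier(1) Length(2), then Type(1) + data."""
    if len(packet) < 4:
        raise ValueError("truncated EAP header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 4 or length > len(packet):
        raise ValueError("EAP length field does not match packet size")
    msg = {"code": EAP_CODES.get(code, code), "id": ident, "type": None, "data": b""}
    if code in (1, 2) and length > 4:      # only Request/Response carry a Type
        msg["type"] = EAP_TYPES.get(packet[4], packet[4])
        msg["data"] = packet[5:length]     # ignore any link-layer padding
    return msg


def outer_exposure(frames: list) -> dict:
    """Report the outer method and whether the clear-text identity names a user."""
    report = {"outer_method": None, "identity": None, "user_exposed": False}
    for msg in map(parse_eap, frames):
        if msg["code"] == "Response" and msg["type"] == "Identity":
            identity = msg["data"].decode("utf-8", "replace")
            local = identity.split("@")[0].split("\\")[-1].lower()
            report["identity"] = identity
            # Heuristic (assumption): empty or "anonymous" local part = hidden.
            report["user_exposed"] = local not in ("", "anonymous")
        elif msg["code"] == "Request" and msg["type"] not in (None, "Identity"):
            report["outer_method"] = report["outer_method"] or msg["type"]
    return report


def build(code: int, ident: int, eap_type: int, data: bytes) -> bytes:
    """Helper for the constructed sample frames below."""
    return struct.pack("!BBHB", code, ident, 5 + len(data), eap_type) + data


# Constructed samples: Identity request, Identity response, PEAP Start (flags 0x20).
REAL = [build(1, 1, 1, b""), build(2, 1, 1, b"alice@example.org"), build(1, 2, 25, b"\x20")]
ANON = [build(1, 1, 1, b""), build(2, 1, 1, b"anonymous@example.org"), build(1, 2, 25, b"\x20")]

if __name__ == "__main__":
    for name, frames in (("real", REAL), ("anonymous", ANON)):
        print(name, outer_exposure(frames))
```

The inner method (GTC or MS-CHAP Version 2) is negotiated inside the TLS tunnel, so it does not appear in these outer frames; only the outer method and the identity response are visible.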