WLC 5508 Web Auth and EAP / PEAP

Sean Haynes
Level 1

Morning all, I'm looking for some clarification.

Current setup:

I work in a school. A few years ago I installed a 4400 WLC and several APs as a proof of concept exercise to see whether wireless technology would be of benefit to teaching and learning. It was deemed to be so.

This summer I installed 2 x 5508 WLCs and increased AP coverage to 50 - copied over the configs from the old controller - all works fine.

Currently only the staff can access the WLANs with the exception of a public WLAN in the canteen area.

Because there are a limited number of devices, WPA2 in conjunction with MAC filtering was used. However the school wants to open the wireless network to all of the students - potentially this means up to 1000 devices that will no doubt change on a regular basis so MAC filtering is out.

In line with child protection policies I need an 'auditable' trail when students access wireless resources.

Planned setup:

I have set up a test WLAN that uses Web Auth - the WLC is configured to pass authentication requests (through an ASA) on to a RADIUS server which is tied into AD. I have a CA set up as well as a NAP server.

There is no layer 2 security set on the test WLAN and layer 3 is just web authentication. From any mobile device I can authenticate against AD and gain access to the Internet.

Clarification:

With no layer 2 security the WLAN is exposed so I need to introduce some form of end to end encryption - so I am looking at deploying EAP / PEAP.

Would the introduction of EAP / PEAP keep the network as secure as if I was using WPA2?

Many thanks.

2 Replies

maldehne
Cisco Employee

If you are using web authentication you cannot use dot1x as L2 security, so EAP is not an option.

But you can use pre-shared key security, like WPA2 AES, with web auth to ensure that the traffic is encrypted.

Or you can define a WLAN profile with dot1x security on L2 and nothing on L3; by doing so you would definitely hit the utmost security possible.

Check the following link, which contains a couple of EAP config examples:

http://www.cisco.com/en/US/partner/tech/tk722/tk809/tech_configuration_examples_list.html

------------------------------------------------------------------------------------------------------

Please make sure to rate correct answers

Unfortunately I can't get to that document... but thanks anyway.

So can I use WPA2 with AES and 802.1x that authenticates against the RADIUS Server?
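As an added illustration of the two options described in the reply above and of the WPA2/AES/802.1X setup asked about in the follow-up, here is how the two WLAN profiles would be laid out on a 5508 running AireOS CLI; this is not from the thread. The command syntax is written from memory and should be checked against the controller's own `?` help; WLAN ids, profile names, the RADIUS address and the secrets are placeholders, and lines beginning with `!` are annotations rather than commands.

```text
! --- Option A: WPA2-PSK (AES) at layer 2 plus web auth at layer 3 ---
! The pre-shared key encrypts the air interface; the student still
! identifies themselves against AD through the web portal, which gives
! the per-user audit trail without MAC filtering.
config wlan create 2 Students-PSK Students-PSK
config wlan security wpa enable 2
config wlan security wpa wpa2 enable 2
config wlan security wpa wpa2 ciphers aes enable 2
config wlan security wpa akm 802.1x disable 2
config wlan security wpa akm psk enable 2
config wlan security wpa akm psk set-key ascii <PRESHARED-KEY> 2
config wlan security web-auth enable 2
config wlan radius_server auth add 2 1
config wlan enable 2

! --- Option B: WPA2-Enterprise (AES + 802.1X/PEAP) at layer 2, nothing at layer 3 ---
! RADIUS server index 1 is the AD-backed RADIUS server reached through
! the ASA; each association is authenticated with the user's own AD
! credentials, so the audit trail comes from the RADIUS logs.
config radius auth add 1 <RADIUS-IP> 1812 ascii <SHARED-SECRET>
config wlan create 3 Students-8021X Students-8021X
config wlan security wpa enable 3
config wlan security wpa wpa2 enable 3
config wlan security wpa wpa2 ciphers aes enable 3
config wlan security wpa akm 802.1x enable 3
config wlan security web-auth disable 3
config wlan radius_server auth add 3 1
config wlan enable 3
```

A WLAN must be disabled while its security settings are changed (a freshly created WLAN already is), and the RADIUS shared secret and PSK should be generated rather than typed from a wordlist.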
