05-16-2006 09:32 AM - edited 07-04-2021 12:05 PM
I am trying to set up WPA/WPA2 based on the Cisco document, where the RADIUS server points to itself as the local RADIUS server. But when the wireless client comes up, it can't connect, and Windows shows a message that acquiring a certificate is in progress. Does that mean WPA needs a certificate?
If yes, then which settings on the AP and on Cisco ACS need to be done to set up WPA?
I really need this urgently: the AP uses WPA and the user is authenticated by ACS servers. Any good document on how to set up the above requirement?
05-16-2006 03:01 PM
WPA is not really an Auth system, it's an encryption system.
Inside WPA, you need something like PEAP, LEAP, EAP-TLS, MS-CHAPv2, EAP-MD5 ....
If you use PEAP or EAP-TLS, you'll need a certificate or two (PEAP or EAP-TTLS = Server side only, EAP-TLS - Server side AND Client side).
LEAP (if your RADIUS supports it) only needs a username & password.
EAP-FAST (if your RADIUS supports it) would take a while to explain.
MS-CHAPv2 is usually used with Microsoft IAS or RADIUS using a MS Active Directory backend.
EAP-MD5 is usable, but generally not recommended.
If you use WPA-PSK (no RADIUS server needed, just a "passphrase") then you should come up with a nice long, strong password (no complete words, mix caps & lc, toss in some punctuation - like: "Sc03TTm@c" something you can't find in a dictionary, and longer is better; the example I posted is way too short but it's just an example).
Which authentication system are you using with WPA?
Let us know and we can give you some specific tips.
Good Luck
Scott
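To go with the WPA-PSK passphrase advice in the post above, here is an added example (not part of the original thread) that checks a candidate passphrase against the criteria Scott lists and derives the 256-bit key the way IEEE 802.11i defines it. The 20-character minimum, the SSID and the second passphrase are assumptions constructed for this example.

```python
import hashlib
import string

MIN_RECOMMENDED_LEN = 20        # assumption for this example, not from the thread
SAMPLE_SSID = "example-net"     # constructed sample SSID


def review_passphrase(passphrase):
    """Return a list of problems found in a WPA-PSK passphrase (empty if none)."""
    problems = []
    # IEEE 802.11i limits a passphrase to 8-63 printable ASCII characters.
    if not 8 <= len(passphrase) <= 63:
        problems.append("must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        problems.append("must be printable ASCII")
    # Criteria from the post above: longer is better, mixed case, punctuation.
    if len(passphrase) < MIN_RECOMMENDED_LEN:
        problems.append("shorter than %d characters" % MIN_RECOMMENDED_LEN)
    if not any(c.isupper() for c in passphrase):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in passphrase):
        problems.append("no lower-case letter")
    if not any(c in string.punctuation for c in passphrase):
        problems.append("no punctuation")
    return problems


def derive_psk(passphrase, ssid):
    """Map passphrase and SSID to the 256-bit PSK as 802.11i specifies:
    PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations, 32 bytes out."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


if __name__ == "__main__":
    # First candidate is the short sample from the post; second is constructed.
    for candidate in ("Sc03TTm@c", "tR7#vexil-Qo9!marb_Zu2"):
        print(candidate, review_passphrase(candidate) or "ok")
        print("  PSK:", derive_psk(candidate, SAMPLE_SSID).hex())
```

Because the SSID is the only salt and the derivation is deterministic, the key is exactly as strong as the passphrase, which is why the length check matters most.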
05-16-2006 06:35 PM
Thanks Scott.
I have Cisco ACS as the RADIUS server, and was thinking of totally avoiding the use of certificates, as it is complicated. I just need the user, when associating to the AP, to be authenticated by the Cisco ACS RADIUS with a username and password.
From your explanation, it sounds like LEAP is the solution. However, I need this setup to also support non-Cisco wireless clients, I mean any third-party clients which support WPA.
Best Regards.
05-16-2006 06:44 PM
If your clients are MS Windows, PEAP would probably be the most generic (and supported by Windows Wireless Zero Config); as long as it's a fairly recent NIC, and supported by Windows, you should be OK.
I'm pretty sure that ACS can generate a self-signed certificate for the server-side.
I believe it'll also support MS-CHAPv2 (no cert needed).
Good Luck
Scott
05-22-2006 08:43 AM
I tried to set up WPA/PEAP/MS-CHAPv2, but it never works. I followed the Cisco document, but it does not seem to work at all.
As far as I know, with PEAP only the ACS needs to generate a certificate. The client is not required to.
Do you have a sample setup config for Windows client / PEAP / WPA ... that is working and that you can share with us?
Thanks