Cisco Support Community
New Member

WPA and ACS

I am trying to set up WPA/WPA2 based on the Cisco document where the RADIUS is pointing to itself as the local RADIUS server. But when the wireless client is up, it can't connect, and Windows shows a message that trying to acquire a certificate is in progress. Does it mean WPA needs a certificate?

If yes, then which settings on the AP and also on Cisco ACS need to be done to set up WPA?

I really need this urgently: the AP using WPA and the user authenticated by ACS servers. Any good document on how to set up the above requirement?

4 REPLIES
Green

Re: WPA and ACS

WPA is not really an Auth system, it's an encryption system.

Inside WPA, you need something like PEAP, LEAP, EAP-TLS, MS-CHAPv2, EAP-MD5 ....

If you use PEAP or EAP-TLS, you'll need a certificate or two (PEAP or EAP-TTLS = Server side only, EAP-TLS - Server side AND Client side).

LEAP (if your RADIUS supports it) only needs a username & password.

EAP-FAST (if your RADIUS supports it) would take a while to explain.

MS-CHAPv2 is usually used with Microsoft IAS or RADIUS using a MS Active Directory backend.

EAP-MD5 is usable, but generally not recommended.

If you use WPA-PSK (no RADIUS server needed, just a "passphrase") then you should come up with a nice long, strong password (no complete words, mix caps & lc, toss in some punctuation - like: "Sc03TTm@c" something you can't find in a dictionary, and longer is better; the example I posted is way too short but it's just an example).

Which authentication system are you using with WPA?

Let us know and we can give you some specific tips.

Good Luck

Scott

New Member

Re: WPA and ACS

Thanks Scott.

I had Cisco ACS as the RADIUS server, and was thinking of totally avoiding the use of certificates, as it is complicated. I just need the user, when associating to the AP, to be authenticated by Cisco ACS RADIUS with username and password.

From your explanation, it sounds like LEAP is the solution. However, I need this setup to also support non-Cisco wireless clients, I mean any third-party clients which support WPA.

Best Regards.

Green

Re: WPA and ACS

If your clients are MS Windows, PEAP would probably be the most generic (and supported by Windows Wireless Zero Config); as long as it's a fairly recent NIC, and supported by Windows, you should be OK.

I'm pretty sure that ACS can generate a self-signed certificate for the server-side.

I believe it'll also support MS-CHAPv2 (no cert needed).

Good Luck

Scott

New Member

Re: WPA and ACS

I tried to set up WPA/PEAP/MS-CHAPv2, but it never works. I followed the Cisco document, but it does not seem to work at all.

As far as I know, with PEAP only ACS needs to generate a certificate. The client does not require one.

Do you have a sample setup config for Windows client / PEAP / WPA ... that is working and that you can share with us?

Thanks
