AAA protocol to use for communications with the WLC
Can you give me more information about the AAA protocol to use for communication between the Radius (ACS 4.2) and the WLC (184.108.40.206)?
We use PEAP, MSCHAPv2 as authentication method via the wired network. Therefore I must use the same authentication method 'over the air'.
According to the Cisco Wireless LAN Controller Configuration Guide (7.0), chapter 6: Configuring Security Solutions, Configuring RADIUS on the ACS, "RADIUS (Cisco Aironet)" has to be selected from the Authenticate Using list.
However, when I look at the User Guide for Cisco Secure Access Control Server 4.2, Configuring AAA Clients, AAA Client Configuration Options, there is a note: If all authentication requests from a particular Cisco Aironet Access Point are PEAP or EAP-TLS requests, use RADIUS (IETF) instead of RADIUS (Cisco Aironet). ACS cannot support PEAP authentication by using the RADIUS (Cisco Aironet) protocol.
My questions are:
What AAA protocol should I use for communication between the ACS and the WLC when using MSCHAPv2 as authentication method?
What is the difference between RADIUS (Cisco Airespace) and RADIUS (Cisco Aironet)? Is RADIUS (Cisco Aironet) for LEAP or EAP-TLS only?
Re: AAA protocol to use for communications with the WLC
Let me paste the part of the ACS 4 config guide talking about this:
RADIUS (Cisco Aironet)—RADIUS using Cisco Aironet VSAs. Select this option if the network device is a Cisco Aironet Access Point used by users who authenticate with the Lightweight and Efficient Application Protocol (LEAP) or the Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) protocol, provided that these protocols are enabled on the Global Authentication Setup page in the System Configuration section.
When an authentication request from a RADIUS (Cisco Aironet) AAA client arrives, ACS first attempts authentication by using LEAP; if this fails, ACS fails over to EAP-TLS. If LEAP is not enabled on the Global Authentication Setup page, ACS immediately attempts EAP-TLS authentication. If neither LEAP nor EAP-TLS is enabled on the Global Authentication Setup, any authentication attempt received from a Cisco Aironet RADIUS client fails. For more information about enabling LEAP or EAP-TLS, see Global Authentication Setup, page 9-21.
Using this option enables ACS to send the wireless network device a different session-timeout value for user sessions than ACS sends to wired end-user clients.
Users accessing the network through a Cisco Aironet network device can only be authenticated against the:
– ACS internal database
– Windows user database
– ODBC user database
Note: If all authentication requests from a particular Cisco Aironet Access Point are PEAP or EAP-TLS requests, use RADIUS (IETF) instead of RADIUS (Cisco Aironet). ACS cannot support PEAP authentication by using the RADIUS (Cisco Aironet) protocol.