Cisco Support Community

AAA protocol to use for communications with the WLC

Dear,

Can you give me more information about the AAA protocol to use for communication between the RADIUS server (ACS 4.2) and the WLC (7.0.98.0)?

We use PEAP, MSCHAPv2 as the authentication method via the wired network. Therefore I must use the same authentication method 'over the air'.

According to the Cisco Wireless LAN Controller Configuration Guide (7.0), chapter 6: Configuring Security Solutions, section "Configuring RADIUS on the ACS", "RADIUS (Cisco Aironet)" has to be selected from the Authenticate using list.

However, when I look at the User Guide for Cisco Secure Access Control Server 4.2, Configuring AAA clients, AAA Client Configuration Options, there is a note: If all authentication requests from a particular Cisco Aironet Access Point are PEAP or EAP-TLS requests, use RADIUS (IETF) instead of RADIUS (Cisco Aironet). ACS cannot support PEAP authentication by using the RADIUS (Cisco Aironet) protocol.

My questions are:

What AAA protocol should I use for communication between the ACS and the WLC when using MSCHAPv2 as the authentication method?

What is the difference between RADIUS (Cisco Airespace) and RADIUS (Cisco Aironet)? Is RADIUS (Cisco Aironet) for LEAP or EAP-TLS only?

Thank you.

3 REPLIES

Re: AAA protocol to use for communications with the WLC

Hi Louis-Philippe,

RADIUS (IETF) is always a safe bet :-)

RADIUS (Airespace) is made for WLCs so I'd advise you use that one. It brings a few extra attributes that let you know which SSID was selected and assign QoS roles.

PEAP-MSCHAPv2 works fine with the 2 above.

Regards,

Nicolas
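To make the "extra attributes" mentioned in the reply above concrete, here is an added example (not part of the thread and not Cisco code) that pulls Airespace vendor-specific attributes out of the attribute section of a RADIUS packet. It assumes the Airespace enterprise number 14179 and the sub-attribute numbers and QoS values given in common RADIUS dictionaries; the helper names and both sample byte strings are constructed for illustration.

```python
import struct

VENDOR_SPECIFIC = 26          # RADIUS Vendor-Specific attribute type (RFC 2865)
AIRESPACE_VENDOR_ID = 14179   # Airespace enterprise number (assumption, not from the thread)
# Sub-attribute numbers and QoS values as given in common RADIUS dictionaries (assumption).
SUBATTRS = {1: ("Airespace-Wlan-Id", int), 2: ("Airespace-QOS-Level", int),
            5: ("Airespace-Interface-Name", str), 6: ("Airespace-ACL-Name", str)}
QOS_LEVELS = {0: "Silver", 1: "Gold", 2: "Platinum", 3: "Bronze"}

def tlvs(buf):
    """Yield (type, value) pairs from a run of one-byte-type, one-byte-length TLVs."""
    pos = 0
    while pos < len(buf):
        if pos + 2 > len(buf) or buf[pos + 1] < 2 or pos + buf[pos + 1] > len(buf):
            raise ValueError(f"malformed TLV at offset {pos}")
        yield buf[pos], buf[pos + 2:pos + buf[pos + 1]]
        pos += buf[pos + 1]

def parse_airespace_vsas(attrs):
    """Return the Airespace VSAs found in the attribute section of a RADIUS packet."""
    found = {}
    for a_type, value in tlvs(attrs):
        if a_type != VENDOR_SPECIFIC or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != AIRESPACE_VENDOR_ID:
            continue  # another vendor's VSA, e.g. Cisco (9)
        for s_type, data in tlvs(value[4:]):
            name, kind = SUBATTRS.get(s_type, (f"Airespace-Unknown-{s_type}", bytes))
            if kind is int:
                if len(data) != 4:
                    raise ValueError(f"{name}: expected 4 bytes, got {len(data)}")
                found[name] = struct.unpack("!I", data)[0]
            elif kind is str:
                found[name] = data.decode("utf-8", "replace")
            else:
                found[name] = data.hex()
    return found

def qos_name(found):
    return QOS_LEVELS.get(found.get("Airespace-QOS-Level"))  # None if no QoS VSA present

def vsa(vendor, sub_type, data):
    """Build one Vendor-Specific attribute (used only for the constructed samples)."""
    body = struct.pack("!I", vendor) + bytes([sub_type, len(data) + 2]) + data
    return bytes([VENDOR_SPECIFIC, len(body) + 2]) + body

# Constructed sample attribute sections (not captured traffic).
SAMPLE_REQUEST = b"\x01\x07alice" + vsa(AIRESPACE_VENDOR_ID, 1, struct.pack("!I", 3))
SAMPLE_ACCEPT = vsa(9, 1, b"constructed=1") + vsa(AIRESPACE_VENDOR_ID, 2, struct.pack("!I", 1))
```

A server configured with a plain RADIUS (IETF) client type still receives these attributes on the wire; whether it interprets or returns them depends on its dictionary for that client type.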

Re: AAA protocol to use for communications with the WLC

Dear Nicolas,

Thank you for your quick answer!

If I understand well, RADIUS (Cisco Aironet) is only for standalone APs or WLCs when users authenticate with LEAP or EAP-TLS only; otherwise choose RADIUS (Cisco Airespace). Is that correct?

Kind regards,

LPL

Re: AAA protocol to use for communications with the WLC

Correct.

Let me paste the part of the ACS 4 config guide talking about this:

RADIUS (Cisco Aironet)—RADIUS using Cisco Aironet VSAs. Select this option if the network device is a Cisco Aironet Access Point used by users who authenticate with the Lightweight and Efficient Application Protocol (LEAP) or the Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) protocol, provided that these protocols are enabled on the Global Authentication Setup page in the System Configuration section.

When an authentication request from a RADIUS (Cisco Aironet) AAA client arrives, ACS first attempts authentication by using LEAP; if this fails, ACS fails over to EAP-TLS. If LEAP is not enabled on the Global Authentication Setup page, ACS immediately attempts EAP-TLS authentication. If neither LEAP nor EAP-TLS is enabled on the Global Authentication Setup, any authentication attempt received from a Cisco Aironet RADIUS client fails. For more information about enabling LEAP or EAP-TLS, see Global Authentication Setup, page 9-21.

Using this option enables ACS to send the wireless network device a different session-timeout value for user sessions than ACS sends to wired end-user clients.

Users accessing the network through a Cisco Aironet network device can only be authenticated against the:

ACS internal database

Windows user database

ODBC user database

MCIS database

Note: If all authentication requests from a particular Cisco Aironet Access Point are PEAP or EAP-TLS requests, use RADIUS (IETF) instead of RADIUS (Cisco Aironet). ACS cannot support PEAP authentication by using the RADIUS (Cisco Aironet) protocol.
