New Member

ACS/Active Directory


I am in the process of implementing LWAPP's using 4404 controllers. I want to implement wireless authentication based on active directory accounts.

I have a ACS appliance running version 3.3 of the software. I've installed the Remote Agent on one of my Domain controllers.

My question is this: I have a mixed environment of Windows XP / Vista and OS X clients. Additionally the XP Boxes are currently authenticating with Novell clients to eDirectory (which is synced to AD).

What types of configurations are supported on both platforms? I'm still a bit shady on my 'EAP' options -- currently we are using a 64 character PSK and that's simply insecure and annoying. I -really- need an AD-related solution because Novell is going away at some point.

What are the next steps for coming up with a foolproof solution to allowing network access using supplicants for both platforms that actually work pretty well and are as invisible as possible to the user?

Thanks for any help and direction you can offer.



Re: ACS/Active Directory

PEAP-MSCHAPv2 is pretty well supported by AD / ACS / Novell / XP / Vista, but I'm afraid I don't know anything about OS X. I've got PEAP on my mobile phone, so I'd be surprised if a modern OS didn't support it.

PEAP will require a certificate on your ACS box. I'd also suggest that if you're going Lightweight, that you upgrade your ACS to v4.1 - I've had no end of problems with 3.3 and LWAPP.

For Microsoft clients, PEAP is supported natively, and can be configured through Domain Policy providing you've got a Win2k3 (or newer) Server. The user experience is one of 'Single Signon', so basically, there's no difference in sign-on procedure over wireless as compared to the wire.

Another easy addition is to support Machine Authentication, and enforce "Machine Access Restrictions" on ACS (again, certainly works with MS, no idea about OS X). This will mean that only Machines registered with your AD will be able to get access, and subsequently, user credentials will only be accepted from authenticated machines. Doing this will stop people from using their own machines on your WLAN.

If OS X won't work (suspect it won't) then you can create exceptions to the "Machine Access Restrictions" rule. So presuming it's a subset of users that use OS X, map them to an ACS group, and allow that group to be exempt from the Machine Authentication requirement.

Hope this helps, any questions, just ask.
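The Machine Access Restrictions logic described in the reply above, written out as a small model so the interaction between machine authentication, the aging window and the exempt group is visible. This is an added illustration, not Cisco ACS code or anything from the poster; the 8-hour aging window, the group names, user names and MAC addresses are all constructed for the example.

```python
"""Model of the Machine Access Restrictions (MAR) behaviour described above.

Added illustration, not Cisco ACS code. The aging window, group names,
user names and MAC addresses are constructed for the example.
"""
from datetime import datetime, timedelta

MAR_AGING = timedelta(hours=8)       # assumption: a machine auth stays valid for 8 hours
EXEMPT_GROUPS = {"osx-users"}        # assumption: ACS groups exempt from MAR


def evaluate_user_auth(group, calling_station, now, machine_auth_log):
    """Decide a user authentication arriving from a given client MAC.

    machine_auth_log maps a calling-station-id (client MAC) to the time of
    its last successful machine authentication.
    Returns one of 'accept', 'accept-exempt' or 'restricted'.
    """
    if group in EXEMPT_GROUPS:
        # e.g. the OS X users mapped to a group exempt from machine auth
        return "accept-exempt"
    last = machine_auth_log.get(calling_station)
    if last is not None and now - last <= MAR_AGING:
        # the machine itself authenticated recently enough
        return "accept"
    # Never machine-authenticated, or the machine auth has aged out: the
    # user is mapped to a restricted group (no WLAN access) rather than
    # simply rejected, which is how the behaviour is described above.
    return "restricted"


def run_demo():
    """Constructed sample data; returns {username: decision}."""
    now = datetime(2008, 5, 1, 12, 0)
    machine_auth_log = {
        "00:11:22:33:44:55": datetime(2008, 5, 1, 8, 0),    # domain laptop, booted this morning
        "66:77:88:99:aa:bb": datetime(2008, 4, 30, 22, 0),  # domain laptop, machine auth aged out
    }
    requests = [
        ("jsmith", "staff", "00:11:22:33:44:55"),
        ("rjones", "staff", "66:77:88:99:aa:bb"),
        ("mlee", "staff", "cc:dd:ee:ff:00:11"),      # personal machine, never joined to AD
        ("akim", "osx-users", "cc:dd:ee:ff:00:12"),  # OS X user in the exempt group
    ]
    return {user: evaluate_user_auth(group, mac, now, machine_auth_log)
            for user, group, mac in requests}


if __name__ == "__main__":
    for user, decision in run_demo().items():
        print(f"{user:8s} {decision}")
```

The point of the model is the third case: a valid domain user on a machine that never did machine authentication lands in the restricted group, which is exactly what keeps personal laptops off the WLAN, while the exempt group is the escape hatch for platforms that cannot do machine authentication.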



New Member

Re: ACS/Active Directory

I am also running this environment and have found that ACS 4.1 in the domain works great. I had nothing but problems with 3.3. PEAP MSCHAP V2 is a great fit with the Domain authentication. I use the ACS generated Certs as well and they work very well. You can enable WPA2 on all the clients that you have listed; if they are current on patches, they can authenticate. The only problem I have found so far is making Vista Home Premium use WPA2 enterprise. Some others on here can probably give you more insight to that.

Re: ACS/Active Directory

Using self-signed certs is fine, but you're better off running your own CA / buying a cert off a well-known public CA.

Using a Self Signed Cert usually means the client isn't able to authenticate the RADIUS server as part of the mutual authentication components within PEAP. Without mutual authentication, it's much easier for people to start trying to steal user credentials.

We see lots of problems with authentication, 99% of which are fixed by installing the latest drivers and / or service-packs on the client. Even some new machines seem to come with drivers over a year old!

Good luck, you'll be fine I'm sure, I do about 4 installations a month like this :o)
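The reply above makes the point that a self-signed ACS certificate usually means the client never really validates the RADIUS server, which removes the mutual-authentication half of PEAP. Whether a Windows client validates the server is decided by a handful of settings in its WLAN profile, so one practical check is to audit exported profiles for those settings. The script below does that; it is an added example, not from the thread or from Cisco or Microsoft. The two profiles are constructed, abbreviated fragments modelled on the Windows PEAP profile XML with namespaces omitted (elements are matched by local name so namespaced exports work too); a missing element is treated as not set, and the server name and CA thumbprint are placeholders.

```python
"""Audit Windows WLAN profile XML for PEAP server-validation settings.

Added example, not from the thread or from Cisco/Microsoft. The profiles
below are constructed, abbreviated fragments modelled on the Windows PEAP
profile schema with namespaces omitted; server name and CA thumbprint are
placeholders.
"""
import xml.etree.ElementTree as ET


def _local(tag):
    """Strip an XML namespace: '{ns}Name' -> 'Name' (no-op without one)."""
    return tag.rsplit("}", 1)[-1]


def _find_all(root, name):
    """All elements whose local name matches, regardless of namespace."""
    return [e for e in root.iter() if _local(e.tag) == name]


def _is_true(elem):
    return elem is not None and (elem.text or "").strip().lower() == "true"


def _has_text(elems):
    return any((e.text or "").strip() for e in elems)


def audit_peap_profile(xml_text):
    """Return a sorted list of weakness codes for one profile ([] if none).

    A missing element is treated as not set, which is the conservative
    reading for an audit.
    """
    root = ET.fromstring(xml_text)
    findings = set()

    # The master switch: without it the client accepts any RADIUS server.
    psv = _find_all(root, "PerformServerValidation")
    if not psv or not _is_true(psv[0]):
        findings.add("server-validation-disabled")

    # Which CA the server certificate must chain to.
    if not _has_text(_find_all(root, "TrustedRootCA")):
        findings.add("no-trusted-root-ca")

    # Which server names the certificate must carry.
    if not _has_text(_find_all(root, "ServerNames")):
        findings.add("no-server-name-restriction")

    # If the user is prompted, an unknown server can simply be clicked through.
    prompt = _find_all(root, "DisableUserPromptForServerValidation")
    if not prompt or not _is_true(prompt[0]):
        findings.add("user-may-accept-unknown-server")

    return sorted(findings)


# Constructed: the shape a profile takes when a self-signed cert is "made to work".
WEAK_PROFILE = """
<EapType>
  <ServerValidation>
    <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
    <ServerNames></ServerNames>
  </ServerValidation>
  <PeapExtensions>
    <PerformServerValidation>false</PerformServerValidation>
  </PeapExtensions>
</EapType>
"""

# Constructed: validation on, CA pinned, server name restricted, no prompt.
HARDENED_PROFILE = """
<EapType>
  <ServerValidation>
    <DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>
    <ServerNames>acs.example.local</ServerNames>
    <TrustedRootCA>PLACEHOLDER-ROOT-CA-THUMBPRINT</TrustedRootCA>
  </ServerValidation>
  <PeapExtensions>
    <PerformServerValidation>true</PerformServerValidation>
  </PeapExtensions>
</EapType>
"""

if __name__ == "__main__":
    for label, profile in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(label, audit_peap_profile(profile) or "no findings")
```

Run against real exports (the XML `netsh wlan export profile` writes, for instance) the same function works unchanged, since it ignores namespaces; the hardened profile is the shape a CA-issued ACS certificate lets you push by Group Policy, and the weak one is what tends to get configured by hand to make a self-signed certificate stop complaining.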



New Member

Re: ACS/Active Directory

Well, first off you're very helpful and I appreciate it immensely. The problem I'm having is that I don't know exactly what the "best practices" are.

My goal is to completely move away from this PSK situation and have users login to AD and voilà they get access to the WLAN. There seems to be so many options and it has to be seamless across the network -- add that to the fact that my DC's are currently Win2K (someday to be 2003) and my ACS is running 3.3. I'd love a "best practices guide" or a "howto" guide that would walk me through this so I could at least get a test setup going with my LWAPs. I've also got 200 or so fat access points that I'd love to convert and add to this so they can be managed by the WLC. There's simply so much WRONG with the way it's currently implemented and so much I can't seem to get clear directions on I feel hopeless.

I'm done whining. Thanks so much again for your replies.


Re: ACS/Active Directory

1. Upgrade ACS to v4.1

2. Get a WLC and install v4.1.185.0 software

3. Migrate a few test Access Points over to the WLC

4. Configure a WLAN for 802.1x with WPA-TKIP / WPA2-AES.

5. Configure PEAP-MSCHAPv2 on the ACS

6. Configure WLAN settings on test client machine(s)

7. Start Testing :o)

Don't worry too much about broadcasting or hiding your SSID name, it doesn't count as security, nor does MAC Address Filtering. That said, keep your SSID naming convention ambiguous; use "apples" and "pears" instead of "Bank Data" and "Bank Voice".

Win2k3 is only required if you want to configure your clients using Domain Policy.

PEAP-MSCHAPv2 is generally considered to be the best mid-point of security, usability, versatility & ease of deployment. More secure is EAP-TLS with user smart cards & machine certificates, but let's get you walking before you try to run!

There are lots of documents on CCO that will tell you how to configure various things, and failing that there's always NetPro :o)

Failing that, Google "BT iNet" and ask for a Wireless guy called Richard ;o)
