New Member

AIRONET 350 -- TOKENCARD AUTHENTICATION

I'm testing an Aironet 350 AP for an Italian company.

In particular I'm checking the wireless NICs authentication with the AP using a radius server.

In the first step we created a user database with username/password resident on the radius server (Cisco Secure 3.0). NO PROBLEM, it works.

BUT.... For security policy, we would like to treat wireless connections like a RAS connection with strong authentication, so we tried to use the Radius database for the user-id and an ACE server to verify the password-code given by a secure-id token card by RSA.

IT DOES NOT WORK.

The same configuration is currently in use (and it works!!) for remote dial-up connections to our network.

I'm asking myself if anybody has encountered the same trouble and found a solution or a workaround for it.

Sorry for my bad English, please contact me for more details.

Anyway, THANKS in advance.

2 REPLIES
New Member

Re: AIRONET 350 -- TOKENCARD AUTHENTICATION

The reason it isn't working is because the AP only supports MSCHAP. (i.e. CiscoSecure 3.0 or 2.6 databases, NT domain controllers, etc.)

NOTE (from help on my ASC 2.6 server):

RADIUS (Cisco Aironet). Select the RADIUS (Cisco Aironet) option when using a Cisco Aironet Access Point as a NAS. This option enables you to make use of the Cisco Aironet RADIUS VSA.

Note: Users accessing the network through a Cisco Aironet network device can only be authenticated against the CiscoSecure user database, a Windows NT/2000 user database, an ODBC user database, or an MCIS database.

New Member

Re: AIRONET 350 -- TOKENCARD AUTHENTICATION

I verified that at this moment it is not possible to use an OTP (One Time Password) with the LEAP protocol, because this kind of authentication uses a one-way process while the link between AP and NICs is of the two-way kind: the client is authenticated by the AP --> and vice versa <--- .

So it is not a Cisco Secure bug, but instead a security policy for wireless to block a "stranger" AP.

I contacted RSA (the secure-id manufacturer) and Cisco Italia; both told me they are going to develop a new protocol (PEAP) to solve the problem.
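
Added example (not part of the thread, and not Cisco or RSA code): a simplified Python model of the two-way challenge-response the replies describe, showing why a backend that stores a password-derived secret can complete both directions while a one-time-password validator cannot. HMAC-SHA256 stands in for the MS-CHAP response function, and `PasswordDB`, `TokenValidator` and all function names are hypothetical.

```python
import hashlib
import hmac
import os

def derive(password):
    # Secret derived from the static password (client and password database).
    return hashlib.sha256(password.encode()).digest()

def respond(secret, challenge):
    # Stand-in for the MS-CHAP response function (assumption: HMAC-SHA256).
    return hmac.new(secret, challenge, hashlib.sha256).digest()

class PasswordDB:
    """Hypothetical backend that stores one secret per user."""
    def __init__(self, users):
        self._secrets = {u: derive(p) for u, p in users.items()}
    def secret_for(self, user):
        return self._secrets.get(user)

class TokenValidator:
    """Hypothetical one-time-password backend: answers yes/no for a passcode
    submitted to it and never releases a secret."""
    def __init__(self, codes):
        self._codes = dict(codes)
    def check(self, user, passcode):
        return hmac.compare_digest(self._codes.get(user, ""), passcode)
    def secret_for(self, user):
        return None

def network_answer(backend, user, challenge):
    # The network side can answer a challenge only if it holds the secret.
    secret = backend.secret_for(user)
    return None if secret is None else respond(secret, challenge)

def client_accepts(password, challenge, answer):
    # The client checks the network's answer, which exposes a stranger AP.
    expected = respond(derive(password), challenge)
    return answer is not None and hmac.compare_digest(answer, expected)

def mutual_auth(backend, user, password):
    c1, c2 = os.urandom(8), os.urandom(8)
    # Direction 1: the network challenges the client and recomputes the response.
    expected = network_answer(backend, user, c1)
    if expected is None:
        return "no stored secret: response cannot be checked"
    if not hmac.compare_digest(respond(derive(password), c1), expected):
        return "client rejected"
    # Direction 2: the client challenges the network.
    if not client_accepts(password, c2, network_answer(backend, user, c2)):
        return "network rejected"
    return "mutual authentication ok"
```

The token backend can confirm a passcode that is handed to it, but in a challenge-response exchange the passcode itself never crosses the link, so there is nothing to hand over.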
