I'm testing Aironet 350 AP for an italian company.
In particular I'm checking the wireless NICs authentication with the AP using a radius server.
In the first step we created a user database with username/password resident on the radius server (Cisco Secure 3.0). NO PROBLEM, it works.
BUT... For security policy reasons, we would like to treat wireless connections like RAS connections with strong authentication, so we tried to use the Radius database for the user-id and an ACE server to verify the password-code given by a SecurID token card by RSA.
IT DOES NOT WORK.
The same configuration is currently in use (and it works!!) for remote dial-up connections to our network.
I'm asking myself if anybody encountered the same trouble and if he found a solution or a workaround.
Sorry for my poor English; please contact me for more details.
The reason it isn't working is that the AP only supports MSCHAP (i.e. CiscoSecure 3.0 or 2.6 databases, NT domain controllers, etc.).
NOTE (from help on my ASC 2.6 server):
RADIUS (Cisco Aironet). Select the RADIUS (Cisco Aironet) option when using a Cisco Aironet Access Point as a NAS. This option enables you to make use of the Cisco Aironet RADIUS VSA.
Note: Users accessing the network through a Cisco Aironet network device can only be authenticated against the CiscoSecure user database, a Windows NT/2000 user database, an ODBC user database, or an MCIS database.
I verified that at this moment it is not possible to use an OTP (One Time Password) with the LEAP protocol, because this kind of authentication uses a one-way process while the link between AP and NICs is two-way: the client is authenticated by the AP --> and vice versa <---.
So it is not a CiscoSecure bug, but rather a security policy for wireless to block a "stranger" AP.
I contacted RSA (SecurID manufacturer) and Cisco Italia; both told me they are going to develop a new protocol (PEAP) to solve the problem.