04-19-2006 02:18 AM - edited 07-04-2021 11:57 AM
Hi,
we have implemented a Cisco ACS, and have a Microsoft Active Directory implementation.
I would like to know what is the best security method to use for authentication and encryption
without the need to buy any Certificate or client software?
We would like to use the standard Microsoft Windows XP features, without installing any WLAN Clients.
Thanks
Jorge Sousa
06-29-2006 03:03 PM
WPA-PSK is what you are looking for, but it does not use AD. For that you will probably need to use a third party client. I have not yet been able to get any of my cards, including the Cisco ABG card, to work using username and password against AD using the XP client, but it works like a charm with the Cisco client software. I can connect quickly and easily with the XP client using WPA-PSK though.
06-29-2006 04:05 PM
You can use Microsoft CA to generate a free cert. Then you can configure the ACS for PEAP that is compatible with XP. Depending if your XP users support WPA2 AES or WPA TKIP, either one will be secure; of course WPA2 would be the better choice. I know if XP doesn't have the WPA2 option, there is a hotfix out there for that. You then create a policy on the ACS to authenticate users to AD. There is a lot of information on how to set this up in ACS or even Microsoft IAS...
http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/ed80211.mspx
06-30-2006 04:27 AM
Isn't the WPA2 or AD authentication card dependent? Some cards don't support AES, or WPA for that matter.
06-30-2006 06:54 AM
Go with PEAP and WPA. Users can authenticate against the AD and be done with it. As for what, the native Windows client will do PEAP, and if you find a client that can't do WPA, upgrade the drivers. WPA is a standard and should be there. WPA2 on the other hand is not standard yet, but with WPA2 you get a stronger encryption, WPA you get rotating key. I'd personally go with rotating key, any encryption can be broken given enough time.
my 2cents
06-30-2006 07:49 PM
Well, IEEE ratified 802.11i in June 2004 and the Wi-Fi Alliance started certifying WPA2 devices in September 2004, so there is plenty of support for WPA2. Just got back from Networkers 2006 and they were recommending WPA2 in the following order:
Platinum - WPA2-AES
Gold - WPA-TKIP
Lead - WEP
The big players' (Cisco, Intel, Broadcom) AG cards will do WPA2-AES and CCX3 or better just fine with the latest drivers. Don't forget the MS WPA2 patch KB893357 if you are going to use the MS PEAP client. IAS or ACS will work equally well, just don't forget the MS fast reconnect patch when used with ACS.
WPA2 provides better encryption and PMK caching, which is a standards based fast roaming similar to Cisco CCKM. The only drawback that I know is WPA2 XP client configuration is not yet available to be pushed out via AD group policy.
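As an added example (not code from the thread, Cisco or Microsoft): a small Python checker that grades a Windows wireless profile against the Platinum/Gold/Lead tiers quoted above and flags PEAP profiles that would let a user accept an unknown RADIUS server certificate, which is the part of a PEAP rollout that an internal CA makes free but easy to leave unpinned. It assumes the profile is in the WLAN profile XML that `netsh wlan export profile` writes on Vista and later (XP SP2 keeps its settings elsewhere, so the format is an assumption here); the SSID, server name and root CA thumbprint in the two embedded profiles are constructed placeholders.

```python
"""Grade a Windows WLAN profile against the tiers quoted in the thread.

Added example, not code from the thread, Cisco or Microsoft.
Assumption: the profile is the WLAN profile XML that `netsh wlan export
profile` writes on Vista and later; XP SP2 keeps its settings elsewhere.
"""
import xml.etree.ElementTree as ET

PEAP_EAP_TYPE = "25"  # IANA EAP method type number for PEAP


def _local(tag):
    """Return the element name without its XML namespace."""
    return tag.rsplit("}", 1)[-1]


def _text(root, name):
    """Text of the first element with this local name, or None if absent."""
    for elem in root.iter():
        if _local(elem.tag) == name:
            return (elem.text or "").strip()
    return None


def tier_for(auth, enc):
    """Map authentication/encryption to the thread's Platinum/Gold/Lead tiers."""
    auth, enc = auth or "", enc or ""
    if auth.startswith("WPA2") and enc == "AES":
        return "Platinum"
    if auth.startswith("WPA") and enc == "TKIP":
        return "Gold"
    if enc == "WEP":
        return "Lead"
    return "unranked"


def grade_profile(xml_text):
    """Return (tier, findings) for one profile; findings is empty when clean."""
    root = ET.fromstring(xml_text)
    auth = _text(root, "authentication")
    enc = _text(root, "encryption")
    findings = []
    if enc == "TKIP":
        findings.append("TKIP in use; thread recommends WPA2-AES")
    elif enc in ("WEP", "none", None):
        findings.append("no modern encryption (WEP/none)")
    if auth in ("WPAPSK", "WPA2PSK"):
        findings.append("pre-shared key: no per-user AD authentication")
    if _text(root, "useOneX") == "true":
        # 802.1X profile: check the EAP method and PEAP server validation.
        eap_type = _text(root, "Type")
        if eap_type != PEAP_EAP_TYPE:
            findings.append(f"EAP type {eap_type} is not PEAP ({PEAP_EAP_TYPE})")
        if _text(root, "DisableUserPromptForServerValidation") != "true":
            findings.append("user may accept an unknown RADIUS server certificate")
        if not _text(root, "ServerNames"):
            findings.append("no RADIUS server name pinned")
        if not _text(root, "TrustedRootCA"):
            findings.append("no trusted root CA pinned for server validation")
    return tier_for(auth, enc), findings


# Constructed profile: WPA2-AES with PEAP and full server validation.
GOOD_PROFILE = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
 <name>corp-wlan</name><SSIDConfig><SSID><name>corp-wlan</name></SSID></SSIDConfig>
 <connectionType>ESS</connectionType>
 <MSM><security>
  <authEncryption><authentication>WPA2</authentication>
   <encryption>AES</encryption><useOneX>true</useOneX></authEncryption>
  <OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><EAPConfig>
   <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
    <EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type></EapMethod>
    <Config><Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
     <Type>25</Type>
     <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
      <ServerValidation>
       <DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>
       <ServerNames>acs.example.internal</ServerNames>
       <TrustedRootCA>PLACEHOLDER-ROOT-CA-THUMBPRINT</TrustedRootCA>
      </ServerValidation></EapType></Eap></Config>
   </EapHostConfig></EAPConfig></OneX>
 </security></MSM></WLANProfile>"""

# Constructed profile: WPA-TKIP with PEAP but no server validation pinned.
WEAK_PROFILE = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
 <name>legacy-wlan</name><SSIDConfig><SSID><name>legacy-wlan</name></SSID></SSIDConfig>
 <connectionType>ESS</connectionType>
 <MSM><security>
  <authEncryption><authentication>WPA</authentication>
   <encryption>TKIP</encryption><useOneX>true</useOneX></authEncryption>
  <OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><EAPConfig>
   <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
    <EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type></EapMethod>
    <Config><Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
     <Type>25</Type>
     <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
      <ServerValidation>
       <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
       <ServerNames></ServerNames>
      </ServerValidation></EapType></Eap></Config>
   </EapHostConfig></EAPConfig></OneX>
 </security></MSM></WLANProfile>"""


if __name__ == "__main__":
    for label, profile in (("good", GOOD_PROFILE), ("weak", WEAK_PROFILE)):
        tier, findings = grade_profile(profile)
        print(label, tier, findings or "no findings")
```

The tier comes from the `authentication`/`encryption` pair only, so a WPA2-PSK/AES profile still grades Platinum on encryption while the findings list notes that it gives no per-user AD authentication; the PEAP checks only run when `useOneX` is true.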