There is no LEAP-FAST. There is LEAP, or EAP-FAST. Neither one is built into Windows, so the first step is to make sure that your users have a software client which supports your desired EAP method.
On the 4404, you'll just set up a WPA or WPA2 network using 802.1X, and configure the address and shared key for the ACS server in your RADIUS entries. The specific EAP method is not configured on the controller.
On the ACS server, you will configure the controller as an AAA client with the appropriate shared secret, using Cisco Airespace as the RADIUS type, and make sure that EAP-FAST is enabled and set up in the Global Encryption section. And of course, you'll have to set up external authentication to your Novell LDAP.
I mean EAP-Fast.
Where do I type in the RADIUS entries? In the security tab and I see RADIUS on the left.
I also see EAP-FAST Method Parameters under local EAP
Do I need RADIUS Key Wrap?
Also, what IP should I use in ACS? Should I use the web auth IP or the IP I use to get to the web page?
You do not need RADIUS key wrap.
Use the controller's management address as the IP address for the AAA client.
RADIUS servers are configured under Security: AAA: Radius servers; then, select the servers under WLANs: your SSID: Security: AAA. You are not using Local EAP; don't configure anything there.
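The controller-side steps from the reply above, written out on the AireOS CLI as an added example (not code from the original thread); the WLAN id, server index, ACS address and secret are placeholder values, and lines beginning with `#` are annotations rather than commands.

```cisco
# Add the ACS as RADIUS authentication server index 1 (UDP 1812), ASCII-format secret.
# Use a long, random secret here; a short test key is only acceptable in a lab.
config radius auth add 1 192.0.2.10 1812 ascii <strong-shared-secret>
config radius auth enable 1

# The ACS AAA-client entry must use the controller's management address;
# this prints it so the two sides match.
show interface detailed management

# Disable the WLAN before changing its security settings, then set WPA2/AES with 802.1X
# (the EAP method itself is negotiated between the client and the ACS, not set here).
config wlan disable 1
config wlan security wpa enable 1
config wlan security wpa wpa2 enable 1
config wlan security wpa wpa2 ciphers aes enable 1
config wlan security wpa akm 802.1x enable 1

# Tie RADIUS server index 1 to WLAN 1 (the WLANs > SSID > Security > AAA step in the GUI)
config wlan radius_server auth add 1 1
config wlan enable 1

# Checks: the server should show as enabled, the WLAN should show 802.1X, and the
# ACS should answer a ping from the controller.
show radius summary
show wlan 1
ping 192.0.2.10
```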
Here's what I have done so far.
I went to the security tab in the controller and under aaa>RADIUS>Authentication
I clicked new
typed in the ACS IP
Shared Secret Format ASCII
Shared key (for a test): aaabbbccc
I left everything else as default
I was able to use the blue arrow on the next screen to ping the ACS server. It worked.
I went to WLAN
Clicked on my SSID
went to security
went to AAA servers
Picked the Authentication Servers from the drop down menu.
I try to connect with my laptop with the settings:
OK, so what happens then? If you're not getting online successfully, what errors do you see on the controller and/or in the ACS authentication logs?
I disabled windows firewall. It was blocking the ports.
I also had to enable EAP-FAST on the ACS and turn on anonymous PAC/authenticated PAC.
I'm using a user I made on the ACS.
My next step is to allow EAP-FAST to use my Novell user name and password with LDAP... This works for our other SSID that uses web auth.
How do I do this?
It's set up like that. I assume that you also need the LDAP Servers drop-down box filled in on the right?
I'm picking the same LDAP in the drop-down box as I did when I used LDAP for web auth.
Do I need to configure LDAP on the ACS? Also, do I have to have manual PAC generation to use LDAP or can I use automatic?
The LDAP boxes on the right are only used if you are using Local EAP, i.e., if you do not have a RADIUS server. If you're using an ACS, then you are not using Local EAP and will leave those options blank.
OK, so what would be my next step?
I can connect with GTC and MSChapv2. I thought I read MSCHAPv2 can't be used with LDAP.
I can type a username and password in my laptop's client. If I connect, how do I know it's LDAP that let me in?
The MSCHAP+LDAP issue only comes into play when you are using Local EAP. Again, because you are using an ACS server this is not a Local EAP implementation.
If you are able to connect successfully, doesn't that resolve your problems? Is there a specific reason why you are concerned about verifying that the LDAP protocol is being used? I suppose you could sniff the traffic between the ACS and your Novell server if you wanted to be really sure.
I can only connect with the username I made on the ACS server. When I try to use my Novell user name and password, it doesn't work.
Hmm. This page says that EAP-FAST + LDAP requires manual PAC provisioning:
OK. I looked up how to generate a PAC file manually, but the steps it's telling me to do don't jive with my menu. Must be from an old version. It said
Go to System Configuration and click EAP-FAST PAC File Generator. It's not there though....
Do you know where I should go to generate a manual pac?
I'm not seeing any way to do it in the GUI in 4.1; this link has instructions to do it with the command line utility.