LEAP,EAP-TLS and PEAP

onejepp
Level 1

I have 6 Aironet 350 Access Points and bought some 350 Aironet PCMCIA adapters for users. All APs are connected back to an ACS. Authentication is using LEAP, connecting to a Windows NT domain controller as the RADIUS from the ACS. This way, I can only use Cisco client PCMCIA adapters.

Now customers want it to be open so they can buy any type of wireless LAN PCMCIA adapter from other vendors such as Proxim, Linksys and 3Com. The customers' PCs are a mix of Windows XP, 2000, 98 and even some Windows 95.

My questions:

1. What is the best choice of EAP protocol to make the network safe while still allowing other brands of PCMCIA adapter? Certainly LEAP is out of the question, while EAP-TLS requires me to buy certificates. So I'm narrowing it down to PEAP. Is it the right choice? Any advice?

2. If I decide to use PEAP, it only works with Windows XP clients. Or can I run it concurrently with LEAP, so my non-XP clients will be supplied with Cisco adapters (and use LEAP) while the XP clients can buy their own choice of PCMCIA adapter (and use PEAP)?

3. If I decide to use PEAP, what configuration is needed on my ACS and WinNT domain controller?

Thanks

6 Replies

tepatel
Cisco Employee

PEAP is not Cisco dependent. You can use ANY operating system on a PC as long as the wireless client card in that PC supports PEAP.

So for PEAP, you don't have to have XP.

A Cisco card running LEAP can also run PEAP.

But for LEAP, you need to have Cisco client cards and ACU. For PEAP you can use any client cards with any OS.

For PEAP, I thought it is client OS dependent??

Only XP and Win2000 with SP3 can support PEAP.

Please advise.

PEAP is client OS dependent for native support; however, there are new supplicants being released all the time for the other OSes.

At this point in time, as far as I know, it is only 2K with SP3 and XP, but I am sure there will be more supplicants as the market grows.

Other protocols in the 802.1x suite have wider support and for most will do the job.

Please see the SAFE white paper for a full discussion of the various security methods:

http://www.cisco.com/en/US/products/hw/wireless/ps430/products_white_paper09186a008009c8b3.shtml

http://www.cisco.com/en/US/products/hw/wireless/ps430/products_white_paper09186a00800b469f.shtml

Thanks guys.

Can anyone answer my question on whether the network can have both LEAP and PEAP running at the same time?

Thanks.

You cannot use both LEAP and EAP (PEAP is a form of EAP) on the same AP.

This link will show you a summary of the settings for each authentication type:

http://www.cisco.com/univercd/cc/td/doc/product/wireless/airo_350/accsspts/ap350scg/ap350ch8.htm#1065625

If you do not see a combination here then it is not a supported combination.

You could run it on the same network, but then you would need 2 APs for every cell and careful frequency management. With one running LEAP and the other EAP, you would use 2 different SSIDs and configure your LEAP clients on one SSID and the PEAP clients on another.

This does beg the question as to why you would want to run both??? The only valid reason I could think of was if you had non-Win XP or 2K clients that also had Cisco client cards; they could use LEAP.

According to my SE, the previous posting is incorrect. According to TAC case D346983 you can use LEAP and PEAP together, as long as ACS is configured to handle them. They both are EAP-based authentication mechanisms. The RADIUS server is what decides whether it is a LEAP request or a PEAP request.
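As background to the last reply's point that the RADIUS server decides whether a request is LEAP or PEAP, the sketch below shows EAP method selection as RFC 3748 describes it: the server offers a method, and a peer that cannot run it answers with a Nak listing the types it does support. This is an added example, not code from any poster or from Cisco ACS; the `enabled` policy list and the function names are hypothetical, and it covers only the server-side decision, not what a given AP configuration permits.

```python
import struct

# EAP codes and method type numbers (RFC 3748 and the IANA EAP registry)
REQUEST, RESPONSE = 1, 2
IDENTITY, NAK, EAP_TLS, LEAP, PEAP = 1, 3, 13, 17, 25


def parse_eap(packet: bytes):
    """Return (code, identifier, type, type_data) for an EAP Request/Response."""
    if len(packet) < 5:
        raise ValueError("too short for an EAP Request/Response")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code not in (REQUEST, RESPONSE):
        raise ValueError("not a Request/Response")
    if length < 5 or length > len(packet):
        raise ValueError("bad EAP length field")
    return code, ident, packet[4], packet[5:length]


def next_method(response: bytes, enabled: list, offered: int):
    """Pick the method to run after a peer's Response.

    enabled: hypothetical server policy, method types in preference order.
    offered: the type the server put in its last Request.
    Returns a method type, or None when the peer has to be rejected.
    """
    code, _, eap_type, data = parse_eap(response)
    if code != RESPONSE:
        raise ValueError("expected an EAP-Response")
    if eap_type == IDENTITY:      # identity received: offer the preferred method
        return enabled[0] if enabled else None
    if eap_type == NAK:           # peer refuses `offered` and lists what it supports
        for wanted in data:       # one desired type per byte (0 means "none")
            if wanted in enabled and wanted != offered:
                return wanted
        return None
    # Peer answered inside a method: continue only if it is the one offered
    return eap_type if eap_type == offered and eap_type in enabled else None


def build_response(ident: int, eap_type: int, data: bytes = b"") -> bytes:
    """Build a constructed sample EAP-Response for trying the functions above."""
    return struct.pack("!BBHB", RESPONSE, ident, 5 + len(data), eap_type) + data
```

With `enabled = [PEAP, LEAP]`, a LEAP-only supplicant that Naks the PEAP offer is moved to LEAP, while a server with only PEAP enabled returns `None` for the same packet.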
