We recently purchased a Cisco 4200 LAN Controller and 1131ag access points. We also have a Cisco ACS with 3.3.3 installed. I have been researching what is the best security option and PEAP MSCHAPv2 with WPA2 seems to make the most sense for us since it is highly secure and does not require client-side certificates. I am running into a bit of trouble with this implementation because we do not have an in-house CA. Can I install a certificate from a third party, such as VeriSign, on the ACS? What type of certificate do I need? Do I need to use the Cisco client utility or can I just use Windows with the built-in laptop wireless adapters?
ACS can generate a "self-signed" certificate. For many/most security implementations, it is sufficient.
If you want to go with a third-party cert (like VeriSign), talk to them and see what they offer. They may have a package price for a variety of certificates (server-side auth, email verification ...).
The MS wireless driver should work fine, but make sure you are using XP w/ Service Pack2 on the clients. If you have Win2K, *nix, or (probably, maybe?) Mac, you'll want/need to use the Cisco drivers & client application.
The Windows clients will trust them if they trust the root CA. A trusts B, B trusts C so therefore A trusts C.
1. Install Root Cert on ACS box.
2. Install Identity Cert on ACS.
3. Make sure your Windows clients trust the root from where you received the identity cert for your ACS box.
BTW: The self signed cert from ACS is only good for 1 year.
Were you aware that Cert services are offered with Windows 2000/2003 server? It's fairly easy to set up. One drawback with 2003 is that you have to create a web template for the cert for ACS, but there are plenty of docs out there. Search for "ACS Certificate Windows PEAP". Just post again if you have any questions...
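A pre-install check for the root cert / identity cert steps discussed in this thread, added here as an example and not written by any poster: it uses `openssl` to confirm that the identity certificate chains to the root the clients will trust, carries the Server Authentication EKU that Windows PEAP clients expect, and is not close to expiry. The file names, the `acs.example.test` name, the 30-day default and the demo certificates are constructed assumptions.

```bash
#!/usr/bin/env bash
# Added example: sanity-check a PEAP server (identity) certificate before install.

# check_peap_cert ROOT_PEM IDENTITY_PEM [MIN_DAYS]
# Returns 0 if all checks pass, 1 = chain, 2 = EKU, 3 = expiry.
check_peap_cert() {
    local root="$1" ident="$2" min_days="${3:-30}"   # 30 days is an assumed threshold
    # 1. Chain of trust: the identity cert must verify against the root CA.
    openssl verify -CAfile "$root" "$ident" >/dev/null 2>&1 \
        || { echo "chain: FAIL"; return 1; }
    # 2. Purpose: the cert must list the Server Authentication EKU.
    openssl x509 -in "$ident" -noout -text \
        | grep -q "TLS Web Server Authentication" \
        || { echo "eku: FAIL"; return 2; }
    # 3. Lifetime: still valid MIN_DAYS from now (a 1-year cert needs renewal planning).
    openssl x509 -in "$ident" -noout -checkend $((min_days * 86400)) >/dev/null \
        || { echo "expiry: FAIL"; return 3; }
    echo "ok"
}

# make_demo_certs DIR: build a constructed root CA plus two leaf certs,
# acs.pem (with serverAuth EKU) and noeku.pem (without), for the demo only.
make_demo_certs() {
    local d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Demo Root CA" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=acs.example.test" \
        -keyout "$d/acs.key" -out "$d/acs.csr" 2>/dev/null
    printf 'extendedKeyUsage=serverAuth\n' > "$d/srv.ext"
    openssl x509 -req -in "$d/acs.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 365 -extfile "$d/srv.ext" -out "$d/acs.pem" 2>/dev/null
    openssl x509 -req -in "$d/acs.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 365 -out "$d/noeku.pem" 2>/dev/null
}

# Demo run on the constructed certificates.
demo_dir=$(mktemp -d)
make_demo_certs "$demo_dir"
check_peap_cert "$demo_dir/root.pem" "$demo_dir/acs.pem"
check_peap_cert "$demo_dir/root.pem" "$demo_dir/noeku.pem" || true
```

For a self-signed certificate, pass the same file as both root and identity; for a third-party certificate, pass the CA's root as the first argument.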