PEAP and Airespace

Is there a white paper on how to configure this on the Airespace equipment? I've noticed documentation is horrible with this product. Any help here would be awesome. Thanks

14 Replies

Aaron Harrison
VIP Alumni

I wish there was - docs are terrible for these....

I may have a chance to spend some time on it soon and will post back any progress I make...

Aaron

Aaron Please remember to rate helpful posts to identify useful responses, and mark 'Answered' if appropriate!

sactoraymond
Level 1

I am in the same boat too. Spent over 6 hours reading the Cisco tech support wireless section, and none of them are specific to the Airespace environment. Wish I could dig out some useful info here at the forum or somewhere else.

-Raymond

Hey Jim,

Maybe I can help you with it. I've configured PEAP on Airespace products before, so maybe I can help. Let me know which wireless LAN controller you are using, which RADIUS server, and which access points and client adapters.

I had implemented it on the wireless LAN controller (formerly 4102/4024) with 1200 series APs, Funk SBR, D-Link client adapters and Cisco client adapters.

I guess I should be able to help you with that for sure. Let me know your specs.

Thanks & Regards,

Karthik Narasimhan

## Environment

Client:

Win XP SP1 or SP2 laptop computers

Wireless AP:

Cisco Lightweight 1020 AP

Wireless Controller:

Cisco 4112 Controller, software version 3.2.78.0

Radius Auth.:

Microsoft IAS server and

Microsoft Active Directory

## Questions:

What I want is to use EAP-PEAP instead of the current static WEP setup. We know that we will need a RADIUS server for EAP-PEAP, and so we set up an MS IAS server that allows us to tie into AD for user authentication. Following are some specific questions:

(a) For the Win XP laptop (SP1), I should be able to use the MS built-in Wireless Zero Configuration service for the EAP-PEAP wireless connection, right? Or would I have to use the Cisco Aironet Client Utility (ACU) software?

(b) Any specific info about how I should setup the WLAN config at the wireless controller? I am thinking to set "802.1X" at the "Layer 2 Security" box, sounds right?

(c) I know that a server-side certificate is needed for EAP-PEAP. I am thinking to enable Microsoft Certificate Services on the MS IAS server and have it issue a self-signed cert; this should work, right?

(d) If using the self-signed cert for the MS IAS server, do I need to manually import the root cert on each of the wireless clients (laptops)? Any special configuration I need to be aware of?

Again, thanks in advance for any information on this setup.

-Raymond

Hey Raymond,

Thanks for the details. Well, I'll mail you a doc tonight with a walkthrough on this one. For now,

here are the answers in brief to your queries:

(a) We can use both. I had used Wireless Zero Configuration on XP with SP1 and the Odyssey client, so it should be easy using the ACU too.

(b) Any specific info about how I should setup the WLAN config at the wireless controller? I am thinking to set "802.1X" at the "Layer 2 Security" box, sounds right?

Yup! There's really not much config on the wireless controller other than the setting that you've highlighted, along with the RADIUS server configuration, as in: its IP address and shared secret, and then specifying the WLAN to use this RADIUS server. The doc will probe into details on this setting.

I'll check MS IAS setup stuff for the last 2 queries & get back to you. I'll try to get some screen shots in the docs too if possible for clarity.

And also let me know if you are using this controller in layer 2 or layer 3 LWAPP mode?

That's all for the moment.

Will post the doc tonight for sure.

Thanks & Regards,

Karthik N

We are using layer 2 LWAPP mode.

-Raymond (p4em@yahoo.com)

=======WLAN Controller 802.1x Configuration=======

Note: If you've already configured your WLAN controller initially with a WLAN, you may skip over to step 5.

And please remember to click on apply on every page after making the changes and finally saving the configuration.

Step # 1:

Connect through console using a serial cable, and it'd ask you for all configuration parameters the first time. After finishing, save the config and reload the controller.

Step # 2:

Connect to the controller using a cat5 cable through the service port interface of the wireless LAN controller/switch from a terminal.

Log on to the web interface of the WLAN controller by launching a browser and typing the IP address of the service port interface.

Step#3:

Log on using the username and password which have been configured through console.

Step#4:

Navigate to the WLANs tab.

Create a new WLAN with id = 1, ssid = secure1, use the management interface for the moment, and no DHCP servers; we'd go ahead with static IP addressing for the moment.

Step#5:

Navigate to the Security tab on the web interface.

Now click on New for RADIUS authentication servers.

Mention the server index as 1

Enter the shared secret, which would be the same as in the RADIUS server's configuration.

Confirm the shared secret and use port # 1812.

Set the Server Status to enabled.

Try pinging the RADIUS server from the controller to verify that it's reachable through the management interface port, which should be connected to the auth server terminal.

Step#6:

Now go back to the WLAN tab and edit WLAN 1 which was created.

Under layer 2 security settings, select 802.1x by clicking on the drop-down menu.

Enter a hexadecimal WEP key string for the static WEP key, as appropriate for a 40/104/128-bit key, and select the RADIUS server which has been configured to be used by this WLAN.

Note: I remember an option of dynamically assigned WEP keys too in the native Airespace web interface but am not sure if it's available yet in the Cisco version. If that was available I'd use that setting.

Step # 7:

Plug in the AP after saving the controller's configuration.

Step # 8: Once the AP boots up and downloads the configuration for WLAN id 1 which we've created, the WLAN controller is all set for 802.1x authentication [LEAP, PEAP, etc.]

And using a self-signed cert will also require importing the cert and installing it on the clients.

I'll post the client side and server side configs by this weekend [since my website's down I couldn't upload the docs; sorry for that].

Thanks & Regards,

Karthik Narasimhan

Just an update.

We have done the above config at the controller. Further, we have set up Microsoft CA services on a Windows 2003 server and had it issue a server certificate for our Microsoft IAS server. The cert is now imported to the IAS server. We also imported the root cert of the Microsoft CA server to a laptop (Win XP). We use Microsoft Wireless Zero Configuration to set up the laptop. We see the laptop trying to authenticate, but the authentication process breaks. From the IAS server log, we see the laptop trying to get authenticated, but somehow its auth request got rejected or denied. We don't know why at the moment. We are thinking the Microsoft CA server may need to be set up as a domain CA instead of a standalone CA. More testing is under way now.

Thanks in advance for any comments or suggestions.

-Raymond

Hi Raymond,

Wish you a Happy New Year. Sorry again for the delay in replying.

Well, I guess we need not enter any domain names while authenticating from the client. So it should work fine with a standalone CA. So let it be for the moment; we can add it up after our setup works fine with a standalone CA.

Well, here's a walkthrough; please verify if you've missed out anything out of these steps.

============MS IAS Server Configuration===========

1] Install the Certificate on IAS server & Wireless Clients

a) For IAS server installation procedures, refer to the following URL:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/60fa5de5-58a0-4673-be1e-dd24fb1014a4.mspx

b) Wireless Client side installation,

Copy the certificate from its location to the client.

Right-click the .cer file and click Install Certificate.

Click Next.

Select Place all certificates in the following store and click Browse.

Check show physical stores.

Expand Trusted Root Certification Authorities, select Local Computer, and click OK.

Click Next, click Finish, and click OK.

2] For configuring the IAS server, refer to the following URL:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/ecb5c750-9917-48eb-b33b-8404a57e396b.mspx

3] Wireless Zero Configuration for PEAP:

On the Wireless Zero Configuration window,

Specify the SSID.

Put a check mark for data encryption (WEP enabled).

Put a check mark for the option automatic key provision.

Proceed further to the authentication tab.

Put a check mark for the option Enable 802.1x Auth.

Select EAP Type as PEAP.

Please confirm that the last 2 check boxes on this window are unchecked.

Now, Click on Properties to enter PEAP properties.

Put a check mark against Validate server certificate and select the certificate installed by you on this client.

Now, select Authentication method as MS-CHAP v2 and click on Configure.

In the window that pops up, the "When connecting" option should be unchecked.

Now, your client is ready for PEAP [MS-CHAP v2] authentication.

You may either disable and enable your wireless connection, or restart, to get the prompt for username and password and the cert check for first login.

Now at this point the domain name matters if you are entering one, and the IAS server should belong to the same domain.

If even after checking these settings you face an issue, then check the shared secret on the controller and confirm that it is correct.

And retry.

For different configurations on different OSs, refer to the following URL:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a0080545a29.shtml#t18

4] More details on PEAP are available here:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/ecb5c750-9917-48eb-b33b-8404a57e396b.mspx

That'd be all for the moment.

Feel free to contact us if you need any more assistance.

Thanks & Regards,

Karthik Narasimhan

Thanks for the info.

Things are finally working now. You are right that a standalone CA will be fine. The added benefit of a domain CA is that the trusted root cert can be pushed to domain clients (laptops) automatically, which is very nice in a large scale deployment.

The problem we had was related to step a), which is what type of CA we need to create for the IAS. I think (but am not sure, since I am not the one who created the cert) we ended up creating a Server Certificate and a Client Certificate for the IAS server so things would work. I have yet to try out exactly whether we need both certs or only the Client Certificate. I am ignorant about CAs and so don't know much to tell here, except that now it is working.

And BTW, we have managed to patch (MS KB826942) our test XP laptop, so now we are running PEAP-MS-CHAP2 using TKIP (i.e. the WPA specification) instead of WEP. Just a note for others.

Thanks again for your help.

Hi Raymond,

I see that you finally got your wireless connection to work. I am having some of the problems that you had encountered previously. Our specs appear to be the same. I am using the same model APs and Controller, The ACS server is Microsoft Windows 2000 server. We have received Could you please send me an outline of your settings on your controller, and ACS server? Where did you load your client certificates? How is the stand-alone CA deployed? At this point I have a guest wireless connection that uses WPA-PSK. This connection does not authenticate to the ACS server. It works. I also have another 'Student' wireless connection that I am attempting to authenticate to ACS via PEAP authentication. It shows, in the ACS log, that the authentication was successful, however, the DHCP does not issue an IP address to the laptop. What have I overlooked? Thank you for your help.

Hi Raymond,

I am using a 2006 controller, 1030 APs, a W2K3 CA server and an IAS server.

A standalone CA will also be able to push the certificate to domain clients (laptops) automatically.

The way to implement this is via GPO (look at Microsoft TechNet).

If you configure your client WLAN 802.1x PEAP properties, untag server certificate (you don't want this) and you'll notice it works fine.

I am using a 4402 and Cisco ACS. Does the 4402 get set up in ACS as a AAA client? Do I use the "RADIUS (Cisco Aironet)" setting? I had WPA2 and PEAP working fine with the thick APs, but once we converted the 1200s to lightweights and started using the 4402, the authentication stops at "Validating Identity". The controller gives me the error "no response from Radius". Any thoughts?

Travis

Yes, and use RADIUS (Cisco Aironet). RADIUS (IETF) does not work.
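Two troubleshooting points in this thread, "check the shared secret on the controller" and "no response from Radius", are connected: a RADIUS server that cannot verify the Message-Authenticator on an EAP-carrying Access-Request (RFC 3579) silently discards it, so the controller sees a timeout rather than an Access-Reject. The following Python is an added example, not from any poster, that builds such a request and runs the server-side check; the secret, identity and attribute values are constructed placeholders.

```python
import hmac
import hashlib
import os
import struct

EAP_MESSAGE = 79            # RFC 3579 attribute types
MESSAGE_AUTHENTICATOR = 80

def attr(kind, value):
    """Encode one RADIUS attribute as Type(1) Length(1) Value."""
    return struct.pack("!BB", kind, len(value) + 2) + value

def build_access_request(identifier, secret, eap_payload, request_auth=None):
    """Access-Request (Code 1) carrying EAP-Message plus Message-Authenticator.
    The HMAC-MD5 is taken over the whole packet with the MA value zeroed."""
    request_auth = request_auth or os.urandom(16)
    attrs = attr(EAP_MESSAGE, eap_payload) + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + request_auth
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac   # swap the zero placeholder for the HMAC

def server_accepts_for_processing(packet, secret):
    """Server-side check (RFC 3579 s3.2) with the server's copy of the secret.
    On mismatch the server silently discards the request: no Access-Reject."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 1 or length != len(packet):
        return False
    pos = 20
    while pos + 2 <= length:
        kind, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            return False
        if kind == MESSAGE_AUTHENTICATOR and alen == 18:
            received = packet[pos + 2:pos + 18]
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        pos += alen
    return False   # EAP over RADIUS requires a Message-Authenticator

# Constructed EAP-Response/Identity "user1": Code 2, Id 1, Length 10, Type 1.
EAP_IDENTITY = bytes([2, 1, 0, 10, 1]) + b"user1"
CONTROLLER_SECRET = b"correct-secret"   # placeholder, not a real secret

if __name__ == "__main__":
    pkt = build_access_request(7, CONTROLLER_SECRET, EAP_IDENTITY)
    print("matching secret :", server_accepts_for_processing(pkt, CONTROLLER_SECRET))
    print("mistyped secret :", server_accepts_for_processing(pkt, b"correct-secert"))
```

A mistyped secret, a trailing space copied into one side, or a controller not registered as an AAA client all produce the same silent discard, which is why the controller log shows a timeout while the server log shows nothing.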
