Cisco Support Community
Community Member

PEAP+Radius

This is my network setup

Cisco ACS 4.0 (RADIUS)

Aironet 1100

3rd party client adapter using WinXP

My objective is to authenticate my users (created on the ACS) via the RADIUS server. I'm not quite sure how EAP-MSCHAPv2 and EAP-GTC work. From my understanding, MSCHAP authenticates via Windows username and password. So which is my best option?

4 REPLIES
Hall of Fame Super Silver

Re: PEAP+Radius

You can go either way, the only thing is that if you want to go with Cisco PEAP (EAP-GTC) you will have to install Cisco PEAP on all wireless stations. It might be easier to just stick with EAP-MSCHAPv2. You should be able to authenticate users locally on the ACS.

-Scott
*** Please rate helpful posts ***
Community Member

Re: PEAP+Radius

You mentioned "install Cisco PEAP on all wireless stations". That means I would need Cisco client adapters on my wireless stations. Is that correct? Anyway, thanks for your reply :)

Hall of Fame Super Silver

Re: PEAP+Radius

There is a small executable that you must run on wireless client devices (that are supported) if you want to run Cisco PEAP. You can probably find it somewhere on Cisco's web site.

-Scott
*** Please rate helpful posts ***
Community Member

Re: PEAP+Radius

If you're going to use PEAP (or even say it!) then you're stuck with CHAP.

PEAP stacks a bunch of stuff onto other stuff... between client and RADIUS server (via AP) you get a protocol stack that looks like this...

EAPOL

EAP

RADIUS server asks for PEAP (Server side cert TLS)

CHAP inside TLS.

If XP is booted and user not logged on, then machine ID is exchanged in CHAP.

When user logs onto XP client, user credentials are exchanged in CHAP.

When CHAP is successful, Radius server provides encryption keys to both client and AP.

peter
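
Added example, not part of the thread or of any poster's message: a decoder for the cleartext layers of the stack listed above (EAPOL, EAP, the PEAP start flag). It shows that on the wire only the outer method is visible, while the inner method under discussion (EAP-MSCHAPv2 or EAP-GTC) travels inside the TLS tunnel. The function name `parse_eapol` and the sample frames are constructed for illustration.

```python
import struct

# EAP method numbers from the IANA EAP registry.
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 6: "GTC",
             13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "MSCHAPv2"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
TLS_BASED = {13, 21, 25}  # methods whose first data byte is a TLS flags octet


def parse_eapol(frame: bytes) -> dict:
    """Decode the cleartext layers of one EAPOL frame (no Ethernet header)."""
    if len(frame) < 4:
        raise ValueError("truncated EAPOL header")
    version, ptype, body_len = struct.unpack("!BBH", frame[:4])
    out = {"eapol_version": version, "eapol_type": ptype}
    if ptype != 0:                       # 0 = EAP-Packet; Start/Logoff carry no EAP
        return out
    eap = frame[4:4 + body_len]
    if len(eap) < 4 or len(eap) < body_len:
        raise ValueError("truncated EAP packet")
    code, ident, eap_len = struct.unpack("!BBH", eap[:4])
    if eap_len < 4 or eap_len > len(eap):
        raise ValueError("bad EAP length")
    out.update(code=EAP_CODES.get(code, code), id=ident)
    if code in (3, 4):                   # Success/Failure have no Type field
        return out
    if eap_len < 5:
        raise ValueError("Request/Response without Type")
    etype, data = eap[4], eap[5:eap_len]
    out["method"] = EAP_TYPES.get(etype, etype)
    if etype == 1:
        out["identity"] = data.decode("utf-8", "replace")
    elif etype in TLS_BASED and data:
        flags = data[0]                  # L=0x80, M=0x40, S=0x20
        out.update(length_included=bool(flags & 0x80),
                   more_fragments=bool(flags & 0x40), start=bool(flags & 0x20))
        # Everything after the flags is TLS; the inner method is not visible here.
        out["tls_bytes"] = max(0, len(data) - 1 - (4 if flags & 0x80 else 0))
    return out


# Constructed sample frames (not captured traffic).
IDENTITY = bytes.fromhex("0100000a0201000a01") + b"alice"   # EAP-Response/Identity
PEAP_START = bytes.fromhex("01000006010200061920")          # EAP-Request/PEAP, S bit
SUCCESS = bytes.fromhex("0100000403050004")                 # EAP-Success

if __name__ == "__main__":
    for f in (IDENTITY, PEAP_START, SUCCESS):
        print(parse_eapol(f))
```

The Identity response is sent before the tunnel exists, so whatever the supplicant puts there is readable by anyone in radio range.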
