Has anyone successfully implemented a PEAP wireless solution? I have PEAP authentication working with a client using Cisco ACS 3.1 and authenticating with OTP (SecurID). Everything works great, except that when the user logs in to Windows 2000 the first time after booting up the PC, they are logging in with a cached account. This is due to the fact that the Cisco interface in which you enter your username and passcode does not appear until after logging into Windows. Is there a way to authenticate the wireless network connection before logging into the Windows domain?
I was in the same situation in a project I had, and I was forced to change the equipment to one that works with the EAP standard, 802.1x. As you know, Cisco Aironet works with PEAP/LEAP, which are not fully compatible.
We ended up going with authentication through Microsoft IAS with the client-side PEAP support supplied by the Microsoft XP and 2000 supplicants. There were a few issues with password expirations that required a MS pre-SP4 hotfix and we may have found a bug in the 12-series code for APs that may be throwing bad RADIUS packets at IAS after a password change... 11.56 code appears to work beautifully though. The client PC logs in as a computer before the user's login occurs...
I am also having the same issues with PEAP not authenticating prior to domain authentication. LEAP works correctly but I was told I need the added security of the SSL tunnel (the EAP-TLS part of PEAP). If PEAP authentication cannot occur before domain authentication, is there a way to make it authenticate immediately afterwards? It seems the client sits associated to the AP and never tries to authenticate till traffic is passed. This presents a bad user experience.
I am running an AP1100 with Aironet 350 PCMCIA cards, and Secure ACS as the authentication server.