New Member

PEAP with ACS & Ap1200 and XP

I know in theory this stuff all works together, but let me ask the question.

My customer has Compaq EVO Laptops with the Compaq W200 wLAN module attached.

They have bought ACS3.1 and AP1200s, and want to run PEAP authenticating with their Windows AD environment.

Has anyone tried PEAP from a non Cisco card to AP1200/ACS 3.1 and does it work, are there any show stopping issues?

Has anyone tried the Evo Laptop/XP and W200 in particular with this environment?

I understand a Cisco patch is required for XP to make it use PEAP version 1 format and not version 0, so (if I can find it) we will use that.

Thanks for the input,

Tim

7 REPLIES
Cisco Employee

Re: PEAP with ACS & Ap1200 and XP

You can have the Microsoft PEAP supplicant or the Cisco PEAP supplicant.

If you have the Windows 2000 OS, then if you load Service Pack 3, the Microsoft PEAP supplicant is installed. On top of this, if you install ACU 5.05, the Microsoft supplicant will be overwritten by the Cisco supplicant.

In the case of XP, if you install Service Pack 1, it will install the Microsoft PEAP supplicant; if you install ACU 5.05, it will be overwritten by the Cisco PEAP supplicant.

The Microsoft PEAP supplicant sends EAP-CHAP in the EAP tunnel and Cisco supports EAP-GTC in the EAP tunnel.

With a non-Cisco card it depends on which RADIUS server and database you are running.

At present ACS 3.1 supports EAP-GTC, so it will not interoperate with the Microsoft supplicant. In a later release ACS will have support for EAP-CHAP so that you can use a 3rd party card with the Microsoft supplicant and ACS 3.2.

http://www.cisco.com/warp/public/779/smbiz/wireless/wlan_security.shtml

http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_technical_reference09186a008014626b.html

New Member

Re: PEAP with ACS & Ap1200 and XP

Great reply, thanks!

One question, what is EAP-GTC? Not one I have come across before.

Also, we are looking at using the Odyssey supplicant from Funk, which has several options - PAP, CHAP, MS-CHAP, and EAP. Are any of these supported on ACS3.1? (clearly not MS-CHAP but what about the others?)

Regards

Tim

Cisco Employee

Re: PEAP with ACS & Ap1200 and XP

Q. What is the difference between the Microsoft PEAP supplicant and the Cisco PEAP supplicant?

A. Both supplicants support PEAP, but each supports different methods of client authentication through the TLS tunnel. The Microsoft PEAP supplicant supports client authentication by only MS-CHAP Version 2, which limits user databases to those that support MS-CHAP Version 2, such as Windows NT Domains and Active Directory. The Cisco PEAP supplicant supports client authentication by OTPs and logon passwords, enabling support for OTP databases from vendors (such as RSA Security and Secure Computing Corporation) and logon password databases (such as LDAP and Novell NDS) as well as Microsoft databases. In addition, the Cisco PEAP client includes the ability to hide user name identities until the TLS encrypted tunnel is established. This provides additional confidentiality that user names are not being broadcast during the authentication phase.

http://www.cisco.com/en/US/products/hw/wireless/ps430/products_qanda_item09186a008010018c.shtml

New Member

Re: PEAP with ACS & Ap1200 and XP

Hello,

I would be interested in your results with the integration of a non Cisco 802.11b card with Cisco AP and ACS 3.1.

Are you still able to use OTPs with dynamic WEP with an ACS-definable WEP refresh period?

Did you use the MS or Cisco PEAP supplicant?

Any information would be appreciated.

Many Thanks

Abdul

New Member

Re: PEAP with ACS & Ap1200 and XP

Hi Abdul

I didn't try this myself, but a colleague did. Using a Compaq (Agere) NIC and the Funk Odyssey client that ships with Evo Laptops or buy from Funk, you can use EAP/LEAP and token cards (plus a whole lot of other stuff). Pull a 30 day eval from the Funk website. However, Odyssey doesn't work with Cisco TKIP or MIC - see the install notes in the kit.

Also, if you use Windows XP, we found if you installed the Cisco Aironet client and drivers, these overwrite the XP 802.1x supplicant and give you more options - even with a Compaq NIC!!

XP supplicant does not work with ACS3.1 - you will need 3.2 which hasn't been released yet.

Tim

New Member

Re: PEAP with ACS & Ap1200 and XP

Tim,

Thanks for that... I am going to try loading the Cisco Aironet drivers and ACU with a non-Cisco card, I will keep you posted!

Did you use the Funk Odyssey client with the Odyssey server/Steel-Belted Radius or with ACS? I don't think Funk support PEAP, as they developed TTLS along with Certicom (I think!).

You're right in that the Microsoft PEAP supplicant is not supported in ACS 3.1 today, but will be in 3.2, which is released around May time. However, the Microsoft PEAP supplicant only allows the use of MS-CHAPv2 and Active Directory authentication; there is no support for OTPs (e.g. SecurID). The only reason we waited around for PEAP was for the OTP support!!

Please keep me posted with your progress!

Abdul

New Member

Re: PEAP with ACS & Ap1200 and XP

Hi Tim, Abdul

Test with the AEGIS Client; this is a PEAP supplicant that works well with EAP-GTC.

http://www.mtghouse.com/products/index.shtml

good luck

Daniel
