
New Member

Secured WLAN for mixed, unmanaged environment.

Hello,

I'm in charge of setting up a WLAN for Macintosh and Windows computers that are not managed by the local staff. The goal is to provide access to local servers. At first we went for a WebVPN on an ASA, but it currently does not support Macs.

So I'm trying to set up username/password authentication against LDAP with some kind of Mac OS FreeRADIUS.

The WLC is configured like this:

wlan create 1 wifi-intranet.fonctionnaires wifi-intranet.fonctionnaires
wlan aaa-override enable 1
wlan radius_server auth add 1 1
wlan security static-wep-key encryption 1 104 <mode unknown> <passwd hidden> 1
wlan security wpa wpa1 enable 1
wlan security wpa wpa1 ciphers tkip enable 1
wlan enable 1

The FreeRADIUS server has a self-signed certificate; the Mac users get prompted to trust that certificate, then authenticate with LDAP credentials, and it works just fine.

The Windows computer is stuck on 'eap,request identity'. It just doesn't go any further.

It is configured as in the configuration guides for PEAP with WLC and ACS.

To summarize: authenticate Windows computers with an LDAP username/password, with no supplicant other than the one provided with XP SP1.

The RADIUS server is a Mac product named Elektron.

The WLAN runs on a WLC4402 with 1130 APs.

3 REPLIES
New Member

Re: Secured WLAN for mixed, unmanaged environment.

The issue is that the Windows PEAP supplicant uses MS-CHAPv2, which does an NT hash on the password before it sends it to the AAA server. Your LDAP would need to store NT hashes of the password, or you need to point the AAA to an AD to auth Windows users.

New Member

Re: Secured WLAN for mixed, unmanaged environment.

Hi, thanks for your attention.

I made some progress today by removing some machine-authentication registry keys (authmode = 2, supplicantmode = 3) that seemed to prevent me from using PEAP.

It works fine now. The problem is, as I said, that the Windows computers are not managed; the users just have an LDAP username.

Now, which is the lowest version of Windows to support PEAP?

Is it XP SP1 or SP2?

Bronze

Re: Secured WLAN for mixed, unmanaged environment.

Yes, XP SP1 will support PEAP. PEAP has been around since 2002 and it just barely made the cut for SP1.

However, keep in mind that SP2 is required if you want to run PEAP with WPA, since WPA didn't come out until 2003.
