I recently implemented Cisco Aironet Wireless in my office. EAP is the industry standard authentication protocol. LEAP is Cisco's proprietary protocol for 802.1x. 802.1x authentication has been included in the XP OS to tie in with Radius. As you are using 2000 then yes, you will need the ACS as the authentication gateway to your AD. When the access point is setup you enter a WEP key. From this key dynamic user sessions are set up for the clients (different every time they log in and therefore more secure than static keys). You can set the ACS to authenticate against your 2000 AD and won't have to set up a separate DB on the ACS.
Setup ACS and configure to authenticate against external DB (2000 AD)
Set up access point and set authentication to the ACS with network EAP enabled.
Even with LEAPs dynamic WEP keys, you still need to configure WEP key 1 on the AP. This key is used for all broadcast and multicast traffic, which needs to be understood by all clients on the WLAN. This key does not need to be configured on the clients as it is passed to the clients over the secure channel established after their session key has been negotiated.
I've also recently implemented wireless client access using AP340's and ACS authenticating our SAM. Bobby: one thing you may need to do if you wish to restrict access (not sure if this applies to 2K) is create CiscoSecure groups and map those groups to NT groups. One additional security measure I'm using is VMPS/dynamic vlan membership on our switched network. I configured a separate vlan and DHCP scope on my network for wireless devices. I then configured lease reservations for the MAC addresses of my APs and WNICs, and added those same MAC addresses to the VMPS database, associating them with my Wireless_VLAN. I configured the VMPS database for no fallback vlan, so if the MAC isn't recognized it gets a connection denied response.
For successful authentication and receipt of a DHCP-assigned IP address, a wireless client must meet the following criteria:
1. LEAP and WEP Key 1 configuration must be correct on client.
2. Client's account must be a member of the NT local group that has been mapped to a CiscoSecure group (again, may not apply to Win2K).
3. Client's MAC address must be stored in VMPS database to receive an IP address.
One additional step you may want to consider is setting the WEP reauthentication timeout to a value less than the amount of time it would take to transmit enough packets for someone with a wireless sniffer to build your WEP key. A little confusing. Check out http://www.cisco.com/warp/public/cc/pd/witc/ao350ap/prodlit/1515_pp.htm for a better explanation.
Don't be fooled into thinking you NEED Cisco's ACS to tie your clients into a Radius server, that backends into a Windows Domain ....
Not that I am suggesting the use of Microsoft's IAS (Internet Authentication Server "Radius"), but it does support several flavors of EAP as mentioned by the 802.11x spec and barring the lack of acceptable documentation, it is a good solution.
Since the initial authentication is in clear text, it is possible to view the NT Domain username in cleartext.
When the password is transmitted (remember that we don't have a WEP session key yet) a hash is created using the challenge and the NT password, how does CiscoSecure ACS then proxy authenticate the user to the Domain if it is not possible to decrypt the packets?
In this scenario (ACS with domain authentication) does LEAP transmit the username and password in cleartext ?
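An added example, not part of any post in this thread, that models the exchange the question above asks about. It stands in SHA-256/HMAC for the NT hash and DES-based response of real LEAP/MS-CHAP (so it is not the real algorithm), but it keeps the property that matters: the client sends its username in the clear plus a response computed from its password hash and the AP's challenge, and the authentication server verifies that response using only the hash it already holds for the account (what ACS obtains by authenticating against the domain), without decrypting anything. The account name, password and challenge are constructed sample values.

```python
"""Simplified model of a LEAP-style challenge/response login (added example).

NOT the real LEAP/MS-CHAP algorithm: real LEAP derives the response from the
NT hash (MD4 of the UTF-16LE password) with DES. This stand-in uses
SHA-256/HMAC but preserves the point under discussion: the password itself
is never transmitted, and the server needs only the stored hash to verify.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


def password_hash(password: str) -> bytes:
    """Stand-in for the NT hash: a hash of the UTF-16LE password (assumption)."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


# Constructed "domain" directory: username -> stored password hash.
# A real deployment holds these in AD/SAM; ACS queries the domain for them.
DOMAIN_DB: Dict[str, bytes] = {
    "bobby": password_hash("correct horse"),  # constructed sample account
}


@dataclass
class CapturedFrame:
    """What a passive observer on the air sees before any WEP session key exists."""
    username: str      # sent in the clear by the client
    challenge: bytes   # sent in the clear by the AP
    response: bytes    # sent in the clear by the client


def client_response(challenge: bytes, password: str) -> bytes:
    """Client side: derive the response from the password hash and the challenge."""
    return hmac.new(password_hash(password), challenge, hashlib.sha256).digest()


def server_verify(frame: CapturedFrame, db: Dict[str, bytes]) -> bool:
    """ACS/domain side: recompute the expected response from the *stored hash* only.

    Nothing is decrypted, so the verifier never needs the cleartext password.
    """
    stored = db.get(frame.username)
    if stored is None:
        return False
    expected = hmac.new(stored, frame.challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, frame.response)


def run_exchange(username: str, password: str,
                 db: Optional[Dict[str, bytes]] = None,
                 challenge: Optional[bytes] = None) -> Tuple[bool, CapturedFrame]:
    """Simulate AP challenge -> client response -> ACS verification.

    Returns (accepted, the frame as it would appear on the air).
    """
    db = DOMAIN_DB if db is None else db
    challenge = challenge or os.urandom(8)  # real LEAP also uses an 8-byte challenge
    frame = CapturedFrame(username, challenge, client_response(challenge, password))
    return server_verify(frame, db), frame


def password_on_the_air(frame: CapturedFrame, password: str) -> bool:
    """True if the cleartext password (ASCII or UTF-16LE) appears anywhere in the frame."""
    blob = frame.username.encode() + frame.challenge + frame.response
    return password.encode() in blob or password.encode("utf-16-le") in blob


if __name__ == "__main__":
    accepted, seen = run_exchange("bobby", "correct horse")
    print("accepted:", accepted,
          "| username visible on the air:", seen.username,
          "| password visible on the air:", password_on_the_air(seen, "correct horse"))
```

Run as a script it reports that the login is accepted, that the username is readable in the captured frame, and that the password is not. That is the answer to the question in the thread: the server is not decrypting anything; it compares the client's response against one it computes itself from the hash the domain already stores.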