WDS and Microsoft IAS authentication

Hi all,

I have a WiFi environment with a WDS AP (local RADIUS) and about 10 infrastructure APs. The WDS does LEAP authentication/fast roaming for the 7921G phones.

Now I have to build up a new SSID/VLAN with 802.1x/PEAP/MS-CHAP V2 (on IAS) authentication.

Unfortunately, each infrastructure AP can authenticate the client only when wlccp is deactivated.

Is there a way to use the WDS/LEAP as a local RADIUS and send infrastructure authentications to it, but still send user authentications to the IAS?

The 7921G can't be authenticated on the IAS (security issue).

Thanks,

Norbert

5 REPLIES

Re: WDS and Microsoft IAS authentication

Hi Norbert,

WDS certainly does support PEAP-MSCHAPv2, so I'd suggest it's just a case of troubleshooting the setup until you get it all working. A few references you may find useful...

http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801c951f.shtml

http://supportwiki.cisco.com/ViewWiki/index.php/Special:Search?ns0=1&ns100=1&ns102=1&ns106=1&search=peap+wds&searchx=Search

Re: WDS and Microsoft IAS authentication

Hi,

Thanks for the reply. I've found the "hint".

On the WDS-AP (IAS is 192.168.1.3):
-----------------------------------
aaa group server radius GRP-DOT1x
 server 192.168.1.3 auth-port 1645 acct-port 1646
aaa authentication login method_GRP-DOT1x group GRP-DOT1x
radius-server host 192.168.1.3 auth-port 1645 acct-port 1646 key 7 00xxxxx
wlccp authentication-server client eap method_GRP-DOT1x
 ssid vlanfordot1x

On the infrastructure AP:
-------------------------
aaa group server radius GRP-DOT1x
 server 192.168.1.3 auth-port 1645 acct-port 1646
aaa authentication login method_GRP-DOT1x group GRP-DOT1x
radius-server host 192.168.1.3 auth-port 1645 acct-port 1646 key 7 00xxxxx
dot11 ssid vlanfordot1x
 vlan 10
 authentication open eap method_GRP-DOT1x
 authentication network-eap method_GRP-DOT1x
interface Dot11Radio0
 ssid vlanfordot1x
 encryption vlan 10 mode wep mandatory
wlccp authentication-server client eap method_GRP-DOT1x
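
Added example, not part of the original posts: a small Python check that every method list referenced by `wlccp authentication-server client` or by an SSID's `authentication` lines resolves through `aaa authentication login` to a server group and on to a `radius-server host`. The function name `check_eap_chain` is hypothetical, the sample input is constructed from the WDS-AP lines above, and matching a group member to a host line on address and both ports is an assumption of this check.

```python
import re

GROUP = re.compile(r"aaa group server radius (\S+)$")
MEMBER = re.compile(r"server (\S+) auth-port (\d+) acct-port (\d+)$")
METHOD = re.compile(r"aaa authentication login (\S+) group (\S+)$")
HOST = re.compile(r"radius-server host (\S+) auth-port (\d+) acct-port (\d+)\b")
USES = re.compile(r"(?:wlccp authentication-server client \S+"
                  r"|authentication (?:open eap|network-eap)) (\S+)$")

def check_eap_chain(config):
    """Return the broken links between EAP method-list users and RADIUS hosts."""
    groups, methods, hosts, used, current = {}, {}, set(), set(), None
    for line in (raw.strip() for raw in config.splitlines()):
        if m := GROUP.match(line):
            current = m.group(1)          # start reading this group's members
            groups[current] = []
        elif current and (m := MEMBER.match(line)):
            groups[current].append(m.groups())
        elif line:                        # any other command ends the group
            current = None
            if m := METHOD.match(line):
                methods[m.group(1)] = m.group(2)
            elif m := HOST.match(line):
                hosts.add(m.groups())
            elif m := USES.match(line):
                used.add(m.group(1))
    problems = []
    for name in sorted(used):
        group = methods.get(name)
        if group is None:
            problems.append(f"method list {name} is referenced but not defined")
        elif group not in groups:
            problems.append(f"method list {name} points to undefined group {group}")
        else:  # assumption: a member must match a host line on IP and both ports
            problems += [f"group {group}: server {s[0]}:{s[1]} has no matching radius-server host"
                         for s in groups[group] if s not in hosts]
    return problems

# Constructed sample: the WDS-AP lines from the post, and a copy with mismatched ports.
WDS_OK = """
aaa group server radius GRP-DOT1x
 server 192.168.1.3 auth-port 1645 acct-port 1646
aaa authentication login method_GRP-DOT1x group GRP-DOT1x
radius-server host 192.168.1.3 auth-port 1645 acct-port 1646 key 7 00xxxxx
wlccp authentication-server client eap method_GRP-DOT1x
 ssid vlanfordot1x
"""
PORT_MISMATCH = WDS_OK.replace("auth-port 1645 acct-port 1646", "auth-port 1812 acct-port 1813", 1)
print(check_eap_chain(WDS_OK), check_eap_chain(PORT_MISMATCH))
```

An empty list means every referenced method list resolves to a defined RADIUS host; each string names the first broken link in one chain.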

Re: WDS and Microsoft IAS authentication

Hi, I have found this

Note By default, the access point sends reauthentication requests to the authentication server with the service-type attribute set to authenticate-only. However, some Microsoft IAS servers do not support the authenticate-only service-type attribute. Changing the service-type attribute to login-only ensures that Microsoft IAS servers recognize reauthentication requests from the access point. Use the dot11 aaa authentication attributes service-type login-only global configuration command to set the service-type attribute in reauthentication requests to login-on

http://www.cisco.com/en/US/docs/wireless/access_point/12.4_3g_JA/configuration/guide/s43auth.html

Re: WDS and Microsoft IAS authentication

Nice! 5 points.

Re: WDS and Microsoft IAS authentication

I use:

interface Dot11Radio0
 no ip address
 ip access-group 100 in
 no ip route-cache
 !
 encryption mode ciphers tkip
 !
 encryption vlan 210 mode ciphers aes-ccm  (important feature)

Will it work if I config WDS with IAS as I can see above?
