I am trying to get XP w/350 card communicating to an AP350 and Cisco ACS (for authentication) using EAP but I am not successful.
Any hints on what I need to use EAP on XP with this setup? I have a Win98 client working fine (w/LEAP).
Must one have a Microsoft RADIUS server for XP EAP support?
If so, how do I use ACS with the RADIUS server?
Thanks for any suggestions.
W2K as far as i know is the only EAP enabled server out there. I would suggest an incremental approach. Can you get on the network with no autherntication? You should be able to. I have a client running without eap who is able to authenticate to a radius server - running XP on laptops - Aironet 340. If you are only having a problem with EAP then maybe the security module is not being installed. Try uninstalling the client sware, and re-installing make sure you have eap enabled as an authentication option. I would also check Cisco for an updated version of the client utility. I don't remember XP as bieng one of the listed sware platforms.
Windows XP supports EAP-TLS. The following should help you set it up to use LEAP as an alternative.
Make sure that you install Aironet the ACU, and make sure that the option to enable the LEAP functionality is selected during the install.
The other issue with XP is that by default it is set to control the wireless network. You will have to go into the properties of the Aironet adapter and make sure that you tell it not to have windows control the wireless network....this should allow you to make the settings in the ACU.
I recently implemented the LEAP solution using AP340's, ACS 6.2(3), and Cisco wireless NICs. What kind of problems are you having with EAP on the client? You simply can't get authenticated?
You don't need a Microsoft RADIUS server, ACS has RADIUS built-in. I'm going to reference a Cisco doc that has very concise AP, ACS, and client configuration instructions. http://www.cisco.com/warp/public/cc/pd/witc/ao350ap/prodlit/salep_an.htm
Hope this helps. Good luck!
I'm running into the same problem that you are describing, and I can't find any documentation at all for configuring EAP (not LEAP) with a 350 card and XP. I am using Funk's Steel Belted RADIUS for our central authentication vs. ACS.
I have tried every combination of the XP wireless settings as I can think of when selecting EAP in the Cisco client utility, and still no go. I've tried letting XP handle the wireless settings, and I've tried unchecking that option to let the Cisco client utility handle the wireless settings...still nothing. With EAP, I don't get an EAP logon box upon bootup either, but that may be something behind the scenes since EAP is really within the XP O/S vs. the Cisco software. When I switch back to LEAP, I get authenticated just fine and my login box pops up before any other GINA login. Cisco doesn't seem to have any documentation yet for XP anyhow, especially concerning EAP vs. LEAP. I'm hoping to get EAP to work because we may have some XP laptops running another vendor's wireless NIC (that won't run LEAP obviously). Definitely post any info. you can find out, and I'll do the same.
Thanks a lot!
I don't now if this link will help, but here it is anyways.
This is a link to an artical that talks about problems with 802.11b and Win XP
Well I'm not exactly sure if this will help you any, but I will tell you what I've found..
I have looked at both LEAP and EAP-TLS (win XP) for authentication schemes and each has their advantages as I'm sure you already know. I ended up using LEAP instead of waiting for the new service pack to Win2K that offers EAP-TLS (I hear they are working on it though).
I'm pretty sure you need to use a Microsoft RADIUS server for EAP-TLS authentication. I don't think you can configure Funk's Steel Belted to work with it. You can use Funk RADIUS for LEAP authentication though, which is what we are doing.
Now we are now trying to integrate SecureID logins to LEAP via Funk RADIUS and can't seem to get it working or find any documentation on it, so if anyone has any incite please pass it on.
I finally did get XP's EAP to work with Funk's SBR last week with SBR v3.0 only, and only using the native SBR user database (vs. an NT or SQL Server user database). If anyone is interested, it's a very simple setting in the eap.ini file under the SBR service directory. Funk's RADIUS will allow you to use either LEAP only, EAP only, are you can put in a primary and secondary authentication order. If you choose the latter configuration, you have to be careful how you set it up if you're using clients other than XP (which is virtually all of us). You'll want to select LEAP as the primary and EAP MD-5 Challenge as the secondary. This is because XP (as far as I know) is the only client O/S that is capable of retrying the second authentication method if the first one fails. So, if your XP client is using EAP with MD-5 challenge, and Funk's SBR is configured to try LEAP first then EAP MD5, XP will resend it's authentication request after failing the LEAP authentication, and the SBR server will then be expecting the EAP MD-5 format from that client.
Now I'm back to a gina problem with XP. When using EAP, I can't get the Microsoft EAP login screen to come up before my other gina's (such as Novell). This, of course, bombs out the Novell and NT domain login, forces me to login locally and then click the friendly dialog box that says "click here to logon to the wireless network". I can't seem to find what I'm looking for in the registry similar to the LEAP gina problem with XP that others have been posting. Any help on how to get that dialog box up first would be greatly appreciated. Thanks again!
I agree that if using EAP, it will be more troublesome as the logon portion is not integrated into a 1-step thing like in the case of Cisco's LEAP. Which then brings us to another problem, i.e how can you do a network logon if EAP login comes only after the local login??
I verified that at this moment it is not possible to use OTP(One Time Password)of the SecureID with LEAP protocol 'couse this kind of authentication uses a One Way process while link between AP and NICs is Two-way kind: client is autenticated by AP --> and viceversa <--- .
This is not a Cisco secure bug, instead a security policy for wireless to block a "stranger" AP.
I contact RSA (secure-id manifacture) and Cisco italia, both told me they are going to develope a new protocol (PEAP) to solve the problem.
Hope this will help to understand.
I have for the most part the same setup with Cisco ACS 3.0 and I cannot make the XP client authenticate using MD-5 or EAP-TLS? Has anyone made ACS 3.0 work with XP yet and if so how??
yes i just configured 2 xp clients and they work fine.
I'm using Cisco Secure 3.0 and LEAP authentication
Only one strange note one of the two client has the red cross on the wireless connection icon in system try but it works any way, no trouble instead on the other
DON'T ask me why ....... MS=mistery systems :-)