I am tasked with trying to implement wireless for a client using wpa2-enterprise tied in with Microsoft IAS. Everything I am reading so far points me to the requirement for using certificates. A lot of these computers will either be running out of the domain (kind of like guests) and will be a mix of operating systems. So to keep administration of end user computers down, I was trying to find a solution that either does not use certificates or only requires me to do something with the certificate on the head end (IAS). Is this possible?
Well, any WPA-Enterprise setup is going to require some client configuration. However, that doesn't have to mean certificate installation.
If you use PEAP as your EAP method, a certificate is required on the RADIUS server, but client-side certificates are not required.
There is another wrinkle, though. You could use a self-signed certificate on the IAS, but your clients have no way to recognize it unless you manually install that certificate on each client. So you would have to disable the client setting for "validate the server certificate". This opens you to MITM attacks: bad idea.
The way to forestall this issue is to purchase a commercial certificate for your RADIUS server (Verisign or whoever) for which your clients already have the appropriate root CA certificate installed.
Well, there's the root certificate issue I mentioned above. Also, there are issues with using PEAP to authenticate against an LDAP where passwords are not hashed. However, assuming you're authenticating against an AD that's a non-issue.
Other than that, PEAP is very easy to work with. I've deployed it at multiple sites and in general it "just works".
Since you have a diverse group of user types, it doesn't look like you'll be able to enforce machine authentication. This means that someone with valid logon credentials can connect any WPA2/PEAP-capable machine to your wireless network. That behavior appears to be what you want, but I thought I'd mention it (even an iPhone will do PEAP!).
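To make the "validate the server certificate" point above concrete, here is an added client-side illustration that is not part of the original thread: two wpa_supplicant network blocks for a PEAP/MSCHAPv2 SSID, one with server validation disabled (the MITM-prone setting the answer warns against) and one that pins the RADIUS server's certificate to a trusted CA bundle and an expected hostname. The SSID WIFISEC comes from the thread; the RADIUS hostname, the CA bundle path and the credentials are placeholders you would replace with your own values.

```conf
# Added example, not from the original thread.
# Both blocks target the WIFISEC SSID mentioned later in the thread.

# --- WEAK: no CA and no hostname check ------------------------------
# With no ca_cert set, wpa_supplicant accepts any certificate the
# RADIUS side presents.  This is the Linux equivalent of unticking
# "validate the server certificate" on Windows: a rogue AP with its
# own RADIUS can harvest the MSCHAPv2 exchange.
network={
    ssid="WIFISEC"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="DOMAIN\\jdoe"          # placeholder account
    password="REPLACE_ME"            # placeholder
    phase2="auth=MSCHAPV2"
    # ca_cert intentionally absent -> server identity is never checked
}

# --- HARDENED: validate the server certificate -----------------------
# ca_cert points at the system trust store that already carries the
# commercial root CA (e.g. GoDaddy, as in the poster's setup), so no
# per-client certificate install is needed.  domain_match requires the
# server certificate's subject/SAN to name the RADIUS host exactly,
# which stops a certificate from the same public CA but a different
# host from being accepted.
network={
    ssid="WIFISEC"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="DOMAIN\\jdoe"          # placeholder account
    password="REPLACE_ME"            # placeholder
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/ca-certificates.crt"   # assumed bundle path
    domain_match="radius.example.com"              # assumed RADIUS hostname
}
```

The Windows equivalent is the "Validate server certificate" tick box together with "Connect to these servers" and the selected trusted root CA in the PEAP properties; whichever platform, the check only protects you if both the CA and the expected server name are enforced.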
Ok. I tried doing this on my own plus the help of Google but I am not getting it to work. Below is the configuration of one of the access points, and a basic description of how I have IAS setup.
The SSID in question is WIFISEC.
I started IAS and added the host as a RADIUS client. Then created a new wireless policy, added in a Certificate that was purchased for the IAS server from GoDaddy. Added in Domain Users so they can authenticate and then changed the encryption to 128bit only.
I thought this would have been simple but I guess I was wrong. The logs on the RADIUS server say I'm not even attempting authentication, but on the server under "System Logs" I can see things happening but auth is failing. On the AP, it just tells me that auth failed.