Cisco Support Community

New Member

WPA2-Enterprise w/ IAS - Easy deployment?

I am tasked with trying to implement wireless for a client using WPA2-Enterprise tied in with Microsoft IAS. Everything I am reading so far points me to the requirement for using certificates. A lot of these computers will be running out of the domain (kind of like guests) and will be a mix of operating systems. So to keep administration of end user computers down, I was trying to find a solution that either does not use certificates or only requires me to do something with the certificate on the head end (IAS). Is this possible?


Re: WPA2-Enterprise w/ IAS - Easy deployment?

Well, any WPA-Enterprise setup is going to require some client configuration. However, that doesn't have to mean certificate installation.

If you use PEAP as your EAP method, a certificate is required on the RADIUS server, but client-side certificates are not required.

There is another wrinkle, though. You could use a self-signed certificate on the IAS, but your clients have no way to recognize it unless you manually install that certificate on each client. So you would have to disable the client setting for "validate the server certificate". This opens you to MITM attacks: bad idea.

The way to forestall this issue is to purchase a commercial certificate for your RADIUS server (Verisign or whoever) for which your clients already have the appropriate root CA certificate installed.
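An added example, not part of the original thread and not written by any of the posters: a defender-side audit of the "validate the server certificate" setting discussed in the reply above. It assumes Windows clients whose WLAN profile has been exported (for example with `netsh wlan export profile`); the function name `audit_peap_profile` and the sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the EAP portion of a Windows WLAN profile, trimmed to the
# PEAP settings that matter here. It is not taken from the thread.
SAMPLE_PROFILE = """<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
  <Config>
    <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
      <Type>25</Type>
      <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
        <ServerValidation>
          <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
          <ServerNames></ServerNames>
        </ServerValidation>
        <PeapExtensions>
          <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">false</PerformServerValidation>
        </PeapExtensions>
      </EapType>
    </Eap>
  </Config>
</EapHostConfig>"""


def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def audit_peap_profile(xml_text):
    """Return a list of findings for the PEAP server-validation settings."""
    values = {}
    for el in ET.fromstring(xml_text).iter():
        values.setdefault(_local(el.tag), []).append((el.text or "").strip())
    if "25" not in values.get("Type", []):  # 25 is the EAP type number for PEAP
        return ["profile does not use PEAP (EAP type 25)"]
    findings = []
    perform = [v.lower() for v in values.get("PerformServerValidation", [])]
    if "ServerValidation" not in values or "false" in perform:
        findings.append("server certificate validation is disabled")
    if not any(values.get("TrustedRootCA", [])):
        findings.append("no TrustedRootCA selected")
    if not any(values.get("ServerNames", [])):
        findings.append("no ServerNames restriction on the RADIUS server name")
    return findings


if __name__ == "__main__":
    for finding in audit_peap_profile(SAMPLE_PROFILE):
        print("FINDING:", finding)
```

An empty result means the profile validates the server certificate against a selected root and a named server; any finding marks a client that should be reconfigured before it joins the SSID.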

New Member

Re: WPA2-Enterprise w/ IAS - Easy deployment?

Thank you. That's exactly what I needed to know. PEAP looks like my answer for now. Any drawbacks to using this method?


Re: WPA2-Enterprise w/ IAS - Easy deployment?

Well, there's the root certificate issue I mentioned above. Also, there are issues with using PEAP to authenticate against an LDAP where passwords are not hashed. However, assuming you're authenticating against an AD, that's a non-issue.

Other than that, PEAP is very easy to work with. I've deployed it at multiple sites and in general it "just works".

Re: WPA2-Enterprise w/ IAS - Easy deployment?

Since you have a diverse group of user types, it doesn't look like you'll be able to enforce machine authentication. This means that someone with valid logon credentials can connect any WPA2/PEAP-capable machine to your wireless network. That behavior appears to be what you want, but I thought I'd mention it (even an iPhone will do PEAP!).

New Member

Re: WPA2-Enterprise w/ IAS - Easy deployment?

Ok. I tried doing this on my own, plus the help of Google, but I am not getting it to work. Below is the configuration of one of the access points, and a basic description of how I have IAS set up.

The SSID in question is WIFISEC

I started IAS and added the host as a RADIUS client. Then created a new wireless policy, added in a certificate that was purchased for the IAS server from GoDaddy. Added in Domain Users so they can authenticate and then changed the encryption to 128-bit only.

I thought this would have been simple but I guess I was wrong. The logs on the RADIUS server say I'm not even attempting authentication, but on the server under "System Logs" I can see things happening but auth is failing. On the AP, it just tells me that auth failed.

Please help :)
