PEAP MSCHAP V2 using WLC and ACS configuration example
In this video we are going to configure the WLC for PEAP MSCHAPv2 username/password authentication using Cisco ACS and WLC.
Hope this video was helpful, and please feel free to drop in a comment and I will be more than happy to assist you!
Great Information Surendra. Thanks again.
Community Manager - Wireless
Thanks Surendra. Can you comment on adding machine authentication to the ACS configuration? We occasionally run into an issue where we have to plug clients into the wired network to re-establish their machine account password, and are curious whether there is any ACS feature to troubleshoot or facilitate machine password renewal. Thanks for your forum support!
Thanks a lot bjohnson!! Sure, I will help you out with that.
So this is local authentication against ACS, rather than to ACS then LDAP?
Yes, we are using the UN/PW on the ACS, not on the LDAP. I am planning to come up with the integration of the LDAP as well, along with the machine auth!!
When will that be tentatively?
Don't you need to enroll ACS to CA and install CA root cert on wireless client?
Instead of using a local user account on ACS, can we use dynamically mapped groups (AD) on ACS? If yes, will the user have to type the username and password again, or will it automatically connect to the SSID?
Also, most of the PEAP documentation available on the net mentions that we need a CA server or self-signed certificates for a PEAP implementation. Can this CA server be installed on any member server, or does it have to be installed on the DC?
You can dynamically map AD groups on the ACS, and this is done in the External User Database menu. The ACS forwards the authentication requests to AD, which authenticates the client. Also, it is advisable to have a CA server and not use a self-signed certificate. The CA will be registered to the DC. A simple explanation of PKI is that all devices on the domain will have to trust each other through the certificates. Hence the AD will trust the ACS, which will also trust the wireless client after it has downloaded the certificate. After you have the trust relationship working, I would recommend that you implement auto renewal, so that when a cert is about to expire, the wireless client is automatically issued a new cert.
Thanks for replying. As per the video, we can implement PEAP with MSCHAPv2 without implementing any PKI; if yes, then I will proceed with implementing PEAP without the use of certificates. Another thing I want to know is whether users will get logged in to wireless automatically after logging into the computer, or do they have to enter AD credentials again?
I have not looked at the video; however, PEAP is built on the 802.1X framework, which I believe requires certificates in a domain environment. Regarding authentication, as long as in the wireless properties on the client you have set it to automatically use the Windows logon, then there would not be any double authentication.
For using PEAP with MS-CHAPv2 you will need a certificate on your RADIUS server, but not on your clients.
Using a certificate that is not known (trusted) by your clients is possible, but of course you reduce your level of security by that - actually it's like skipping the certificate request in your web browser when opening a https page with an unknown cert ...
This is exactly what I understand: that for PEAP MSCHAPv2 you need a certificate on your RADIUS server, either self-signed or from a CA server. The video in that case could be a bit misleading, as Surendra did not talk at all about certificates. Regardless of that, I guess in that case I will have to install and configure a CA server on one of our member servers; hope I don't have to do it on the DC, as the system guys will not allow me to do so. They are quite hesitant to do anything on the DC.
If you install your CA server AD-integrated, you have the advantage that your root cert will be distributed automatically to all your AD members, which I would highly recommend! Please note that you also should think about installing your CA on a Windows 2003/2008 Enterprise server (instead of a Windows Standard edition machine), because that will later give you the opportunity to allow certificate autoenrollment for your clients if you want to change to EAP-TLS.
Anyway, if you can't install a CA in your AD, you can also create a certificate using OpenSSL on any machine - but, again, certificate validation will be quite difficult then.
We have Enterprise edition servers which have been assigned to our network team, so I will use one of these for installing and configuring the CA. The only major concern I had was whether this CA service has to be installed on the DC or whether I can install it on any member server. I feel I should be able to install it on any member server; what's your opinion?
I'm pretty sure it's even recommended not to install it on a DC!
But it definitely doesn't need to be there.
Thanks a ton Stefan, appreciate your help.
Auto enrollment is not only for EAP TLS. With PEAP, the clients also receive certificates and you set a group policy for clients to automatically receive a new Cert once the old one is due to expire. Also no matter which server hosts the CA, the PDC or whatever server hosts the container of machine credentials and user credentials must have a copy of the Cert to establish the trust relationship.
Sorry for maybe being a bit inaccurate.
PEAP itself comes in many flavors; one of them is PEAP-MSCHAPv2. Using that, there is no need for client certificates. But you could also use EAP-TLS as the inner authentication in a PEAP tunnel, and then of course you need client certificates as well.
Again, since this video is about PEAP-MSCHAPv2, there is no need to have a certificate for all your clients; but you should tell your clients about your root and maybe even your intermediate CA so they can trust your RADIUS server's cert.
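The trust rule discussed in the replies above (a certificate on the RADIUS server only, and clients that know the root CA), shown with a lab PKI built with OpenSSL as suggested earlier in the thread. This is an added example, not from the video or from Cisco; the CA and server names (lab-root-ca, other-root-ca, radius.lab.example) are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: a lab PKI built with OpenSSL to show
# the PEAP-MSCHAPv2 trust rule. Only the RADIUS server gets a certificate;
# the client needs nothing but the root CA that issued it.
# Names (lab-root-ca, other-root-ca, radius.lab.example) are placeholders.
set -e
WORK="${WORK:-$(mktemp -d)}"

# Build our root CA, a second unrelated CA, and the RADIUS server certificate.
make_lab_pki() {
    for ca in lab-root-ca other-root-ca; do
        # self-signed root; req -x509 marks it CA:TRUE via the default config
        openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=$ca" \
            -keyout "$WORK/$ca.key" -out "$WORK/$ca.pem" 2>/dev/null
    done
    # RADIUS server key and certificate request
    openssl req -newkey rsa:2048 -nodes -subj "/CN=radius.lab.example" \
        -keyout "$WORK/radius.key" -out "$WORK/radius.csr" 2>/dev/null
    # Server-auth EKU and a DNS SAN: Windows supplicants require the EKU on
    # the EAP server certificate, and the SAN lets clients check the name.
    printf 'extendedKeyUsage=serverAuth\nsubjectAltName=DNS:radius.lab.example\n' \
        > "$WORK/radius.ext"
    openssl x509 -req -in "$WORK/radius.csr" -CA "$WORK/lab-root-ca.pem" \
        -CAkey "$WORK/lab-root-ca.key" -CAcreateserial -days 825 \
        -extfile "$WORK/radius.ext" -out "$WORK/radius.pem" 2>/dev/null
}

# What a supplicant does when the PEAP tunnel is set up: validate the server
# certificate against the roots it has been told about. Returns 0 if trusted.
client_trusts_radius() {   # $1 = the root CA file installed on the client
    openssl verify -no-CApath -CAfile "$1" "$WORK/radius.pem" >/dev/null 2>&1
}

make_lab_pki
if client_trusts_radius "$WORK/lab-root-ca.pem"; then
    echo "client with our root CA installed: RADIUS cert trusted"
fi
if ! client_trusts_radius "$WORK/other-root-ca.pem"; then
    echo "client without our root CA: RADIUS cert rejected (the unknown-cert case)"
fi
```

The second case is what a client sees when the RADIUS certificate is not chained to a CA it knows; skipping that check on the client is what the earlier reply compares to ignoring a browser certificate warning.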