https://community.cisco.com/t5/wireless/best-authentication-method-for-controlling-access-to-wlan/m-p/2270676#M12220 <HTML><HEAD></HEAD><BODY><P>It can be addressed with IAS and NPS if we have the right chain installed.</P><P></P><P></P><P>Jatin Katyal <BR /> <BR /> <BR />- Do rate helpful posts -</P></BODY></HTML> Mon, 06 May 2013 20:17:46 GMT Jatin Katyal 2013-05-06T20:17:46Z https://community.cisco.com/t5/wireless/best-authentication-method-for-controlling-access-to-wlan/m-p/2270665#M12209 <P>What is the best method for controlling access to a wlan with a 5508 wlan controller</P><P></P><P>The requirments are </P><P></P><P>-Needs to support all types of clients (Mac, PC, smartphones, tablets)</P><P>-Clients need to be able to connect easily and without errors or installing certs or wireless profiles etc..</P><P>-Secure</P><P></P><P>This doesn't seem like alot to ask but I keep running into problems. </P><P></P><P>What are people using?</P><P></P><P></P><P>Thanks</P> Sun, 04 Jul 2021 07:00:48 GMT https://community.cisco.com/t5/wireless/best-authentication-method-for-controlling-access-to-wlan/m-p/2270665#M12209 johnfplut 2021-07-04T07:00:48Z https://community.cisco.com/t5/wireless/best-authentication-method-for-controlling-access-to-wlan/m-p/2270666#M12210 <HTML><HEAD></HEAD><BODY><P>Well, this is easier than you would think actually.</P><P></P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">-Needs to support all types of clients (Mac, PC, smartphones, tablets)&nbsp; --- Limits you to PEAP and EAP-TLS all devices should support these EAP types</P><P></P><P></P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">-Clients need to be able to connect easily and without errors or installing certs or wireless profiles etc..&nbsp; -- This removes TLS as you do not want to deal with certificates, and leaves you with PEAP.&nbsp; Now the user will still have to create a profile but that only takes a minute or so.</P><P></P><P></P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">-Secure&nbsp; -- PEAP is secure if you are using the right type of encryption as well, I would recommend WPA2/AES.&nbsp; And it since it's EAP the user just needs to have valid domain credentials.</P><P></P><P></P><P></P><P></P><P>HTH, <BR />Steve <BR /> <BR />------------------------------------------------------------------------------------------------ <BR />Please remember to rate useful posts, and mark questions as answered</P></BODY></HTML> Wed, 01 May 2013 18:50:35 GMT https://community.cisco.com/t5/wireless/best-authentication-method-for-controlling-access-to-wlan/m-p/2270666#M12210 Stephen Rodriguez 2013-05-01T18:50:35Z https://community.cisco.com/t5/wireless/best-authentication-method-for-controlling-access-to-wlan/m-p/2270667#M12211 <HTML><HEAD></HEAD><BODY><P>I agree with stephen. Peap Mschapv2 suits your requirements.</P><P> This would help you while implementing PEAP with ACS 5 in your enviornment.</P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/products/ps10315/products_configuration_example09186a0080b4cdb9.shtml">http://www.cisco.com/en/US/products/ps10315/products_configuration_example09186a0080b4cdb9.shtml</A></P><P></P><P>Let me know if you have some other radius server and you need help on it.</P><P></P><P></P><P>Jatin Katyal <BR />- Do rate helpful posts -</P></BODY></HTML> Wed, 01 May 2013 19:47:09 GMT https://community.cisco.com/t5/wireless/best-authentication-method-for-controlling-access-to-wlan/m-p/2270667#M12211 Jatin Katyal 2013-05-01T19:47:09Z https://community.cisco.com/t5/wireless/best-authentication-method-for-controlling-access-to-wlan/m-p/2270668#M12212 <HTML><HEAD></HEAD><BODY><P>I have been trying to set up PEAP with MS/Chap2 with a Windows Radius server but all the clients get cert errors. I have tried many different certs and types of certs and all clients still get cert errors.</P><P></P><P><SPAN style="font-size: 10pt;">-Is it possible to get it working without cert errors for all clients? Am I just having a problem with my cert or is this a known issue? </SPAN></P><P></P><P><SPAN style="font-size: 10pt;">-Do I need to buy ACS to get it working without cert errors?</SPAN></P><P></P><P><SPAN style="font-size: 10pt;">Thanks for your help.</SPAN></P></BODY></HTML> Wed, 01 May 2013 20:05:44 GMT https://community.cisco.com/t5/wireless/best-authentication-method-for-controlling-access-to-wlan/m-p/2270668#M12212 johnfplut 2013-05-01T20:05:44Z https://community.cisco.com/t5/wireless/best-authentication-method-for-controlling-access-to-wlan/m-p/2270669#M12213 <HTML><HEAD></HEAD><BODY><P>Could you please share the error you're getting while authenticating?</P><P>are you looking inside the event viewer logs?</P><P></P><P>What all certs have you installed on the radius server and client?</P><P></P><P>Jatin Katyal <BR />- Do rate helpful posts -</P></BODY></HTML> Wed, 01 May 2013 20:12:12 GMT https://community.cisco.com/t5/wireless/best-authentication-method-for-controlling-access-to-wlan/m-p/2270669#M12213 Jatin Katyal 2013-05-01T20:12:12Z https://community.cisco.com/t5/wireless/best-authentication-method-for-controlling-access-to-wlan/m-p/2270670#M12214 <HTML><HEAD></HEAD><BODY><P>I am using a Geotrust QuickSSL Premium cert. I have tried generating it many different ways. When I put the cert on a wesite on my Radius server and hit it with a cert checker it says the cert chain is good.</P><P></P><P>## On the Mac I get ##</P><P>Before authenticating to the server "corp-vs-ca2.#####.com" you <SPAN style="font-size: 10pt;">should examine the certificate to ensure that it is appropriate for this </SPAN><SPAN style="font-size: 10pt;">network.</SPAN></P><P></P><P></P><P>## On Windows I get ##</P><P><SPAN style="font-size: 10pt;">The credentials provided be the server could not be validated.</SPAN></P><P></P><P><SPAN style="font-size: 10pt;">Under the details it says</SPAN></P><P><SPAN style="font-size: 10pt;">The server corp-vs-ca2.#####.com" presented a valid certificate </SPAN><SPAN style="font-size: 10pt;">issued by "GeoTrust Global CA", but GeoTrust Global CA" is not configured </SPAN><SPAN style="font-size: 10pt;">as a valid anchor for this profile.</SPAN></P><P></P><P><SPAN style="font-size: 10pt;">I think I can fix the Windows error by pushing the cert out with a group policy, but am trying to fix all the other clients. </SPAN></P><P></P><P></P><P><SPAN style="font-size: 10pt;">Thanks.</SPAN></P></BODY></HTML> Wed, 01 May 2013 20:33:49 GMT https://community.cisco.com/t5/wireless/best-authentication-method-for-controlling-access-to-wlan/m-p/2270670#M12214 johnfplut 2013-05-01T20:33:49Z https://community.cisco.com/t5/wireless/best-authentication-method-for-controlling-access-to-wlan/m-p/2270671#M12215 <HTML><HEAD></HEAD><BODY><P>Could you please provide the whole cert chain?</P><P></P><P>Also, what error are you getting on radius server &gt; event viewer tab?</P><P></P><P></P><P>Jatin Katyal <BR /> - Do rate helpful posts -</P></BODY></HTML> Wed, 01 May 2013 20:36:28 GMT https://community.cisco.com/t5/wireless/best-authentication-method-for-controlling-access-to-wlan/m-p/2270671#M12215 Jatin Katyal 2013-05-01T20:36:28Z https://community.cisco.com/t5/wireless/best-authentication-method-for-controlling-access-to-wlan/m-p/2270672#M12216 <HTML><HEAD></HEAD><BODY><P>Mac should allow you to install teh certificate into the keychain.</P><P></P><P>for windows, yes you can push it via GPO, and if you're going to do that you might as well push the profile config as well.</P><P>alternately you can just uncheck the validate server certificate checkbox in WZC.</P><P></P><P></P><P>HTH, <BR />Steve <BR /> <BR />------------------------------------------------------------------------------------------------ <BR />Please remember to rate useful posts, and mark questions as answered</P></BODY></HTML> Wed, 01 May 2013 20:43:30 GMT https://community.cisco.com/t5/wireless/best-authentication-method-for-controlling-access-to-wlan/m-p/2270672#M12216 Stephen Rodriguez 2013-05-01T20:43:30Z https://community.cisco.com/t5/wireless/best-authentication-method-for-controlling-access-to-wlan/m-p/2270673#M12217 <HTML><HEAD></HEAD><BODY><P>I can't find an errors in any area of the event viewer.</P><P></P><P>Here is these files cat'd together.</P><P></P><P>GeoTrustGlobalCA</P><P>GeoTrustDVSSLCA</P><P>corp-vs-ca2.########-export</P><P></P><P></P><P></P><P>-----BEGIN CERTIFICATE-----</P><P>MIIDVDCCAjygAwIBAgIDAjRWMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT</P><P>MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i</P><P>YWwgQ0EwHhcNMDIwNTIxMDQwMDAwWhcNMjIwNTIxMDQwMDAwWjBCMQswCQYDVQQG</P><P>EwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEbMBkGA1UEAxMSR2VvVHJ1c3Qg</P><P>R2xvYmFsIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2swYYzD9</P><P>9BcjGlZ+W988bDjkcbd4kdS8odhM+KhDtgPpTSEHCIjaWC9mOSm9BXiLnTjoBbdq</P><P>fnGk5sRgprDvgOSJKA+eJdbtg/OtppHHmMlCGDUUna2YRpIuT8rxh0PBFpVXLVDv</P><P>iS2Aelet8u5fa9IAjbkU+BQVNdnARqN7csiRv8lVK83Qlz6cJmTM386DGXHKTubU</P><P>1XupGc1V3sjs0l44U+VcT4wt/lAjNvxm5suOpDkZALeVAjmRCw7+OC7RHQWa9k0+</P><P>bw8HHa8sHo9gOeL6NlMTOdReJivbPagUvTLrGAMoUgRx5aszPeE4uwc2hGKceeoW</P><P>MPRfwCvocWvk+QIDAQABo1MwUTAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTA</P><P>ephojYn7qwVkDBF9qn1luMrMTjAfBgNVHSMEGDAWgBTAephojYn7qwVkDBF9qn1l</P><P>uMrMTjANBgkqhkiG9w0BAQUFAAOCAQEANeMpauUvXVSOKVCUn5kaFOSPeCpilKIn</P><P>Z57QzxpeR+nBsqTP3UEaBU6bS+5Kb1VSsyShNwrrZHYqLizz/Tt1kL/6cdjHPTfS</P><P>tQWVYrmm3ok9Nns4d0iXrKYgjy6myQzCsplFAMfOEVEiIuCl6rYVSAlk6l5PdPcF</P><P>PseKUgzbFbS9bZvlxrFUaKnjaZC2mqUPuLk/IH2uSrW4nOQdtqvmlKXBx4Ot2/Un</P><P>hw4EbNX/3aBd7YdStysVAq45pmp06drE57xNNB6pXE0zX5IJL4hmXXeXxx12E6nV</P><P>5fEWCRE11azbJHFwLJhWC9kXtNHjUStedejV0NxPNO3CBWaAocvmMw==</P><P>-----END CERTIFICATE-----</P><P>-----BEGIN CERTIFICATE-----</P><P>MIID+jCCAuKgAwIBAgIDAjbSMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT</P><P>MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i</P><P>YWwgQ0EwHhcNMTAwMjI2MjEzMjMxWhcNMjAwMjI1MjEzMjMxWjBhMQswCQYDVQQG</P><P>EwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEdMBsGA1UECxMURG9tYWluIFZh</P><P>bGlkYXRlZCBTU0wxGzAZBgNVBAMTEkdlb1RydXN0IERWIFNTTCBDQTCCASIwDQYJ</P><P>KoZIhvcNAQEBBQADggEPADCCAQoCggEBAKa7jnrNpJxiV9RRMEJ7ixqy0ogGrTs8</P><P>KRMMMbxp+Z9alNoGuqwkBJ7O1KrESGAA+DSuoZOv3gR+zfhcIlINVlPrqZTP+3RE</P><P>60OUpJd6QFc1tqRi2tVI+Hrx7JC1Xzn+Y3JwyBKF0KUuhhNAbOtsTdJU/V8+Jh9m</P><P>cajAuIWe9fV1j9qRTonjynh0MF8VCpmnyoM6djVI0NyLGiJOhaRO+kltK3C+jgwh</P><P>w2LMpNGtFmuae8tk/426QsMmqhV4aJzs9mvIDFcN5TgH02pXA50gDkvEe4GwKhz1</P><P>SupKmEn+Als9AxSQKH6a9HjQMYRX5Uw4ekIR4vUoUQNLIBW7Ihq28BUCAwEAAaOB</P><P>2TCB1jAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFIz02ZMKR7wAoErOS3VuoLaw</P><P>sn78MB8GA1UdIwQYMBaAFMB6mGiNifurBWQMEX2qfWW4ysxOMBIGA1UdEwEB/wQI</P><P>MAYBAf8CAQAwOgYDVR0fBDMwMTAvoC2gK4YpaHR0cDovL2NybC5nZW90cnVzdC5j</P><P>b20vY3Jscy9ndGdsb2JhbC5jcmwwNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzAB</P><P>hhhodHRwOi8vb2NzcC5nZW90cnVzdC5jb20wDQYJKoZIhvcNAQEFBQADggEBADOR</P><P>NxHbQPnejLICiHevYyHBrbAN+qB4VqOC/btJXxRtyNxflNoRZnwekcW22G1PqvK/</P><P>ISh+UqKSeAhhaSH+LeyCGIT0043FiruKzF3mo7bMbq1vsw5h7onOEzRPSVX1ObuZ</P><P>lvD16lo8nBa9AlPwKg5BbuvvnvdwNs2AKnbIh+PrI7OWLOYdlF8cpOLNJDErBjgy</P><P>YWE5XIlMSB1CyWee0r9Y9/k3MbBn3Y0mNhp4GgkZPJMHcCrhfCn13mZXCxJeFu1e</P><P>vTezMGnGkqX2Gdgd+DYSuUuVlZzQzmwwpxb79k1ktl8qFJymyFWOIPllByTMOAVM</P><P>IIi0tWeUz12OYjf+xLQ=</P><P>-----END CERTIFICATE-----</P><P>-----BEGIN CERTIFICATE-----</P><P>MIIFaDCCBFCgAwIBAgIDBo5UMA0GCSqGSIb3DQEBBQUAMGExCzAJBgNVBAYTAlVT</P><P>MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMR0wGwYDVQQLExREb21haW4gVmFsaWRh</P><P>dGVkIFNTTDEbMBkGA1UEAxMSR2VvVHJ1c3QgRFYgU1NMIENBMB4XDTEzMDQyNTA4</P><P>NTEzNVoXDTE1MDQxNTA0NDcyOVowgdQxKTAnBgNVBAUTIHNZbkoyTG0tb2dGZnZC</P><P>aFlodWRqWVZIMndEek43MGdOMRMwEQYDVQQLEwpHVDU3NDYxMTU1MTEwLwYDVQQL</P><P>EyhTZWUgd3d3Lmdlb3RydXN0LmNvbS9yZXNvdXJjZXMvY3BzIChjKTEzMTcwNQYD</P><P>VQQLEy5Eb21haW4gQ29udHJvbCBWYWxpZGF0ZWQgLSBRdWlja1NTTChSKSBQcmVt</P><P>aXVtMSYwJAYDVQQDEx1jb3JwLXZzLWNhMi5wb3BtdWx0aW1lZGlhLmNvbTCCASIw</P><P>DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM4jgpKBeo8rtM/zJIEyho3HppeU</P><P>tZeK+wmLfPeBTJxr2UmQFOmcniQblgsHREAGyJR0KT5yrYzxx6wpZaqCUcZlxl1Z</P><P>lUz5mfxHnL5Oc14sUnqwaJuxprXV5Rnclci6W6BMFjI4QoxXjQwSa+3A1enf+ZsO</P><P>sXUojQbQx62MX8rINuQ+srgdDielK/mJqTAMt11x6+NqIpwlGAgOxKd7vjG6aKRf</P><P>a2efvS/hK4Pi0ieWPGn1GXz/AlYpHQv0cppUr8huL/+2+9cEvd1sp8XN/ASN3YTm</P><P>WWo//fVpbXIlzp8mU4Q7t8+7LglxFQabhl4eMBarMi8SnNuh2zYKQxJRPvsCAwEA</P><P>AaOCAbMwggGvMB8GA1UdIwQYMBaAFIz02ZMKR7wAoErOS3VuoLawsn78MA4GA1Ud</P><P>DwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwKAYDVR0R</P><P>BCEwH4IdY29ycC12cy1jYTIucG9wbXVsdGltZWRpYS5jb20wQQYDVR0fBDowODA2</P><P>oDSgMoYwaHR0cDovL2d0c3NsZHYtY3JsLmdlb3RydXN0LmNvbS9jcmxzL2d0c3Ns</P><P>ZHYuY3JsMB0GA1UdDgQWBBSODVVgPunABo61x13N20tEP66egDAMBgNVHRMBAf8E</P><P>AjAAMHUGCCsGAQUFBwEBBGkwZzAsBggrBgEFBQcwAYYgaHR0cDovL2d0c3NsZHYt</P><P>b2NzcC5nZW90cnVzdC5jb20wNwYIKwYBBQUHMAKGK2h0dHA6Ly9ndHNzbGR2LWFp</P><P>YS5nZW90cnVzdC5jb20vZ3Rzc2xkdi5jcnQwTAYDVR0gBEUwQzBBBgpghkgBhvhF</P><P>AQc2MDMwMQYIKwYBBQUHAgEWJWh0dHA6Ly93d3cuZ2VvdHJ1c3QuY29tL3Jlc291</P><P>cmNlcy9jcHMwDQYJKoZIhvcNAQEFBQADggEBAC2Kadfzc6X/3dI//J5SGR9fnCa7</P><P>6NVl8SV5aAYAvmOdkZBiurIYa1eHYYaDUGmOO8awTOXTfc4QzX75QwBUmcZeZKdj</P><P>ZMPiJlm7Bsz/3Q1eolxHCqkAiDZIEohoT0o8Spw6+Eq8KcPnhf+K5+rIzJnWBZ9P</P><P>tmpS4SEtrGHIfj3+638eqTydxuOCZ0Be9EanVK0ERav25fTRgRoZ+yEDiFP/MjQd</P><P>rAgW7SyLOjm4I6bTmzjugmXf2Axm2kFuoyyZdrvdrJ+GBku5F6DOufGdGu13j80S</P><P>lp148qh7gCREWrCqn3pH14qPKeHwC47jAQ3+ikRDfB090h9HGRi/8+w7Tx4=</P><P>-----END CERTIFICATE-----</P></BODY></HTML> Wed, 01 May 2013 21:38:40 GMT https://community.cisco.com/t5/wireless/best-authentication-method-for-controlling-access-to-wlan/m-p/2270673#M12217 johnfplut 2013-05-01T21:38:40Z https://community.cisco.com/t5/wireless/best-authentication-method-for-controlling-access-to-wlan/m-p/2270674#M12218 <HTML><HEAD></HEAD><BODY><P>Does ACS solve the issues of the cert errors on the client when you connect?</P></BODY></HTML> Wed, 01 May 2013 22:21:32 GMT https://community.cisco.com/t5/wireless/best-authentication-method-for-controlling-access-to-wlan/m-p/2270674#M12218 johnfplut 2013-05-01T22:21:32Z https://community.cisco.com/t5/wireless/best-authentication-method-for-controlling-access-to-wlan/m-p/2270675#M12219 <HTML><HEAD></HEAD><BODY><P>Are you using IAS or NPS. I can tell you where to look at logs.</P><P></P><P>The cert you provided only shows root CA somehow.</P><P></P><P>With Peap, you should have server, root CA and intermediate certificate (if any) instaled on the radius server.</P><P>On the client you should only have root CA and intermediate if (any)</P><P></P><P>To best way to check this is to uncheck the validate server certificate from the client machine and select PEAP mscahp v2 as an authentication eap method.</P><P></P><P>Jatin Katyal <BR /> <BR /> <BR />- Do rate helpful posts -</P></BODY></HTML> Fri, 03 May 2013 09:21:35 GMT https://community.cisco.com/t5/wireless/best-authentication-method-for-controlling-access-to-wlan/m-p/2270675#M12219 Jatin Katyal 2013-05-03T09:21:35Z https://community.cisco.com/t5/wireless/best-authentication-method-for-controlling-access-to-wlan/m-p/2270676#M12220 <HTML><HEAD></HEAD><BODY><P>It can be addressed with IAS and NPS if we have the right chain installed.</P><P></P><P></P><P>Jatin Katyal <BR /> <BR /> <BR />- Do rate helpful posts -</P></BODY></HTML> Mon, 06 May 2013 20:17:46 GMT https://community.cisco.com/t5/wireless/best-authentication-method-for-controlling-access-to-wlan/m-p/2270676#M12220 Jatin Katyal 2013-05-06T20:17:46Z