https://community.cisco.com/t5/wireless/peap-kerberos-active-directory-wifi-authentication/m-p/1028314#M20127 <HTML><HEAD></HEAD><BODY><P>Yes, we have setup Guest access.</P><P></P><P>Send me the link (or I will look for it now with your usename) so I can hopefully help you out as you have so kindly helped me :))))</P><P></P><P>Will find and get back to u</P><P></P><P>Thx</P><P></P><P>Ken</P></BODY></HTML> Fri, 28 Mar 2008 08:15:57 GMT kfarrington 2008-03-28T08:15:57Z https://community.cisco.com/t5/wireless/peap-kerberos-active-directory-wifi-authentication/m-p/1028307#M20120 <P>Hello all,</P><P></P><P>I am very confused as to the authentication method used for a wifi client logging into a windows domain.</P><P></P><P>802.1x supports EAP type eap-peap-mschap-v2, but active directory supports Kerberos and not MSCHAPv2 (I believe). </P><P></P><P>What do I have to do to get a wifi-client working to connect to active-directory using Kerberos whilst EAP only supports MSCHAPv2?</P><P></P><P>Please help, I am a tad confused <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P></P><P>Many thx indeed,</P><P></P><P>Kind regards,</P><P>Ken</P> Sat, 03 Jul 2021 22:35:32 GMT https://community.cisco.com/t5/wireless/peap-kerberos-active-directory-wifi-authentication/m-p/1028307#M20120 kfarrington 2021-07-03T22:35:32Z https://community.cisco.com/t5/wireless/peap-kerberos-active-directory-wifi-authentication/m-p/1028308#M20121 <HTML><HEAD></HEAD><BODY><P>I believe you need some sort of RADIUS server to perform the authentication.</P><P></P><P>In our enviorment - we use a Cisco ACS (RADIUS) server to authenticate our wireless clients.</P><P></P><P>Our clients all use PEAP auth, and the APs all point to the RADIUS server. The RADIUS server has agents that get installed on AD member servers - then those agents act as the go-between for ACS(RADIUS) and Active Directory.</P><P></P><P>I beleive M$ has a radius server (IAS) which should tie nicely into AD - I just have never used M$ RADIUS solution so I cant tell you how to make it work - although I can tell you how to make a Cisco ACS work</P></BODY></HTML> Wed, 26 Mar 2008 16:27:38 GMT https://community.cisco.com/t5/wireless/peap-kerberos-active-directory-wifi-authentication/m-p/1028308#M20121 dewmancco 2008-03-26T16:27:38Z https://community.cisco.com/t5/wireless/peap-kerberos-active-directory-wifi-authentication/m-p/1028309#M20122 <HTML><HEAD></HEAD><BODY><P>Many thx indeed for your reply. You are very kind.</P><P></P><P></P><P>So can I just have my WLCs pointing directly to the M$ IAS ? and does that run Kerberos?</P><P></P><P>Sorry, still a little confused?</P><P></P><P>Many thx</P><P>Ken</P><P></P></BODY></HTML> Wed, 26 Mar 2008 18:00:02 GMT https://community.cisco.com/t5/wireless/peap-kerberos-active-directory-wifi-authentication/m-p/1028309#M20122 kfarrington 2008-03-26T18:00:02Z https://community.cisco.com/t5/wireless/peap-kerberos-active-directory-wifi-authentication/m-p/1028310#M20123 <HTML><HEAD></HEAD><BODY><P>I just set this up and I'm still confused. Here is an overview of what you will need to do:</P><P></P><P>1) Install a Windows 2003 certificate server CA, and IAS/RADIUS.</P><P></P><P>2) Authorize your IAS server in active directory.</P><P></P><P>3) Create a wireless policy in IAS for PEAP Secure password (EAP-MSCHAP v2).</P><P></P><P>4) Configure your AP as a RADIUS client in IAS.</P><P></P><P>5) Deploy the certificate from your CA to all your wireless laptops either automatically through AD, through web-enrollment with IIS or manually.</P><P></P><P>6) I think all laptops must be members of the AD domain but I'm not positive.</P><P></P><P>Here are the best links that I could find that will guide you step by step.</P><P></P><P>Microsoft word document: Step-by-Step Guide for Setting Up Secure Wireless Access in a Test Lab:</P><P><A class="jive-link-custom" href="http://www.microsoft.com/downloads/details.aspx?FamilyID=0f7fa9a2-e113-415b-b2a9-b6a3d64c48f5&amp;DisplayLang=en" target="_blank">http://www.microsoft.com/downloads/details.aspx?FamilyID=0f7fa9a2-e113-415b-b2a9-b6a3d64c48f5&amp;DisplayLang=en</A></P><P></P><P>Ultimate wireless security guide Automatic PEAP deployment with Microsoft Active Directory GPO:</P><P><A class="jive-link-custom" href="http://articles.techrepublic.com.com/5100-1035-6148576.html" target="_blank">http://articles.techrepublic.com.com/5100-1035-6148576.html</A></P><P></P><P>Checklist: Configuring the IAS server and wireless access points for wireless access</P><P><A class="jive-link-custom" href="http://technet2.microsoft.com/windowsserver/en/library/60fa5de5-58a0-4673-be1e-dd24fb1014a41033.mspx?mfr=true" target="_blank">http://technet2.microsoft.com/windowsserver/en/library/60fa5de5-58a0-4673-be1e-dd24fb1014a41033.mspx?mfr=true</A></P></BODY></HTML> Wed, 26 Mar 2008 21:16:51 GMT https://community.cisco.com/t5/wireless/peap-kerberos-active-directory-wifi-authentication/m-p/1028310#M20123 rileymartin 2008-03-26T21:16:51Z https://community.cisco.com/t5/wireless/peap-kerberos-active-directory-wifi-authentication/m-p/1028311#M20124 <HTML><HEAD></HEAD><BODY><P>I have configured all of the above from 1-6. </P><P>Access points which are wired are no problem to configure.</P><P>But I have two 1300 series bridges (1310),</P><P>one configured as a Root Bridge with wireless clients the other as a NonRoot Bridge with wireless clients. </P><P>The non-root cannot associate to the root and is giving the following error:</P><P>Interface Dot11Radio0, cannot associate: EAP authenticating.</P><P></P><P>How can I configure the nonroot?</P><P></P><P>Many thx in advance.</P></BODY></HTML> Thu, 27 Mar 2008 07:06:33 GMT https://community.cisco.com/t5/wireless/peap-kerberos-active-directory-wifi-authentication/m-p/1028311#M20124 DUSANVAUPOTIC 2008-03-27T07:06:33Z https://community.cisco.com/t5/wireless/peap-kerberos-active-directory-wifi-authentication/m-p/1028312#M20125 <HTML><HEAD></HEAD><BODY><P>This is absolutley fantastic. Many thx indeed,</P><P></P><P>One question if I may :-</P><P></P><P>4. Configure your AP as a RADIUS Client in IAS.</P><P></P><P>As I am using 1242 zero touch APs, and using 440x controlers (WLCs), I assume I just configure the WLCs as the RADIUS clients?</P><P></P><P></P><P>Can you or anyone else confirm that?</P><P></P><P>Then I beleive you have given me exactly what I need :)))))))))))))))</P><P></P><P>Many thx indeed,</P><P>Ken</P></BODY></HTML> Thu, 27 Mar 2008 08:48:51 GMT https://community.cisco.com/t5/wireless/peap-kerberos-active-directory-wifi-authentication/m-p/1028312#M20125 kfarrington 2008-03-27T08:48:51Z https://community.cisco.com/t5/wireless/peap-kerberos-active-directory-wifi-authentication/m-p/1028313#M20126 <HTML><HEAD></HEAD><BODY><P>I'm sorry but I'm new to Cisco as well as wireless so I'm really lost. I was lucky to get some good help to setup the PEAP. I wish I could help you further but I really don't know what I'm doing.</P><P></P><P>I'm still trying to get help with setting up some sort of 'Guest' access. I've posted a question but no one replied. I don't suppose you have any experience with that?</P></BODY></HTML> Fri, 28 Mar 2008 01:54:36 GMT https://community.cisco.com/t5/wireless/peap-kerberos-active-directory-wifi-authentication/m-p/1028313#M20126 rileymartin 2008-03-28T01:54:36Z https://community.cisco.com/t5/wireless/peap-kerberos-active-directory-wifi-authentication/m-p/1028314#M20127 <HTML><HEAD></HEAD><BODY><P>Yes, we have setup Guest access.</P><P></P><P>Send me the link (or I will look for it now with your usename) so I can hopefully help you out as you have so kindly helped me :))))</P><P></P><P>Will find and get back to u</P><P></P><P>Thx</P><P></P><P>Ken</P></BODY></HTML> Fri, 28 Mar 2008 08:15:57 GMT https://community.cisco.com/t5/wireless/peap-kerberos-active-directory-wifi-authentication/m-p/1028314#M20127 kfarrington 2008-03-28T08:15:57Z