I have an environment where I have 25 laptops connected to my wireless network using PEAP and TKIP over an XP wireless client with a certificate. I also just purchased 25 IPAQs with built-in wireless and they have the ability to do LEAP or PEAP. I am having issues getting the certificate to take up residence on the IPAQs, so I thought I could do LEAP instead. What are the caveats of running both protocols at the same time and what configuration issues will I run into with this on the IPAQs?
I tried to set up LEAP yesterday without success, basically because I don't know what step I am leaving out. Maybe it's TKIP that is causing the problem, I don't know.
Any help would be greatly appreciated.
The access point doesn't know or care which EAP flavor you're using; LEAP vs PEAP is configured on the client, and you have to specify on your server which flavor(s) you'll allow.
Supporting both PEAP and LEAP is inelegant, though, and exposes some of your clients to the dictionary attacks LEAP is subject to. You'd be better served by getting PEAP working correctly on your iPaqs.
You don't need client-side certificates for PEAP, and you don't need to put the server certificate on the iPaq unless you're self-signing. If you are and the problem is that the iPaq isn't accepting your root cert, then the problem may be that it's not in a format the iPaq recognizes. Try importing the root cert into IE and then re-exporting it in DER format, then see if the iPaq will take that.
Also make sure that your PDAs are flashed with the latest OS and firmware patches. I've got PEAP working just fine on my HP 5500, but it did take a little tweaking to get it there.
I have a different concern altogether. What if I don't want to support both? How do I disable LEAP for client auth?
I'm using the Funk Odyssey on my iPaq 2795; it does both LEAP and PEAP with no problems.
It came with the unit on the included CD.
Otherwise it can be purchased, and Funk (now part of Juniper) has a 30-day non-crippled trial so you can check it out.