2504 Wireless Controller and Server 2008 NPS

Joe Conklin
Level 1

I want to configure a simple NPS/RADIUS server for wireless authentication. I've read well over the EAP setup, and because it makes use of certificates it isn't going to work for non-domain computers. I'm looking for a way to copy what I have for VPNs, where when a user tries to log in it asks for their username and password.

Ergo, when a computer, iPad, iPhone, Android, or Mac connects to the wireless I want them to be asked for their domain username and password. If possible I'd like to keep it so they do not need to specify domain\username but rather just their username.

Is what I'm looking to do possible? I've configured it with EAP but again in this deployment I cannot make use of certificates or a domain CA. I am also not able to touch every machine that comes in to connect to the wireless. I am also looking to use LDAP/RADIUS in place of a PSK or WEP key so that user passwords can be changed per the domain policy every so often. We also have a wireless users group so not just anyone can connect. For every other non-company employee we already have a restricted SSID for guest with a PSK.

Thanks in advance for any and all suggestions!

5 Replies

Amjad Abdullah
VIP Alumni

Joe:

Having NPS, you have the options to configure PEAP-MSCHAPv2 or EAP-TLS.

EAP-TLS: mandates a certificate on the server as well as a certificate on every single machine for authentication purposes.

PEAP-MSCHAPv2: mandates a certificate on the server only. Users connecting to the wireless network must trust the certificate (or, user devices can be configured to escape this trust and connect even if the server cert is not trusted).

For PEAP-MSCHAPv2, your options are:

- Buy a certificate for the server from a trusted party (Verisign for example [which was bought later by Symantec]). This way all devices will - by default - trust the server's cert.

- Install local CA. Install a cert on the server and then push the root CA cert for your CA to all client device so they trust this issuer.

- If both options above are not valid for you, what you can do is configure every single client to ignore the untrusted cert and proceed with the connection. (This is a security concern though, not recommended unless really needed.)

You must get a cert on the server and all clients must trust that certificate's issuer. Otherwise you'll not be able to use PEAP.

HTH

Amjad

Rating useful replies is more useful than saying "Thank you"

Are there any options for authenticating users when connecting wireless through Active Directory without the use of certificates that I didn't think of?

My concerns with EAP are that not all of the machines are domain computers so I can't push the cert to them, e.g. iPads, iPhones, Androids, etc. This site is a hotbed for BYOD.

My concern with PEAP is certificate expiration. Specifically, because this is a retail location, if the cert expires because someone forgot or wasn't alerted then down comes the wireless. For this reason alone it is not ideal.

I'm really surprised there isn't some way to configure RADIUS like you would for a VPN, since the RADIUS communication is going across a LAN. Like, let's say, CHAP or MS-CHAP.
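The expiry concern above is a monitoring problem as much as a design one. As an added example (not from this thread or from Cisco/Microsoft), the following script, run on the NPS server, lists every server-authentication certificate with a private key in the machine store and flags those expiring within a warning window; the `$WarnDays` threshold and the `Cert:\LocalMachine\My` location are assumptions.

```powershell
# Added example: flag the NPS server's PEAP-capable certificates before they expire.
# Assumes the certificate NPS offers for PEAP lives in Cert:\LocalMachine\My.
param(
    [int]$WarnDays = 30   # assumption: warn when fewer than this many days remain
)

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth, the EKU PEAP needs
$now = Get-Date

# Only certificates with a private key and the Server Authentication EKU
# can be offered by NPS as the PEAP server certificate.
$candidates = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $serverAuthOid })
}

if (-not $candidates) {
    Write-Warning 'No server-authentication certificate with a private key found; NPS cannot offer PEAP.'
    exit 2
}

$exitCode = 0
foreach ($cert in $candidates) {
    $daysLeft = [math]::Floor(($cert.NotAfter - $now).TotalDays)
    $status = if ($daysLeft -lt 0) { 'EXPIRED' }
              elseif ($daysLeft -lt $WarnDays) { 'EXPIRING' }
              else { 'OK' }
    if ($status -ne 'OK') { $exitCode = 1 }   # non-zero exit lets a scheduler alert on it

    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        DaysLeft   = $daysLeft
        Status     = $status
    }
}
exit $exitCode
```

Compare the reported thumbprint with the certificate selected under the network policy's PEAP settings so the check covers the cert NPS actually presents, and schedule the script so an EXPIRING result reaches someone before the clients stop trusting the server.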

Joe:
AFAIK NPS supports only PEAP and EAP-TLS. Both require server-side certificates. EAP-TLS requires client-side certificates as well.
Now, the use of certificates is for better security. There are some weaker EAP types that do not utilize certificates, but they are considered weak. A stronger EAP type is EAP-FAST, which is supported on Cisco servers only (you must have Cisco ACS to get it to work).
Some weaker EAP methods without certificates are:
- LEAP (Cisco proprietary)
- EAP-MD5

Regards,

Amjad

Rating useful replies is more useful than saying "Thank you"

Hi Joe,

I have the same expectations. Did you solve the problem with BYOD?

Ravi Singh
Level 7

Please see the link below to configure NPS/RADIUS with the 2504 WLC.

http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080921f67.shtml