Is Cisco Aironet Desktop Utility (ADU) required in the above-mentioned Scenario 1? Is that free or licensed?
We don't need ADU specifically because we would need the Cisco wireless card for that, but most of the cards out there support PEAP. Depending on the wireless card, we can configure PEAP. Here is one example for Windows.
Cisco Aironet 1142n (APs are standalone) access point without ACS / WLC. Is it possible to authenticate end users with 802.1x against Active Directory 2003/2008 using RADIUS (IAS/NPS)? So "How to authenticate end users with Active Directory using Cisco 1142n Standalone (Without WLC/ACS)".
Here is a configuration example of EAP with WEP encryption. If you want, you can change the encryption and key management to WPA or WPA2, and that will be it...
Also, use these other documents as reference for setting up the Microsoft side. So whether you use the AP as standalone or unified with a WLC, this will be helpful.
PEAP uses Transport Level Security (TLS) to create an encrypted channel between an authenticating PEAP client, such as a Wireless laptop, and a PEAP authenticator, such as Microsoft Internet Authentication Service (IAS) or any RADIUS server. PEAP does not specify an authentication method, but provides additional security for other EAP authentication protocols, such as EAP-MSCHAPv2, that can operate through the TLS encrypted channel provided by PEAP. The PEAP authentication process consists of two main phases:
PEAP phase one: TLS encrypted channel
The Wireless client associates with the AP. An IEEE 802.11-based association provides an Open System or Shared Key authentication before a secure association is created between the client and Access Point (LAP). After the IEEE 802.11-based association is successfully established between the client and the Access Point, the TLS session is negotiated with the AP. After authentication is successfully completed between the Wireless client and IAS server, the TLS session is negotiated between them. The key that is derived within this negotiation is used to encrypt all subsequent communication.
PEAP phase two: EAP-authenticated communication
EAP communication, which includes EAP negotiation, occurs inside the TLS channel created by PEAP within the first stage of the PEAP authentication process. The IAS server authenticates the Wireless client with EAP-MS-CHAP v2. The LAP and the Controller only forward messages between the Wireless client and RADIUS server. The WLC and the LAP cannot decrypt these messages because they are not the TLS end point.
After PEAP stage one occurs, and the TLS channel is created between the IAS server and the 802.1X Wireless client, for a successful authentication attempt where the user has supplied valid password-based credentials with PEAP-MS-CHAP v2, the RADIUS message sequence is this:
The IAS server sends an identity request message to the client: EAP-Request/Identity.
The client responds with an identity response message: EAP-Response/Identity.
The IAS server sends an MS-CHAP v2 challenge message: EAP-Request/EAP-Type=EAP MS-CHAP-V2 (Challenge).
The client responds with an MS-CHAP v2 challenge and response: EAP-Response/EAP-Type=EAP-MS-CHAP-V2 (Response).
The IAS server sends back an MS-CHAP v2 success packet when the server has successfully authenticated the client: EAP-Request/EAP-Type=EAP-MS-CHAP-V2 (Success).
The client responds with an MS-CHAP v2 success packet when the client has successfully authenticated the server: EAP-Response/EAP-Type=EAP-MS-CHAP-V2 (Success).
The IAS server sends an EAP-TLV that indicates successful authentication.
The client responds with an EAP-TLV status success message.
The server completes authentication and sends an EAP-Success message using plaintext. If VLANs are deployed for client isolation, the VLAN attributes are included in this message.
in case of PEAP under Unified Wireless Networks with ACS 4.0 and Windows 2003
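The phase-two sequence listed above can be checked mechanically when troubleshooting a failed logon. The following is an added example, not part of the thread or of the Cisco document it quotes: it decodes EAP packets and reports the first step that departs from the nine-message success sequence. It assumes full inner EAP packets as seen at a TLS end point (client supplicant or RADIUS server debug output); the function names are hypothetical and the sample bytes are constructed.

```python
import struct

# EAP codes and types per RFC 3748; the opcode is the first byte of MS-CHAP-V2 data.
CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
TYPES = {1: "Identity", 26: "MS-CHAP-V2", 33: "EAP-TLV"}
OPCODES = {1: "Challenge", 2: "Response", 3: "Success", 4: "Failure"}

# The nine messages of a successful PEAP-MS-CHAP v2 logon, in the order listed above.
EXPECTED = ["Request/Identity", "Response/Identity",
            "Request/MS-CHAP-V2(Challenge)", "Response/MS-CHAP-V2(Response)",
            "Request/MS-CHAP-V2(Success)", "Response/MS-CHAP-V2(Success)",
            "Request/EAP-TLV", "Response/EAP-TLV", "Success"]

def label(pkt: bytes) -> str:
    """Decode one EAP packet into a step label like those in EXPECTED."""
    if len(pkt) < 4:
        raise ValueError("short EAP header")
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code not in CODES or not 4 <= length <= len(pkt):
        raise ValueError("malformed EAP packet")
    if code in (3, 4):                      # Success/Failure carry no Type byte
        return CODES[code]
    if length < 5:
        raise ValueError("Request/Response without a Type byte")
    etype = pkt[4]
    name = TYPES.get(etype, f"type{etype}")
    if etype == 26 and length >= 6:         # MS-CHAP-V2: append the opcode name
        name += f"({OPCODES.get(pkt[5], pkt[5])})"
    return f"{CODES[code]}/{name}"

def first_deviation(packets):
    """Return None if the exchange matches EXPECTED, else (step_number, seen_label)."""
    seen = [label(p) for p in packets]
    for i in range(max(len(seen), len(EXPECTED))):
        got = seen[i] if i < len(seen) else None
        want = EXPECTED[i] if i < len(EXPECTED) else None
        if got != want:
            return (i + 1, got)
    return None

def eap(code, ident, body=b""):
    """Build a constructed sample packet (test data, not a capture)."""
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

# Constructed exchanges: a full success, and a server-side MS-CHAP-V2 failure at step 5.
GOOD = [eap(1, 1, b"\x01"), eap(2, 1, b"\x01user"), eap(1, 2, b"\x1a\x01"),
        eap(2, 2, b"\x1a\x02"), eap(1, 3, b"\x1a\x03"), eap(2, 3, b"\x1a\x03"),
        eap(1, 4, b"\x21"), eap(2, 4, b"\x21"), eap(3, 4)]
BAD = GOOD[:4] + [eap(1, 3, b"\x1a\x04"), eap(4, 3)]
```

A deviation at step 5 points at the credential check on the RADIUS server, while a deviation at step 6 means the client did not accept the server's MS-CHAP v2 success message.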