Surendra BG (Cisco Employee)

PEAP MSCHAP V2 using WLC and ACS configuration example

In this video we configure the WLC for PEAP-MSCHAPv2 username/password authentication using Cisco ACS.

Hope this video was helpful. Please feel free to drop in a comment and I will be more than happy to assist you!

Regards

Surendra
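
As an added example, not taken from the video or from Surendra's post, here is the AireOS CLI equivalent of the WLC side of this setup: ACS defined as RADIUS authentication server index 1, and a WPA2/AES WLAN that uses 802.1X key management and is pointed at that server. The IP address, shared secret, WLAN ID and SSID are placeholders; lines starting with `#` are annotations, not CLI. On the ACS side the same WLC management IP and shared secret must be entered as an AAA client, and the test user must exist in the ACS internal user database (the video uses local ACS users, not LDAP/AD).

```text
# RADIUS authentication server 1 = ACS (placeholders: 10.0.0.5, secret S3cret-Sh4red)
config radius auth add 1 10.0.0.5 1812 ascii S3cret-Sh4red
config radius auth enable 1

# WLAN 2, profile and SSID "corp-wifi": WPA2 + AES, 802.1X key management only (no PSK)
config wlan create 2 corp-wifi corp-wifi
config wlan security wpa enable 2
config wlan security wpa wpa2 enable 2
config wlan security wpa wpa2 ciphers aes enable 2
config wlan security wpa akm 802.1x enable 2
config wlan security wpa akm psk disable 2
config wlan radius_server auth add 2 1
config wlan enable 2

# Verify, and if a client fails to authenticate, watch the EAP/RADIUS exchange
show radius summary
show wlan 2
debug dot1x events enable
debug aaa events enable
```

Note that none of this touches certificates: the WLC only relays EAP between client and ACS, so the server certificate that PEAP needs lives on ACS and its trust is decided on the client, as the comments below discuss.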

19 Comments
Vinay Sharma (Level 7)

Great Information Surendra. Thanks again.

Vinay Sharma

Community Manager - Wireless

wififofum (Level 4)

Thanks Surendra. Can you comment on adding machine authentication to the ACS configuration? We occasionally run into an issue where we have to plug clients into the wired network to re-establish their machine account password and are curious whether there is any ACS feature to troubleshoot or facilitate machine password renewal. Thanks for your forum support!

Surendra BG (Cisco Employee)

Thanks a lot bjohnson!! Sure, I will help you out with that.

Regards

Surendra

Thompso7540_2 (Level 1)

So this is local authentication against ACS, rather than ACS then LDAP?

Surendra BG (Cisco Employee)

Yes, we are using the username/password on the ACS, not on LDAP. I am planning to come up with the LDAP integration along with machine auth as well!!

Regards

Surendra

Sundeep Dsouza (Level 1)

When will that be tentatively?

Regards

andyvunguyen (Level 1)

Hi Surendra,

Don't you need to enroll ACS with a CA and install the CA root cert on the wireless client?

Sundeep Dsouza (Level 1)

Hi Surendra,

Instead of using a local user account on ACS, can we use dynamically mapped groups (AD) on ACS? If yes, will the user have to type the username and password again, or will it automatically connect to the SSID?

Also, most of the PEAP documentation available on the net mentions that we need a CA server or self-signed certificates for a PEAP implementation. Can this CA server be installed on any member server, or does it have to be installed on the DC?

Regards

grabonlee (Level 4)

Hi Sundeep,

You can dynamically map AD groups on the ACS, and this is done in the External User Database menu. The ACS forwards the authentication requests to AD, which authenticates the client. Also, it is advisable to have a CA server and not use a self-signed certificate. The CA will be registered to the DC. A simple explanation of PKI is that all devices on the domain will have to trust each other through the certificates. Hence the AD will trust the ACS, which will also trust the wireless client after it has downloaded the certificate. After you have the trust relationship working, I would recommend that you implement auto renewal, so that when a cert is about to expire, the wireless client is automatically issued a new cert.

Sundeep Dsouza (Level 1)

Thanks for replying. As per the video we can implement PEAP with MSCHAPv2 without implementing any PKI; if yes, then I will proceed with implementing PEAP without the use of certificates. Another thing I want to know is whether users will get logged in to wireless automatically after logging into the computer, or whether they have to enter AD credentials again.

grabonlee (Level 4)

I have not looked at the video; however, PEAP is built on the 802.1X framework, which I believe requires certificates in a domain environment. Regarding authentication, as long as in the wireless properties on the client you have set it to automatically use the Windows logon, there would not be any double authentication.

stefan.angerer (Level 1)

Hi,

For using PEAP with MS-CHAPv2 you will need a certificate on your RADIUS server, but not on your clients.

Using a certificate that is not known (trusted) by your clients is possible, but of course you reduce your level of security by that. Actually, it's like skipping the certificate warning in your web browser when opening an https page with an unknown cert.

regards

Stefan
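
To make Stefan's point concrete, here is an added example that is not part of the original thread: two wpa_supplicant network blocks for the same PEAP/MS-CHAPv2 SSID, one that skips server-certificate validation (the "skip the browser warning" case) and one that pins the enterprise root CA and the expected RADIUS server name, plus a small shell lint that rejects any PEAP block lacking both. SSID, identity, password, CA path and server name are made-up placeholders. The weak profile is dangerous because a rogue AP advertising the same SSID can terminate the TLS tunnel itself and harvest the inner MS-CHAPv2 challenge/response, which is offline-crackable; only CA pinning plus a name match stops that.

```shell
#!/bin/sh
# Added example (not from the original post). All values are placeholders.

# Weak profile: no ca_cert and no server-name check, so the supplicant
# accepts whatever certificate the "RADIUS server" presents.
weak_profile() {
    cat <<'EOF'
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="Correct-Horse-Battery"
    phase2="auth=MSCHAPV2"
}
EOF
}

# Hardened profile: trust only the enterprise root CA, require the server
# certificate to carry the expected name, and lock PEAP to version 0
# (the default on Windows NPS and ACS).
hardened_profile() {
    cat <<'EOF'
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="Correct-Horse-Battery"
    ca_cert="/etc/ssl/certs/corp-root-ca.pem"
    domain_match="acs.corp.example"
    phase1="peapver=0"
    phase2="auth=MSCHAPV2"
}
EOF
}

# check_profile FILE: returns 0 when every eap=PEAP network block in FILE
# names a CA (ca_cert) and a server-name match (domain_match or
# domain_suffix_match), 1 otherwise. Each network block is judged on its own.
check_profile() {
    awk '
        /^[[:space:]]*network=[{]/ { inblk=1; peap=0; ca=0; dom=0; next }
        inblk && /^[[:space:]]*eap=PEAP/   { peap=1 }
        inblk && /^[[:space:]]*ca_cert=/   { ca=1 }
        inblk && /^[[:space:]]*(domain_match|domain_suffix_match)=/ { dom=1 }
        inblk && /^[[:space:]]*[}]/ {
            inblk=0
            if (peap && !(ca && dom)) { bad=1 }
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# Demo: write both profiles to a scratch directory and lint them.
demo_dir=$(mktemp -d)
weak_profile > "$demo_dir/weak.conf"
hardened_profile > "$demo_dir/hardened.conf"
for f in "$demo_dir"/*.conf; do
    if check_profile "$f"; then echo "OK   $f"; else echo "WEAK $f"; fi
done
```

The hardened block is what a managed Windows client gets from "Validate server certificate" plus a trusted root CA and "Connect to these servers" in the PEAP properties. Before rolling a profile out, `eapol_test` (shipped with wpa_supplicant) can drive the hardened block straight at the RADIUS server to confirm the chain actually validates against the pinned CA.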

Sundeep Dsouza (Level 1)

This is exactly what I understand: that for PEAP MSCHAPv2 you need a certificate on your RADIUS server, either self-signed or from a CA server. The video in that case could be a bit misleading, as Surendra did not say anything about certificates. Regardless of that, I guess I will have to install and configure a CA server on one of our member servers; I hope I don't have to do it on the DC, as the system guys will not allow me to do so. They are quite hesitant to do anything on the DC.

Regards

stefan.angerer (Level 1)

If you install your CA server AD-integrated, you have the advantage that your root cert will be distributed automatically to all your AD members, which I would highly recommend! Please note that you should also think about installing your CA on a Windows 2003/2008 Enterprise server (instead of a Windows Standard Edition machine), because that will later give you the opportunity to allow certificate autoenrollment for your clients if you want to change to EAP-TLS.

Anyway, if you can't install a CA in your AD, you can also create a certificate using OpenSSL on any machine, but, again, certificate validation will be quite difficult then.

regards

Stefan

Sundeep Dsouza (Level 1)

We have Enterprise Edition servers that have been assigned to our network team, so I will use one of these for installing and configuring the CA. The only major concern I had was whether this CA service has to be installed on the DC or whether I can install it on any member server. I feel I should be able to install it on any member server; what's your opinion?

Regards
