Wireless / PEAP / RADIUS / Scenario-type question!

davidjkent (Level 1)

I suspect the answer to the question is simply "No", but you guys may know better.

The scenario is as follows:

A wireless infrastructure with Cisco Aironet 1200 access points in over 50 different locations. Each location has a connection back to one central site. There is no wireless coverage between locations, so it's a kind of hub-and-spoke topology. The connections back to the central site are Internet-based VPN tunnels which are not entirely reliable and may have some latency issues.

The wireless clients will be installed on buses. These buses will be moving from location to location. Each time they come within range of an AP they should be automatically authenticated with no manual intervention; this part is pretty straightforward (I think).

The client devices on the buses must use PEAP authentication; they authenticate to a Windows 2003 server with IAS (RADIUS) and CA services running at the central site.

Question

If the Link to the central site goes down and the IAS server is unavailable, is there any way the clients can authenticate and be given access to the Wireless network?

Thanks

David

2 Replies

scottmac (Level 10)

I don't think it'll happen, as described.

Even if you made each of the fifty sites a separate subnet and each of the fifty APs a WDS, or used a WLSM to get L2/L3 mobility, or used the LWAP stuff ... everything relies on access to, or through, a central site.

Without access to the central site for handoff information and/or authentication, the system would fail.

If you can swing some sort of redundant connection (maybe a wireless backbone?) then there are a couple approaches.

If you're dealing with a fairly static client base, then you may want to look into using certificates versus PEAP ... it might make the auth process a little more seamless (and it still works with the MS IAS/CA system).

If you engage a commercial CA (like Verisign), then you could do the authentication against the commercial CA from each of the fifty sites via the Internet (eliminates the need for auth access to the central site).

I believe you can also establish a CA hierarchy such that if access to one is blocked, the client can try the next in line.

This is the only way I can think of to get around your "central site" single point of failure.

Good Luck

Scott

robert.wright (Level 1)

Two ways I see this happening.

Take RADIUS out of the picture and use local authentication. Granted, this is likely not the best scenario for obvious reasons.

The other would be, as stated earlier by the other gentleman, to set up another wireless link for redundancy....
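Added example, not from either reply above and not Cisco's own documentation: an Aironet 1200 IOS configuration sketching the "local authentication" fallback, with the central IAS server first in the RADIUS server list and the AP's own local authenticator second, so that requests fall through to the local user database while the VPN tunnel is down. Addresses, shared secrets, the SSID, the group and the bus user names are all assumed; the syntax is the Aironet IOS local-authenticator feature as I recall it (12.3 JA era), so check it against the release you run. Two caveats a practitioner would want: as far as I know the Aironet local authenticator handles LEAP, EAP-FAST and MAC authentication but does not terminate PEAP, so the bus supplicants would need a second profile for the fallback rather than PEAP alone; and the first authentication after the tunnel drops still waits out timeout x retransmit on the central server before the AP marks it dead and tries the local one.

```cisco
! Remote-site Aironet 1200 (IOS) serving the bus clients.
! All addresses, keys, SSID, group and user names are assumed for illustration.
!   10.0.0.10 = central Windows 2003 IAS server, reached over the VPN tunnel
!   10.50.0.2 = this AP's own BVI address, also running the local authenticator
aaa new-model
!
! RADIUS hosts are tried in order. A host that stops answering is marked
! dead for 'deadtime' minutes and skipped, so with the tunnel down the
! requests go straight to the local authenticator instead of timing out
! against the central IAS on every client.
radius-server host 10.0.0.10 auth-port 1812 acct-port 1813 key CentralSharedSecret
radius-server host 10.50.0.2 auth-port 1812 acct-port 1813 key LocalSharedSecret
radius-server timeout 3
radius-server retransmit 2
radius-server deadtime 10
!
aaa group server radius rad_eap
 server 10.0.0.10 auth-port 1812 acct-port 1813
 server 10.50.0.2 auth-port 1812 acct-port 1813
aaa authentication login eap_methods group rad_eap
!
! Local authenticator on the same AP: fallback credentials for the buses.
! This feature supports LEAP, EAP-FAST and MAC authentication, not PEAP.
radius-server local
 nas 10.50.0.2 key LocalSharedSecret
 group buses
  ssid transit
  block count 3 time 300
  reauthentication time 1800
 user bus01 password 0 Bus01Secret group buses
 user bus02 password 0 Bus02Secret group buses
!
dot11 ssid transit
 authentication open eap eap_methods
 authentication network-eap eap_methods
 authentication key-management wpa
!
interface Dot11Radio0
 encryption mode ciphers tkip
 ssid transit
```

The trade-off is the one Robert already points at: every bus credential now lives on fifty access points, so the AP configs (and `show running-config` access to them) become as sensitive as the IAS user database, and each shared secret and password has to be rotated on all fifty APs when a bus is decommissioned.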
