ANNOUNCEMENT - The community will be down for maintenace this Thursday August 13 from 12:00 AM PT to 02:00 AM PT. As a precaution save your work.
Showing results for 
Search instead for 
Did you mean: 

Wirless /PEAP / Radius / Scenario type question !

I suspect the answer to the question is simply ?No? but you guys may know better

The scenario is as follows:

A wireless infrastructure with Cisco Aironet 1200 access points in over 50 different locations. Each location has a connection back to one central site. There is no wireless coverage between locations, so it's a kind of a hub and spoke topology. The connections back to the central site are Internet based VPN tunnels which are not entirely reliable and may have some latency issues.

The Wireless clients will be installed on Buses. These buses will be moving from location to location. Each time they come within range of an AP they should be automatically authenticated with no manual intervention ? this part is pretty straightforward (I think)

The client devices on the Buses must use PEAP authentication they authenticate to a Windows 2003 server with IAS (Radius) and CA services running at the central site


If the Link to the central site goes down and the IAS server is unavailable, is there any way the clients can authenticate and be given access to the Wireless network?




Re: Wirless /PEAP / Radius / Scenario type question !

I don't think it'll happen, as described.

Even if you made each of fifty site a separate subnets and each of the fifty APs a WDS or used a WLSM to get L2/L3 mobility or used the LWAP stuff ... everything relies on access to, or through, a central site.

Without access to the central site for handoff information and/or authentication, the system would fail.

If you can swing some sort of redundant connection (maybe a wireless backbone?) then there are a couple approaches.

If you're dealing with a fairly static client base, then you may want to look into using certificates versus PEAP ... it might make the auth process a little more seamless (and it still works with the MS IAS/CA system).

If you engage a commercial CA (like Verisign), then you could do the authentication against the commercial CA from each of the fifty sites via the Internet (eliminates the need for auth access to the central site).

I believe you can also establish a CA hierarchy such that if access to one is blocked, the client can try the next in line.

This is the only way I can think of to get around your "central site" single point of failure.

Good Luck



Re: Wirless /PEAP / Radius / Scenario type question !

Two ways i see this happening.

Take radius out of the picture and use local authentication. Granted this is likly not the best scenario for obvious reasons.

The other would be as stated earlier by the other gentlemen to setup another wireless link for redundancy....

Content for Community-Ad