802.1x EAP-PEAP - Radius Question

JohnTylerPearce
Level 7

We're going to be deploying a wireless solution to a customer at some point shortly. So far we have a WLC 2500 Series, 1140 LAPs, and a 2960-S switch. We're going to have Windows 7, iPhone and iPad devices, and I was going to implement 802.1x EAP-PEAP. I'm going to need a RADIUS server, but I was just wondering: is there a cheaper solution than just getting a Cisco ACS to run a simple RADIUS server, which is all I need?

Also, when the Supplicant sends its NAI in an EAP-Response/Identity message, what exactly is this username, and how does it differ from the username you provide after the secure TLS tunnel has been established?


George Stefanick
VIP Alumni

You have a few options ..

FreeRADIUS -- Which is Linux based

ACS EXPRESS -- Cisco Product

RADIUS/WLC -- You could deploy radius on the WLC. Not sure how many users you will have but this might be an option

PEAP has an outer and an inner identity. The outer can be ANYTHING and isn't actually used in validation efforts. Also, keep in mind this outer ID is sent in the clear and can be sniffed. The inner, this is the actual ID that the RADIUS will validate.

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."
__________________________________________________________________________________________

We should have less than 50 users I would think, most likely less than 20. So, if we were doing a Cisco WLC 2500 Series, can you do RADIUS on the actual WLC? Also, is ACS Express an appliance or software based? Sorry for all the questions, George.

You know, I just checked and it's showing the Express EOL. Learn something new every day.

Yup, 2500 can do RADIUS. When doing RADIUS on the WLC it's more geared for small environments. It's a cost effective way of doing it .. I've done it, but with local accounts on the WLC. Don't know if it can talk back to AD. Perhaps Steve or Scott can comment on that ..

http://www.cisco.com/en/US/prod/collateral/wireless/ps6302/ps8322/ps11630/data_sheet_c78-645111.html


BTW -- Ask all the questions you want .. Thats why we are here ..


Thanks George, I appreciate it. I think after I upgrade my MCITP EA 08 to 2012, I may go for my CCNP in Wireless. I've got it in R&S, but out of all the different tracks you can take I like wireless the best outside of R&S.

LDAP calls to AD are a rotten pain in the arse.

If your DB is AD, then there are issues, as the WLC can't decrypt the hash that MSFT stores the passwords in. There are workarounds, but I don't know any company that is willing to store the password in the clear.

If your Domain User DB is a LDAP server(other than AD) you can do it pretty easily.

You could also enable IAS/NPS on your DC if you are a Windows shop.

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered


Yeah, I need to ask how many people this will be supporting, I know it's pretty small. If it's as small as I think I may just incorporate RADIUS on the WLC.

The one thing that's always confused me is, what is the difference between sending the NAI in the EAP-Request/Response packet and the username/password you enter after the EAP-TLS tunnel is set up?

I'm assuming the local user account you set up and/or the LDAP query to AD is the second login/password combo, but what exactly makes up the NAI?

Great question on the NAI. So the RADIUS server will allow you to strip off the DOMAIN, so only the ID is sent. However, this becomes a challenge with ACS 5.x. It's not as easy as in 4.x. You have to proxy the request to another ACS server to strip it ..

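To make the two points above concrete (the outer identity travelling in the clear before the TLS tunnel is up, and the RADIUS server stripping the domain/realm before it looks up the inner identity), here is an added example that is not from this thread or from any Cisco product. It builds and parses an EAP-Response/Identity packet using the RFC 3748 layout, then splits the identity into user and realm the way a RADIUS realm-stripping step does (RFC 4282 `user@realm` form, Windows `DOMAIN\user` form, and a bare username). The helper names and all sample identities are constructed for illustration.

```python
"""Added example (not from the thread): show that the PEAP outer identity is
readable on the wire, and how a RADIUS server separates user from realm/domain.
Packet layout follows RFC 3748; NAI syntax follows RFC 4282.
All identities used here are constructed samples."""
import struct

EAP_CODE_RESPONSE = 2
EAP_TYPE_IDENTITY = 1


def build_eap_identity(identifier: int, identity: str) -> bytes:
    """EAP-Response/Identity: Code(1) | Identifier(1) | Length(2) | Type(1) | Identity.
    Nothing here is encrypted: a sniffer on the air sees the identity verbatim."""
    body = identity.encode("utf-8")
    length = 5 + len(body)
    return struct.pack("!BBHB", EAP_CODE_RESPONSE, identifier, length, EAP_TYPE_IDENTITY) + body


def parse_eap_identity(packet: bytes) -> dict:
    """Parse an EAP-Response/Identity; raises ValueError on malformed input."""
    if len(packet) < 5:
        raise ValueError("packet too short for an EAP header")
    code, identifier, length, eap_type = struct.unpack("!BBHB", packet[:5])
    if code != EAP_CODE_RESPONSE or eap_type != EAP_TYPE_IDENTITY:
        raise ValueError("not an EAP-Response/Identity")
    if length != len(packet):
        raise ValueError("EAP length field does not match packet size")
    return {"identifier": identifier, "identity": packet[5:length].decode("utf-8", "replace")}


def split_nai(identity: str) -> dict:
    """Split an identity into user and realm as a RADIUS realm-stripping step would.
    Handles user@realm (RFC 4282), DOMAIN\\user (Windows style) and a bare username.
    The realm is lower-cased because realms are compared case-insensitively."""
    if "@" in identity:
        user, _, realm = identity.rpartition("@")
        return {"user": user, "realm": realm.lower(), "style": "nai"}
    if "\\" in identity:
        realm, _, user = identity.partition("\\")
        return {"user": user, "realm": realm.lower(), "style": "domain"}
    return {"user": identity, "realm": "", "style": "bare"}


def outer_identity_is_anonymous(identity: str) -> bool:
    """True when the cleartext outer identity reveals no real username,
    e.g. 'anonymous@example.com' or just '@example.com'. A supplicant configured
    this way still lets the RADIUS server route on the realm but leaks no account name."""
    return split_nai(identity)["user"].lower() in ("", "anonymous")


if __name__ == "__main__":
    # Constructed samples: what a supplicant sends before the TLS tunnel exists.
    for outer in ("jpearce@example.com", "anonymous@example.com", "EXAMPLE\\jpearce"):
        frame = build_eap_identity(1, outer)
        seen = parse_eap_identity(frame)
        print(f"on the wire: {frame.hex()} -> outer identity {seen['identity']!r}, "
              f"anonymous={outer_identity_is_anonymous(seen['identity'])}, "
              f"stripped={split_nai(seen['identity'])}")
```

Running the block prints the raw bytes of each identity frame next to the identity recovered from them, which is the practical reason to configure supplicants with an anonymous outer identity where the RADIUS side supports it: the realm is still available for routing, but the real account name only ever appears inside the tunnel.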

Thanks for all the help George. I just got off the phone with Cisco Partner Pre-Sales support, but I'm not sure if what the guy told me is correct.

He said I could have up to 2000 users on the WLC 2500 Series.

I just wanted to make sure I could incorporate 802.1x EAP-PEAP as a security model. We will have one 2500 Series WLC, several 1140 LAPs, and a 2960-S Series PoE switch. Now, I'm assuming I can create in theory, let's say, up to 2000 local user accounts on the WLC, and have it point to itself for user authentication, and everything should work?

Does this sound like it should be true?

Hey John,

Yes, in fact it's all about feeling comfortable. So here is a video showing LOCAL PEAP on a WLC.

http://www.youtube.com/watch?v=YIxG4OEfwtY

The 2000 is because there is a database limit; this includes MACs, LOCAL ACCOUNTS and AP MACs for AP policy. The max is 2048 .. Here I blogged about this ..

http://www.my80211.com/cisco-wlc-cli-commands/2009/12/27/configure-local-mac-authentication-on-cisco-wlcs.html

So yes it sounds right and you should be good.

Hope this makes you feel a little bit better with your direction. If this helps can you mark the question as answered ?

Thanks John!


In fact, this video is done on a 2504 controller .. good stuff


Damn George, talk about being on target.

Yup ... nothing like seeing it, reading it and then feeling good about doing it .. Good Luck my friend .. Stop back if you have issues.
