07-09-2008 03:42 AM - edited 07-03-2021 04:08 PM
Hello!
I need some help with the configuration of a wireless solution that includes an ACS and in which the authentication is based on an NDS database.
As I have seen in Cisco documents, the only authentication methods supported by NDS databases are EAP-GTC, EAP-TLS and EAP-FAST Phase Two.
I have discarded EAP-GTC (the customer doesn't have a token server and so on) and EAP-TLS (we don't want certificates to be used). So the only method we can use is EAP-FAST.
And here is my problem: the NDS database doesn't support EAP-FAST Phase Zero, so it's necessary to manually provide the PAC. Is this correct? Is it necessary to provide every client with a different PAC? How can I configure this?
Has anybody configured a deployment like the one I describe here?
Please, help!!
07-17-2008 02:21 PM
Phase zero is optional and PACs can be manually provided to end-user clients. (See Manual PAC Provisioning.) You control whether ACS supports phase zero by checking the Allow automatic PAC provisioning check box in the Global Authentication Configuration page.
For further details on the PAC and its configuration, follow this URL:
http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00808e5d6b.shtml#nd
07-21-2008 04:32 AM
Thanks for your answer. But I have more doubts; I hope you can help me.
As I've read in Cisco documents, it's possible to generate PAC files for groups of users. Does this mean that I could use only one PAC file for all the users of the wireless network?
EAP-FAST method phase two is based on other methods, isn't it? So, it's impossible to avoid using EAP-GTC or EAP-FAST. Is this correct?
If I can't avoid them, it is better to use one of them and forget PAC provisioning...
Have you ever configured a solution like the one I described?
Thanks!
07-21-2008 06:08 AM
Trouble with EAP-FAST is that it's a Cisco protocol, and whilst it's 'open', it needs 3rd party client support (i.e. it's not supported natively in Windows XP for example).
The simplest way we've come across for integrating wireless authentication with NDS is putting in a Windows server and using Microsoft Windows Services for NetWare to sync between NDS and Windows.
http://www.microsoft.com/windowsserver2003/sfn/default.mspx
Then, point ACS at the Windows server and you've got all the EAP options available to you.
We've never actually installed the Windows box - we've found that people using NDS usually have a Windows box sitting somewhere on the network.
Might not be an option in this case, but maybe worth keeping in mind...
08-10-2008 01:33 PM
You could install FreeRADIUS for eDir (NDS). As long as the customer has already deployed Universal Password, FreeRADIUS can then provide PEAP-MSCHAPv2.
There are a couple of alternatives to ACS, Ignition being one of them, that can also talk with eDir and provide PEAP-MSCHAPv2 support, again assuming the customer has deployed Novell's Universal Password.