Allow PEAP, disallow LEAP on SSID, Allow LEAP on other SSID

kcorkins
Level 1

Is it possible to limit the EAP-type allowed on an SSID?

For example: allow PEAP-authenticated users to access SSID "PEAP-Users", and allow LEAP-authenticated users to access SSID "LEAP-Users".

But do not allow a LEAP-authenticated user access to the "PEAP-Users" SSID (and vice versa)?

The only solution I can see is to use a different ACS server for each SSID, and only support the allowed EAP types on that ACS.


5 Replies

mmiklic
Level 1

As far as I know, you can not limit the EAP type per SSID, since APs do not care about the specific EAP type. This is not a problem unless you implement VLANs, where you need to know in which VLAN the clients will end up.

In this case the solution would be either to use separate servers as you mentioned, or rather disable broadcasting of SSIDs and configure appropriate profiles (specific SSIDs) for appropriate groups of users.

BR;Mark

Thanks for the info.

That's how I understand it as well.

Not broadcasting an SSID won't/can't stop someone from "sniffing" for SSIDs and changing their configuration to join the PEAP-SSID, using LEAP to authenticate.

Yes, no problems there with sniffing the SSID, as long as there is at least one more client connected ;) A big security hole, I agree.

Just came across one interesting thing, though (haven't tried it myself) - a certain document (can't remember the URL;) says that if Cisco supplicants are used for PEAP, the "authentication mode network-eap" should be used on the AP SSID. This unfortunately also works with LEAP. But if Windows zero config is used on PEAP supplicants, then the authentication should be set to "authentication open eap method-list". And this does not work with LEAP as far as I know. Perhaps worth trying...

Anyway, if you are dealing with an uncontrolled environment, then you should probably go for separate servers (possibly using VMware;).

BR;Mark
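The two SSID definitions Mark is describing, written out as an added illustration in Cisco IOS access-point syntax (this is not configuration posted by anyone in the thread). The method-list name, RADIUS server address and VLAN numbers are assumptions; only the two `authentication` forms come from the post above.

```text
! Added example in Cisco IOS AP syntax. Names, addresses and VLAN numbers are assumptions.
aaa new-model
! One method list used by both SSIDs; ACS is the single RADIUS server here.
aaa authentication login eap_methods group radius
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key <shared-secret>

! PEAP SSID: open 802.11 authentication followed by 802.1X/EAP.
! The thread reports that a LEAP client hangs here, because LEAP
! supplicants expect the network-eap 802.11 authentication algorithm.
dot11 ssid PEAP-Users
   vlan 10
   authentication open eap eap_methods
   authentication key-management wpa

! LEAP SSID: Cisco network-eap 802.11 authentication. Note that network-eap
! also accepts PEAP from Cisco supplicants, so this side is not selective.
dot11 ssid LEAP-Users
   vlan 20
   authentication network-eap eap_methods
   authentication key-management wpa

interface Dot11Radio0
 encryption vlan 10 mode ciphers tkip
 encryption vlan 20 mode ciphers tkip
 ssid PEAP-Users
 ssid LEAP-Users
```

The selectivity rests on the 802.11 authentication algorithm the client negotiates, not on the EAP type the RADIUS server sees, so it is a behavioural side effect rather than a policy control. Before relying on it, test with a non-Cisco LEAP supplicant against the open-eap SSID, and keep the ACS authentication logs as the place where the actual EAP type per user is visible.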

I tried this, and it did seem to work. The LEAP-authenticating client appeared to "hang" during authentication, and never completed auth. The PEAP client worked just fine. I switched it around, and it still worked.

Thanks for your help!

Another thought just crossed my mind. If you need the correct authentication on the correct SSID just for the purpose of assigning VLANs, you can use per-user RADIUS assigned VLANs.

Best regards,

Mark
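Mark's last suggestion, per-user RADIUS-assigned VLANs, as an added illustration that is not from any post in the thread. The thread uses Cisco ACS; the example below is written in FreeRADIUS `users` file syntax because it shows the reply attributes compactly, and the attribute trio itself is the standard RFC 2868 set that ACS would return. Usernames, passwords and VLAN IDs are constructed.

```text
# Added example: per-user VLAN returned in a RADIUS Access-Accept, in
# FreeRADIUS "users" file syntax. Usernames, passwords and VLAN IDs are constructed.
# Tunnel-Type = VLAN (13), Tunnel-Medium-Type = IEEE-802 (6),
# Tunnel-Private-Group-Id carries the VLAN number the AP should place the client in.
peap-alice   Cleartext-Password := "placeholder-only"
             Tunnel-Type = VLAN,
             Tunnel-Medium-Type = IEEE-802,
             Tunnel-Private-Group-Id = 10

leap-bob     Cleartext-Password := "placeholder-only"
             Tunnel-Type = VLAN,
             Tunnel-Medium-Type = IEEE-802,
             Tunnel-Private-Group-Id = 20
```

On the IOS access point the VLANs named in the reply must already exist (the `encryption vlan N` and subinterface configuration), and the AP must be permitted to apply RADIUS-supplied VLANs with `aaa authorization network default group radius`. With this in place the VLAN follows the user account rather than the SSID, which removes the original reason for needing an EAP type per SSID.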
