11-17-2004 02:50 PM - edited 07-04-2021 10:10 AM
Is it possible to limit the EAP-type allowed on an SSID?
For example: allow PEAP-authenticated users to access SSID "PEAP-Users", allow LEAP-authenticated users to access SSID "LEAP-Users",
but do not allow a LEAP-authenticated user access to the "PEAP-Users" SSID (and vice versa).
The only solution I can see is to use a different ACS server for each SSID, and only support the allowed EAP types on that ACS.
11-18-2004 04:59 PM
As far as I know, you cannot limit the EAP type per SSID, since APs do not care about the specific EAP type. This is not a problem unless you implement VLANs, where you need to know in which VLAN the clients will end up.
In this case the solution would be either to use separate servers as you mentioned, or rather disable broadcasting of SSIDs and configure appropriate profiles (specific SSIDs) for appropriate groups of users.
BR;Mark
11-18-2004 05:54 PM
Thanks for the info.
That's how I understand it as well.
Not broadcasting an SSID won't/can't stop someone from "sniffing" for SSIDs and changing their configuration to join the PEAP-SSID, using LEAP to authenticate.
11-18-2004 06:20 PM
Yes, no problems there with sniffing the SSID, as long as there is at least one more client connected ;) A big security hole, I agree.
Just came across one interesting thing, though (haven't tried it myself) - a certain document (can't remember the URL;) says that if Cisco supplicants are used for PEAP, the "authentication mode network-eap" should be used on the AP SSID. This unfortunately also works with LEAP. But if Windows zero config is used on PEAP supplicants, then the authentication should be set to "authentication open eap method-list". And this does not work with LEAP as far as I know. Perhaps worth trying...
Anyway, if you are dealing with an uncontrolled environment, then you should probably go for separate servers (possibly using VMware;).
BR;Mark
12-09-2004 06:54 AM
I tried this, and it did seem to work. The LEAP-authenticating client appeared to "hang" during authentication and never completed auth. The PEAP client worked just fine. I switched it around, and it still worked.
Thanks for your help!
11-24-2004 06:28 AM
Another thought just crossed my mind. If you need the correct authentication on the correct SSID just for the purpose of assigning VLANs, you can use per-user RADIUS assigned VLANs.
Best regards,
Mark
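As an added illustration (not from any poster in this thread), here is what the two ideas discussed above look like together on a Cisco IOS autonomous AP: one SSID using "authentication open eap" for the PEAP/Windows zero config users, the other using "authentication network-eap" for LEAP users, plus the AAA lines needed for the per-user RADIUS VLAN assignment Mark mentions. The SSID names come from the thread; the ACS address, shared secret, VLAN numbers and method-list names are placeholders, and the exact command syntax is assumed from IOS AP releases of that era (check "?" on your own AP).

```cisco
! RADIUS/ACS definition (ACS-IP and SHARED-SECRET are placeholders)
aaa new-model
radius-server host ACS-IP auth-port 1645 acct-port 1646 key SHARED-SECRET
aaa group server radius rad_eap
 server ACS-IP auth-port 1645 acct-port 1646
! Method list referenced by both SSIDs
aaa authentication login eap_methods group rad_eap
! Required for the AP to honour a VLAN returned by the RADIUS server
aaa authorization network default group rad_eap
!
! PEAP clients using Windows zero config: open + EAP, which the thread
! reports LEAP supplicants do not complete against
dot11 ssid PEAP-Users
 vlan 10
 authentication open eap eap_methods
!
! LEAP clients: network-eap (Cisco proprietary EAP flavour)
dot11 ssid LEAP-Users
 vlan 20
 authentication network-eap eap_methods
!
! Per-user VLAN override (RFC 3580 attributes returned by ACS per user/group):
!   Tunnel-Type            = VLAN (13)
!   Tunnel-Medium-Type     = IEEE-802 (6)
!   Tunnel-Private-Group-ID = "10" or "20"
! A user whose ACS group only permits one EAP type therefore lands in the
! intended VLAN regardless of which SSID they associated to.
```

After a test client authenticates, "show dot11 associations" (assumed to be available on your AP) lists each client with its SSID and VLAN, which is the quickest way to confirm a LEAP client never completes on the PEAP-Users SSID.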