05-10-2004 12:36 AM - edited 07-04-2021 09:37 AM
Hi,
I would like to ask some important questions. We are trying to set up MS PEAP with ACS 3.2 in our university. For that type of authentication we have to add user laptops to our domain, which is fine for staff, but how can we avoid this with students' laptops without adding them to our domain? Security is the big issue.
Which other authentication method would anyone recommend to achieve this goal?
Running AP1200, non-Cisco wireless cards, ACS 3.2, Win XP/W2k.
I would be grateful if someone could help me regarding this issue. What other issues should we consider while making the decisions?
regards
Khaleefa
05-13-2004 01:01 PM
You may want to consider getting a standard 802.11x supplicant for all the laptops if you don't have a standard for adapters. I have had good experience with Funk Odyssey client authenticating with ACS using PEAP, but others may be just as good or better. A lot of client adapters come with PEAP supplicants, but your support cost may be lower if you standardise.
Your users can then authenticate with a Windows domain using PEAP/MSCHAP, or with an ACS, LDAP, etc. username and password using PEAP/GTC. There's no need to add machines into a domain.
For best results, you'll need to get one SSL cert for each ACS server signed by a trusted root authority.
05-20-2004 03:07 PM
1) With PEAP, the end system only needs to be logged into the domain to authenticate the client to a trusted access point. The username/password exchange through the AP is still encrypted with a TLS tunnel, but the user will need to make sure that "Send login credentials automatically" is not checked in his/her supplicant (Windows wireless configuration). Typically, with this supplicant, a window will pop up asking for username/password/domain.
2) Installing clients on the remote end MAY not be feasible for two reasons:
i) User may not have administrative rights
ii) Campus/university will be "responsible" for any "problems that happened after the client was installed".
05-27-2004 10:16 AM
I would recommend EAP-TTLS with a 3rd-party supplicant, like the Meetinghouse client. Certs would be a great way to deploy it, but then you need to deal with PKI.
I have not dealt with the ACS. We are going to be looking at Radiator for radius backend support. I believe it supports multiple EAP types.
Currently we are running an open network and use a custom middlebox (www.net.cmu.edu/authbridge/).
Are you trying to control access to the network, or provide data encryption? We tell users to use applications that secure their data (ssh, ssl).
If you want more details on what we are looking at, let me know. We have about 900 APs across our university and have been using wireless since the days of 900 MHz 1 Mbps.
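The two client-side setups the replies above describe (PEAP/MSCHAP against a Windows domain for staff, a tunnelled password method such as GTC against a non-domain directory for students, both relying on the RADIUS server's CA-signed certificate) can be written down concretely. The following is an added example in wpa_supplicant configuration syntax, not something posted in this thread or shipped by Cisco, Funk or Meetinghouse; the SSID, identities, password and CA file path are placeholders. The security-relevant line in both blocks is ca_cert: it is what makes the "trusted root authority" certificate mentioned earlier actually do work on the client, because a supplicant that does not validate the server certificate will build its TLS tunnel to any access point that answers.

```conf
# Added example (not from the thread). Assumed values: SSID "campus-wlan",
# CA bundle /etc/ssl/certs/campus-ca.pem, placeholder identities/passwords.

# Staff laptops: PEAP with MSCHAPv2 inside the TLS tunnel, checked by ACS
# against the Windows domain. Only user credentials are needed; the machine
# itself is never joined to the domain.
network={
    ssid="campus-wlan"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="placeholder-password"
    # Pin the RADIUS/ACS server certificate to the issuing CA. Without this
    # the supplicant accepts any server certificate, so the inner MSCHAPv2
    # exchange could be terminated by an untrusted access point.
    ca_cert="/etc/ssl/certs/campus-ca.pem"
    phase2="auth=MSCHAPV2"
}

# Student laptops: EAP-TTLS with EAP-GTC as the inner method. GTC carries the
# password in clear inside the tunnel, which lets the backend compare it
# against a directory (e.g. LDAP) that stores only hashed passwords.
network={
    ssid="campus-wlan"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="student123"
    # Outer identity sent before the tunnel is up; the real user name is
    # only disclosed inside the TLS tunnel.
    anonymous_identity="anonymous"
    password="placeholder-password"
    ca_cert="/etc/ssl/certs/campus-ca.pem"
    phase2="autheap=GTC"
}
```

Each ACS server presents its own certificate, but as long as all of them are issued by the same CA the client needs just the one ca_cert entry; rolling the supplicant configuration out once is what makes the "standardise on one supplicant" advice above pay off.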