08-26-2009 02:47 AM - edited 07-03-2021 05:58 PM
Hi all
Firstly, can anyone explain briefly how PEAP works? Can I use local usernames from the AP, and also a RADIUS server linked to my Active Directory?
Also, when using PEAP etc., do I not need to type in the PSK for WPA etc.? Does the PEAP function effectively do this?
Also, what are the basics for setting it up on my 1242 AP?
thanks
Carl
08-26-2009 06:42 AM
Hello Carl,
PEAP, just like LEAP, EAP-FAST and EAP-TLS, is one of the 802.1x/EAP authentication methods used in WPA Enterprise. You can also use 802.1x/EAP without WPA. This is different from WPA-PSK. WPA-PSK doesn't use 802.1x authentication methods. In WPA-PSK you simply enter the same passphrase on the client and the AP. This passphrase is used to calculate the actual encryption keys used by the TKIP or AES-CCMP encryption methods.
With WPA Enterprise, you must have an authentication server (RADIUS). The AP doesn't actually care which 802.1x authentication method you are using. The AP ("authenticator") simply converts the client's 802.1x messages to RADIUS messages and forwards them to the authentication server (Cisco ACS, Microsoft IAS, etc.), and then converts the RADIUS messages from the authentication server back to 802.1x messages and forwards them to the client ("supplicant").
You can either use your RADIUS server or you can also configure Local RADIUS (local usernames) on the AP. You can't use both at the same time, but you can fail over from your RADIUS server to the Local RADIUS, if you wish. When using a RADIUS server, the AP doesn't care which 802.1x/EAP method you use; there's no EAP configuration on the AP (only EAP timeout settings and such). It's up to the supplicant to tell the authentication server which EAP method it wants to use, and it's up to the authentication server to support that EAP method. When using Local RADIUS on the AP, the AP must understand the 802.1X/EAP method that the supplicant wants to use. The Cisco Local RADIUS service supports only LEAP, EAP-FAST and EAP-TLS, but not PEAP; therefore you won't be able to use PEAP with the local RADIUS server in your case, you must use an external server (Cisco ACS or Microsoft IAS).
If you had a Wireless LAN Controller with lightweight APs, then you could set up the WLC with Local RADIUS authentication and PEAP. The WLC supports local RADIUS with LEAP, EAP-FAST, EAP-TLS *and* PEAP.
Here's the basic configuration for an autonomous IOS AP if you are planning to use an external Authentication server that supports PEAP (as well as LEAP, EAP-FAST, and EAP-TLS):
aaa group server radius rad_eap
server
!
aaa authentication login eap_methods group rad_eap
!
dot11 ssid PUBLIC
authentication open eap eap_methods
authentication network-eap eap_methods
guest-mode
!
interface Dot11Radio0
encryption mode wep mandatory
ssid PUBLIC
!
radius-server host
The above configuration is pure 802.1x without WPA (WPA key management involves supplicant and AP only, not the Auth server). Here's a WPA-Enterprise example:
aaa group server radius rad_eap
server
!
aaa authentication login eap_methods group rad_eap
!
dot11 ssid PUBLIC
authentication open eap eap_methods
authentication network-eap eap_methods
authentication key-management wpa
guest-mode
!
interface Dot11Radio0
encryption mode ciphers tkip
! or, for AES-CCMP: encryption mode ciphers aes-ccm
ssid PUBLIC
!
radius-server host
Regards,
Roman
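As an added illustration of Roman's point that WPA key management happens only between the supplicant and the AP (example code written for this thread, not Cisco's or Roman's): in WPA-PSK the PMK is derived from the passphrase and SSID with PBKDF2, and the 4-way handshake then expands that PMK into the PTK. With 802.1x/EAP the PMK comes out of the EAP exchange with the RADIUS server instead, so there is no shared passphrase to type in. The passphrase/SSID pair is the IEEE 802.11i test vector; the MAC addresses and nonces are constructed, not from a real capture.

```python
import hashlib
import hmac


def wpa_psk_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    Everyone on the SSID shares this key, and its strength is only the passphrase's strength."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || counter) blocks."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """4-way handshake key expansion (PRF-512). The PMK may come from the passphrase (PSK)
    or from the EAP/RADIUS exchange (Enterprise); the expansion itself never touches RADIUS.
    TKIP uses all 64 bytes; CCMP uses the first 48 (KCK, KEK, TK)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 64)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48], "ptk": ptk}


if __name__ == "__main__":
    pmk = wpa_psk_pmk("password", "IEEE")          # IEEE 802.11i Annex test vector
    aa = bytes.fromhex("001122334455")             # constructed AP MAC (authenticator)
    spa = bytes.fromhex("66778899aabb")            # constructed client MAC (supplicant)
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))  # constructed nonces
    keys = derive_ptk(pmk, aa, spa, anonce, snonce)
    print("PMK:", pmk.hex())
    print("KCK:", keys["kck"].hex(), "KEK:", keys["kek"].hex(), "TK:", keys["tk"].hex())
```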
09-14-2017 07:46 PM
Thank you Roman!!! Life saver... couldn't get this working until I read your post :)
Works a GEM! Keep up the good work and thanks again.