Client Authenticating the WAPs or WLCs

Bilal Nawaz
VIP Alumni

Hello,

I'm fairly new to the wireless arena (security). I'd be grateful if someone can give me guidance. I want to set up an SSID for the corporate LAN, but I want to ensure that the client (laptop, XP / Win7) authenticates the WAP or WLC first, before the client authenticates with its credentials (laptop name, then user credentials).

Because without this, anyone could set up a fake SSID (the same as ours) and the client would associate and pass on its credentials.

We have ACS on 5.4, WLC 5508 and WAP 126X

Thank you

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

Scott Fella
Hall of Fame

Well, one thing you have to understand is that you really can only authenticate either machine or user, not both. There is a way in ACS to use MARS, but it's not suggested. Windows XP will only do user credentials unless you do a registry hack to have it do machine authentication. Windows 7 will send the computer info first and the user info every time after, if you set computer and user on the Windows supplicant.

So here is the thing. If you're worried about a man-in-the-middle attack, use certificates. On the client side you will push a GPO to validate the server certificate, and you can also validate the DNS name of the ACS server. Using PEAP or EAP-TLS is a secure way of securing the Wi-Fi side.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Okay, so we're authenticating both, I think, and I'll try my best to explain how... In ACS, we've created an Access Service and Policy that has two rules for network access, and it says: anything within this security group (laptops) 'permit', and also any AD user that is part of another security group 'permit'. Then a default implicit deny follows.

When I tick the 'validate server certificate' checkbox, I need to choose a certificate to verify against, right?

Do I just generate a self-signed cert from ACS and export it, then roll the cert out as a trusted root authority via GPO?

How do I validate the DNS name of the ACS server?

We have 3 ACS appliances; if the above is possible, then should I assume all 3 will need to have the same cert in case of a failure?

Thank you


Scott Fella
Hall of Fame

It's easier if you have an internal CA; otherwise I would purchase a 3rd-party cert, and then use a self-signed one if you can't do either of the two. There is an input box for the RADIUS server name in Windows 7, but I don't know about XP. Yes, you need the cert on each server, and it can be the same cert or not.


-Scott

Thanks for your reply, Scott. Can I please ask how it would be easier taking the CA / 3rd-party cert route than a self-signed cert in ACS?

I think there is an option in XP to specify the server name, but we have multiple and I don't know the format, e.g.

acs01;acs02;acs03 or acs01, acs02, acs03


Let's say it's more secure. With an internal CA, all devices would already trust that; you just have to import that into your RADIUS. A third-party cert is easy to install, but that's me. Self-signed is sort of frowned on but will work; it just depends on how much work you want to do. On Windows 7 you just list your ACS hostnames separated by a comma.


-Scott