11-29-2010 04:33 PM - edited 07-03-2021 07:28 PM
12-04-2010 09:25 PM
Why not go for LOCAL EAP with MAC filtering? Here is the configuration example:
LOCAL LEAP
===========
and
MAC FILTERING
============
https://supportforums.cisco.com/docs/DOC-13767
lemme know if this answered your question..
Regards
Surendra
======
Please don't forget to rate the post if this answered your question
12-05-2010 02:02 AM
Hi and thank you for your reply.
I have already tried LEAP with MAC on Local RADIUS and it works fine! But I'm sure that EAP-FAST provides a more secure way (PACs) to protect the communication between the radio interface and clients in terms of possible dictionary or man-in-the-middle attacks.
Regarding the ACL, how can I specifically implement, for my radio 802.11g interface, an ACL which excludes at ALL TIMES all IPs except those 2 static IPs assigned to my handheld clients and, furthermore, permits the association, authentication and traffic of those 2 IPs with the AP on a daily basis but from 14:00 till 07:00, assuming though that the AP will be administratively reachable via WEB Console or Telnet any day/time?
Regards
VP
12-05-2010 02:58 AM
Hi,
In the local server settings you can select EAP-FAST as well instead of LEAP..
Now the access list part of it..
here is the configuration..
en
conf t
time-range hi
periodic weekdays <hh:mm> to <hh:mm>
end
config t
ip access-list extended 111
access-list 111 permit ip host <client IP> any time-range hi
access-list 111 permit ip host <client IP> any time-range hi
! e.g.
access-list 111 permit ip host 10.10.10.10 any time-range hi
access-list 111 permit ip host 10.10.10.11 any time-range hi
end
conf t
int dot11 0
ip access-group 111 in
lemme know if this answered your question..
Regards
Surendra
========
Please don't forget to rate the post if this was helpful for you or useful
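The schedule asked about earlier in the thread (two static handheld IPs, 14:00 to 07:00 every day), written out as a complete configuration. This is an added example, not part of the original post: the time-range name HANDHELD-HOURS is an assumption, the two addresses are the sample ones from the post, and the window is split into two periodic entries so that neither one spans midnight.

```cisco
! Added example. HANDHELD-HOURS is a hypothetical name; 10.10.10.10 and
! 10.10.10.11 are the sample client addresses used in the post above.
configure terminal
!
! 14:00 to 07:00 every day, as two entries that each stay inside one
! calendar day. The time-range is active whenever either entry matches.
time-range HANDHELD-HOURS
 periodic daily 14:00 to 23:59
 periodic daily 0:00 to 7:00
!
! Only the two handhelds are permitted, and only while the time-range is
! active. All other IP traffic arriving from the radio falls through to
! the implicit deny at the end of the ACL.
ip access-list extended 111
 permit ip host 10.10.10.10 any time-range HANDHELD-HOURS
 permit ip host 10.10.10.11 any time-range HANDHELD-HOURS
!
! Applied inbound on the radio only, so web or Telnet management that
! reaches the AP from the wired side is not touched by this ACL.
interface Dot11Radio0
 ip access-group 111 in
end
!
! An IP ACL filters IP packets. 802.11 association and EAP frames are not
! IP, so clients can still associate and authenticate outside the window;
! it is their IP traffic that is dropped.
!
! The time-range follows the AP's clock, so confirm the clock is correct
! and check the result:
show clock
show time-range HANDHELD-HOURS
show access-lists 111
```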
12-05-2010 12:25 PM
Hi again,
Regarding the ACL everything is OK but I still have problems with EAP-FAST setup. Does EAP-FAST demand a private certificate?
On our site there're 2 MC5574 handheld clients. When I try to set up a WLAN profile on both of them and select EAP-FAST, the system asks me to select one of the 3 protocols MS-CHAP, EAP-TLS, EAP-GTC for tunneling Authentication. In either case it then asks for a User Certificate to install.
This is weird because I thought that EAP-FAST establishes a tunneling authentication via PACs and that's it! In case a PAC stands for a private certificate and the AP has the default settings for EAP-FAST, meaning that it will create and provide the PAC upon client request, what is the point of a private certificate authority's involvement?
Regards
VP
12-05-2010 05:48 PM
Hi, EAP-FAST doesn't need any certs.. we need to generate PAC.. here is the link.. which gives the comparison between various EAPs
here is the link to generate or Use the PAC
lemme know if this helps..
Regards
Surendra
12-06-2010 12:55 PM
Hi,
these were very helpful links
Thank you very much for your support
Regards
Vasilis
12-04-2010 09:26 PM
In the LOCAL LEAP config example, you can select EAP-FAST as well if you don't want the LEAP to be configured..
Regards
Surendra