12-27-2006 07:03 AM - edited 07-03-2021 01:25 PM
Hi,
I am trying to configure EAP-Fast and I couldn't find any documentation on this. Basically, I would like to configure wireless clients to authenticate using wpa1+wpa2 and EAP-Fast from an access-point through a WLC to the local database of an ACS appliance v4.0.1.
Thanks.
12-27-2006 07:44 AM
Hi Friend,
You can configure WPA 1/2 and EAP-FAST on different WLANs. You cannot configure WPA1/2 and EAP-FAST on the same WLAN/SSID.
Have a look at this link, which will guide you on how to configure WPA1/2 and EAP-FAST on the WLC:
http://www.cisco.com/univercd/cc/td/doc/product/wireless/control/c44/ccfig40/c40wlan.htm#wp1084832
Also, to configure EAP-FAST you just need to enable 802.1x auth on your WLC and then configure EAP-FAST settings on your ACS server.
To configure ACS, have a look at this link:
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs40/user/index.htm
HTH
Ankur
*Pls rate helpful posts
12-28-2006 12:31 AM
Hi Ankur,
First of all, thanks for your reply. Now, I would like to know if it is possible to configure any kind of 802.1x authentication with WPA 1/2?
I can see that this is doable on the WLC and shows up as WPA1+WPA2 + 802.1x.
Regards.
Jawad
12-28-2006 03:05 AM
Hi Jawad,
There is a trick here. If we talk of the layer 2 security option, you can either select WPA1/2 or 802.1x.
But if you select WPA1/2 as the layer 2 security method, then for auth key management you will get an option for 802.1x or pre-shared key, where you can select 802.1x as auth key management for WPA1/2 layer 2 security.
Also, if you select both WPA1 and WPA2 in the GUI by checking both options, it will work with WPA2.
HTH
Ankur
*Pls rate helpful posts
01-02-2007 12:49 PM
Hi Guys-
802.1X is exclusively an authentication and authorization management protocol, and works well with both WPA1 and WPA2.
You can use a wide variety of EAP types with 802.1X, and EAP-FAST is one of them.
So yes, you can of course use EAP-FAST with WPA1+2. You configure your WLAN policy to be WPA1+2 with 802.1X as your authentication management. From there, it's all configuration on your Cisco Secure ACS.
We at Cisco use EAP-FAST with WPA across the entire world.
Hope this helps.
NS
01-03-2007 01:10 AM
Hi,
I was trying to set up EAP-Fast in a lab environment and it didn't seem to work. But I just installed the same equipment at the customer site and it worked like a charm. The only difference is that I was using an external DHCP server in the lab and now I am using the internal DHCP server of the WLC.
Thanks everybody for your replies.
01-31-2007 06:42 AM
Hi.
We too have seen this in our environment. Why is this? Is this perhaps due to the DHCP requests being encrypted?
Out of interest, what DHCP server are you using?
We are required to use the external DHCP server so I would like to find an explanation for this but alas cannot.
Anybody shed any light on this?
Thanks in anticipation.
Sull
01-31-2007 06:55 AM
I am using the internal DHCP server that comes with the WLC. Since I used it, I didn't have any more connectivity issues.
I would recommend that you first test with the internal DHCP that comes with the WLC and see if it fixes your problem.
Regards,
Jawad
01-31-2007 07:03 AM
Hi. Thanks for the prompt response. We too are using the internal DHCP server on the WiSM to overcome this problem. What was the external DHCP server you were using?
01-31-2007 07:06 AM
We were using the Windows 2003 DHCP server for some of the tests and the Cisco IOS DHCP server for others. Both didn't work for some reason.
The customer didn't care which DHCP server we used as long as it worked, so we ended up using the internal one without trying to troubleshoot further.
Regards,
Jawad Skalli
01-31-2007 07:15 AM
Thanks for that. We were trying to get it to work with QIP as the DHCP server so at least I can rule out it being an issue with a particular DHCP server product.
Unfortunately we have to use the external server as a matter of standards.
I found this on another thread.....
"Some of the earlier versions had problems with DHCP responses being dropped into the default VLAN (even though the request came from another valid VLAN).
The request makes it to the server, the server's response makes it all the way back where it loses its tag and is put into the Native VLAN."
This looks to be the issue as when we check on the DHCP server you can see the lease being granted. Wonder if there is a way round this if this is what's happening....
02-16-2007 07:56 AM
Question about choosing EAP-FAST over other EAP models...
While Cisco may be using EAP-FAST and may consider it secure enough, some industry analysts out there like George Ou of Tech Republic (I believe), think that it is just a little less vulnerable than LEAP. Is that true?
Is one better off by going to PEAP, or TLS or some other authentication option using ACS or is EAP-FAST secure for an enterprise network?
Any thoughts will be appreciated.
Thanks!