01-29-2009 08:45 AM - edited 07-03-2021 05:04 PM
I am beginning to migrate all of my wireless links to WPA; currently they are unencrypted. I have a few computers that receive their connectivity via wireless link. I need to have these computers establish an encrypted wireless link so domain users can log on to them with cached credentials. I have 1100 series APs that establish a wireless link with an ACS using WPA and MS-CHAPv2.
I was told I have to set up 802.1x to allow the computer to establish a link but have not been able to figure this out.
Mike
01-29-2009 12:51 PM
Mike
Can your clients support WPA2 (AES)?
If not you will need to use WPA TKIP
You have the option of using 802.1x
EAP-TLS - considered most secure but you need a PKI infrastructure
EAP-PEAPv0
EAP-PEAPv1
EAP-FAST
or
EAP-TTLS - not that common now
You mentioned MS-CHAPv2 so I think you want a single sign on functionality which PEAP offers.
01-29-2009 12:58 PM
I haven't heard of the single sign on feature but yes that sounds like what I want. I have established wireless connectivity using WPA and MS-CHAPv2 but don't believe our equipment supports WPA2. I have a Cisco ACS but do not know how to configure 802.1x, and how I can get domain computers to establish connectivity with the campus network and allow users to use domain credentials to log in.
Mike
01-29-2009 01:09 PM
Mike
With EAP-PEAP the wireless supplicant uses your Windows username / password and the laptop/desktop machine account that exists in the Windows Active Directory database to authenticate.
With EAP-TLS the wireless supplicant uses the digital certificate installed on the laptop/desktop to authenticate.
Both methods use WPA or WPA2 to encrypt data.
take a look at this link
Mark
01-30-2009 09:19 AM
Mark,
Is LEAP the only way to do single sign on? Is there a way to do machine authentication? I really don't want to use LEAP, but I need the computer to establish a network connection before the user logs on.
Mike
02-03-2009 02:16 AM
Mike
PEAP with MSCHAPv2 allows for active directory machine and active directory user authentication. You can select machine access restrictions so the user can only use a domain laptop combined with domain username and password. This EAP method also allows users with non cached profiles on the laptop to login.
Mark
02-03-2009 07:27 AM
Mark,
Do you have any materials that can assist me in setting this up? Do I need a 3rd party supplicant to make this work?
Mike
02-03-2009 07:41 AM
Mike
Take a look at this
http://www.cisco.com/application/pdf/paws/43486/acs-peap.pdf
The Microsoft XP SP2 supplicant has PEAP
Mark