03-24-2008 08:46 PM - edited 07-03-2021 03:35 PM
Hi,
I have a single AP setup using PEAP with MS Win2k3 IAS/RADIUS. I would like outside vendors and clients to be able to come in and be able to access the Internet as well as a printer. I believe in order to authenticate with PEAP the laptop must be a member of the domain which we can't do with vendors and clients. I'm new to wireless so I'm lost as how to set this up. If anyone is familiar with how to do this I would really appreciate some direction. Thanks in advance.
Riley
03-28-2008 01:17 AM
Riley (I found you)
Can you explain the setup a little further. Are you using Wireless LAN Controllers to manage your APs?
Many thx
Ken
03-28-2008 05:31 AM
Thank you for the help. This is all new to me so I'm really lost.
All I have is a single AP, nothing else. It's a Cisco Aironet 1200 Series AP a/b/g.
I was able to configure the AP and IAS/RADIUS/CA for PEAP and that's working.
However I have some laptop users who can't be members of the domain. I'm not 100% sure but I think in order for PEAP to work the laptops must be added to the domain.
I read about something called 'Guest' access. I thought I could setup another authentication method in addition to PEAP for these non-domain member laptops. Even though it's less secure I wanted to give them access to some internal resources as well as the Internet.
03-28-2008 05:50 AM
The one thing that I have found out in the last couple of days is that if you are using a RADIUS server, that has to be part of the domain (if it's a MS opsys) if you are granting corporate access.
If you are using a Cisco ACS and as the ACS is a Cisco appliance, you have to have a remote agent that the ACS forwards the PEAP-MSCHAPv2 request on to, and the RA is on a box within the domain. Then the RA forwards it to your Active Directory controller.
For guest access, would you want the guests to be part of your corporate domain?
What you need is the CUWN architecture where you have controllers on campus where the APs/AP are managed from and then controllers in your Internet DMZs (as per Cisco design guides) but I don't think this is helping you much.
The reason for this is so that you separate your corp/guest wifi traffic with the use of LWAPP tunnels so that a guest user cannot access corp resources.
http://www.cisco.com/application/pdf/en/us/guest/netsol/ns279/c649/ccmigration_09186a00808d9330.pdf
I hope this was not too useless, but like you, I am a newbie to all of this :))
HTHs,
Ken
03-28-2008 04:28 PM
I wish I understood all that. All I have is a single AP. Is there a simple way to just add a 2nd authentication method? I think I read I would need a 2nd SSID and perhaps create a VLAN?
03-28-2008 06:03 PM
You should create another SSID for guest and that will map to a different VLAN just for guest. Then you can configure ACLs on your L3 to deny certain traffic from the guest net to your internal net.
03-28-2008 08:54 PM
Thank you for your help.
Since I can't use PEAP for non-domain computers, what would you say would be the next best choice for a secure wireless connection for those laptops that I can't make members of the domain?
03-31-2008 05:07 AM
If you have ACS then you can use the DB in ACS to authenticate users. With IAS, users will have to be in the domain. If you have to secure the wifi network without using 802.1x, I would suggest using WPA2-PSK. You can always change this weekly and hand the info to your vendors and others who need access. However, if some users do not have support for WPA2, then you might have to go with WPA-PSK which has been compromised already.
03-31-2008 12:23 AM
Hi Fella5 :)
If you do this with a single AP, do you have to configure the AP as a trunk to the switch and carry both VLANs over the trunk?
This is an interesting topic.
Many thx
Ken
03-31-2008 05:02 AM
If the installation is LWAPP then the AP would be on an access port since the traffic flows to the WLC and then trunked to a switch. If the AP is in autonomous mode, then you will have to have an 802.1Q trunk between the AP and the switchport. Native VLAN would be the management subnet the AP is on.
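As an added example (not from this thread or from Cisco's documentation), here is the autonomous-AP setup the two replies above describe on one Aironet 1200: a PEAP SSID and a WPA-PSK guest SSID, each mapped to its own VLAN over an 802.1Q trunk with the management VLAN native, plus the L3 ACL that limits guests to the printer and the Internet. VLAN numbers, addresses, SSID names, interface numbers and the secrets are assumed placeholders; the ciphers are TKIP because the AP in question only offers WPA, not WPA2.

```cisco
! --- Autonomous Aironet 1200 (IOS 12.3 JEA): two SSIDs, two VLANs ---
! Assumed: VLAN 10 = corporate + AP management (native), VLAN 20 = guest,
! RADIUS/IAS at 192.0.2.10, printer at 192.168.10.50 (all placeholders).
aaa new-model
aaa group server radius rad_eap
 server 192.0.2.10 auth-port 1812 acct-port 1813
aaa authentication login eap_methods group rad_eap
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key CHANGE-ME
! Corporate SSID: PEAP via IAS, WPA key management (domain laptops)
dot11 ssid CORP
 vlan 10
 authentication open eap eap_methods
 authentication key-management wpa
! Guest SSID: WPA-PSK for vendor/client laptops, one method per SSID
dot11 ssid GUEST
 vlan 20
 authentication open
 authentication key-management wpa
 wpa-psk ascii CHANGE-ME-GUEST-PASSPHRASE
interface Dot11Radio0
 encryption vlan 10 mode ciphers tkip
 encryption vlan 20 mode ciphers tkip
 ssid CORP
 ssid GUEST
! Each VLAN gets a radio and an Ethernet subinterface bridged together;
! VLAN 10 is native and carries BVI1 (AP management).
interface Dot11Radio0.10
 encapsulation dot1Q 10 native
 bridge-group 1
interface Dot11Radio0.20
 encapsulation dot1Q 20
 bridge-group 20
interface FastEthernet0.10
 encapsulation dot1Q 10 native
 bridge-group 1
interface FastEthernet0.20
 encapsulation dot1Q 20
 bridge-group 20
! --- Switch port facing the AP: 802.1Q trunk, management VLAN native ---
interface FastEthernet0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,20
 switchport mode trunk
! --- L3 device, guest VLAN interface: DHCP, printer and Internet only ---
ip access-list extended GUEST-IN
 permit udp any eq bootpc any eq bootps
 permit ip 192.168.20.0 0.0.0.255 host 192.168.10.50
 deny   ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit ip 192.168.20.0 0.0.0.255 any
interface Vlan20
 ip address 192.168.20.1 255.255.255.0
 ip access-group GUEST-IN in
```

If guests must resolve names through an internal DNS server, add a permit for that host ahead of the deny line; otherwise the deny blocks every other internal subnet while the final permit still allows routing out to the Internet.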
03-31-2008 06:25 AM
I have a single Aironet 1200 Series Access Point and on the 'Express Security' page it shows Static WEP Key, EAP Authentication and WPA so I don't think it supports WPA2.
Do you know how I could keep the PEAP authentication as well as add a 2nd authentication method such as WPA-PSK?
Perhaps I could only enable the WPA-PSK when vendors/clients are onsite and then disable it when they leave.
03-31-2008 06:29 AM
AP#sh ver
Cisco IOS Software, C1200 Software (C1200-K9W7-M), Version 12.3(8)JEA, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Wed 23-Aug-06 16:42 by kellythw
ROM: Bootstrap program is C1200 boot loader
BOOTLDR: C1200 Boot Loader (C1200-BOOT-M) Version 12.2(8)JA, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
Cairny-AP uptime is 3 weeks, 5 days, 23 hours, 18 minutes
System returned to ROM by power-on
System restarted at 09:13:49 est Tue Mar 4 2008
System image file is "flash:/c1200-k9w7-mx.123-8.JEA/c1200-k9w7-mx.123-8.JEA"
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
cisco AIR-AP1210 (PowerPC405GP) processor (revision A0) with 15138K/1236K bytes of memory.
Processor board ID FOC074214X8
PowerPC405GP CPU at 196Mhz, revision number 0x00C4
Last reset from power-on
1 FastEthernet interface
2 802.11 Radio(s)
32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 00:0E:38:23:C8:E7
Part Number : 73-8704-05
PCA Assembly Number : 800-23211-06
PCA Revision Number : A0
PCB Serial Number : FOC074214X8
Top Assembly Part Number : 800-23304-03
Top Assembly Serial Number : FHK0744J2K6
Top Revision Number : A0
Product/Model Number : AIR-AP1210
Configuration register is 0xF
AP#
03-31-2008 06:31 AM
You can only have one authentication method per SSID. You could disable the WPA-PSK, but that would be a daily activity.
03-31-2008 09:07 AM
Can I have multiple SSIDs configured for the same device or for different radios on the same device?
03-31-2008 12:06 PM
Yes... you can have the same SSID on either the 2.4 GHz or 5 GHz radio. You can also have different SSIDs per radio. You can have up to 8 SSIDs, but recommended is 4.