05-05-2009 08:43 AM - edited 07-03-2021 05:32 PM
How do you connect ACS LEAP-FAST to 4404? I want to have an open SSID where the students can log in with their Novell usernames/passwords but get encrypted.
05-05-2009 08:52 AM
There is no LEAP-FAST. There is LEAP, or EAP-FAST. Neither one is built into Windows, so the first step is to make sure that your users have a software client which supports your desired EAP method.
On the 4404, you'll just set up a WPA or WPA2 network using 802.1X, and configure the address and shared key for the ACS server in your RADIUS entries. The specific EAP method is not configured on the controller.
On the ACS server, you will configure the controller as a AAA client with the appropriate shared secret, using Cisco Airespace as the RADIUS type, and make sure that EAP-FAST is enabled and set up in the Global Encryption section. And of course, you'll have to set up external authentication to your Novell LDAP.
05-05-2009 09:47 AM
I mean EAP-Fast.
Where do I type in the RADIUS entries? In the Security tab I see RADIUS on the left.
I also see EAP-FAST Method Parameters under Local EAP.
05-05-2009 10:33 AM
Do I need RADIUS Key Wrap?
Also, what IP should I use in ACS? Should I use the web auth IP or the IP I use to get to the web page?
05-05-2009 12:23 PM
You do not need RADIUS key wrap.
Use the controller's management address as the IP address for the AAA client.
RADIUS servers are configured under Security: AAA: Radius servers; then, select the servers under WLANs: your SSID: Security: AAA. You are not using Local EAP; don't configure anything there.
05-06-2009 08:50 AM
Here's what I have done so far.
I went to the Security tab in the controller and under AAA > RADIUS > Authentication
I clicked New,
typed in the ACS IP,
Shared Secret Format: ASCII,
Shared key (for a test): aaabbbccc.
I left everything else as default.
I was able to use the blue arrow on the next screen to ping the ACS server. It worked.
I went to WLANs,
clicked on my SSID,
went to Security,
went to AAA Servers,
picked the authentication servers from the drop-down menu.
I try to connect with my laptop with the settings:
http://img135.imageshack.us/img135/1250/30843309.jpg
05-06-2009 09:05 AM
OK, so what happens then? If you're not getting online successfully, what errors do you see on the controller and/or in the ACS authentication logs?
05-07-2009 05:41 AM
I disabled windows firewall. It was blocking the ports.
I also had to enable EAP-FAST on the ACS and turn on anonymous PAC/authenticated PAC.
I'm using a user I made on the ACS.
My next step is to allow EAP-FAST to use my Novell username and password with LDAP. This works for our other SSID that uses web auth.
How do I do this?
05-07-2009 06:07 AM
Just set the controller to use the ACS servers as AAA Authentication on your secure SSID.
05-07-2009 06:44 AM
It's set up like that. I assume that you also need the LDAP Servers drop-down box on the right filled in too, right?
I'm picking the same LDAP in the drop-down box as I did when I used LDAP for web auth.
Do I need to configure LDAP on the ACS? Also, do I have to have manual PAC generation to use LDAP, or can I use automatic?
05-07-2009 06:50 AM
The LDAP boxes on the right are only used if you are using Local EAP, i.e. if you do not have a RADIUS server. If you're using an ACS, then you are not using Local EAP and will leave those options blank.
05-07-2009 08:17 AM
OK, so what would be my next step?
I can connect with GTC and MSCHAPv2. I thought I read MSCHAPv2 can't be used with LDAP.
I can type a username and password in my laptop's client. If I connect, how do I know it's LDAP that let me in?
05-07-2009 08:51 AM
The MSCHAP+LDAP issue only comes into play when you are using Local EAP. Again, because you are using an ACS server this is not a Local EAP implementation.
If you are able to connect successfully, doesn't that resolve your problems? Is there a specific reason why you are concerned about verifying that the LDAP protocol is being used? I suppose you could sniff the traffic between the ACS and your Novell server if you wanted to be really sure.
05-07-2009 08:57 AM
I can only connect with the username I made on the ACS server. When I try to use my Novell username and password, it doesn't work.
05-07-2009 09:40 AM
Hmm. This page says that EAP-FAST + LDAP requires manual PAC provisioning: