LAP1142N-A-K9 and 802.11n

bellaireroad
Level 1

Can the access point be configured to do local authentication for 802.11N, or is a RADIUS server necessary?


nikhilcherian
Level 5

The AP you mentioned requires a WLC to work with, else you will have to convert it to Autonomous, by loading the proper image from the Cisco site to work as a standalone AP. You can configure the AP in autonomous mode to work for local authentication.

Thanks... I was aware that it would do local authentication for 802.11g, but can it be set up to authenticate for 802.11N? Apparently to get N speed, WPA/AES is required.

Authentication is not dependent on 11n or g, and for getting 11n speed you need to have either OPEN authentication or WPA2 with AES.

Regards

NikhiL

Thanks... getting back to the original question, can the 1142 be configured as a local RADIUS server to do WPA2 with AES?

best regards, Roger

Roger,

Yes, a Cisco autonomous access point can be used as a RADIUS server, but there are limitations as I recall.

http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801c0912.shtml

Give that a read.

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

Roger,

NikhiL is saying that your desired authentication method is not limited based on your decision to use .11g or .11n or .11a or 11Mbps or 54Mbps or 144Mbps or whatever other physical parameters you want to configure.

Yes, you can set up local authentication on your 1142 using a local RADIUS server.

What you do beyond that, WPA with TKIP or WPA2 with AES or OPEN is a radio configuration, not a AAA configuration.

What is it you want to authenticate on your local RADIUS server? A MAC address? A username and password?

Justin

Just to beat a dead horse

802.11N

OPEN - No security

PSK - WPA2/AES

ENTERPRISE - WPA2/AES

Nothing else will work ..

Two words:  ANIMAL CRUELTY

Hello Justin,

Thanks for the explanation. I am trying to set up the access point as a local RADIUS server to do WPA2/AES. I have been using the web interface, and these are the options I get. I'm a little confused because I don't see an option for WPA2/AES. I must be missing something?

Roger,

Correct. This is because WPA2 in and of itself is not really an authentication protocol. For example, if you look at setting up WPA2 Enterprise on a W7 machine, you will see security options that allow you to pick the authentication protocol. Your options in Windows 7 native are SmartCard/Certificate or PEAP (which is one of the flavors of Extensible Authentication Protocol, aka EAP). Here is a screengrab:

Unfortunately, the native EAP options in Windows are not compatible with the native Aironet autonomous EAP options, which are LEAP (older) and EAP-FAST (newer). Both of these EAP methods are Cisco-developed methods. If you want to use local EAP authentication on an AP, I would suggest you go with EAP-FAST. To get EAP-FAST functionality onto your Windows client, you can use the Cisco AnyConnect client with the Network Access Manager (NAM) module. This is what that client looks like, and you can see from the authentication selection list that you now have an option for EAP-FAST (and LEAP):

You would configure WPA2/AES independently, which you do through the security settings -- encryption manager. You need to first enable support for the AES CCMP cipher, and then you need to enable WPA support on your SSID (along with your accepted EAP method).

The link that George provided is a good guide to put all this together. Modify the instructions to use EAP-FAST instead of LEAP, configure an AES CCMP cipher instead of WEP, and set your SSID to accept Open with EAP + Network EAP and also WPAv2.

Justin
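One way to check an autonomous AP's running-config against the four items in the answer above (EAP-FAST rather than LEAP, AES CCMP rather than WEP, Open with EAP plus Network EAP, WPAv2). This is an added example, not part of the thread or of Cisco's guide; the sample config, SSID, method-list and user names are constructed, and the check assumes the local authenticator accepts LEAP unless `no authentication leap` is present.

```python
# Constructed running-config excerpt for an autonomous AP (not from the thread).
# SSID, method-list name, user and password are placeholders.
SAMPLE_CONFIG = """\
dot11 ssid EXAMPLE-SSID
 authentication open eap eap_methods
 authentication network-eap eap_methods
 authentication key-management wpa version 2
interface Dot11Radio0
 encryption mode ciphers aes-ccm
 ssid EXAMPLE-SSID
radius-server local
 no authentication leap
 user exampleuser password EXAMPLE-PASSWORD
"""

def sections(config):
    """Map each top-level line to the list of its indented child lines."""
    out, current = {}, None
    for line in config.splitlines():
        if line.startswith(" ") and current:
            out[current].append(line.strip())
        elif line.strip() and not line.startswith("!"):
            current = line.strip()
            out[current] = []
    return out

def audit(config):
    """Return findings; an empty list means all four items from the post hold."""
    sec, findings = sections(config), []
    for name, body in sec.items():
        if name.startswith("dot11 ssid "):
            if not any(l.startswith("authentication open eap ") for l in body):
                findings.append(f"{name}: Open with EAP not accepted")
            if not any(l.startswith("authentication network-eap ") for l in body):
                findings.append(f"{name}: Network EAP not accepted")
            if "authentication key-management wpa version 2" not in body:
                findings.append(f"{name}: key management is not WPAv2")
        elif name.startswith("interface Dot11Radio"):
            modes = [l for l in body if l.startswith("encryption ")]
            if modes != ["encryption mode ciphers aes-ccm"]:
                findings.append(f"{name}: cipher is not AES CCMP only")
    local = sec.get("radius-server local")
    if local is None:
        findings.append("no local RADIUS server configured")
    elif "no authentication leap" not in local:
        # Assumption: the local authenticator accepts LEAP unless disabled.
        findings.append("local RADIUS server still accepts LEAP")
    return findings
```

Per-VLAN cipher lines are not handled and would be reported as a finding; feed `audit()` the text of `show running-config` saved to a file.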

Thanks, Justin, for taking the time to provide a very concise and detailed explanation... greatly appreciated. Most of the devices on our network are Windows machines, and installing clients on all of them isn't an attractive option. We have Server 2003 on the network, which I think can be set up as a RADIUS server with PEAP and WPA2/AES. This might be the best way to go.

Most of the network users also have iPhones... any special considerations there?

Just as an aside, what is Cisco's logic in not supporting PEAP, since I'm guessing most supplicants are Windows machines?

Best Regards, Roger

Nice work Justin +5
