LEAP/PEAP/ACS3.3/RSA SecurID & NOVELL?

tsage
Level 1

Problem:

I currently have a contractor that has presented several solutions regarding a WLAN project I’m working on, though not with a great level of clarity. I don’t feel that I’m getting complete information so I’m hoping you may offer a generalist some help.

I’m currently trying to secure several Cisco 1200 APs that are located at remote sites via a WAN connection. These devices will be connecting to sensitive information that will require encryption, residing on back-end application servers on both Novell and Windows platforms. We currently have an RSA SecurID system running that is receiving user information from Novell through LDAP. Novell’s eDirectory is our primary directory service. We are not running DHCP in our current environment.

Our contractor has recommended that we need an ACS 3.3 appliance, to provide Radius services, for our roaming wireless users. Additionally, our vendor has recommended that we utilize Cisco Pix 501’s on each remote location, for DHCP and VPN services.

We want wireless users to utilize VPN tunnels and RSA tokens for any connections via wireless.

Questions:

Can we run LEAP within a Novell network? Our vendor is telling us that we must run Microsoft’s AD. The reason I have been given to date is that MS-CHAP is needed for LEAP, though I have found forum entries that contradict this statement.

Do I need a Cisco PIX at each remote location entry point for DHCP? I have also seen references to the 1200’s ability to provide DHCP services, though this is not an automatic setting.

Doesn’t the Cisco ACS 3.3 appliance offer the Radius services that are needed to support LEAP? The ACS box can be configured to use LDAP to access E-Directory information.

5 Replies

tsage
Level 1

Follow-up question?

Since our WLAN environment is completely Cisco, is it not better for us to run LEAP vs. PEAP? Our contractor wants to implement PEAP instead of LEAP, because we are not using Active Directory.

I totally agree that you can configure ACS to use LDAP. If you do not want to use Active Directory, I suggest you think twice before implementing PEAP (MS-CHAP v2).

I attach EAP-FAST Deployment Guide. Table 1 shows capability of different 802.1x types.

I would like to mention that LEAP is subject to dictionary attacks. If you choose LEAP, please implement strong passwords.

AP1200 does not have DHCP capability. I do not know enough on PIX to comment on the PIX question.

rdockins
Level 1

We use the ACS and are using PEAP, which allows us to authenticate against our Novell. Two issues: 1st, on the PC you need to set up PEAP and set it to GTC. In XP this is easy and is a software, not a hardware, thing; 2nd, you will have to use a Microsoft Certificate Authority because Novell's CA is missing an enhancement that the Microsoft CA has and that is required by the ACS.

I am interested in your post regarding the Novell CA and Microsoft CA. I have been having problems getting PEAP MSCHAPv2 to work. I am using a NetWare-generated certificate, organizational CA, on the ACS. Could you provide more detail on the differences with a Microsoft CA or a link with the info? Thanks

scottmac
Level 10

Perhaps this would work for you:

Since you are communicating via VPN, go with something like WPA-PSK at the remote sites (relieves the burden of RADIUS / CA). As long as the Pre-Shared Key is complex, the chances of break-ins are very low (dictionary / brute force attacks). Worst case: put VPN software on each client.

If you need to bump the security a little higher, replace your remote switches with something that supports 802.1x and / or MAC security.

Use the VPN gateway as your barrier into the network. Then you can continue to use the SecureID and back-end authentication for your ultimate security system (basically, keep what you have, add the APs with WPA-PSK).

You didn't mention how many users at each site, or the type of clients, or the level of traffic you'll have to accommodate ... but the Pix501 is a pretty solid little unit and can handle a fair number of users, especially as a site-to-site VPN.

Because we have some users with NICs that won't do WPA, we've added a second, open / no-auth VLAN to our lab system. The users must then use a VPN client to get into the system through a VPN concentrator. So far, the system has been working well for us (one WPA VLAN, one open connection via VPN).

If you add to the system something like a WLSE, you can monitor the radio and client activity at each site and use it to manage the APs remotely, do firmware updates, watch for rogue clients, etc.

Just another alternative ... it works for us.

FWIW

Scott
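As an added illustration (not posted by anyone in this thread), here is what the two AP-side options discussed above look like in Cisco IOS on a 1200 series AP, shown as two separate APs: one doing 802.1X with WPA key management against an ACS RADIUS server using `authentication open eap` (PEAP or EAP-FAST, rather than the `network-eap` form used by LEAP, which the thread notes is exposed to dictionary attack), and one doing WPA-PSK at a remote site with the VPN gateway as the real barrier, as Scott suggests. The SSID names, the ACS address 10.0.0.5 and the angle-bracket placeholders are assumptions to replace with your own values.

```text
! ===== AP at a site using 802.1X / WPA, RADIUS served by the ACS =====
! Assumed: ACS at 10.0.0.5, SSID CORP-8021X, method list eap_methods
aaa new-model
aaa group server radius rad_eap
 server 10.0.0.5 auth-port 1645 acct-port 1646
aaa authentication login eap_methods group rad_eap
radius-server host 10.0.0.5 auth-port 1645 acct-port 1646 key <RADIUS-SHARED-SECRET>
!
dot11 ssid CORP-8021X
 ! "open eap" carries PEAP / EAP-FAST over 802.1X to the ACS;
 ! "authentication network-eap eap_methods" would select LEAP instead
 authentication open eap eap_methods
 authentication key-management wpa
!
interface Dot11Radio0
 encryption mode ciphers tkip
 ssid CORP-8021X
!
! ===== AP at a remote site using WPA-PSK (no RADIUS / CA needed) =====
! Assumed SSID REMOTE-PSK. WPA accepts an 8-63 character ASCII passphrase;
! use a long, random one so the "complex PSK" assumption actually holds.
dot11 ssid REMOTE-PSK
 authentication open
 authentication key-management wpa
 wpa-psk ascii 0 <LONG-RANDOM-PASSPHRASE>
!
interface Dot11Radio0
 encryption mode ciphers tkip
 ssid REMOTE-PSK
```

Either way the wireless segment terminates at the VPN gateway, so SecurID and the back-end authentication stay in front of the sensitive servers exactly as before.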
