
Migrate WPA2 to ACS RADIUS

Hello guys, it's me again. I hope you can help me as well.

I'm working with five SSIDs; they're using WPA2 with PSK. I want to migrate to 802.1X authentication, so I'm going to set up an ACS RADIUS.

I have some remote offices and they're working with WPA2 and PSK.

My question is: what happens if I migrate these SSIDs to 802.1X? Will my remote users be able to join an SSID? And what happens if my RADIUS goes down? Right now, if my WLC goes down, my remote APs still work and accept new clients. But if I change this authentication method, will they keep working as they do now?

And what happens with my local users if my RADIUS goes down?

Thank you everyone

I hope the information was useful, and if you have no more questions, remember to close the topic by selecting the answer as "Correct answer".
**Please rate the answer if this information was useful**
**Please mark this answer as correct if the information was useful**

Abhishek Abhishek
Cisco Employee

Hello Daniel,

As per your query, I can suggest the following solution:

In SOHO WLANs moving to WPA2-Personal, client configuration requires little effort. Once you've upgraded client software, choose "WPA2-PSK" from configuration menus, enter a group passphrase, and you're good to go. If you're using a WPA2-capable card with Windows XP but don't see WPA2-PSK as a configuration choice, you haven't installed the XP WPA2 patch. If you've installed the patch but don't see that choice, you're missing WPA2 card drivers. And don't be fooled by products that support WPA with AES -- that's not WPA2. To use WPA2-Personal, both cards and APs must choose WPA2-PSK and AES.

In WLANs moving to WPA2-Enterprise, especially large WLANs, upgrading clients can be a huge task. In addition to updating client-side software, you must choose an 802.1X authentication method, issue (or reuse) client credentials, and tie your RADIUS server to a user account database. The good news is if you've deployed WPA-Enterprise, then you've already covered this ground, and you won't have to do it all again. Otherwise, please continue your WPA2-Enterprise upgrade.

Hope this will help you.

Scott Fella
Hall of Fame

You need to understand the flow of traffic. Anything that goes down can cause an issue. If your RADIUS goes down, of course your clients will not be able to reauthenticate and new clients will not be able to get on. 802.1X is more secure than PSK though, so you have to balance things out. That is why you would have redundant WLCs and RADIUS servers. As far as trying to migrate, you should create a new WLAN using the same SSID but a different profile name. As long as the encryption is different, you will be allowed to create a duplicate SSID. This way you can still have your PSK and your 802.1X with the same SSID. Now this is really meant for migration, and when you see no more clients on the PSK, then you can disable it or remove it.

Thanks,

Scott

Help out others by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***
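
The migration described in the post above (a second WLAN with the same SSID, a different profile name and 802.1X instead of PSK, backed by two RADIUS servers), sketched as AireOS controller CLI. This is an added example, not part of the original posts; the WLAN IDs, profile names, SSID, server addresses (documentation range) and shared secret are placeholders, and the `#` lines are annotations rather than commands.

```text
# Assumed starting point: WLAN 1 = profile "corp-psk", SSID "CORP", WPA2-PSK.
# All IDs, names, addresses and the secret below are placeholders.

# 1. Define two RADIUS authentication servers (primary and secondary) so
#    that one server going down does not stop 802.1X logins. The WLC must
#    also be defined as a network device, with the same shared secret,
#    on the RADIUS side.
config radius auth add 1 192.0.2.10 1812 ascii <shared-secret>
config radius auth add 2 192.0.2.11 1812 ascii <shared-secret>

# 2. Create the second WLAN: same SSID, different profile name.
#    A newly created WLAN stays disabled until step 5.
config wlan create 6 corp-dot1x CORP

# 3. WPA2 with AES, key management 802.1X instead of PSK.
config wlan security wpa enable 6
config wlan security wpa wpa2 enable 6
config wlan security wpa wpa2 ciphers aes enable 6
config wlan security wpa akm 802.1x enable 6

# 4. Bind both RADIUS servers to the new WLAN, in order of preference.
config wlan radius_server auth add 6 1
config wlan radius_server auth add 6 2

# 5. Bring the 802.1X WLAN up next to the PSK one.
config wlan enable 6

# 6. Check that both servers and both WLANs are listed as expected.
show radius summary
show wlan summary

# 7. Only once no clients remain on the PSK WLAN: retire it.
config wlan disable 1
```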

Dear Scott, I really appreciate your help, and Abhishek's as well.

One more question. I'm really concerned about this migration. Right now I have a WLC 4402 with 1131AG APs; these APs have IOS version 12.4 (3g) JA and are working as LWAPP. I found this matrix on the Cisco page:

http://www.cisco.com/en/US/docs/wireless/controller/5500/tech_notes/Wireless_Software_Compatibility_Matrix.html

My new 5508 has version 7.2.103, and that matrix says I need at minimum 12.4 (25e)JA. So... I'm not sure if I need to upgrade the IOS version on my APs.

I was reading the 7.2 configuration text for the 5508, and in some part of the text it says this:

The WGB can be any autonomous access point that supports the workgroup bridge mode and is running Cisco IOS Release 12.4(3g)JA or later releases (on 32-MB access points) or Cisco IOS Release 12.3(8)JEB or later releases (on 16-MB access points). These access points include the AP1120, AP1121, AP1130, AP1231, AP1240, and AP1310. Cisco IOS releases prior to 12.4(3g)JA and 12.3(8)JEB are not supported.

I know it is talking about WGB, but I can read between the lines that an AP with IOS version 12.4 (3g) JA should have no problem joining the new controller?

This part of the document makes me guess I don't have to do anything.

Thanks!!


The AP will pull the correct image from the WLC automagically.

Steve


HTH,
Steve


Dear Scott, I think I got your idea, but this is not clear to me.

My RADIUS (or ISE) in this case is in my central office. My remote offices have APs in FlexConnect mode. These SSIDs are using WPA+WPA2 for authentication.

I'm migrating one SSID and I changed the authentication mode to 802.1X, and now this SSID is using the RADIUS to join the network.

So what happens with this SSID if my RADIUS goes down? I mean, can I use 802.1X for authentication while my RADIUS is up, and another backup authentication method like WPA+WPA2 PSK? Or do I have to choose one of these methods?


If your RADIUS goes down, then your authentication will not happen. This is why you should have redundant ISE nodes, as you can't fall back to PSK. You need to focus on 100% uptime on all the backend network devices. If your WAN goes down, well, users will only have local resources available, so does it really matter if the wireless is up, when you compare if the phones still work, etc.

Thanks,

Scott


Scott Fella
Hall of Fame

Don't look at the WGB unless you are using or have WGBs in your network. These WGBs are autonomous and don't join a WLC. Like Steve mentioned, as long as the AP supports the WLC code, you are fine.
