MS-CHAPv2 best alternative

eoinwhite
Level 1

Hi,

We have a customer with ACS 4.2 Appliances who currently uses the Layer 3 web-redirect guest function to authenticate users against AD via ACS and LDAP to the AD; it's a mixture of unmanaged Windows, Mac & Linux clients.

They want to move to an 802.1x solution.

Now MS-CHAPv2 is probably the obvious choice (maybe it isn't, considering Linux and Mac clients ... comments???). However, the only option to integrate with AD is LDAP, i.e. remote agents or an upgrade to 5.x is out of the question.

What is the best alternative without compromising security too much?

TIA

Eoin.

9 Replies

Surendra BG
Cisco Employee

Hi,

Web auth splash page is a good option, which uses 802.1X ... here is the link:

http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080956185.shtml

Lemme know if this answered your question

Regards

Surendra

======

please rate the posts which answered your question or were helpful

Regards
Surendra BG

Probably should have emphasised that this is what the customer is currently doing and wants to move away from it.

I suppose what I'm really asking is:

What password protocol should we consider, given that LDAP will be used to integrate from ACS to AD and there will be a mixture of managed & unmanaged Windows, Mac & Linux?

I would like the customer to put in remote agents to talk with AD instead of LDAP and go with MS-CHAPv2, but this has been ruled out for now as we have to stick with LDAP.

You raise a very good question. I don't like to pop out quick responses without knowing more about the deployment. For example, how many clients are deployed today and will that number increase significantly anytime soon? What security is being used today? What are the ACSs being used for today, etc.

I'll share with you what I have seen in the field the last 10 years. Customers, a significant portion, are using ACS integrated into AD with EAP-PEAP MSCHAPv2. EAP-PEAPv0 to be specific. v0 is MS-PEAP, which is supported on almost every platform including Mac and Linux.

As for the AD / LDAP. Most folks don't want the hassle, use what is there already, AD. I have accounts that have 9000+ clients with 2 ACSs integrated to AD. They work ... It's not a lot of effort either to integrate AD with ACS.

I hope this helps ...

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

George,

The customer has already integrated to AD using LDAP (i.e. not the remote agents). Currently there are a few thousand clients (not sure of exact numbers) that are using the layer-3 web redirect (splash page) function of the wireless controllers to pass their credentials to ACS and then on to AD over LDAP.

They want to move to a scenario where they don't have to use a splash page; they want to pass the credentials directly. As I mentioned, MS-CHAP v2 would be the best option, however the customer has ruled out using remote agents and does not want to upgrade to 5.x right now ... so no MS-CHAPv2.

So my question is what's the best alternative, considering that there will be a mixture of managed and unmanaged Windows, Mac and Linux clients that will be associating to the same SSID?

Regards,

Eoin.

Any more opinions ... I guess this isn't as common a scenario as I thought?

Sometimes I am a little thick headed...

So if I understand you right. Today users get presented a splash page. They then enter their credentials and you want to skip this step and have this happen automatically? Correct?

What wireless security is in place today, outside of the splash page?

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

Hey George,

I've been looking around and it seems I'm not the only person with this issue; also there doesn't seem to be a solution besides upgrading the ACS or going with the remote agents and MS-CHAPv2.

Ignore what the customer currently has; that's probably only confusing the situation. The fact is the customer refuses to install the remote agents and because of that they can't go with MS-CHAPv2.

There is no other suitable password protocol in Windows XP SP2 (which would be the vast majority of clients) and given the fact that the clients are unmanaged (i.e. the customer can't push down another supplicant) I guess the customer just has to accept that the remote agents have to be installed for their ACS appliances.

Hi Eoin,

You may know this already, but you can refer to ACS 4.x supported authentication protocols:

http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/Overvw.html#wpxref846

Table 1-3 lists the supported EAP types (802.1x) with different external databases and, for LDAP, we can have PEAP-GTC, EAP-TLS and EAP-FAST.

PEAP-GTC and EAP-FAST aren't supported by all supplicants. As you've mentioned, not all stations are managed and there's a variety of OS's so these options are probably not applicable to this scenario.

EAP-TLS requires certificates issued on to the clients, which they use for authentication (rather than username/password). I don't see this as a feasible option for unmanaged clients either.

So the end customer is going into a deadlock situation if he wishes to continue using LDAP as the external database. In order to use an easy-to-deploy EAP method, I'd say PEAP-MSCHAPv2 would be the best choice, but then the customer would need to move to an AD external DB, either by using RA or by upgrading to ACS 5.x.

Hope this helps clarify the situation with the end customer.

Best regards,

Bernardo
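
The gap in Table 1-3 that Bernardo points out has a concrete cause: the MS-CHAPv2 server side must hold the user's NT password hash to check the challenge response, while a generic LDAP database only lets ACS test a password by binding with it, which is enough for PEAP-GTC but not for MS-CHAPv2. The Python model below is added here as an illustration and is not code from the thread or from ACS; the backend classes, the sample user, and the SHA-256/HMAC stand-ins for the NT hash and the RFC 2759 response are assumptions made for the example.

```python
import hashlib
import hmac

# Constructed sample directory (hypothetical): user -> plaintext password.
# A real LDAP server never returns the password; it only answers bind().
_DIRECTORY = {"eoin": "correct horse battery staple"}

def _nt_style_hash(password):
    # Stand-in for the NT hash (really MD4 over UTF-16LE); SHA-256 is used
    # only because MD4 is unavailable in many Python builds.
    return hashlib.sha256(password.encode("utf-16-le")).digest()

class LdapBindBackend:
    """What ACS gets from a generic LDAP database: a bind (password) check only."""
    def bind(self, user, password):
        return _DIRECTORY.get(user) == password

class ADBackend(LdapBindBackend):
    """AD integration (remote agents or ACS 5.x): can also supply the stored hash."""
    def stored_hash(self, user):
        pw = _DIRECTORY.get(user)
        return None if pw is None else _nt_style_hash(pw)

def supports_mschapv2(backend):
    # The inner method is only verifiable where the server holds the hash.
    return hasattr(backend, "stored_hash")

def verify_gtc(backend, user, password):
    """PEAP-GTC / PAP: the TLS tunnel carries the password, so a bind suffices."""
    return backend.bind(user, password)

def _response(password_hash, challenge):
    # Stand-in for the RFC 2759 response (not the real DES construction):
    # only a party holding the password hash can produce it.
    return hmac.new(password_hash, challenge, hashlib.sha256).digest()

def client_mschapv2_response(password, challenge):
    # The supplicant hashes the typed password and never sends it, so the
    # server has nothing it could use for an LDAP bind.
    return _response(_nt_style_hash(password), challenge)

def verify_mschapv2(backend, user, challenge, response):
    """Server side: recompute the response from the stored hash and compare."""
    if not supports_mschapv2(backend):
        raise TypeError("MS-CHAPv2 needs the password hash; bind-only LDAP cannot supply it")
    h = backend.stored_hash(user)
    return h is not None and hmac.compare_digest(_response(h, challenge), response)
```

Swapping `LdapBindBackend` for `ADBackend` is the modelled equivalent of installing the remote agents or upgrading to 5.x: the GTC path works against both, the MS-CHAPv2 path only against the second.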

Bernardo,

You're absolutely right. I was just seeing if anyone on the community had come across a workaround. I now know there isn't.

Thanks all.

Eoin.
