02-23-2004 05:02 AM - edited 07-04-2021 09:22 AM
I need a solution for the following:
Wireless LAN clients with various Wi-Fi cards - I need authentication on our ACS server /ver 3.2/
I don't want to install any certificate or software on clients. It looks like a job for PEAP, but am I right? I didn't find any configuration examples. How to configure the AP and client?
Thx
02-24-2004 04:12 PM
You will need to install a certificate on the client to use PEAP.
02-27-2004 07:48 AM
PEAP provides mutual authentication. The Client authenticates the RADIUS server using a certificate. To do this, you need to install a server cert on the RADIUS server. The Client just needs the Root cert for the CA that issued the Server cert. If you want to avoid deploying the Root cert on all your clients, get a cert for your server from a CA on the MS supported list. This way, the Root cert is already on your clients.
Remember that there are 2 forms of PEAP: Cisco & MS. The MS 802.1x Supplicant on WinXP uses MS PEAP. The Cisco Client uses Cisco PEAP. I believe that ACS 3.2 supports both. The main difference is what you want to use as a DB to authenticate your clients. If you want to use the AD DB for single sign on, use MS PEAP. Cisco PEAP uses OTP or smart cards.
You should be able to find information on the Cisco and MS web sites on how to configure ACS3.2, WinXP Client and Cisco APs.
You could also use Cisco LEAP, which is U/P based. It is slightly less secure because it uses MS-CHAPv2 to perform authentication, which is subject to dictionary attacks. As long as you have a strong password policy you should be OK. This is simpler to set up than PEAP. Since it uses the Cisco Client it'll also work on more OSs.
Serge