06-07-2004 05:59 AM - edited 07-04-2021 09:41 AM
Hi. I currently have about 60 1210 APs running a and b radios and LEAP is the authentication mechanism for clients. Unfortunately I have been told that I must move my network authentication to use PEAP with TKIP instead of LEAP (they will not even look at EAP-FAST :( )
My problem lies in how to migrate users across.
Can I have my AP on a single VLAN with 2 SSIDs, one doing LEAP and the other PEAP? I have a Cisco ACS (3.2.3) server doing the auth. Does anyone have any experience of doing this?
TIA. Mark
06-07-2004 11:16 AM
In a 1210 (IOS) Security/SSID Manager you can define more than one SSID and each of them can have a different authentication type.
I haven't experienced this kind of migration myself but that's my 0.02.
Could you set up a quick test environment?
ME
06-10-2004 05:10 AM
No need to set up separate SSIDs or VLANs. The access point doesn't know or care which EAP flavor you're using; all EAP types are handled by the same configuration and settings. To enable PEAP, you just need to turn PEAP on in the global security settings of your ACS and make sure the ACS has a valid certificate.
Whether a client uses LEAP or PEAP to authenticate will be determined by the client-side configuration. If you have both enabled on your ACS, either will work.
Once your users have all migrated their client settings to PEAP, you can just globally disable LEAP in your ACS.
-Gabriel
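Added example, not part of the original thread or of any Cisco tooling: before LEAP is disabled globally as described in the reply above, one way to confirm which clients still authenticate with it is to read the EAP type byte of captured EAP-Response packets (RFC 3748 header; type 17 is LEAP, type 25 is PEAP). The MAC addresses and packets below are constructed sample data with abbreviated type-data, and how the packets are collected is left as an assumption.

```python
import struct

EAP_RESPONSE = 2
NON_METHOD_TYPES = {1, 3}            # Identity and Nak carry no auth method
METHOD_NAMES = {17: "LEAP", 25: "PEAP"}

def eap_method(packet: bytes):
    """Return the method name in an EAP-Response, or None if not applicable."""
    if len(packet) < 5:
        return None                  # too short to hold header + type
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != EAP_RESPONSE or length < 5 or length > len(packet):
        return None                  # not a response, or truncated capture
    eap_type = packet[4]
    if eap_type in NON_METHOD_TYPES:
        return None
    return METHOD_NAMES.get(eap_type, f"type-{eap_type}")

def last_method_by_client(records):
    """Map each client MAC to the most recent method it answered with."""
    latest = {}
    for mac, hex_packet in records:  # records are in capture order
        method = eap_method(bytes.fromhex(hex_packet))
        if method:
            latest[mac] = method
    return latest

def still_on_leap(records):
    """Clients whose latest authentication still used LEAP."""
    latest = last_method_by_client(records)
    return sorted(mac for mac, m in latest.items() if m == "LEAP")

# Constructed sample capture: (client MAC, EAP packet as hex)
SAMPLE = [
    ("00:40:96:aa:00:01", "02010009016d61726b"),  # Response/Identity
    ("00:40:96:aa:00:01", "0202000811010000"),    # Response/LEAP
    ("00:40:96:aa:00:02", "020200060319"),        # Response/Nak, wants PEAP
    ("00:40:96:aa:00:02", "020300061900"),        # Response/PEAP
    ("00:40:96:aa:00:03", "0202000811010000"),    # LEAP before migration
    ("00:40:96:aa:00:03", "020300061900"),        # PEAP after migration
    ("00:40:96:aa:00:04", "0202"),                # truncated, ignored
]

if __name__ == "__main__":
    for mac, method in sorted(last_method_by_client(SAMPLE).items()):
        print(mac, method)
    print("still on LEAP:", still_on_leap(SAMPLE))
```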
06-22-2004 10:41 AM
Absolutely. I just completed a similar project. ACS will support both simultaneously and the AP will pass LEAP and PEAP. It works fine.