
Options for migrating from LEAP to PEAP

mlambe
Level 1

Hi. I currently have about 60 1210 APs running a and b radios and LEAP is the authentication mechanism for clients. Unfortunately I have been told that I must move my network authentication to use PEAP with TKIP instead of LEAP (they will not even look at EAP-FAST :( ).

My problem lies in how to migrate users across.

Can I have my AP on a single VLAN with 2 SSIDs, one doing LEAP and the other PEAP? I have a Cisco ACS (3.2.3) server doing the auth. Does anyone have any experience of doing this?

TIA. Mark


melisei
Level 1

In a 1210 (IOS) Security/SSID Manager you can define more than one SSID, and each of them can have a different authentication type.

I haven't experienced this kind of migration myself but that's my 0.02.

Could you set up a quick test environment?

ME

gamccall
Level 4

No need to set up separate SSIDs or VLANs. The access point doesn't know or care which EAP flavor you're using; all EAP types are handled by the same configuration and settings. To enable PEAP, you just need to turn PEAP on in the global security settings of your ACS and make sure the ACS has a valid certificate.

Whether a client uses LEAP or PEAP to authenticate will be determined by the client-side configuration. If you have both enabled on your ACS, either will work.

Once your users have all migrated their client settings to PEAP, you can just globally disable LEAP in your ACS.

-Gabriel

Absolutely. I just completed a similar project. ACS will support both simultaneously and the AP will pass LEAP and PEAP. It works fine.
