03-26-2008 05:39 AM - edited 07-03-2021 03:35 PM
Hello all,
I am very confused as to the authentication method used for a wifi client logging into a windows domain.
802.1x supports EAP type eap-peap-mschap-v2, but active directory supports Kerberos and not MSCHAPv2 (I believe).
What do I have to do to get a wifi-client working to connect to active-directory using Kerberos whilst EAP only supports MSCHAPv2?
Please help, I am a tad confused
Many thx indeed,
Kind regards,
Ken
03-26-2008 09:27 AM
I believe you need some sort of RADIUS server to perform the authentication.
In our environment - we use a Cisco ACS (RADIUS) server to authenticate our wireless clients.
Our clients all use PEAP auth, and the APs all point to the RADIUS server. The RADIUS server has agents that get installed on AD member servers - then those agents act as the go-between for ACS (RADIUS) and Active Directory.
I believe M$ has a RADIUS server (IAS) which should tie nicely into AD - I just have never used the M$ RADIUS solution so I can't tell you how to make it work - although I can tell you how to make a Cisco ACS work.
03-26-2008 11:00 AM
Many thx indeed for your reply. You are very kind.
So can I just have my WLCs pointing directly to the M$ IAS? And does that run Kerberos?
Sorry, still a little confused?
Many thx
Ken
03-26-2008 02:16 PM
I just set this up and I'm still confused. Here is an overview of what you will need to do:
1) Install a Windows 2003 certificate server CA, and IAS/RADIUS.
2) Authorize your IAS server in active directory.
3) Create a wireless policy in IAS for PEAP Secure password (EAP-MSCHAP v2).
4) Configure your AP as a RADIUS client in IAS.
5) Deploy the certificate from your CA to all your wireless laptops either automatically through AD, through web-enrollment with IIS or manually.
6) I think all laptops must be members of the AD domain but I'm not positive.
Here are the best links that I could find that will guide you step by step.
Microsoft word document: Step-by-Step Guide for Setting Up Secure Wireless Access in a Test Lab:
Ultimate wireless security guide Automatic PEAP deployment with Microsoft Active Directory GPO:
http://articles.techrepublic.com.com/5100-1035-6148576.html
Checklist: Configuring the IAS server and wireless access points for wireless access
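As an added illustration of step 4 (this is not from the thread, Cisco or Microsoft): the RADIUS client (the AP, or the WLC where it terminates 802.1X) and IAS share a secret, and RFC 3579 requires every Access-Request that carries an EAP-Message to include a Message-Authenticator keyed with that secret, which is how the RADIUS server knows the request really came from a configured client. The Python below builds such a request for the PEAP identity exchange and shows the server-side check; the shared secret, NAS address and identity are constructed sample values.

```python
import hashlib
import hmac
import struct
# Constructed sample values (not real data): the shared secret configured on both
# the WLC/AP and the IAS server, and the address of the RADIUS client (NAS).
SHARED_SECRET = b"example-shared-secret"
NAS_IP = "192.0.2.10"
ACCESS_REQUEST = 1
USER_NAME, NAS_IP_ADDRESS, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 4, 79, 80  # RFC 2865/2869/3579

def attr(code: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type, Length, Value (length counts the 2-byte header)."""
    return struct.pack("!BB", code, len(value) + 2) + value

def eap_response_identity(eap_id: int, identity: bytes) -> bytes:
    """EAP-Response (code 2) of type Identity (1): the first PEAP frame the client sends."""
    return struct.pack("!BBH", 2, eap_id, 5 + len(identity)) + b"\x01" + identity

def build_access_request(identity: bytes, eap_id: int, authenticator: bytes) -> bytes:
    """Access-Request as the RADIUS client forwards it to IAS for a PEAP session.
    RFC 3579: any packet carrying EAP-Message needs a Message-Authenticator, the
    HMAC-MD5 (keyed with the shared secret) over the packet with that value zeroed."""
    body = attr(USER_NAME, identity)
    body += attr(NAS_IP_ADDRESS, bytes(int(o) for o in NAS_IP.split(".")))
    body += attr(EAP_MESSAGE, eap_response_identity(eap_id, identity))
    length = 20 + len(body) + 18  # header + attributes + Message-Authenticator
    header = struct.pack("!BBH", ACCESS_REQUEST, eap_id, length) + authenticator
    zeroed = header + body + attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    digest = hmac.new(SHARED_SECRET, zeroed, hashlib.md5).digest()
    return header + body + attr(MESSAGE_AUTHENTICATOR, digest)

def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Server-side check: a mismatch means a wrong shared secret or a tampered
    packet, and RFC 3579 says such a request must be silently discarded."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    pos, found = 20, None
    while pos + 2 <= len(packet):  # walk the TLV attributes, rejecting malformed lengths
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > len(packet):
            return False
        if t == MESSAGE_AUTHENTICATOR and l == 18:
            found = pos + 2
        pos += l
    if found is None:
        return False
    zeroed = packet[:found] + b"\x00" * 16 + packet[found + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(packet[found:found + 16], expected)
```

In a real deployment the 16-byte Request Authenticator is random per request; the check fails both when the WLC and IAS disagree on the secret and when anything in the packet has been altered in transit.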
03-27-2008 12:06 AM
I have configured all of the above from 1-6.
Access points which are wired are no problem to configure.
But I have two 1300 series bridges (1310),
one configured as a Root Bridge with wireless clients the other as a NonRoot Bridge with wireless clients.
The non-root cannot associate to the root and is giving the following error:
Interface Dot11Radio0, cannot associate: EAP authenticating.
How can I configure the nonroot?
Many thx in advance.
03-27-2008 01:48 AM
This is absolutely fantastic. Many thx indeed,
One question if I may :-
4. Configure your AP as a RADIUS Client in IAS.
As I am using 1242 zero touch APs, and using 440x controllers (WLCs), I assume I just configure the WLCs as the RADIUS clients?
Can you or anyone else confirm that?
Then I believe you have given me exactly what I need :)))))))))))))))
Many thx indeed,
Ken
03-27-2008 06:54 PM
I'm sorry but I'm new to Cisco as well as wireless so I'm really lost. I was lucky to get some good help to set up the PEAP. I wish I could help you further but I really don't know what I'm doing.
I'm still trying to get help with setting up some sort of 'Guest' access. I've posted a question but no one replied. I don't suppose you have any experience with that?
03-28-2008 01:15 AM
Yes, we have set up Guest access.
Send me the link (or I will look for it now with your username) so I can hopefully help you out as you have so kindly helped me :))))
Will find and get back to u
Thx
Ken