10-14-2010 11:55 AM - edited 07-03-2021 07:17 PM
Hi,
I am looking at implementing a small wireless network, but knowing the way things seem to work, it will most likely grow a lot in the near future. The penny pinchers say that they want to go with a shared key scheme since they don't want to buy a RADIUS server. I think that this is not a great idea, so I was hoping that I could get some help with my problem.
We will be using a 5508 WLC. I believe that they can use local authentication (PEAP?). If so, can wireless clients change their passwords? Would they be able to do this on their wireless connection? Also, can an account be created on the 5508 that would allow a helpdesk employee to reset passwords?
If we do go out and buy a RADIUS server (ACS most likely), I would like the ability for clients to change their passwords and to require them to be changed on a frequent basis. Is this possible? Can it be done through the wireless connection?
Thanks in advance for your help.
10-14-2010 12:24 PM
Hi,
The WLC can do PEAP authentication, yes. However, you don't have fancy password management features, so there is nothing the users can change.
There is the concept of "guest" accounts that "Lobby Ambassadors" can create, so yes, helpdesk people can manage WLC accounts.
However, the best is to have Active Directory managing your passwords. They then use their Windows domain credentials for the wireless.
With ACS, ACS can handle the authentication and use Active Directory as the account database. It then allows end users to change their passwords themselves when they expire.
Nicolas
10-14-2010 12:37 PM
Another alternative to an AD server is an LDAP server. I did a very similar deployment. They didn't have coin for RADIUS and NO AD, but the onsite guys made an LDAP server.
10-14-2010 01:57 PM
Perfect. This is what I wanted to know. Unfortunately, there will be no active directory. Would wireless clients be able to change their passwords if they are on an ACS server?
10-14-2010 03:59 PM
That's a good question. I'll tell you what, I will create a local account on my ACS server and give it a spin. I don't think the users get a "your password will expire" screen. I think it just stops working and someone (an admin) would need to update the ACS server.
Now there is another way to skin this cat. Instead of using a password, you could use a supplicant that uses certs on the client instead of a logon and password.
10-14-2010 05:40 PM
That would be great. I don't yet have access to the equipment, and when it arrives, I'll most likely need to set up quickly. If you would have the time to mock it up, it would be greatly appreciated.
Thanks,
Matt
10-14-2010 10:21 PM
A warning there that George didn't mention. If you directly connect the WLC to an LDAP server, you are restricted to authentication methods that do not encrypt the password inside the EAP tunnel (outside is still encrypted, no worry). So no PEAP-MSCHAPv2, which means no Windows default supplicant.
What works then is PEAP-GTC or EAP-FAST-GTC, for example.
Nicolas
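The reason behind the restriction above, as an added illustration that is not part of the thread: a WLC bound straight to LDAP can only test a cleartext password with an LDAP bind, so the inner EAP method must deliver the cleartext (GTC), whereas a challenge-response inner method (MSCHAPv2) can only be verified by a server that holds password hashes, such as ACS or a RADIUS server with AD. The directory, the account and the simplified hash-based response (a stand-in for the real MSCHAPv2 NT-hash computation) are all constructed for this model.

```python
import hashlib
import hmac

# Constructed sample directory. LDAP only lets the WLC *bind* with a cleartext
# password; it never hands the password (or a hash of it) back to the WLC.
LDAP_USERS = {"mwilson": "Winter-2010!"}  # constructed sample account


def ldap_bind(username: str, password: str) -> bool:
    """The only check a WLC wired directly to LDAP can perform."""
    return LDAP_USERS.get(username) == password


def password_hash(password: str) -> bytes:
    """Password-derived secret a RADIUS server stores (stand-in for the NT hash)."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def gtc_inner(username: str, password: str) -> dict:
    """EAP-GTC inner method: the cleartext password travels inside the PEAP
    TLS tunnel, so the authenticator can relay it to an LDAP bind."""
    return {"user": username, "password": password}


def mschapv2_inner(username: str, password: str, challenge: bytes) -> dict:
    """Simplified MSCHAPv2-style inner method (model, not RFC 2759): the client
    never sends the password, only a response derived from its hash and the
    server challenge."""
    response = hmac.new(password_hash(password), challenge, hashlib.sha256).digest()
    return {"user": username, "response": response}


def wlc_ldap_authenticate(msg: dict) -> bool:
    """WLC with a direct LDAP backend: it can only bind, so it needs cleartext."""
    if "password" in msg:
        return ldap_bind(msg["user"], msg["password"])
    # A challenge response cannot be turned into an LDAP bind, and the
    # directory will not give the WLC the hash needed to recompute it.
    return False


def radius_authenticate(msg: dict, challenge: bytes, hash_store: dict) -> bool:
    """RADIUS server model (ACS): it holds password hashes (or has AD access)
    and can recompute the expected response itself."""
    stored = hash_store.get(msg["user"])
    if stored is None or "response" not in msg:
        return False
    expected = hmac.new(stored, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, msg["response"])
```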
10-18-2010 03:36 AM
What about EAP-TLS? I think it's also supported by the WLC against an LDAP database, and it's "fully" compatible with the Microsoft Windows supplicant.
Although this document talks about EAP-FAST instead of TLS, it could be useful.
Best Regards.