[c-nsp] Cisco AIRONET WPA-Enterprise w/Windows question..

Howard Leadmon howard at leadmon.net
Mon Dec 7 15:13:08 EST 2009


  Sorry for following up to my own posting slowly, but have been kind of
under the weather for a bit here..  :(

 Anyway I was saying that WPA-PSK was working fine, but I was trying to
figure out how to just use the radius server in the AP to do WPA-Enterprise
using the PEAP support in Windows 7/Vista.   Someone did respond to me
privately and stated that the Radius server in the AP does NOT support PEAP,
only LEAP, so that could easily explain why I just can't make WPA using PEAP
work.  Seems I need to use the M$ radius server, or some other radius option
to make it work with PEAP.  I may do that, or just stick with WPA2-PSK, as
that is working like a charm, and I only need to support it for about a half
dozen logins..

 So I guess in closing, it seems the Cisco AP wants to use LEAP/EAP-TTLS,
and M$ wants to use PEAP, and they don't support each other's protocol.  So I
need a supplicant to add the support to Windows, or I need a Radius server
that will support PEAP, then AP can talk to..   So much for simple..  LOL


---
Howard Leadmon 


> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Tony Varriale
> Sent: Tuesday, December 01, 2009 1:51 AM
> To: 'cisco-nsp'
> Subject: Re: [c-nsp] Cisco AIRONET WPA-Enterprise w/Windows question..
> 
> It doesn't help me as I already know.  That's why I was responding to the
> original poster.
> 
> Maybe you could try that?
> 
> tv
> ----- Original Message -----
> From: "Scott McGrath" <mcgrath at fas.harvard.edu>
> To: "'cisco-nsp'" <cisco-nsp at puck.nether.net>
> Sent: Monday, November 30, 2009 12:47 PM
> Subject: Re: [c-nsp] Cisco AIRONET WPA-Enterprise w/Windows question..
> 
> 
> > Since there is WPA-PSK and WPA2 often known as Enterprise,
> >
> > The real difference is that WPA-PSK uses a fixed 'pre-shared' key to
> > encrypt the link between the AP and the supplicant. Enterprise assumes
> > that a RADIUS server is available to authenticate the session and set the
> > key for the session. What has not been discussed is what protocol is
> > being used for these; PEAP and/or EAP-TTLS are valid choices.
> >
> > The encryption scheme is 'better' on enterprise as the key is not known
> > before session instantiation. But WPA-PSK (aka Personal) and WPA2 both
> > use the same cipher set to protect the session so the link is as secure
> > but if the key is disclosed to unauthorized users the wireless network
> > effectively has no security whereas WPA2 uses a user database and if the
> > user's credentials are disclosed the endpoint can be deauthenticated and
> > the user's credentials changed. Whereas WPA-PSK requires reconfiguration
> > of the AP(s) and supplicant reconfiguration.
> >
> > Hope this helps
> >
> > - Scott
> >
> > Tony Varriale wrote:
> >> What type of "enterprise" are you interested in?  What's your user
> >> database?
> >>
> >> tv
> >> ----- Original Message -----
> >> From: "Howard Leadmon" <howard at leadmon.net>
> >> To: "'cisco-nsp'" <cisco-nsp at puck.nether.net>
> >> Sent: Saturday, November 28, 2009 12:35 PM
> >> Subject: [c-nsp] Cisco AIRONET WPA-Enterprise w/Windows question..
> >>
> >>>  I have a question hopefully someone can give me a pointer or shed some
> >>> light on..
> >>>
> >>> I have both an Aironet 1242AG and now a 1252AG access point, which are
> >>> working fine.   I have WPA2-Personal with a shared key setup and running
> >>> great as well.   As it was my impression that Vista and Win7 both supported
> >>> Enterprise authentication, which I figured would be better and more secure
> >>> than using the personal shared key stuff.
> >>>
> >>> I have tried, and googled, and I for the life of me just can't seem to get
> >>> Enterprise auth going..   Does anyone have any docs on getting the Aironet
> >>> and Windows to play together, configs, or links to info that will help?
> >>> Just FYI, I am trying to use the radius server built into the AP, as I
> >>> figured that would be simple enough, hopefully doing that is ok..
> >>>
> >>> ---
> >>> Howard Leadmon
> >>>
> >>> _______________________________________________
> >>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> >>> https://puck.nether.net/mailman/listinfo/cisco-nsp
> >>> archive at http://puck.nether.net/pipermail/cisco-nsp/

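The mismatch described in this thread, shown at the EAP layer as an added example (not part of the original posts): a server offers a method, and a supplicant that does not support it answers with an EAP Nak listing what it does support; with no method in common the server can only send EAP-Failure. The method sets passed in are assumptions that follow the thread's statements (AP-local RADIUS offering only LEAP, Windows supplicant offering only PEAP), and the Identity exchange and the chosen method's own conversation are left out.

```python
import struct

# EAP codes and method type numbers (RFC 3748 and the IANA EAP registry).
REQUEST, RESPONSE, FAILURE = 1, 2, 4
NAK = 3
METHODS = {13: "EAP-TLS", 17: "LEAP", 21: "EAP-TTLS", 25: "PEAP"}

def build(code, ident, eap_type=None, data=b""):
    """Encode an EAP packet: Code, Identifier, Length, then Type and Type-Data."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def parse(packet):
    """Decode an EAP packet into (code, identifier, type, type_data)."""
    if len(packet) < 4:
        raise ValueError("truncated EAP header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 4 or length > len(packet):
        raise ValueError("bad EAP length field")
    body = packet[4:length]
    if code in (REQUEST, RESPONSE):
        if not body:
            raise ValueError("request/response without a Type field")
        return code, ident, body[0], body[1:]
    return code, ident, None, b""

def peer_reply(request, peer_methods):
    """Supplicant side: accept the offered method, or Nak with its own list."""
    _, ident, offered, _ = parse(request)
    if offered in peer_methods:
        return build(RESPONSE, ident, offered)
    # A Nak carrying the single value 0 means "no acceptable alternative".
    return build(RESPONSE, ident, NAK, bytes(peer_methods) or b"\x00")

def negotiate(server_methods, peer_methods):
    """Server side: offer the preferred method, follow one Nak, else fail.
    Method lists here are constructed inputs, not values read from a device."""
    trace, ident, offer = [], 1, server_methods[0]
    for _ in range(2):
        reply = peer_reply(build(REQUEST, ident, offer), peer_methods)
        _, _, rtype, rdata = parse(reply)
        trace.append((METHODS.get(offer, str(offer)), reply.hex()))
        if rtype != NAK:
            return METHODS.get(offer, str(offer)), trace
        common = [m for m in rdata if m in server_methods]
        if not common:
            break
        offer, ident = common[0], ident + 1
    trace.append(("EAP-Failure", build(FAILURE, ident).hex()))
    return None, trace
```

In a packet capture of a failing association, the Nak response (type 3) followed directly by EAP-Failure is the signature of this kind of method mismatch rather than of bad credentials.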

