[c-nsp] Cisco AIRONET WPA-Enterprise w/Windows question..

Linder, Todd todd at onenet.net
Mon Dec 7 15:52:46 EST 2009


Hey Howard, a Cisco Secure Access Control Server (typically referred to
as Cisco ACS) can be used to hand off authentication to Windows Active
Directory. Second, the Cisco ACS supports all EAP methods, PEAP-MSCHAPv2
being one of them, directly on the server with no need for handoff to
Windows A/D. The nice thing about the Cisco ACS is that in addition to
supporting RADIUS functionality, it will also support TACACS. In other
words, it can do more than just support authentication for your wireless
needs. Another option is the FreeRADIUS server, which can be found at
http://freeradius.org/. FreeRADIUS is open source RADIUS server
software that supports multiple EAP methods and can also hand off
authentication to Windows Active Directory. I hope this information is
helpful.


Todd Linder
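As an added illustration of the arrangement Todd describes (an external RADIUS server terminating PEAP-MSCHAPv2 for the AP and handing the password check to Active Directory), not configuration from the thread or from any of the posters: a minimal FreeRADIUS 3.x layout. The AP address, shared secret, certificate paths and domain name are assumed placeholders.

```conf
# --- raddb/clients.conf: the Aironet AP is a RADIUS client (NAS) ---
# 192.0.2.10 and the secret are assumed placeholders; use a long random secret.
client aironet_ap {
    ipaddr   = 192.0.2.10
    secret   = REPLACE_WITH_LONG_RANDOM_SECRET
    nas_type = cisco
}

# --- raddb/mods-available/eap: terminate PEAP on the server, not on the AP ---
eap {
    default_eap_type = peap          # offer PEAP first to Windows supplicants
    ignore_unknown_eap_types = no    # reject a NAK for anything not configured

    tls-config tls-common {
        # assumed paths; this server certificate is what the Windows client validates
        private_key_file = ${certdir}/server.pem
        certificate_file = ${certdir}/server.pem
        ca_file          = ${cadir}/ca.pem
        tls_min_version  = "1.2"
    }

    peap {
        tls = tls-common
        default_eap_type = mschapv2  # inner method Windows 7/Vista PEAP uses
        virtual_server   = "inner-tunnel"
    }

    mschapv2 {
    }
}

# --- raddb/mods-available/mschap: hand the MSCHAPv2 check off to AD ---
mschap {
    use_mppe = yes               # send the MS-MPPE keys the AP derives the session key from
    require_encryption = yes
    require_strong = yes
    # EXAMPLE.LOCAL is an assumed domain; ntlm_auth comes from a domain-joined Samba install
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=EXAMPLE.LOCAL --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}
```

With `use_mppe = yes` the Access-Accept carries the MS-MPPE-Recv-Key and MS-MPPE-Send-Key attributes, which is how the per-session key Scott mentions reaches the AP; without them the client authenticates and then stalls in the WPA key handshake.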
 

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Howard Leadmon
Sent: Monday, December 07, 2009 2:13 PM
To: 'Tony Varriale'; 'cisco-nsp'
Subject: Re: [c-nsp] Cisco AIRONET WPA-Enterprise w/Windows question..


Sorry for following up to my own posting slowly, but I have been kind of
under the weather for a bit here..  :(

Anyway, I was saying that WPA-PSK was working fine, but I was trying to
figure out how to just use the RADIUS server in the AP to do WPA-Enterprise
using the PEAP support in Windows 7/Vista.   Someone did respond to me
privately and stated that the RADIUS server in the AP does NOT support
PEAP, only LEAP, so that could easily explain why I just can't make WPA
using PEAP work.  Seems I need to use the M$ RADIUS server, or some
other RADIUS option to make it work with PEAP.  I may do that, or just
stick with WPA2-PSK, as that is working like a charm, and I only need to
support it for about a half dozen logins..

So I guess in closing, it seems the Cisco AP wants to use
LEAP/EAP-TTLS, and M$ wants to use PEAP, and they don't support each
other's protocol.  So I need a supplicant to add the support to Windows,
or I need a RADIUS server that will support PEAP that the AP can talk to..
So much for simple..  LOL


---
Howard Leadmon 


> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- 
> bounces at puck.nether.net] On Behalf Of Tony Varriale
> Sent: Tuesday, December 01, 2009 1:51 AM
> To: 'cisco-nsp'
> Subject: Re: [c-nsp] Cisco AIRONET WPA-Enterprise w/Windows question..
> 
> It doesn't help me as I already know.  That's why I was responding to 
> the original poster.
> 
> Maybe you could try that?
> 
> tv
> ----- Original Message -----
> From: "Scott McGrath" <mcgrath at fas.harvard.edu>
> To: "'cisco-nsp'" <cisco-nsp at puck.nether.net>
> Sent: Monday, November 30, 2009 12:47 PM
> Subject: Re: [c-nsp] Cisco AIRONET WPA-Enterprise w/Windows question..
> 
> 
> > Since there is WPA-PSK and WPA2, often known as Enterprise,
> >
> > The real difference is that WPA-PSK uses a fixed 'pre-shared' key to
> > encrypt the link between the AP and the supplicant.   Enterprise assumes
> > that a RADIUS server is available to authenticate the session and set
> > the key for the session.    What has not been discussed is what protocol
> > is being used for these; PEAP and/or EAP-TTLS are valid choices.
> >
> > The encryption scheme is 'better' on enterprise as the key is not known
> > before session instantiation.   But WPA-PSK (aka Personal) and WPA2 both
> > use the same cipher set to protect the session, so the link is as
> > secure, but if the key is disclosed to unauthorized users the
> > wireless network effectively has no security, whereas WPA2 uses a
> > user database and if the user's credentials are disclosed the
> > endpoint can be deauthenticated and the user's credentials changed.
> > Whereas WPA-PSK requires reconfiguration of the AP(s) and supplicant
> > reconfiguration.
> >
> > Hope this helps
> >
> > - Scott
> >
> > Tony Varriale wrote:
> >> What type of "enterprise" are you interested in?  What's your user 
> >> database?
> >>
> >> tv
> >> ----- Original Message -----
> >> From: "Howard Leadmon" <howard at leadmon.net>
> >> To: "'cisco-nsp'" <cisco-nsp at puck.nether.net>
> >> Sent: Saturday, November 28, 2009 12:35 PM
> >> Subject: [c-nsp] Cisco AIRONET WPA-Enterprise w/Windows question..
> >>
> >>
> >>
> >>> I have a question hopefully someone can give me a pointer or shed
> >>> some light on..
> >>>
> >>> I have both an Aironet 1242AG and now a 1252AG access point, which are
> >>> working fine.   I have WPA2-Personal with a shared key setup and running
> >>> great as well.   As it was my impression that Vista and Win7 both
> >>> supported Enterprise authentication, which I figured would be better and
> >>> more secure than using the personal shared key stuff.
> >>>
> >>> I have tried, and googled, and I for the life of me just can't
> >>> seem to get Enterprise auth going..   Does anyone have any docs on
> >>> getting the Aironet and Windows to play together, configs, or links to
> >>> info that will help?  Just FYI, I am trying to use the RADIUS server
> >>> built into the AP, as I figured that would be simple enough, hopefully
> >>> doing that is ok..
> >>>
> >>> ---
> >>>
> >>> Howard Leadmon
> >>>
> >>>
> >>>
> >>> _______________________________________________
> >>> cisco-nsp mailing list  cisco-nsp at puck.nether.net 
> >>> https://puck.nether.net/mailman/listinfo/cisco-nsp
> >>> archive at http://puck.nether.net/pipermail/cisco-nsp/


