Wireless Authentication

Similar Messages

• Wireless authentication to a windows network

  IF this is the wrong group please let me know and I will re-post...
  I am trying to solve some problems authenticating to a windows network using a airport card....
  I keep getting a non-trusted certificate message after/during the 802.x authentication box..We are not using certificates, at least that is what the admin tells me...so I have logged in as root, opened keychain and set the certifcates in question to trust always for all settings...I log out and then relogin as a normal network account and I still get the message which I can click continue and now I have access..
  the other problem is that my home folder will not mount...I have to mount it manually through the finder..I am assuming this is because the airport network services are not running until I authenticate locally with a cached password....Is there a way to have the login window authenticate through airport so I can have my home directory mount automatically...
  thanks for your help...

  unfortunately there are severla problems with the solution and it really doesn't address the issue. I can't mount the volume on the dock as it won't mount, probably because it is the server itself that has been mounted, not the shared home folder. Also it might create a conflict by having an alias to the home folder that would conflict with the auto mounted home folder when I use the ethernet as a connection source. What I have is a multi-purpose machine.
  1) I use a hardwired connect at my desk...
  2) If I need to go somewhere that a port in the wall is not active, I can then use a wirless connection which allows me access to everything I need....
  What I need to do is get this working so that the rest of the area can use it as well....
  So the question still remains: Does the wireless authentication not mount the home directory because it is not tied into the login window. For example, in a hardwired case I login to the system and this authenticates me and mounts my home folder. When I unplug the ethernet cable and turn on ariport and log off I login to the login window but the 802.x box comes up and asks for my password....which then brings up a not trusted certificate. Which I have tried everyhting I know to make this accepted by the system, including logging as root and going into keychain and setting it to be trusted. This DOES not work. I still get the untrusted certifcate message and the home directory does not mount. So what I need is someone who is authenticating to a windows network using wireless. I have followed all the 802.x suggestions which include using only peap to authenticate through.
  I hope someone can tell me how to stop the untrusted certificate error and how to mount the home directories. It would seem that there should be some type of setting to make airport startup prior to the login window or be hooked into the login window and pas that through to the wireless authentication. This is beyond my experience as you can see...
  thanks

• 802.1x wireless authentication with certificates

  Hi.
  I have configured and working 802.1x authentication with certificates for Wired connections. with no problem.
  when i try to authenticate the same machine with 802.1x and certificates , on Wirelss, the ACS rejects it  with:
  "12520  EAP-TLS failed SSL/TLS handshake because the client rejected the ACS local-certificate."
  the ACS is the same, the certificate the same, and the root ca is the same.
  what's hapenning????
  Antero Vasconcelos

  What supplicant are we using for wireless authentication? Do we have complete chain of certificates installed on the client machine? Can you check if we have root CA/intermediate correctly installed in client and ACS.
  ~BR
  Jatin Katyal
  **Do rate helpful posts**

• 802.1x Wireless Authentication

  Hello
  I am using a MS Certificate Server and MS Radius server with 802.1x Wireless Authentication. When the macs Authenticate I get a warning so to speak and the Cert will not save or trust. I have enter it in as a 509 anchor and other and still the same thing. Is anyone out there doing this.
  The windows says
  801x Authentication
  The Server Certificate could not be validated becuase the root certificate is missing.
  Thanks

  No, CA wasn't changed with R2.
  Are you able to see the User's certificate in the Keychain app under the login keychain & My Certificates? Can you see the CA's certificate under the X509Anchors?
  In the login keychain, when looking at the Users certificate, does it show as valid?

• Secure wireless authentication

  I have just been reading all the posts about secure wireless access and I am
  not happy with the direction Novell has chosen to take.
  I have been extremely pleased with Netware, GroupWise & ZenWorks but Novell
  is starting to loose it's appeal.
  Let me summarize what I have learned and see if I have made any mistakes
  with my understanding.
  1. Novell has stopped development on their Radius server and have no plans
  to resume development.
  2. Novell contributed code to the open source FreeRadius project.
  http://www.novell.com/news/press/arc...2/pr05008.html
  3. There isn't any Radius server with 802.1x authentication that runs on
  Netware (Netware kernel).
  a. Novell's Radius server (BMAS or the newer NMAS server) doesn't do
  802.1x authentication.
  b. I have contacted Funk and this is their reply. Steel-Belted Radius
  Server will run on Windows and Solaris (Linux is coming).
  http://www.funk.com/News&Events/sbr_linux_pn.asp
  c. MTG House hasn't gotten back to me about a solution for Netware. (I
  am doubtful, I didn't find anything on their website.)
  4. You need to run a Radius server that does 802.1x authentication and will
  work/integrate with eDir.
  a. FreeRadius (Linux) will integrate with Edir.
  http://www.novell.com/documentation/...ius/index.html
  http://www.novell.com/coolsolutions/feature/15383.html
  b. Funk's Steel-Belted Radius server (Windows, Solaris & Linux is in
  beta).
  http://www.funk.com/radius/default.asp
  c. Aegis Server
  http://www.mtghouse.com/products/aeg...er/index.shtml
  5. You need a 802.1x Client to authenticate to a Radius server for wireless
  authentication.
  a. Microsoft has 802.1x support in their client. (read this from other
  posts in this forum)
  b. Novell isn't planning on putting 802.1x support in the NW Client.
  (read this from other posts in this forum)
  c. There are 2 Radius clients that integrate with the NW Client for
  Radius Edir authentication.
  1. Funk's Odyssey Client ($45 - $50 per workstation depending on
  quantity) + added annual maintenance costs.
  $2281.25 for 50 Client licenses & annual maintenance.
  http://www.funk.com/radius/wlan/wlan_c_radius.asp
  2. Aegis' Client ($32 - $39.99 per workstation depending on
  quantity) + added annual maintenance costs.
  $2240.00 for 50 Client licenses & annual maintenance.
  http://www.mtghouse.com/products/aeg...nt/index.shtml
  http://www.mtghouse.com/novell_app_note_122204.pdf
  3. When FreeRadius is integrated with Edir is this separate client
  still needed?
  I didn't see anything about a separate client being needed while
  reading the Integrating FreeRadius with Edir documentation.
  6. FreeRadius support is going to be built-in to the next version of Edir.
  http://www.novell.com/news/press/arc...2/pr05008.html
  Why didn't Novell contribute code to port FreeRadius to Netware?
  At this point in time they are still giving us a choice between the Netware
  kernel and the Linux kernel. To me that says they are willing to make
  things work with both systems until they drop support for the Netware
  kernel. Ok, so give me support for 802.1x authentication in the Netware
  kernel. I don't have stray single purpose servers floating around my
  network and I don't want to have to begin that practice just to get Radius
  802.1x authentication working.
  I also won't put my district at a disadvantage by upgrading to the Linux
  kernel until I know Linux well enough to administer it properly. I am the
  IT department at this district so I don't have a great deal of extra time to
  run about learning the new things I would LOVE to learn. I'm sure I'm not
  the only person in this situation so Novell should take these things into
  concideration before they just drop support for a product they say they are
  still supporting. Obviously all of the real support is going toward the
  Linux side at Novell.
  Daniel Blake
  Milford Central School

  Ok, I'll give them the benefit of the doubt and say fine the Netware kernel
  might as well be considered dead. So they are giving me support via
  FreeRadius if I just migrate to OES (Linux). Ok, I might/can live with that
  as a Novell decision.
  But that still doesn't explain why they don't give us some client to log in
  via 802.1x. Giving us the server but not the client is like giving us a
  locked door without a key. That's just plain stupid. I would rather stay a
  Netware - OES shop, but if Novell can't think something this simple through
  then I'm a little nervous about staying with them. What could they think up
  next?
  I guess Novell has decided to port all it's software to Windows cause it
  sucks so bad at business decisions. GroupWise & ZenWorks run completely on
  Windows now, so why do I need OES at all? Except for complexity &
  integration issues of course. I mean why would I need to purchase Edir for
  Windows if I didn't stay with OES? Or Nsure Identity Manager for that
  matter. So if we start looking deeper into this we see Marketing all over
  this thing. Novell Marketing has always done such a good job for Novell.
  Novell has given me a real choice that will work though. If I migrate
  completely to a Windows network it just works without any added costs. Heck
  it even makes my installs easier without having to install the NW Client on
  every new workstation. I can still run ZenWorks & GroupWise too.
  Now, how is Novell Marketing going to screw up and make me hate GroupWise &
  Zenworks so I migrate completely away from Novell products? Way to go
  Novell!
  Daniel Blake
  Milford Central School
  "Jim Michael" <[email protected]> wrote in message
  news:[email protected]...
  > mcsdtech wrote:
  >
  >> 1. Novell has stopped development on their Radius server and have no
  >> plans to resume development.
  >
  > Correct, so far as we know.
  >
  >> 2. Novell contributed code to the open source FreeRadius project.
  >> http://www.novell.com/news/press/arc...2/pr05008.html
  >
  > Yes. Code to allow easier integration with eDirectory.
  >
  >> 3. There isn't any Radius server with 802.1x authentication that runs on
  >> Netware (Netware kernel).
  >
  > Correct.
  >
  >> a. Novell's Radius server (BMAS or the newer NMAS server) doesn't do
  >> 802.1x authentication.
  >
  > Correct. It was developed quite a while before 802.1x even existed.
  >
  >> b. I have contacted Funk and this is their reply. Steel-Belted
  >> Radius Server will run on Windows and Solaris (Linux is coming).
  >> http://www.funk.com/News&Events/sbr_linux_pn.asp
  >
  > Correct, but Stell-Belted Radius is probably the last solution I would
  > look at. Radiator is a commercial product that runs on Linux or Windows
  > (it is Perl-based) and you will get far better support from them on
  > eDirectory issues and general Radius problems. freeRADIUS is what I would
  > run on Linux if you don't want to spend a dime on the software.
  >
  >> c. MTG House hasn't gotten back to me about a solution for Netware.
  >> (I am doubtful, I didn't find anything on their website.)
  >
  > Not familiar with them.
  >
  >> 4. You need to run a Radius server that does 802.1x authentication and
  >> will work/integrate with eDir.
  >> a. FreeRadius (Linux) will integrate with Edir.
  >> b. Funk's Steel-Belted Radius server (Windows, Solaris & Linux is
  >> in beta).
  >
  >> c. Aegis Server
  >
  > And Radiator (what I run) http://www.open.com.au This is the solution we
  > run.
  >
  >> 5. You need a 802.1x Client to authenticate to a Radius server for
  >> wireless authentication.
  >
  > Correct.
  >
  >> a. Microsoft has 802.1x support in their client. (read this from
  >> other posts in this forum)
  >
  > Correct. Technically, the "support" is in Windows, not the MS client.
  >
  >> b. Novell isn't planning on putting 802.1x support in the NW Client.
  >> (read this from other posts in this forum)
  >
  > Correct.
  >
  >> c. There are 2 Radius clients that integrate with the NW Client for
  >> Radius Edir authentication.
  >> 1. Funk's Odyssey Client 2. Aegis' Client ($32 - $39.99 per
  >> workstation depending on
  >
  > Correct.
  >
  >> 3. When FreeRadius is integrated with Edir is this separate
  >> client still needed?
  >
  > Yes. You ALWAYS need a 802.1x supplicant (client) on the workstation.
  > Windows has one built-in, which works FINE against eDirectory. HOWEVER,
  > because of the way it works you must log into eDirectory *after* fully
  > logging into windows. That is unacceptable to most organizations (you
  > would have to manually log in and map drives to NW, etc). This is why
  > there are third-party clients that integrate specifically with the NetWare
  > client.. they allow the 802.1x authentication to "insert" itself
  > in -between the Windows and eDirectory login, thus preserving all of the
  > normal features like dynamic local user, zen policies, etc.
  >
  >> I didn't see anything about a separate client being needed
  >> while reading the Integrating FreeRadius with Edir documentation.
  >
  > A client is always assumed.
  >
  >> Why didn't Novell contribute code to port FreeRadius to Netware?
  >
  > Because Novell's future direction is Linux, and there isn't much demand
  > for a NetWare Radius server.
  >
  >> At this point in time they are still giving us a choice between the
  >> Netware kernel and the Linux kernel. To me that says they are willing to
  >> make things work with both systems until they drop support for the
  >> Netware kernel. Ok, so give me support for 802.1x authentication in the
  >> Netware kernel. I don't have stray single purpose servers floating
  >> around my network and I don't want to have to begin that practice just to
  >> get Radius 802.1x authentication working.
  >
  > You can always make your wishes known at
  > http://support.novell.com/enhancement
  >
  >> I also won't put my district at a disadvantage by upgrading to the Linux
  >> kernel until I know Linux well enough to administer it properly. I am
  >> the IT department at this district so I don't have a great deal of extra
  >> time to run about learning the new things I would LOVE to learn. I'm
  >> sure I'm not the only person in this situation so Novell should take
  >> these things into concideration before they just drop support for a
  >> product they say they are still supporting. Obviously all of the real
  >> support is going toward the Linux side at Novell.
  >
  > I understand the frustration, but I doubt things will change. There is a
  > big difference between "supporting" existing products and adding major
  > enhancements to products to support new standards. I just don't think
  > Novell believes it is worth dedicating development resources to enhancing
  > Radius on NetWare, for those few that can't/won't run a Linux or Windows
  > box where the software already exists.
  >
  >
  > --
  > Jim
  > NSC SYsop

• Open Wireless authentication concept.

  Folks,
  We have been asked to explore the possibilities of getting an open wireless setup going for guests. This essentially means that guests coming in should get Internet access without having to feed in a username/password. Connecting to this SSID should take them to a portal page which mentions some policies about internet access. On accepting that the users must get Internet access.
  Can this be achieved on the Cisco Wireless controllers? Has anyone heard about the industry using such Wireless authentication? Is there any know setup that uses this kind of configuration?
  Thanks,
  N.

  Web Passthrough on Wireless LAN Controllers
  Web passthrough is a solution that is typically used for guest access. The process of web passthrough is similiar to that of web authentication, except that no authentication credentials are required for web passthrough.
  In web passthrough, wireless users are redirected to the usage policy page when they try to use the Internet for the first time. Once the users accept the policy, they can browse the Internet. This redirection to the policy page is handled by the WLC.
  In this example, a VLAN interface is created on a separate subnet on the WLC. Then, a separate Wireless LAN (WLAN)/Service Set Identifier (SSID) is created and configured with web passthrough, and it is mapped to this VLAN interface.
  http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/116879-configure-wlc-00.html

• Wireless authentication through AD

  I have a 2106 LAN controller with 1250 AP. I need to authenticate via my Active Directory users. Can this be done and how? I am also looking to get better range from my antennas, what the best omni or Bi antenna I can use with my 1250 AP
  Thank you in advance.

  Hi Tabish:
  Unfortunately, there is no specific document for wireless authentication with ACS 5.x
  If you wish you can check the below listed sections from acs 5.1 user guide:
  You can configure AD on Windows to use as external database, you can use the following link to integrate your AD
  http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/users_id_stores.html#wp1053213
  For authorization using TACACS+
  http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/pol_elem.html#wp1074366
  For configuring managing access
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/access_policies.html
  HTH
  Regards,
  JK
  Plz rate helpful posts-

• 802.1x Wireless Authentication with 10.8.4 Build 12E3067

  Hello All,
  Work in a school and we use 802.1x authentication for Wi-Fi and access to our server and Staff wireless VLAN.  We use a login window profile that authenticates with our Active Directory.
  Previous and working set up was MBA (Mid 2012) 5,1. Running OS 10.8.4 build 12E55.  This OS was downloaded from Mac App Store. Bound to domain and using authorization certificates for our active directory controllers. Created Wi-Fi 802.1x authentication profile with Profile Manager on 10.8 server.  No issue.  Units authenticate with server at user login, join Wi-Fi and mounts home folder. 
  New and not working set up is MBA (Mid 2013) 6,2 running OS 10.8.4 build 12E3067.  This unit will not run build 12E55, boots to prohibitory sign. Unit is set up with same certificates and 802.1x profile. When first booting up the Wi-Fi signal appears to be attached to the network, unlike previous setup when unit will Wi-Fi indicator will appear disconnected until user logs in.  90% of the time new units will not authenticate. States unable to connect to server and then loads into mobile user account.  Will not attached to Wi-Fi. There are instances when it does authenticate properly.  However logging out and then back in will cause the failure.
  Also note, I have made an image of the 6,2 MBA with build 12E3067 and installed in on MBA 5,1. Same Failure happens.  This leads me to believe the issue lies in OS 10.8.4 build 12E3067.
  Troubleshooting:
  -I have taken OS build 12E3067 on MBA 6,2 (failing to authenticate) and removed Wi-Fi profile. Unit authenticates over Ethernet with no issue. Add profile back and issue surfaces.
  -Created new profile using profile manager and issue continues. Verified proper certificates are being used. Would the previous profile
  -Restarted domain controllers. Issue continues.
  Any thoughts or questions would be appreciated.

  did you find any resolution to this?  our mba- mid 2013 deployment is having a very similar problem.  We've gone through loads of troubleshooting and have yet to come to a resolution.  all our mid 2012 mba's are working fine they're 10.7.5/10.8.4 mixed.  console logs don't show much, i'll try the wireless diags tomorrow.  our other 10.8.4 build appears fine on other models of machines.  i've read posts about deleteing the adapters, deleting the system config plists and changing the mtu size, these steps do not work for us.
  we don't have as high a failure rate with our deployment, but 25%-30% of our clients randomly drop connectivity and are unable to reconnect (fluttering wi-fi wave).  when you slect the wifi symbol in the menu bar other wireless networks do not show, the 'looking for networks' fly wheel continues to spin.  ocasionaly on login the yellow jelly bean will appear then disappear before finally timeing out without logging the user in (depsite having mobile accounts enabled).    mostly the problem manifests itself when waking from sleep - the wifi symbol flutters endlessly without connecting.  deleting the 8021x profile and readding it will reenable connectivity.  we've tried new profiels, but to the same end.  i know our certs and systems are fine because previous mac os x builds work fine as do our windows clients.
  any input would be much appreciated.

• EAP-TLS Wireless Authentication - General questions

  Hi,
  I want to use EAP-TLS as a method of authentication for users/computers to join the Wireless. Devices that will connect to the Wireless are part of the domain.
  What certificate is preferred to use for this purpose? Computer o User certificates? I guess that it probably depends on what you want to identify or authenticate, a user or a device, but what option is “generally” recommended?
  Is there any difference from the point of view of security? Is a computer certificate more secure than a user certificate o vice versa? I have been told that user certificates are easier to compromise (or steal from a windows machine) than computer certificates
  even if a user doesn’t have Admin privileges in their machine?
  I have also been told that using user certificates could result in some issues to pass some Compliance audits.
  I would like to be sure that the design complies with the most recommended and secure alternative.
  I would appreciate some help.
  Many thanks.

  There are pros and cons to using workstation or user based certificates, as well as benefits to using "both". But first thing, both user and computer certificates are secured in the same way in the operating system - in an encrypted state. There are reasonable
  controls in place, but anyone bent on hacking a system and has physical control of it, has many options available to them. Things like Bitlocker with TPM can help mitigate many of these attacks. The purpose of certificates is to increase the security and integrity
  above passwords. It's not foolproof.
  The benefit to using computer/workstation authentication is that when the computer boots up, it joins the WiFi and enables domain users to log on. This is even the case if the user has never logged onto the computer before. The workstation has a secure channel
  to a domain controller and is fully managed and applies GPO updates. In this model, the WiFi connected machine is no different from a wired machine.
  The disadvantage is that you need to carefully manage your computer devices in AD. Imagine the scenario of a laptop that is stolen. Do you have the means to know which computer object it is and to disable/delete it from AD? If not, then whoever uses the
  computer will be able to get onto your WiFi. Many organizations have trouble with this aspect.
  User Authentication is a little easier as its easy to manage users who should be allowed to get onto a network. If they leave, their account is disabled. However, they must have cached credentials on the laptop
  they want to use as there is no means to contact a DC to authenticate a user the first time.
  Another option to consider is to use BOTH. In this scenario, you issue certificates to both the computer and user. When the computer boots, it joins the WiFi. When a user logs on, the computer stays connected
  to the WiFi for 60 seconds to allow the user to authenticate and to receive their credentials which are then used to authenticate to the WiFi. If the user is not authorized or is unable to authenticate, then the WiFi is disconnected. This provides the best
  security option, but it means managing both user and computer objects properly.
  Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years.

• Radius for 802.1x; Remote Access and Wireless authentication

  Looking to use a single Radius platform for authenticating Remote, wired and wireless users and machines. Anyone with some experience with that use to share some lessons learns...

  Hello Richard,
  there is a previous post from a user who wants to add authentication to his Cisco ACS Radius server for wireless clients, it might be worth contacting that user to see how he resolved this...here is the link to the thread:
  http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Network%20Infrastructure&topic=Getting%20Started%20with%20LANs&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1dd9504e
  Also, have a look at the document below, which talks about the issue:
  Selecting an EAP Method: the RADIUS Authentication Server Component
  http://www.interlinknetworks.com/news/newsletters/20031104/tech.htm
  HTH,
  GP

• 802.1x wireless authentication using NPS - SSO sign on to Office 365 using ADFS

  Hi Spiceys,I'm researching for a potential client and would like to know if the following is possible:They have an existing wireless network with a working 802.1x implementation using NPS as RADIUS. They are very keen to move to Office 365 and use SSO and my understanding is that they'll need to spin up a working ADFS implementation to arrange this. We want to use Microsoft tech to tie it all in, so 3rd party SSO apps I don't want to investigate.If a wireless client is authenticated with NPS, and we have a working ADFS implementation are they able to access Office 365 resources without signing in twice? I'd imagine that the NPS auth would give them the necessary DC token, but if they access O365 resources and get redirected to the ADFS website and use Windows integrated login, will it 'just work' ? They are looking at using the full...
  This topic first appeared in the Spiceworks Community

  did you find any resolution to this?  our mba- mid 2013 deployment is having a very similar problem.  We've gone through loads of troubleshooting and have yet to come to a resolution.  all our mid 2012 mba's are working fine they're 10.7.5/10.8.4 mixed.  console logs don't show much, i'll try the wireless diags tomorrow.  our other 10.8.4 build appears fine on other models of machines.  i've read posts about deleteing the adapters, deleting the system config plists and changing the mtu size, these steps do not work for us.
  we don't have as high a failure rate with our deployment, but 25%-30% of our clients randomly drop connectivity and are unable to reconnect (fluttering wi-fi wave).  when you slect the wifi symbol in the menu bar other wireless networks do not show, the 'looking for networks' fly wheel continues to spin.  ocasionaly on login the yellow jelly bean will appear then disappear before finally timeing out without logging the user in (depsite having mobile accounts enabled).    mostly the problem manifests itself when waking from sleep - the wifi symbol flutters endlessly without connecting.  deleting the 8021x profile and readding it will reenable connectivity.  we've tried new profiels, but to the same end.  i know our certs and systems are fine because previous mac os x builds work fine as do our windows clients.
  any input would be much appreciated.

• Wireless authentication network design questions... best practices... etc...

  Working on a wireless deployment for a client... wanted to get updated on what the latest best practices are for enterprise wireless.
  Right now, I've got the corporate SSID integeatred with AD authentication on the back end via RADIUS.
  Would like to implement certificates in addition to the user based authentcation so we have some level of dual factor authentcation.
  If a machine is lost, I don't want a certificate to allow an unauthorized user access to a wireless network.  I also don't want poorly managed AD credentials (written on a sticky note, for example) opening up the network to an unathorized user either... is it possible to do an AND condition, so that both are required to get access to a wireless network?

  There really isn't a true two factor authentication you can just do with radius unless its ISE and your doing EAP Chaining.  One way that is a workaround and works with ACS or ISE is to use "Was machine authenticated".  This again only works for Domain Computers.  How Microsoft works:) is you have a setting for user or computer... this does not mean user AND computer.  So when a windows machine boots up, it will sen its system name first and then the user credentials.  System name or machine authentication only happens once and that is during the boot up.  User happens every time there is a full authentication that has to happen.
  Check out these threads and it explains it pretty well.
  https://supportforums.cisco.com/message/3525085#3525085
  https://supportforums.cisco.com/thread/2166573
  Thanks,
  Scott
  Help out other by using the rating system and marking answered questions as "Answered"

• Wireless Authentication/Security Design questions

  Wireless newbie here...I was required to quicky stand up a wireless deployment at a new warehouse/office building. I have the basic network up and working. My remote AP's have associated with the 2106 in the main office and users can associate and authenticate with the 1130G AP's and can access the office network. I did the basic configs and am now looking to tighten up security. My questions are as follows:
  1) The user clients are Dell Laptops with integrated wireless. They authenticate using LEAP..how do I migrate to EAP or do I need to. I have a Cisco ACS doing RADIUS authentication now.
  2) Should I be using some kind of supplicant client on the laptops?
  3) How do I filter mac's so rogue AP's and rogue clients cant try and associate.
  4) Am I correct in assuming the connections between the 1130 AP's and 2106 are secured and if so do I need to tweak anything to tighten them up?
  5) I have an AP in the main office building that I want to setup to detect rogue AP's. Do I have it associate as a regular AP and push some kind of policy to turn it into a detector?
  I have attached a diagram to help explain. Any help would be appreciated.
  v/r
  Chad

  1. LEAP is a form of EAP, so you must already have something terminating your EAP sessions. The WLC can do this to some extent, or ACS. Which one you chose will be based upon your requirements for manageability, scalability and feature-richness. I would suggest that PEAP-MSCHAPv2 provides a good balance of usability and security, and is significantly better than LEAP.
  2. No, stick with Windows XP SP2 supplicant. This can be configured using domain policy (2k3 SP1 or better) and is pretty good. Just make sure your laptops have new Intel drivers on them. Dell in particular have been quite bad with sending out old drivers in the builds.
  3. MAC authentication is now lergely regarded as a waste of time. It is so easy to spoof a MAC address it's ridiculous, and it's a fair amount of work for the admin(s).
  4. The LWAPP tunnel encrypts all management / config / security related traffic between the AP and WLC, while user data is simply encapsulated in LWAPP, so it can potentially be read if packets are captured.
  5. All APs will do rogue detection, don't really need to have dedicated APs unless you're REALLY paranoid. Main benefit is quicker detection, but drawback is that the 'detector' AP won't serve clients.
  Regards,
  Richard

• Hospitality based wireless authentication

                     Looking for a solution that meets the below requirements.  I don't think I can get this done with Cisco due to cost and the APs are not Cisco but the switches are.
  1) Force authentication for all new connections to the wireless
       a) Only 1 password but each new connection has to enter that password
       b) Authentications expires after a set amount of time (8+ hours or something to that effect)
  2) Allow access to certain pages without authentication (Walled Garden)
  3) Redirects all users to a particular web page once they authenticate
  We are currently using an older Nomadix device to get this done but it is going out of warranty and support at the end of the year.  Another Nomadix device is always an option but we wanted to see if there was anything better out there.
  Thanks in advance.  All replies rated.

  Normadix is probably what you want to stay with for what you need. I think the 3rd party software caters to this much better than a wireless vendor can. There was someone here a while back who works for Purple WiFi that has some good features also.
  http://www.purplewifi.net
  Sent from Cisco Technical Support iPhone App

• PEAP vs EAP-TLS Wireless Authentication Method

  Hi,
  I'm looking at implementing Certificate based authentication in my 10k+ user Cisco Wireless Network and currently deciding between PEAP and EAP-TLS.
  I read the following post which was very useful, however I see the post was back in 2005 and would like to check if EAP-TLS is easier to deploy now with Windows Server certificate auto-enrollment https://supportforums.cisco.com/thread/2142396.
  Is it possible to deploy EAP-TLS reasonably easily with certificate auto-enrollment? We also have iPads on the network and guess certificates will still need to be manually installed on these devices?
  We will eventually get ISE and Mobile Iron for BYOD, however they are not in my network and can't use them to deploy certificates yet.
  Thanks,

  Hi,
  I'm looking at implementing Certificate based authentication in my 10k+ user Cisco Wireless Network and currently deciding between PEAP and EAP-TLS.
  I read the following post which was very useful, however I see the post was back in 2005 and would like to check if EAP-TLS is easier to deploy now with Windows Server certificate auto-enrollment https://supportforums.cisco.com/thread/2142396.
  Is it possible to deploy EAP-TLS reasonably easily with certificate auto-enrollment? We also have iPads on the network and guess certificates will still need to be manually installed on these devices?
  We will eventually get ISE and Mobile Iron for BYOD, however they are not in my network and can't use them to deploy certificates yet.
  Thanks,