WPA2 Enterprise and autonomous 1231
I have a bunch of standalone AIR-AP1231G-A-K9 running c1200-k9w7-mx.123-8.JEC2/c1200-k9w7-mx.123-8.JEC2 which are currently set up for guest and company SSIDs. The guest I don't care about, but for company, it goes back to a Microsoft IAS RADIUS Certificate Authority using WEP. I want to migrate to WPA2 Enterprise without affecting the current setup, so I want to create some type of testing. Can I do so, or do I need to blow away wavenet with WEP altogether? If so, any sample configs out there?
Since you'll have to touch all the clients in order to change your security/encryption, why not add another SSID and define it as WPA2/Enterprise and point it to the same IAS server? I'm pretty sure that IAS will support that (I know your AP's will). Try it on one AP, then configure the others, then migrate your clients (kill the old SSID when you're done).
Similar Messages
-
WlanApi: Setting and connecting WPA2-Enterprise and PEAP
HI
I am writing an application using WlanApi with which we can connect to WiFi. The security settings are WPA2-Enterprise and PEAP.
Can someone help me with working code? I have tried a lot of things but am not able to make it work. It is returning an error "corrupted profile".
You can add a wireless profile to the profile store programmatically by calling WlanSetProfile.
Check this document: https://msdn.microsoft.com/en-us/library/windows/desktop/aa370030(v=vs.85).aspx
https://msdn.microsoft.com/en-us/library/windows/desktop/aa369853(v=vs.85).aspx
Best Regards,
Please remember to mark the replies as answers if they help -
Can the WAP4410N be setup with WPA2-Enterprise and also be repeater by another WAP4410N?
I have AP1 setup with WPA2-Enterprise. How would I setup AP2 (WAP4410N) to be a repeater for AP1?
Hi Alec,
Thanks for participating in the Small Business Support Community. I've posed your question to our engineers and the short answer is "no".
WAP4410N can only repeat or bridge other supported Small Business APs/Routers.
Thanks again for your participation and, although probably not the answer you wanted, I hope this helps.
Stephanie Reaves
Cisco Small Business -
WAP4410N with Security-Mode WPA2-Enterprise and WDS-Repeater
Hi,
I have two WAP4410N with the same firmware 2.0.7.4. One is configured as an access point with "Allow wireless signal to be repeated by a repeater." and the correct MAC of the repeater.
The repeater has the same settings (WPA2-Enterprise, both WAP4410N in B/G/N-Mode) and is configured as "Wireless WDS-Repeater" with the correct MAC of the first AP.
The problem is that the repeater does not repeat anything, and there is nothing in the logfile. Are my settings correct, or should I use "Wireless Client/Repeater" in my case? Does the WAP4410N support repeating in WPA2-Enterprise?
Thanks for your assistance
A dumb question first of all - when you entered the MAC address to repeat, did you use the wireless rather than the wired MAC address?
I also found that enabling http (wireless) access to the wap4410n repeater and then disconnecting the wired connection to the wap4410n ap helped set things up better.
If you search these forums I uploaded beta firmware that works much better than the one you're using. Alternatively you could use wap encryption, it seems that using WPA2-Personal is what messes up the firmware you're using. -
I configured my Aironet 1262N autonomous AP to authenticate and account my users against a FreeRADIUS server. In the RADIUS server database, I saw some records like:
select username, acctauthentic, acctterminatecause, acctstarttime, acctstoptime from radacct where username='xxxxxx';
| xxxxxx | RADIUS | Lost-Carrier | 2014-02-22 09:15:32 | 2014-02-22 11:15:58 |
| xxxxxx | RADIUS | Lost-Carrier | 2014-02-22 09:15:58 | 2014-02-22 12:16:36 |
| xxxxxx | Local | Lost-Carrier | 2014-02-22 09:16:37 | 2014-02-22 09:22:13 |
| xxxxxx | Local | Lost-Carrier | 2014-02-22 09:22:14 | 2014-02-22 09:27:34 |
| xxxxxx | Local | Lost-Carrier | 2014-02-22 09:27:35 | 2014-02-22 09:33:12 |
| xxxxxx | Local | Lost-Carrier | 2014-02-22 09:33:14 | 2014-02-22 09:38:34 |
| xxxxxx | Local | Lost-Carrier | 2014-02-22 09:38:35 | 2014-02-22 09:43:55 |
| xxxxxx | Local | Lost-Carrier | 2014-02-22 09:43:57 | 2014-02-22 09:49:17 |
| xxxxxx | Local | Lost-Carrier | 2014-02-22 09:49:18 | 2014-02-22 09:54:52 |
| xxxxxx | Local | Lost-Carrier | 2014-02-22 09:54:54 | 2014-02-22 10:00:14 |
| xxxxxx | Local | Lost-Carrier | 2014-02-22 10:00:14 | 2014-02-22 10:00:26 |
| xxxxxx | RADIUS | Lost-Carrier | 2014-02-22 10:00:26 | 2014-02-22 10:06:17 |
| xxxxxx | Local | Lost-Carrier | 2014-02-22 10:06:19 | 2014-02-22 10:11:39 |
| xxxxxx | Local | Lost-Carrier | 2014-02-22 10:11:41 | 2014-02-22 10:17:52 |
| xxxxxx | Local | Lost-Carrier | 2014-02-22 14:50:41 | 2014-02-22 14:50:42 |
| xxxxxx | RADIUS | Lost-Carrier | 2014-02-22 14:50:42 | 2014-02-22 15:01:25 |
| xxxxxx | Local | Lost-Carrier | 2014-02-22 15:01:26 | 2014-02-22 15:06:46 |
| xxxxxx | Local | Lost-Carrier | 2014-02-22 15:06:48 | 2014-02-22 15:12:08 |
| xxxxxx | Local | Lost-Carrier | 2014-02-22 15:12:09 | 2014-02-22 15:20:24 |
| xxxxxx | Local | Lost-Carrier | 2014-02-22 15:20:25 | 2014-02-22 15:28:33 |
| xxxxxx | Local | Lost-Carrier | 2014-02-22 15:28:35 | 2014-02-22 15:33:54 |
| xxxxxx | Local | Lost-Carrier | 2014-02-22 15:33:55 | 2014-02-22 15:39:15 |
| xxxxxx | Local | Lost-Carrier | 2014-02-22 15:39:17 | 2014-02-22 15:44:37 |
| xxxxxx | Local | Lost-Carrier | 2014-02-22 15:44:38 | 2014-02-22 15:49:59 |
| xxxxxx | Local | | 2014-02-22 15:49:59 | NULL |
As you can see, the Acct-Authentic field contains two possible values: Local and RADIUS. I didn't create any user with the name 'xxxxxx' on the AP, and I configured the authentication to be against the RADIUS server. Why are there so many Acct-Authentic = 'Local'?
Also, this user always lost his connection and then reconnected quickly. This user logs in to his account on multiple devices, including a smart phone and computers. All of them are experiencing the same issue. Is there any way to debug it? Any potential reasons?
Regards,
Lingfeng Xiong
Hi,
I have exactly the same problem with my freeradius and switches when the switches are on IOS 15.x.
You can see the log accounting :
| 5971 | 0000007E | bde8f71b768f2785 | | | | 10.254.1.253 | 50001 | Ethernet | 2014-04-03 23:23:04 | NULL | 0 | Local | | | 0 | 0 | | | | Framed-User | | | 0 | 0 | |
| 5972 | 0000007F | 27c15b7db52213d9 | | | | 10.254.1.253 | 50001 | Ethernet | 2014-04-03 23:23:04 | NULL | 0 | Local | | | 0 | 0 | | | | Framed-User | | | 0 | 0 | |
| 5973 | 00000080 | 8fb0d5fe41e82d65 | | | | 10.254.1.253 | 50002 | Ethernet | 2014-04-03 23:23:18 | NULL | 0 | Local | | | 0 | 0 | | | | Framed-User | | | 0 | 0 | |
| 5974 | 00000081 | fa753225306a1a30 | | | | 10.254.1.253 | 50002 | Ethernet | 2014-04-03 23:23:35 | NULL | 0 | Local | | | 0 | 0 | | | | Framed-User | | | 0 | 0 | |
| 5975 | 00000082 | 39b6dfcf6aa90e30 | | | | 10.254.1.253 | 50002 | Ethernet | 2014-04-03 23:25:57 | NULL | 0 | Local | | | 0 | 0 | | | | Framed-User | | | 0 | 0 | |
| 5976 | 00000083 | d7766e99f09aee2f | | | | 10.254.1.253 | 50024 | Ethernet | 2014-04-03 23:26:33 | NULL | 0 | Local | | | 0 | 0 | | | | Framed-User | | | 0 | 0 | |
| 5977 | 00000084 | 7094f61110fe4eef | | | | 10.254.1.253 | 50002 | Ethernet | 2014-04-03 23:29:22 | NULL | 0 | Local | | | 0 | 0 | | | | Framed-User | | | 0 | 0 | |
| 5978 | 00000085 | 66ded1d410f07c51 | | | | 10.254.1.253 | 50002 | Ethernet | 2014-04-03 23:30:00 | NULL | 0 | Local | | | 0 | 0 | | | | Framed-User | | | 0 | 0 | |
| 5979 | 00000086 | 326144c4321e0286 | | | | 10.254.1.253 | 50002 | Ethernet | 2014-04-03 23:30:32 | NULL | 0 | Local | | | 0 | 0 | | | | Framed-User | | | 0 | 0 | |
| 5980 | 00000087 | 01d1379a4f9c3365 | | | | 10.254.1.253 | 50002 | Ethernet | 2014-04-03 23:32:57 | NULL | 0 | Local | | | 0 | 0 | | | | Framed-User | | | 0 | 0 | |
| 5981 | 00000088 | 91164743f562dfdb | | | | 10.254.1.253 | 50002 | Ethernet | 2014-04-03 23:34:59 | NULL | 0 | Local | | | 0 | 0 | | | | Framed-User | | | 0 | 0 | |
| 5982 | 00000089 | abf1519e403f8305 | | | | 10.254.1.253 | 50002 | Ethernet | 2014-04-03 23:36:21 | NULL | 0 | Local | | | 0 | 0 | | | | Framed-User | | | 0 | 0 | |
| 5984 | 0000008B | 2e199e473e646ba4 | | | | 10.254.1.253 | 50002 | Ethernet | 2014-04-04 00:21:01 | NULL | 0 | Local | | | 0 | 0 | | | | Framed-User | | | 0 | 0 | |
| 5986 | 0000008C | cb4c2e11189d484c | | | | 10.254.1.253 | 50002 | Ethernet | 2014-04-04 00:28:10 | NULL | 0 | Local | | | 0 | 0 | | | | Framed-User | | | 0 | 0 | |
| 5987 | 0000008D | 1e928dc7eabc1e6d | | | | 10.254.1.253 | 50002 | Ethernet | 2014-04-04 00:28:11 | NULL | 0 | Local | | | 0 | 0 | | | | Framed-User | | | 0 | 0 | |
| 5988 | 0000008E | f1e3754a954e6863 | | | | 10.254.1.253 | 50002 | Ethernet | 2014-04-04 00:28:15 | NULL | 0 | Local | | | 0 | 0 | | | | Framed-User | | | 0 | 0 | |
| 5989 | 0000008F | e46d377efc8a47f8 | | | | 10.254.1.253 | 50002 | Ethernet | 2014-04-04 01:00:02 | NULL | 0 | Local | | | 0 | 0 | | | | Framed-User | | | 0 | 0 | |
| 5990 | 00000090 | e098f1dc19bdeee2 | | | | 10.254.1.253 | 50002 | Ethernet | 2014-04-04 01:01:02 | NULL | 0 | Local | | | 0 | 0 | | | | Framed-User | | | 0 | 0 | |
| 5991 | 00000091 | 6ae3acb7d57c9c5a | | | | 10.254.1.253 | 50002 | Ethernet | 2014-04-04 01:56:25 | NULL | 0 | Local | | | 0 | 0 | | | | Framed-User | | | 0 | 0 | |
| 5992 | 00000092 | abc974156cf20e23 | | | | 10.254.1.253 | 50021 | Ethernet | 2014-04-04 03:10:56 | NULL | 1943 | Local | | | 0 | 204825 | | | | Framed-User | | | 0 | 0 | |
| 5993 | 00000093 | be822673509843a6 | | | | 10.254.1.253 | 50002 | Ethernet | 2014-04-04 03:51:41 | NULL | 0 | Local | | | 0 | 0 | | | | Framed-User | | | 0 | 0 | |
| 5994 | 00000094 | 0a4366a6cd9eb0c5 | | | | 10.254.1.253 | 50002 | Ethernet | 2014-04-04 07:53:42 | NULL | 0 | Local | | | 0 | 0 | | | | Framed-User | | | 0 | 0 | |
| 5996 | 00000095 | 5d289b8db37d0c8d | | | | 10.254.1.253 | 50024 | Ethernet | 2014-04-04 08:58:22 | NULL | 0 | Local | | | 0 | 0 | | | | Framed-User | | | 0 | 0 | |
| 5997 | 00000096 | c4ea1e813085a6d7 | | | | 10.254.1.253 | 50024 | Ethernet | 2014-04-04 08:58:22 | NULL | 0 | Local | | | 0 | 0 | | | | Framed-User | | | 0 | 0 | |
| 6002 | 0000009A | a82ac41b1ff5f16b | | | | 10.254.1.253 | 50024 | Ethernet | 2014-04-04 09:03:12 | NULL | 0 | Local | | | 0 | 0 | | | | Framed-User | | | 0 | 0 | |
| 6004 | 0000009B | 0719718c780250c2 | | | | 10.254.1.253 | 50024 | Ethernet | 2014-04-04 09:53:30 | NULL | 0 | Local | | | 0 | 0 | | | | Framed-User | | | 0 | 0 | |
| 6005 | 0000009C | c58f9c5e30b60fb7 | | | | 10.254.1.253 | 50016 | Ethernet | 2014-04-04 09:56:54 | NULL | 0 | Local | | | 0 | 0 | | | | Framed-User | | | 0 | 0 | |
| 6007 | 0000009D | f78cc71528fd7898 | | | | 10.254.1.253 | 50024 | Ethernet | 2014-04-04 09:56:54 | NULL | 0 | Local | | | 0 | 0 | | | | Framed-User | | | 0 | 0 | |
| 6008 | 0000009E | 200a1608264cc03c | | | | 10.254.1.253 | 50019 | Ethernet | 2014-04-04 10:01:14 | 2014-04-04 10:30:24 | 1750 | Local | | | 114654 | 93145 | | | Lost-Carrier | Framed-User | | | 0 | 0 | |
| 6009 | 0000009F | c5ec021f0ef399c1 | | | | 10.254.1.253 | 50019 | Ethernet | 2014-04-04 10:01:44 | 2014-04-04 10:30:24 | 1720 | Local | | | 109122 | 86295 | | | Lost-Carrier | Framed-User | | | 0 | 0 | |
| 6013 | 000000A4 | 042773e07781caba | | | | 10.254.1.253 | 50019 | Ethernet | 2014-04-04 10:30:26 | 2014-04-04 10:39:51 | 565 | Local | | | 36891 | 39077 | | | Lost-Carrier | Framed-User | | | 0 | 0 | |
| 6015 | 000000A5 | f6b305e3f0d6aa5a | | | | 10.254.1.253 | 50019 | Ethernet | 2014-04-04 10:30:56 | 2014-04-04 10:39:51 | 535 | Local | | | 31698 | 32171 | | | Lost-Carrier | Framed-User | | | 0 | 0 | |
| 6017 | 000000A6 | ef6cad3df24ccd61 | | | | 10.254.1.253 | 50002 | Ethernet | 2014-04-04 10:42:20 | NULL | 0 | Local | | | 0 | 0 | | | | Framed-User | | | 0 | 0 | |
Someone has an idea ?
Thanks,
Best regards, -
How do I configure a cisco 1131 AP to use WPA2 enterprise and authenticate to Active Directory
I have a Win2008 server set up as a radius server (192.168.32.71) and a stand alone AP (192.168.201.9). The AP config is below:
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname ap
enable secret 5 $1$IdUV$UvE2IJTNzHX6mW6Mmh3At0
ip subnet-zero
ip domain name TKGCORP.local
ip name-server 192.168.32.71
aaa new-model
aaa group server radius rad_eap
aaa group server radius rad_mac
aaa group server radius rad_acct
aaa group server radius rad_admin
aaa group server tacacs+ tac_admin
aaa group server radius rad_pmip
aaa group server radius dummy
aaa group server radius rad_eap1
server 192.168.201.9 auth-port 1812 acct-port 1813
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication login eap_methods1 group rad_eap1
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
dot11 ssid ka_test
vlan 201
authentication open eap eap_methods1
authentication network-eap eap_methods1
guest-mode
power inline negotiation prestandard source
username Cisco password 7 112A1016141D
username tkgadmin privilege 15 password 7 022D167B06551D60
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
encryption vlan 201 mode ciphers aes-ccm tkip
encryption key 1 size 128bit 7 673B0AA56FCB4E630D8E4856427E transmit-key
encryption mode wep mandatory
broadcast-key change 150
ssid ka_test
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
bridge-group 1
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface Dot11Radio0.201
encapsulation dot1Q 201
no ip route-cache
bridge-group 201
bridge-group 201 subscriber-loop-control
bridge-group 201 block-unknown-source
no bridge-group 201 source-learning
no bridge-group 201 unicast-flooding
bridge-group 201 spanning-disabled
interface Dot11Radio1
no ip address
no ip route-cache
shutdown
encryption key 1 size 128bit 7 B711059074E30B1E1D4E3EC038BB transmit-key
encryption mode wep mandatory
broadcast-key change 150
speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
hold-queue 160 in
interface FastEthernet0.201
encapsulation dot1Q 201
no ip route-cache
bridge-group 201
no bridge-group 201 source-learning
bridge-group 201 spanning-disabled
interface BVI1
ip address 192.168.201.9 255.255.255.0
no ip route-cache
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
radius-server local
no authentication eapfast
no authentication mac
nas 192.168.201.9 key 7 010703174F
radius-server attribute 32 include-in-access-req format %h
radius-server host 192.168.32.71 auth-port 1645 acct-port 1646 key 7 0835495D1D
radius-server host 192.168.201.9 auth-port 1812 acct-port 1813 key 7 0010161510
radius-server vsa send accounting
control-plane
bridge 1 route ip
line con 0
line vty 0 4
end
Sorry for the late reply Steve. The link you provided was extremely helpful; here is what my config looks like now:
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname ap
enable secret 5 $1$7vHS$YWCMbrlAgDUayKlOHhMlF1
ip subnet-zero
ip domain name TKGCORP.local
ip name-server 192.168.32.71
aaa new-model
aaa group server radius rad_eap
server 192.168.32.71 auth-port 1645 acct-port 1646
aaa group server radius rad_mac
aaa group server radius rad_acct
aaa group server radius rad_admin
aaa group server tacacs+ tac_admin
aaa group server radius rad_pmip
aaa group server radius dummy
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
dot11 ssid wap_test
authentication open eap eap_methods
authentication network-eap eap_methods
authentication key-management wpa
guest-mode
infrastructure-ssid optional
power inline negotiation prestandard source
username Cisco password 7 047802150C2E
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
encryption mode ciphers tkip
ssid wap_test
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface Dot11Radio1
no ip address
no ip route-cache
shutdown
speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
hold-queue 160 in
interface BVI1
ip address 192.168.201.9 255.255.255.0
no ip route-cache
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
radius-server attribute 32 include-in-access-req format %h
radius-server host 192.168.32.71 auth-port 1645 acct-port 1646 key 7 071B245F5A
radius-server vsa send accounting
control-plane
bridge 1 route ip
line con 0
line vty 0 4
end
I get a login screen but it will not let me connect, on my radius server I have it set to allow a group that my username is in. Here are some debugs from when I try to connect to the AP:
ap#debug aaa authentication
AAA Authentication debugging is on
ap#
*Mar 2 01:11:53.284: AAA/BIND(00000006): Bind i/f
*Mar 2 01:11:53.355: AAA/AUTHEN/PPP (00000006): Pick method list 'eap_methods'
*Mar 2 01:11:54.556: %DOT11-7-AUTH_FAILED: Station c0cb.3835.a102 Authentication failed
*Mar 2 01:11:55.280: AAA/BIND(00000007): Bind i/f
*Mar 2 01:11:55.404: AAA/AUTHEN/PPP (00000007): Pick method list 'eap_methods'
*Mar 2 01:11:56.349: AAA/BIND(00000008): Bind i/f
*Mar 2 01:11:56.525: AAA/AUTHEN/PPP (00000008): Pick method list 'eap_methods'
*Mar 2 01:11:57.300: AAA/BIND(00000009): Bind i/f
*Mar 2 01:11:58.070: AAA/BIND(0000000A): Bind i/f
*Mar 2 01:11:58.812: AAA/BIND(0000000B): Bind i/f
*Mar 2 01:12:15.470: AAA/AUTHEN/PPP (0000000B): Pick method list 'eap_methods'
*Mar 2 01:12:15.492: %DOT11-7-AUTH_FAILED: Station c0cb.3835.a102 Authentication failed
ap#undebug all
All possible debugging has been turned off -
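An added example, not code from any poster or from Cisco: a small Python audit for autonomous-AP configurations of the kind posted in this thread, which also fits the WEP-to-WPA2 migration threads on this page. It flags an SSID without WPA key management, any cipher other than AES-CCM on the interface and VLAN carrying the SSID, and an EAP method list whose RADIUS group is empty or points at the AP's own address. Both configs are constructed samples with documentation addresses, and the finding names are this example's own.

```python
import re
from collections import defaultdict
# Constructed sample modelled on the first config in the thread (made-up names).
WEAK_CONFIG = """\
aaa group server radius rad_eap1
 server 192.0.2.9 auth-port 1812 acct-port 1813
aaa authentication login eap_methods1 group rad_eap1
dot11 ssid corp_test
 vlan 201
 authentication open eap eap_methods1
 authentication network-eap eap_methods1
interface Dot11Radio0
 encryption vlan 201 mode ciphers aes-ccm tkip
 ssid corp_test
interface BVI1
 ip address 192.0.2.9 255.255.255.0
"""
# Constructed corrected counterpart: external RADIUS, WPA key management, AES-CCM only.
HARDENED_CONFIG = """\
aaa group server radius rad_eap
 server 198.51.100.71 auth-port 1645 acct-port 1646
aaa authentication login eap_methods group rad_eap
dot11 ssid corp_test
 vlan 201
 authentication open eap eap_methods
 authentication network-eap eap_methods
 authentication key-management wpa
interface Dot11Radio0
 encryption vlan 201 mode ciphers aes-ccm
 ssid corp_test
interface BVI1
 ip address 192.0.2.9 255.255.255.0
"""
HEADER = re.compile(r"^(aaa group server radius|dot11 ssid|interface) (\S+)")
LOGIN = re.compile(r"^aaa authentication login (\S+) group (\S+)")
ENC = re.compile(r"^encryption (?:vlan (\d+) )?mode (ciphers|wep) (.+)$")

def parse_config(text):
    """Collect the AAA, SSID and interface settings that decide Wi-Fi security."""
    cfg = {"groups": defaultdict(list), "lists": {}, "ssids": {},
           "ifaces": {}, "local_ips": set()}
    kind = name = None
    for raw in text.splitlines():
        line = raw.strip()  # pasted configs often lose their indentation
        if (m := HEADER.match(line)):
            kind, name = m.groups()
            if kind == "dot11 ssid":
                cfg["ssids"][name] = {"vlan": None, "eap": set(), "wpa": False}
            elif kind == "interface":
                cfg["ifaces"][name] = {"enc": {}, "ssids": []}
        elif line.startswith("aaa "):
            kind = None  # any other global aaa line closes the open section
            if (m := LOGIN.match(line)):
                cfg["lists"][m.group(1)] = m.group(2)
        elif kind == "aaa group server radius":
            if (m := re.match(r"^server (\S+)", line)):
                cfg["groups"][name].append(m.group(1))
        elif kind == "dot11 ssid":
            ssid = cfg["ssids"][name]
            if (m := re.match(r"^vlan (\d+)$", line)):
                ssid["vlan"] = m.group(1)
            elif (m := re.match(r"^authentication (?:open eap|network-eap) (\S+)", line)):
                ssid["eap"].add(m.group(1))
            elif line.startswith("authentication key-management wpa"):
                ssid["wpa"] = True
        elif kind == "interface":
            iface = cfg["ifaces"][name]
            if (m := re.match(r"^ip address (\d+(?:\.\d+){3}) ", line)):
                cfg["local_ips"].add(m.group(1))
            elif (m := ENC.match(line)):
                words = m.group(3).split() if m.group(2) == "ciphers" else ["wep"]
                iface["enc"][m.group(1)] = set(words)  # keyed by VLAN id or None
            elif (m := re.match(r"^ssid (\S+)$", line)):
                iface["ssids"].append(m.group(1))
    return cfg

def audit(cfg):
    """Return {ssid: [finding, ...]}; an empty list means nothing was flagged."""
    findings = defaultdict(list)
    for ssid, s in cfg["ssids"].items():
        out = findings[ssid]
        if not s["wpa"]:
            out.append("no-wpa-key-management")
        for ifname, iface in cfg["ifaces"].items():
            if ssid in iface["ssids"]:
                ciphers = iface["enc"].get(s["vlan"], set())
                if "aes-ccm" not in ciphers:
                    out.append(f"{ifname}: no-aes-ccm")
                for weak in sorted(ciphers - {"aes-ccm"}):
                    out.append(f"{ifname}: weak-cipher {weak}")
        for lst in sorted(s["eap"]):
            servers = cfg["groups"].get(cfg["lists"].get(lst), [])
            if not servers:
                out.append(f"{lst}: radius-group-empty")
            elif set(servers) <= cfg["local_ips"]:
                out.append(f"{lst}: radius-is-ap-itself")
    return dict(findings)

if __name__ == "__main__":
    print(audit(parse_config(WEAK_CONFIG)))
```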
WPA2-Enterprise + EAP (PEAP) and 802.1x to authenticate to RADIUS server NPS
I need to connect my iPhone and my iPad to the corporate wireless network using WPA2-Enterprise and 802.1x to authenticate against a RADIUS server with my corporate user. What is the procedure to configure the clients? Certificates are not necessary on the client. The RADIUS server is a Microsoft NPS and the WLC is a Cisco 5508.
thanks !!!
WPA and WPA2 are all actually interim protocols that are used until the standardization of the IEEE 802.11i standard. The Wi-Fi Alliance decided that ratification and standardization of the 802.11i standard would take more time. So, they came up with WPA.
Now, WPA2 is an advanced version of WPA. WPA2 uses AES as the encryption algorithm, whereas WPA uses TKIP as the encryption mode, which in turn uses the RC4 encryption algorithm.
WPA and WPA2 are each actually of 2 types.
WPA/WPA2-PSK - This is mainly for small offices. This uses a Pre-Shared Key for authentication.
WPA/WPA2-Enterprise - This uses a RADIUS server for authentication. This is an extension to 802.1x authentication. But this uses a stronger encryption scheme (WPA uses RC4 and WPA2 uses AES).
Any authentication mechanism that involves a separate authentication server for authentication, like an ACS server, is called 802.1x authentication.
EAP stands for Extensible Authentication Protocol. It refers to the type or method of 802.1x authentication by the RADIUS/Tacacs server. A RADIUS server can authenticate a wireless client with various EAP methods.
LEAP is one type of EAP. It uses a username and password for authenticating wireless clients. LEAP is Cisco proprietary.
There are also EAP types which use other user credentials like certificates, SIM etc. for authentication.
The following document might clarify your doubts.
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_q_and_a_item09186a00805e8297.shtml -
WPA2 Enterprise setup question
I have been trying to complete a WPA2 Enterprise setup, and I have hit a wall in troubleshooting. The current setup has two SSIDs, but the users only use one of these SSIDs, and that one is setup as WEP (I know...I know). I have been tasked with getting the users on a stronger security setup, and I thought that the best way would be to have them use WPA2 Enterprise, and they would authenticate to the network using their Active Directory user name and password.
I have been trying to get the secondary SSID converted over to do this, but I am stuck. I have setup the access point (Cisco 1140) the way that I believe should work, and I have also went through the Radius server (Microsoft Server 2008 R2) and set it up with some suggestions I have ran while researching.
I am hoping someone can see what I am doing wrong, or guide me to setup a more secure connection. My networking/Cisco skills are intermediate so there are things that I miss or could improve on at times.
I am attaching the config on the access point, and some screen shots off of our Radius server.
The radius server is 10.90.9.9
SSID that I am trying to configure is AAA
AP IP address 10.90.6.6
Please let me know if there is any information that I am missing. I will get it to you right away.
Edit - One thing I didn't include was that we don't have a certificate for this. Preferably I would like to set this up without a cert, and just have them authenticate with the user/pass from AD. If a cert is needed though, I can get one. Thanks :)
Thanks.
Hi Brent,
Here is a working configuration for similar requirement using ACS as RADIUS server. Hope it is useful for you to get this working.
http://mrncciew.com/2013/11/14/autonomous-ap-with-external-radius/
Pls do not forget to rate our responses if it is useful to you.
HTH
Rasika -
WPA2 Enterprise connections don't work
Hi everyone,
Configuration: MacBook Pro 7,1, 2,4GHz, Mac OS X 10.6.5.
Three user accounts (one for me, two for friend's backup), two of them have admin rights. I'm using one of these accounts.
I'm having a strange issue with *WPA2 Enterprise*-based access points, namely, the private one on my university's campus, and the eduroam one. Eduroam is, roughly, a SSID that is available in participating institutions worldwide, and allows connection from personnel registered in any of these institutions without having to ask for a guest access.
On eduroam, one is supposed to select the eduroam SSID in the list of network available, select "Security: WPA2 Enterprise", and type his institutional email address as a username. "Password" should remain blank for now, and in front of the "802.1X", select "Auto". On clicking the "Connect" button for the first time, a "Check certificate" dialog should appear with three buttons, "Display", "Cancel", "Continue", where one would click "Continue". Finally, a "802.1X authentication" dialog would appear, when a user would put his email address as username, and type in his institutional password to log in. Then, the user would be online without further fuss.
On my university network, it's even simpler. One should select it, type in the IT login, then the corresponding password, before being allowed to be online.
On my normal user account, I never get the "Check certificate" dialog for eduroam, and on the uni's network, it never seems to connect. Ultimately, I get the exclamation point over the wireless waves, meaning that the card self-assigned an IP. Then it tries to connect again (the icon is waving), then fails again. No other authentication is affected, and a quick look in the logs doesn't show anything salient.
On the other user account, the connection to either of these SSID works as written, on the first try.
So it's no hardware issue.
I first tried to create a new wireless profile, and recreate the connection. It failed, once again, for both networks.
So to the Genius Bar I went. Since it's a login issue, we deleted the ~/Library/Keychains/login.keychain item, rebooted. Since the issue couldn't be reproduced in store, he advised me to delete the "session" keychain and reboot if the problem persisted. He asked me if the computer crashed while I was logged in anywhere in the past (before 10.6.5), and yes I said, adding that I let AppleJack do the automated repair. He checked with a colleague, on a tech forum, spent 30 min with me, but came back with the dreaded conclusion that, at least in that store, they ended up doing what he named "partial restore" to correct a similar issue, in contrast to "archive and install".
Off to the uni I went, and recreating the connection failed again. In the Access Keychain, I then removed the session keychain, with both the references and files (default is reference only), since they referred to passwords I already knew, rebooted, logged in, and tried to connect, to no avail. The other user account still works.
What else should I try? Ironically enough, I reinstalled OS X more times in two years than I did Windows in eight, and want to avoid the time-consuming step of reinstalling applications, and the very tricky part - ownership issues - of manually importing documents and only selected settings.
I was chasing a similar authentication issue on OS X ≥ 10.5.8 for quite some weeks. My setup does use MS 2008 Server (AD, NPS, Radius) and SonicWall SonicPoint (multi SSID on VLAN).
When I started evaluating the different options, I didn't realize such issues. But when it came to the final usage guidelines I had serious issues connecting with Mac OS X to the WPA2 Enterprise network (BlackBerry and iOS were never an issue)!
I finally did work out that you can only authenticate once successfully if you use the "Ask to join networks" popup - instead I had to select the network manually from the airport, provide my credentials and select "remember this network" to store the network and its radius profile! I guess this behavior may have something to do with the credentials stored/reused in/from the keychain for the second login.
Also, I did notice you have to make sure you quit your system preferences each time you expect a change due to newly stored networks or radius profiles!
Hope this may help other users to troubleshoot similar issues! -
Connecting Z10 to WPA2-Enterprise Wifi
Haloo...
Please help by giving any clue to connecting Blackberry Z10 to Office Wifi which is using WPA2-Enterprise security type.
Thank you in advance
Regards,
Tri Harnoko
Hey harnoko,
Welcome to the BlackBerry Support Community Forums.
Thanks for the question.
When adding a Wi-Fi network, change the security type to WPA2-Enterprise and fill out the required security information.
Do you receive any specific errors when adding the Wi-Fi network?
Let me know if you have any more questions.
Cheers.
-ViciousFerret
Come follow your BlackBerry Technical Team on Twitter! @BlackBerryHelp
Be sure to click Like! for those who have helped you.
Click Accept as Solution for posts that have solved your issue(s)! -
Host in network is not reachable over WPA2-Enterprise encryption
hello together,
i'm running a WRVS4400N router with parallel WPA2-Enterprise and WPA2-Personal wireless networking. If I try to ping a host on the network I get two different results:
The ping over the WPA2-Personal network is working pretty well.
Over the WPA2-Enterprise network the host isn't reachable.
This happens only to one special host, internet and other host are working well.
Do you have any idea why this host is only reachable over the WPA2-Personal network??
Thank you for any help you can provide in this situation.
phaenovum
Hi,
According to the log, your iPad tried to connect the remote server with IP address 10.100.01.01/32. Please check if it is the correct IP address of the server.
Also, please make sure that your iPad can connect to your VPN network successfully and get a valid IP address so that it can remote your internal server.
Thanks.
Jeremy Wu
TechNet Community Support -
Connecting to WPA/WPA2 Enterprise Network
I am trying to configure an Apple TV to connect to our corporate network. I have a service account in AD that I am using in the profile, have pointed to our cert and trusted it in the profile, selected WPA/WPA2 Enterprise, and selected PEAP as the 802.1X authentication. I have done this after going over the settings with our network security engineer. Everything looks correct. After installing the profile and connecting it to the TV, I can only get a 169.X.X.X address (should be our private WiFi network of 10.9.X.X). Has anyone successfully done this?
This is a user to user help forum only so no one here knows what Apple is working on.
http://www.apple.com/feedback/iphone.html -
Airport Express broadcasting both WPA2 Personal and WPA2 Enterprise?
We were recently scanning for wireless access points for a client using a product called Vistumbler. The client had two older Airport Express wireless routers, set to use WPA2 Personal, but Vistumbler was detecting both WPA2 Personal and WPA2 Enterprise during the scans. Has anyone else seen this before with any other routers or scanning software? If so, was there a way to only broadcast the current encryption setting?
The AirPorts can be set to WPA2 Personal.......OR........WPA2 Enterprise, but only one setting can be activated at a time.
In the highly unlikely event that the AirPort Express devices are really broadcasting with two different types of encryption, the devices either have corrupted software settings, or they are defective.
Try another scanner......like WiFi Scanner, located in the Utilities folder of the Mac, or another application to see if you get the same results. -
Officejet 6000 wireless and WPA2-Enterprise network security
I own an Officejet 6000 wireless printer. The manual says that it should be compatible with a wireless network with WPA2-Enterprise network security, but when setting up the connection (I am using a MacBook and am setting the printer up via USB connection) the network is listed but the security type is "unsupported." For whatever it's worth, it is listed 5 or 6 times, but probably that's a different issue.
I can still select the right network but it only asks for a security key, but my network security requires a log-in name and password.
What can I do to get my printer connected to the network?
I get the feeling that most of the people replying here don't know the difference between WPA2-Personal and WPA2-Enterprise.
Personal has a passkey.
Enterprise uses both a username and password, usually in conjunction with a Radius server (802.1X authentication).
What we've had to do to solve this problem is create a second SSID on the network that authenticates on WPA2-Personal. We use a really long password to secure the network, one that I will never be able to memorize in my lifetime.
All we can hope for is that these enterprise-level vendors will, perhaps, gain a greater understanding of wireless authentication processes and the needs of actual enterprise customers who have at least a perceived need for wireless printer capabilities. It used to be that the customer was always right, though. Perhaps those days are gone...
The other problem that probably ought to be addressed on consumer end is the fact that multicast tools that make AirPrint work (such as Bonjour), are being blocked from crossing between your wired and wireless networks, perhaps by the wireless controller or due to inefficient routing hierarchy or NAT/PAT issues. Solve this issue and you won't have a need for wireless printers. -
Airport Express version 7.6
Airport Utility 5.5.3
I want to use the Airport Express simply to bridge an Ethernet connection to wireless using WPA 2 Enterprise (Wireless network uses RADIUS authentication)
Wireless mode is set to "Join a wireless network"
Wireless Security is set to "WPA/WPA2 Enterprise"
Problem is that there is no place that I can find to enter the username and password for the Enterprise security.
Thanks