Anyone using IAS and Cisco Aironet

[Duracel]

Has anyone managed to use IAS (RADIUS) to authenticate clients through Cisco Aironet 350 AP's and client adapter.

I have set up the AP's... IP, shared secret, authentication server, network EAP etc., etc.,

The client adapter associates and authenticates with the AP OK but then the EAP authentication fails I assume the problem is now the configuration of the IAS Server. Anyone got any pointers please?

Thanks in advance
Duracel.
(Lasts longer than any other net admin)

 

[SeaBird2000]

Hi all,

I am having the same problem. What Client-Vendor type do you use (i.e. Cisco, RADIUS standard...)?

Thanks,

SB

 

[Duracel]

Hi SB,
Ashamed to admit, I actually gave up trying to use EAP. I tried just about every combination of vendor attributes and still got no joy. The Cisco documetation and settings all seem straightforward, however I think the problem lies with IAS (no suprise there then!). The IAS logs show that authentication tries to take place but is rejected as not valid and subsequently logon is denied.
I couldn't find any further info so have now implemented 128bit shared secret and mac filtering for now but the admin is a nightmare. (having to add and remove macs to the tables all the time).
I intend to have another go at IAS when I get time but I'm tied up on other projects at the moment.
Hope you have more luck than me. (most people do!)

Duracel ;-)
On the other hand....usually four fingers and a thumb.

 

[SeaBird2000]

Hi Duracel,

I contacted Cisco yesterday and they told me that the EAP requires a certificate server. I will give it a try early next week. I will let you know if I have any luck.

As always, good luck to us )

SB

 

[Duracel]

SB,
I also tried using certificates and still got no joy. However it was the first time I had installed and used a certificate server so perhaps the config needed tweaking. If you manage to get it working then I would be more than interested in the config.

Many thanks,
Duracel ;-)

 

[SeaBird2000]

Duracel,

I finally got it to work (EAP-TLS). I used two certificates in this case: computer account and user account. I used just the computer account before and it did not work. The way that it works is when a workstation first turns on; it sends its computer certificate to the IAS. Once this process is completed, the access point will forward the traffic to the network (this is how a DHCP client can get an IP address). When a user actually logs on to the domain, that user's certificate will send to the IAS. If the certificate is valid, the access point will forward the traffic to the network.

Here is the order that I implemented the solution:

1. Setup the IAS with EAP-TLS and certificate server.
2. Use Active Directory to push out computer certificates.
3. Go to individual wireless workstation and logon then install the user certificate BEFORE configuring the access point to do the dynamic WEP. I used the web interface, but I think you can also use the MMC. Note that you must add the certificate for ALL users that logs on the workstation.
3. Configure the access point to use the dynamic WEP key and specify the RADIUS server.

That's all to it. Please let me know if you need additional information.

SB

 

[Duracel]

Hi SB,
What a man! I'll have a crack at this as soon as I have completed our current project (currently approx 4 weeks behind so likely to be towards the end of Jan). Thanks for your perseverance, I really appreciate your help.

Duracel

 

[coremt]

Duracel & SB,

I just got finished implementing the same solution that you guys are working on. Here are a couple of documents that I found extremely helpful:


Cisco EAP-TLS Deployment Guide

http://www.cisco.com/warp/public/cc/pd/sqsw/sq/tech/acstl_wp.pdf

Enterprise Deployment of Secure 802.11 Networks

http://www.microsoft.com/WindowsXP/pro/techinfo/deployment/wireless/80211corp.doc

If you need anything else let me know

-Coremt

 

[coremt]

One other thing. You can change Windows XP to only use host based authentication by adding a key to the registry. See Step 4 on the following document:

http://www.missl.cs.umd.edu/Projects/wireless/8021x/xpclient.html

-Coremt

 

[Helpy]

Hi guys (Coremet, Duracel & SB), can you confirm this:

EAP-TLS need certificates on computer account and client account.

PEAP-MS-CHAPv2 need certificate from a commercial certification authority on the IAS and Windows Wireless Clients use ROOT CA certificates.

So, for EAP-TLS i don´t need to buy any commercial certification authority? I only use a "local" certificate server created by my own?

For PEAP-MS-CHAPv2, is there any "Free" certificate server?

Regards,
Helpy

 

[ADB100]

I use an AP340 and IAS, I am using Microsoft PEAP with a Cisco 340 wireless card and an iPAQ 5450 with WM2003. You must have certificates for all your devices. Windows 2000 Server comes with Certificate Services so you can easily deploy a Certificate Authority Server.

This link is good:

http://www.missl.cs.umd.edu/Projects/wireless/8021x/

Andy

 

[bdoub1eu]

In my IAS server, under the profile for the remote access policy, under Authentication, I have the EAP option checked and then I chose the "smart card or other certificate" and then when I click configure, I see an old certificate.

How do I get IAS to see the new certificate I created?

Also, do you have to have a computer certificate and a user cert?