
EAP-FAST and Windows 2000 Server Support

Status: Not open for further replies.

jdyer (IS-IT--Management), Mar 24, 2003, US
I wasn't sure if I should put this in the Microsoft forums or in the Cisco forums, but here goes...

I have a wireless access point that I'm trying to get to communicate with a radius server running on my Windows 2000 Advanced Server Domain Controller. I tried configuring the radius server and configuring the access point to point to the radius server but from the client I'm not able to authenticate through Active Directory. My question is, does Windows 2000 or even Windows 2003 Server support the EAP-FAST protocol or are they limited to just MS-CHAP, MD5 Challenges and PEAP? We are trying to better secure our wireless network but are under a tight budget.

I know by purchasing Cisco Secure ACS 3.2 I would be able to authenticate using the EAP-FAST Authentication Method but due to those financial limitations I can't buy the license.

Are there any alternatives to EAP-FAST that allow me to still authenticate wireless users through Active Directory that won't cost me a fortune?

Thanks in advance.
Jeff
 
Ahhhh....no. The best you can do on a tight budget (as far as I've been able to do anyway) is to use the 1200 series AP as the local RADIUS server and put the user names and passwords into the AP. OK for a small set of users, not worth a hoot if you have a large base. Funk Software has the best RADIUS, but "educational" pricing is NOT cheap and you'll need a bunch of wireless users to justify the cost. FreeRADIUS I believe supports LEAP and it may be able to relay requests to a Windows RADIUS server. Haven't tried that.

If you had a Cisco VPN device, you could use a neutered VLAN for the wireless clients and let them use the Cisco VPN client to auth against the domain. Can probably do that with the MS VPN client too, but I've not done it.
 
Thanks. I'll give it a try. I don't want to have to enter in all the logins on the AP. I want to try to avoid upgrading AP's as well. I will if I have to though. Using the VPN Client to authenticate isn't a bad idea. I can try that.

Thanks again.
 
Ah Christ, don't use LEAP or EAP-FAST. Those are totally proprietary Cisco protocols. If you're on a tight budget, why would you go proprietary? LEAP on its own is the most insecure protocol you can use, you'd be better off using plain old WEP. Tools like ASLEAP will rip your network wide open if you use LEAP.

Use Windows 2003 IAS in PEAP mode. It's the easiest thing in the world to build a Windows 2003 Certificate Authority and roll it out on the active directory. It's not too hard to manually roll it out either if you don't have AD. I'll have a more detailed article on this by next week for Wireless LAN security.

If you're really on a tight budget, use an $80 Linksys 54g AP. That supports WPA mode and it will authenticate using EAP. Set that up with Windows 2003 IAS in PEAP or EAP-TLS and you've got the most secure network running WPA/PEAP mode.


George Ou
Network Systems Architect

Get more powerful articles and tools from my webpage
 
My email address is jdyer@elemica.com. If you could please send me your article. I would like to give it a shot. Thanks for your input. We are rolling out Windows 2003 Server first quarter next year so we may incorporate this strategy into the upgrade.

Jeff
 
These 2 articles are a must read for anyone running Cisco LEAP or considering EAP-FAST. No one else has anything significant on Cisco's new EAP-FAST protocol yet.


EAP-FAST: The LEAP and PEAP killer?
Is Cisco's new EAP-FAST protocol really "as easy as LEAP" and "as secure as PEAP"? See for yourself in this first of a kind article on EAP-FAST.

LEAP: A looming disaster in Enterprise wireless LANs
If you're like most Enterprises running Cisco's proprietary LEAP authentication protocol, you better read this paper and discover why you better start migrating fast.

George Ou
Network Systems Architect

 
George,

Thank you very much for the articles. I'll read them thoroughly. As soon as I roll out Windows 2003 Server I will look further into the IAS and Active Directory authentication method. I greatly appreciate your feedback. Please feel free to keep me informed on any future articles.

Thanks again,
Jeff Dyer
 
Hi there,
As far as I am informed, EAP-FAST might only be supported on Windows 2000 SP4 or higher.
I have a question too. How hard is it to implement the Active directory into a 802.1x solution like EAP Fast. Do you have any good links for that?
bye,
busche
 
EAP-FAST as far as I know works with the Cisco ACU client and the latest version of Cisco's ACS RADIUS server both of which you can update for free. I'm not sure about the Win2k SP4 business. As far as I'm concerned, you're wasting your time if you're not running XP SP1 with WPA patch or SP2 soon.

If you read my article on EAP-FAST, you probably won't want to run EAP-FAST. 802.1x and PEAP is more secure and much simpler. Not to mention that it works on just about all servers and clients. Using Active Directory with group policy to deploy 802.1x and PEAP is the easiest thing in the world. You can deploy it for 10,000 users in less than an hour.

Part 3 of my article will cover 802.1x and PEAP with Active Directory or manual deployment.

George Ou
Network Systems Architect

 
Just finished reading your article. It had really interesting points, thank you. My problem is that I have to plan 802.1x for a big company and they want me to test all the solutions that might be possible. They rolled out Windows 2000 last year and it will probably last until they come up with XP. They will probably go for EAP-TLS but I have to prove that this is the best solution for them. So I will probably test EAP-FAST, EAP-TLS and PEAP. Thanks for the links to the articles,
busche
 
EAP-TLS can be implemented automatically via Active Directory group policy for Windows XP SP1 (with WPA patch). Note that if you want to go as far as automating "user certificates" (not machine certificates), you will need to purchase Windows 2003 Enterprise edition to run the Certificate Authority. Only that version can automatically push out the "user certificates" needed for EAP-TLS. Note that EAP-TLS is the strongest EAP of all so it's well worth paying $1400 for Windows 2003 enterprise edition.

If you meet the requirements (Windows XP), you can deploy everything through active directory and group policy. You can patch Windows 2000 to run EAP-TLS or PEAP, but I'm not sure if it can be managed via group policy.

If you're going to run the Cisco supplicant (Cisco ACU), then you wouldn't be able to use group policy anyways. Even then, PEAP would be easier to deploy and probably more secure than EAP-FAST.

George Ou
Network Systems Architect

 
George,

It sure sounds like you know what you're talking about.

So my $20,000 question is, if it were up to you and you had an AD infrastructure, a Cisco ACS server and Cisco wireless and LAN/WAN equipment, what would be the most secure/easiest to implement security and why?

Thanks,

Ken
 
Ktripp,

See this article first:

This is also a must read:

ACS is horribly unstable and buggy. Use IAS on Windows 2003 w/SP1. Your domain controller should be Win2003 SP1 too, but other member servers can be 2000. This means you might have to upgrade your domain controller to Win2003 with SP1. Reason for this is that you can globally configure a very secure setup throughout the organization using PEAP or EAP-TLS authentication and WPA-TKIP or WPA-AES encryption. WPA2 global configuration is not supported on Win2003 server yet.

All your clients must be XP and have WPA driver support along with SP1+WPA_Patch or SP2 installed. Win2k does not support group policy configuration and does not support WPA so you'll need to use a 3rd party client and configure it manually or some other automation method.

When you set up the IAS server on Win2003 w/SP1 with Cisco Access Points, make sure you put VENDOR_Type=Cisco. Also make sure you don't use "enable fast reconnect" on the server or client end because it's problematic with Cisco APs.

George Ou
Network Systems Architect

 
I can definitely see the advantage of using a Windows 2003 IAS. Looks like one would have to use the Enterprise version to break the 50 user barrier.

Do you have an opinion on the odyssey client by funk? Was considering using this as we are still in a mixed client environment between 2000 and XP.

We also have some linux clients. Will these work with the MS IAS implementation?

Ken
 
Ktripp,

There is no 50 user barrier. It's 50 Access Points I think. You can support as many users as your Active Directory will handle. It's a straight pass through to active directory. Linux will work with the generic PEAP (PEAP-EAP-MSCHAPv2) or EAP-TLS implementation. It will not work with PEAP-EAP-TLS so stay away from that.

The Funk client is one of the better 3rd party clients out there. If you buy a $32 miniPCI Intel a/b/g (same as the one in Centrino branding), it comes with a nice WPA2 capable supplicant. If you're going to use something less than WinXP SP1, it comes in handy. SP1 with WPA patch is ok, SP2 is good, SP2 with the WPA2 patch is better. We'll have to wait a little for Windows 2003 group policy to support automatic WPA2 deployment.

This article tells you the best adapters to get that come with WPA or WPA2 client software for all versions of Windows.

George Ou
Network Systems Architect

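A Linux-side counterpart to the point above that Linux clients work against IAS with the generic PEAP (PEAP-EAP-MSCHAPv2): a wpa_supplicant network block, added here as an example and not taken from the thread or from Microsoft or Cisco documentation. The SSID, the user name, the CA file path and the RADIUS server name are all assumed. The two lines that make the profile safe are `ca_cert` and `domain_match`; without them wpa_supplicant still authenticates, but to whatever server answers, which is the man-in-the-middle exposure the thread discusses later. `domain_match` needs wpa_supplicant 2.x; older builds only have `subject_match`.

```conf
# /etc/wpa_supplicant/wpa_supplicant.conf  (added example; every name is assumed)
ctrl_interface=/var/run/wpa_supplicant

network={
    # assumed SSID
    ssid="corp-wlan"
    key_mgmt=WPA-EAP
    # WPA2/AES preferred, WPA/TKIP allowed for older access points
    pairwise=CCMP TKIP

    eap=PEAP
    # Active Directory user in UPN form (assumed account)
    identity="jdoe@corp.example"
    # placeholder; in practice supply the password through wpa_cli or a keyring
    password="change-me"

    # Server validation: trust only the root that issued the RADIUS server's
    # certificate and require the certificate name to match. Leaving these two
    # lines out makes wpa_supplicant accept any server certificate.
    ca_cert="/etc/ssl/certs/corp-root.pem"
    domain_match="radius.corp.example"

    # PEAPv0 with inner EAP-MSCHAPv2, which is what IAS speaks
    phase1="peaplabel=0"
    phase2="auth=MSCHAPV2"
}
```

The `ca_cert` file is the public certificate of the RADIUS server's issuing root (or of the self-signed server certificate itself), the same thing a Windows shop would push to the "Trusted root certificates" store with group policy.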
 
George,

Very good reading.

I'd like to start with the PEAP/EAP-MS-CHAP-V2 I think.
Correct me if I'm wrong, but this only requires a server side certificate, and not a client.

Can only get better from there.

I would still like to use the Cisco Secure ACS server (3.3). A lot of political reasons. I'm trying to generate a self-signed key. Do you have a recommended key length? What about the digest (SHA1, SHA, MD5, MD2)?

Thanks,

Ken
 
Political reasons? You mean they don't trust Microsoft? Funny that they're running ACS on top of Microsoft windows if that's the case.

Let me tell you something about IAS and ACS. IAS has been running for years without any problems and I can't remember the last time there was a remote exploit for IAS. I do remember ACS having lots of problems and lots of remote exploit holes. You can look up the vulnerability history on IAS and ACS yourself. IAS also just works a lot better for Microsoft VPN or wireless clients. The only thing I use ACS for is TACACS+.

1024-bit self-signed keys work just fine. You can still use active directory to push out its public key certificate so that the clients trust it.

George Ou
Network Systems Architect

 
Just to clarify, PEAP/EAP-MS-CHAP-V2 requires only the server to have a machine certificate; the client, though, must trust this certificate. So if the certificate on the RADIUS server is not trusted, the client won't authenticate.

Andy
 
You're right ADB100.

You only need a Machine Cert on the RADIUS server that is trusted by the clients. You can either post the certificate containing the public key of the RADIUS server with no risk, or you can push it out through Active Directory group policy by including it in the "Trusted root certificate" section. I like the latter solution a lot better. You can also buy a really cheap certificate for $60 from and it is already trusted by the clients.

Technically, you can force the client not to check server side certificates, but this would open you up to a man-in-the-middle attack. With Win2003 SP1, you could force all of the XP SP2 clients to not only check the cert of your choosing, but also prevent users from being prompted to accept another certificate a hacker can acquire from registerfly.com with a bogus name but still appear legit. Security is always better when you set things globally from the server side because there is no chance for user error.

George Ou
Network Systems Architect

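The certificate questions in the last few posts (what to generate for the RADIUS server, and why the client must both trust the issuer and check the server name) can be exercised with nothing but OpenSSL. The script below is an added example; it is not code from the thread, from Microsoft or from Cisco. It builds a private root CA and a RADIUS server certificate signed by it, plus a second CA standing in for a commercial CA that clients already trust and a certificate obtained from that CA under a name the attacker controls, then replays the client-side policies with `openssl verify`. Every name in it ("Corp Root CA", "Some Public CA", radius.corp.example, wifi.attacker.example) is an assumption. It uses 2048-bit RSA and SHA-256 rather than the 1024-bit self-signed key discussed above, since 1024-bit keys and MD5/SHA-1 signatures are no longer considered acceptable. It needs OpenSSL 1.0.2 or later on the PATH.

```shell
#!/bin/sh
# Added example (not from the thread). Lab for the PEAP server-certificate
# policy: private root + real RADIUS cert, "public" CA + attacker cert,
# and the client verdicts for each trust/name-check combination.
# All names below are made up for the demo.

write_req_config() {           # $1 = path; self-contained config so no distro openssl.cnf is needed
    printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' \
        '[dn]' 'CN = placeholder' \
        '[v3_ca]' 'basicConstraints = critical,CA:TRUE' \
        'keyUsage = critical,keyCertSign,cRLSign' 'subjectKeyIdentifier = hash' > "$1"
}

new_ca() {                     # $1 = output prefix, $2 = CA display name
    openssl req -x509 -config req.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
        -sha256 -days 3650 -subj "/CN=$2" -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

new_server_cert() {            # $1 = output prefix, $2 = host name, $3 = signing CA prefix
    openssl req -new -config req.cnf -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$2" -keyout "$1.key" -out "$1.csr" 2>/dev/null
    # Windows PEAP clients refuse a server certificate that lacks the
    # Server Authentication EKU, so it is set explicitly along with a SAN.
    printf '%s\n' "subjectAltName = DNS:$2" 'extendedKeyUsage = serverAuth' \
        'keyUsage = digitalSignature,keyEncipherment' 'basicConstraints = CA:FALSE' > "$1.ext"
    openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" -CAcreateserial \
        -sha256 -days 825 -extfile "$1.ext" -out "$1.pem" 2>/dev/null
}

# Supplicant policy: $1 = trusted root bundle, $2 = expected server name
# ("" = do not check the name), $3 = certificate the RADIUS server presented.
# Prints ACCEPT or REJECT.
client_check() {
    if [ -n "$2" ]; then
        openssl verify -CAfile "$1" -purpose sslserver -verify_hostname "$2" "$3" >/dev/null 2>&1 \
            && echo ACCEPT || echo REJECT
    else
        openssl verify -CAfile "$1" -purpose sslserver "$3" >/dev/null 2>&1 \
            && echo ACCEPT || echo REJECT
    fi
}

setup_lab() {                  # $1 = working directory; creates every key and certificate there
    ( cd "$1" || exit 1
      write_req_config req.cnf
      new_ca corp-root "Corp Root CA"
      new_ca public-ca "Some Public CA"
      new_server_cert radius radius.corp.example corp-root
      new_server_cert rogue wifi.attacker.example public-ca
      cat corp-root.pem public-ca.pem > both-roots.pem )
}

demo() {
    d=$(mktemp -d)
    setup_lab "$d"
    echo "corp root only, name pinned, real server:   $(client_check "$d/corp-root.pem" radius.corp.example "$d/radius.pem")"
    echo "corp root only, name pinned, rogue server:  $(client_check "$d/corp-root.pem" radius.corp.example "$d/rogue.pem")"
    echo "public CA trusted, no name check, rogue:    $(client_check "$d/both-roots.pem" "" "$d/rogue.pem")"
    echo "public CA trusted, name pinned, rogue:      $(client_check "$d/both-roots.pem" radius.corp.example "$d/rogue.pem")"
    # the thumbprint a client policy would pin for the trusted root
    openssl x509 -in "$d/corp-root.pem" -noout -fingerprint -sha1
}

demo
```

Run it as is to print the four verdicts and the private root's SHA-1 fingerprint (the thumbprint a client policy would pin). The third verdict is the case the last post warns about: a client that trusts a public CA but does not pin the server name accepts the attacker's perfectly valid certificate, so the only policies that reject it are trusting nothing but your own root, or pinning the server name, and ideally both, with the user prompt turned off so nobody can click through.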
 