Thanks, Frank-

 I realize LDAP is hamstringing us, but AD may not be ready for primetime for 
our environment from a timing perspective... Given that Cisco ACS is in house, 
LDAP MAY have to be used initially, and say we have to start with TTLS before 
we can run with PEAP- is there a known, PREFERRED, FREE!!!, Windows-friendly 
TTLS supplicant? I've seen Xsupplicant recommended, but it doesn't appear to 
have a Windows version.

Again- thanks.

Lee



>>> Frank Bulk <[EMAIL PROTECTED]> 2/28/2006 4:35 PM >>>
Lee:

If you're using LDAP that limits many of your choices, unfortunately.  
==
If your directory server is based on LDAP, your options are limited based on
how your passwords are stored.

Cisco's Secure ACS LDAP integration supports EAP-TLS and PEAPv1/EAP-GTC. In
the first type, LDAP is used to retrieve the user's public-key certificate for
comparison with both the client and the user's private-key certificate. In the
second type, the environment must support one-time keys, as with token cards.

If your passwords are stored in MSCHAPv2 format, as is the case with
Windows Domains and Active Directory, you can use the LDAP features of
other RADIUS vendors to take advantages of EAP-TTLS and PEAP.

If your passwords are stored in your LDAP directory in the clear, you can use
EAP-TLS/PAP and EAP-TTLS/PAP as well as a few others, depending on the
RADIUS vendor.
        
http://www.networkcomputing.com/mobile/archives/mobile_archive_011106.html 
==
In other words, you should be able to front end your LDAP infrastructure
with a 3rd-party RADIUS server.

As for roaming, Cisco's CCKM (proprietary standard!) does support fast
secure roaming with PEAP. Go here:
http://www.cisco.com/univercd/cc/td/doc/product/wireless/cb21ag/acau02/au_prof.htm#wp1094945
And scroll down to CCKM to see some background and caveats.

Regards,

Frank

-----Original Message-----
From: Lee Badman [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, February 28, 2006 12:53 PM
To: [email protected] 
Subject: [WIRELESS-LAN] Few more 802.1X questions

Given these specific resources:

- Cisco ACS 3.3
- LDAP (moving to AD, but not at first)
- Cisco 1130/1200s running latest 12.3(7) JA2 IOS code
- Up-to-date Windows XP users native supplicants
- Macintosh 10.4 users (latest) native supplicants

And looking at piloting an 802.1x environment using PEAP...

Looking for comments on-

- Roaming (I believe fast secure roaming doesn't work with PEAP)
satisfaction
- Users that may have used 802.1X migration as a juncture to give up the
typical wireless DMZ and make wireless an extension of the wired network
(for authorized users)
- Luck with WPA with a broad range of client hardware likely found in a
"bring what you have" laptop/handheld environment
- Success with Windows Mobile
- General satisfaction
- Horrors experienced
- Anything else relevant to the exercise with the resources described above.

As usual- thanks for the great input this list tends to provide!

Lee Badman

Lee Badman
Network Engineer
CWNA, CWSP
Information Technology and Services
(Formerly Computing and Media Services)
Syracuse University
(315) 443-3003
[EMAIL PROTECTED] 

**********
Participation and subscription information for this EDUCAUSE Constituent
Group discussion list can be found at http://www.educause.edu/groups/.
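The point Frank makes above (which EAP method you can run depends on how the LDAP directory stores passwords) can be made concrete. The following is an added example, not code from the thread, from Cisco ACS or from any RADIUS vendor: it takes constructed LDAP entries in the RFC 2307 "{SCHEME}base64" convention, shows how a RADIUS server verifies a password it received in the clear inside a TTLS/PAP or PEAP/GTC tunnel against a salted hash, and reports which inner methods each entry can back. MSCHAPv2 is the odd one out because the server only sees a challenge/response and needs the NT hash (here assumed to live in a sambaNTPassword attribute) or a cleartext password to derive it. The attribute names, sample users and salt are assumptions for illustration.

```python
import base64
import hashlib
import hmac

# RFC 2307 storage schemes this example understands: name -> (hashlib algo, salted?)
# {CRYPT} is deliberately left out; a real server hands that to the platform crypt().
SCHEMES = {
    "SHA": ("sha1", False),
    "SSHA": ("sha1", True),
    "MD5": ("md5", False),
    "SMD5": ("md5", True),
}
DIGEST_LEN = {"sha1": 20, "md5": 16}


def encode_password(password, scheme, salt=b""):
    """Build a userPassword value such as '{SSHA}base64(digest + salt)'."""
    if scheme == "CLEARTEXT":
        return password
    algo, salted = SCHEMES[scheme]
    if not salted:
        salt = b""
    digest = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))


def split_scheme(stored):
    """Return (scheme, payload); a value without a {SCHEME} prefix is cleartext."""
    if stored.startswith("{") and "}" in stored:
        scheme, payload = stored[1:].split("}", 1)
        return scheme.upper(), payload
    return "CLEARTEXT", stored


def verify_pap(password, stored):
    """Check a cleartext password (as delivered by TTLS/PAP or PEAP/GTC inside the
    TLS tunnel) against a stored userPassword value. Because the server holds the
    cleartext, it can re-hash under whatever scheme the directory used."""
    scheme, payload = split_scheme(stored)
    if scheme == "CLEARTEXT":
        return hmac.compare_digest(payload.encode("utf-8"), password.encode("utf-8"))
    if scheme not in SCHEMES:
        return False  # unknown scheme: refuse rather than guess
    algo, salted = SCHEMES[scheme]
    raw = base64.b64decode(payload)
    digest, salt = raw[:DIGEST_LEN[algo]], raw[DIGEST_LEN[algo]:]
    if not salted and salt:
        return False  # unsalted scheme must not carry trailing bytes
    expected = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)


def inner_methods(entry):
    """Map EAP methods to whether this directory entry can back them.

    PAP and GTC (static password) give the server the cleartext, so any hash
    scheme works. MSCHAPv2 needs the NT hash (sambaNTPassword, assumed here) or a
    cleartext password to derive it. EAP-TLS needs only a certificate."""
    pw_values = entry.get("userPassword", [])
    schemes = {split_scheme(v)[0] for v in pw_values}
    nt_capable = "CLEARTEXT" in schemes or "sambaNTPassword" in entry
    return {
        "EAP-TLS": "userCertificate" in entry,
        "EAP-TTLS/PAP": bool(pw_values),
        "PEAPv1/EAP-GTC": bool(pw_values),
        "PEAPv0/EAP-MSCHAPv2": nt_capable,
        "EAP-TTLS/EAP-MSCHAPv2": nt_capable,
    }


# Constructed sample entries (no real accounts); same password, four storage styles.
SAMPLE_PASSWORD = "correct horse battery"
ENTRIES = {
    "alice": {"userPassword": [encode_password(SAMPLE_PASSWORD, "SSHA", b"s4lt")]},
    "bob": {"userPassword": [SAMPLE_PASSWORD]},  # stored in the clear
    "carol": {
        "userPassword": [encode_password(SAMPLE_PASSWORD, "SHA")],
        "sambaNTPassword": "<32 hex digits: MD4 of the UTF-16LE password>",  # placeholder
    },
    "dave": {"userCertificate": b"<DER-encoded certificate>"},  # no password at all
}

if __name__ == "__main__":
    for name, entry in ENTRIES.items():
        ok = [m for m, v in inner_methods(entry).items() if v]
        print("%-6s %s" % (name, ", ".join(ok) or "nothing"))
```

Run as a script it lists, per sample user, the methods a RADIUS front end could offer that user; alice (salted SHA only) gets TTLS/PAP and PEAP/GTC but not MSCHAPv2, which is exactly the situation Frank describes for a hashed LDAP directory without an NT hash.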
