using PEAP and want to add MAC matching to force VLAN

Discussion in 'Cisco' started by BerkHolz, Steven, Feb 28, 2005.

  1. I am currently using 1200 series APs and PEAP against MS IAS server to
    authenticate "company" users for wireless.
    This is working great. The machines auth with PEAP machine accounts and when
    the user logs in, it switches to their user account for auth.

    Now I need to add a Tandberg 880 videoconferencer to a different VLAN
    outside the firewall to avoid H.323 problems.
    It will have a fixed IP, so I do not need DHCP, etc.
    It only supports WEP, so I need to use its MAC address for security.

    I also want to be able to give guests access to a third VLAN that will give
    them Internet via a linksys router with DHCP outside the firewall.
    I figure using MAC addresses here is easiest as well, so I do not have to
    alter their configs for PEAP and worry about certificates, etc.
    I also do not want the employees on this network.

    Issue:

    I can not figure out how to keep my PEAP config on the 1200 AP and also do
    MAC address matching with non-PEAP machines.
    Can I still use MS-IAS for this? I know I can set the VLAN with MS-IAS.

    Please offer any hints.



    --
    Steven BerkHolz
    Send to Domain TESCOGroup dot com, username SB

    Note: you may also want to know that you should never send mail to:




    -abuse.org

    BerkHolz, Steven, Feb 28, 2005
    #1
    1. Advertising

  2. BerkHolz, Steven

    Uli Link Guest

    BerkHolz, Steven schrieb:


    > I can not figure out how to keep my PEAP config on the 1200 AP and also do
    > MAC address matching with non-PEAP machines.
    > Can I still use MS-IAS for this? I know I can set the VLAN with MS-IAS.


    Are your 1200 AP run VxWorks 12.05?

    With IOS you can set
    Authentification requiremets as MAC + EAP or EAP per SSID

    And with IOS 12.2(15)JA or later:
    If you configure one or better two APs as WDS master and backup they can
    use their local MAC list for all APs using this WDS. Works great for up
    to 30 or 40 cards, else your config.txt will grow too much.

    The internal RADIUS of the AP can force a list of allowed SSIDs per
    group, but only LEAP or EAP-FAST or MAC. Not PEAP.

    I haven't found how to configure W2K IAS for RADIUS MAC authentication,
    I don't know a good reason why this should *not* be possible.

    --
    Uli

    These opinions are mine. All found typos are yours.
    Uli Link, Feb 28, 2005
    #2
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. jester
    Replies:
    1
    Views:
    1,769
    Vivek
    Dec 20, 2005
  2. Replies:
    0
    Views:
    1,161
  3. Replies:
    0
    Views:
    1,413
  4. Replies:
    0
    Views:
    1,766
  5. Replies:
    2
    Views:
    898
    Bert Hyman
    Dec 31, 2008
Loading...

Share This Page