Aironet 1200 AP against IAS

Discussion in 'Cisco' started by jt, May 5, 2004.

  1. jt

    jt Guest

    Hi all,

    has anyone successfully set up Authentication of Client devices associating
    against a 1200 Series AP, relayed to a box running Microsoft IAS? Is this
    possible at all?


    Greets

    jt
     
    jt, May 5, 2004
    #1

  2. ~ Hi all,
    ~
    ~ has anyone successfully set up Authentication of Client devices associating
    ~ against a 1200 Series AP, relayed to a box running Microsoft IAS? Is this
    ~ possible at all?
    ~
    ~
    ~ Greets
    ~
    ~ jt
    ~

    IAS can authenticate PEAP (and, I'm reasonably sure, MAC address) clients;
    you can't use IAS to authenticate LEAP clients however.
     
    Aaron Leonard, May 5, 2004
    #2

  3. jt

    jt Guest

    Hi Aaron,

    there seem to exist various dependencies... thanks for the input. We've now
    d/l'd a Secure ACS trial, works fine with LEAP.
    I am new to WLAN, so please be patient :))))

    Aaron, let me just ask two questions.....

    The AP runs 12.2(15), newest release. Whilst configuring encryption on the
    radio, it refuses to run AES-CCM ("not supported on radio0");
    ---> this is because of 2.4 GHz, isn't it? Will it run with 5 GHz? Which
    cipher should I use with WPA in 2.4 GHz?

    I dislike WEP due to its known flaws, but I am forced to because of the
    Centrino boxes with integrated WLAN.
    I thought to use "enc mode ciphers wep128" for the boxes not WPA-capable,
    will this do?

    Greets


    jt
     
    jt, May 6, 2004
    #3
  4. ~ there seem to exist various dependencies... thanks for the input. We've now
    ~ d/l'd a Secure ACS trial, works fine with LEAP.
    ~ I am new to WLAN, so please be patient :))))

    I'm relatively new myself.

    ~ Aaron, let me just ask two questions.....
    ~
    ~ The AP runs 12.2(15), newest release. Whilst configuring encryption on the
    ~ radio, it refuses to run AES-CCM ("not supported on radio0");
    ~ ---> this is because of 2.4 GHz, isn't it? Will it run with 5 GHz? Which
    ~ cipher should I use with WPA in 2.4 GHz?

    We don't support AES yet. It will be supported in a future
    IOS release.

    ~ I dislike WEP due to its known flaws, but I am forced to because of the
    ~ Centrino boxes with integrated WLAN.
    ~ I thought to use "enc mode ciphers wep128" for the boxes not WPA-capable,
    ~ will this do?

    Let's first figure out what authentication scheme you're
    going to use. You mentioned LEAP. Are ALL your clients
    going to use LEAP - do your Centrino clients support it?
    Or are some clients going to do LEAP and some others do
    some other kind of authentication?

    Here are some links that might help lay out your options:

    Security Implementations Q&A
    http://cisco.com/en/US/products/hw/wireless/ps4570/products_qanda_item09186a008010018c.shtml

    Wireless LAN Security White Paper
    http://cisco.com/en/US/netsol/ns339...g_solutions_white_paper09186a00800b469f.shtml

    Aaron

     
    Aaron Leonard, May 6, 2004
    #4
  5. jt

    jt Guest

    Hi Aaron,

    I guess this is becoming increasingly interesting. Let me shortly jot down
    what laptop hardware I do have under my shivering hands :) :

    5 Toshiba Tecra S1, Centrino Chipset, integrated 802.** b ** WLAN, 2.4 GHz.
    Several, say, old boxes (Dell Inspiron / Latitude, Compaq Presario) which
    must (and so, will) be equipped with an 802.11g capable Cisco NIC.

    The Tecra integrated NICs are Intel 2100-based; driver is the latest
    (released 2003!).
    The drivers do NOT support L/EAP, only static WEP. I dug around at Intel to
    locate an EAP-capable release, was redirected to Toshiba and vice versa.
    So, this is frustrating - will need to equip the newer boxes with Cisco
    Cards as well.
    ---> Go see the doctor, Toshiba. They seem to think that static WEP is the
    ultimate thing. You CAN run 'em associated, but only with static WEP.

    --> Aaron, can you think of another solution / tweak to get the Centrinos
    doing LEAP ?

    So, this delivers the final answer, I think: After having equipped all the
    boxes with the required 802.g adapters, I'm on LEAP.
    Which releases me from the need to supply different SSIDs and such.

    Greets

    Daniel
     
    jt, May 6, 2004
    #5
  6. ~ Hi Aaron,
    ~
    ~ I guess this is becoming increasingly interesting. Let me shortly jot down
    ~ what laptop hardware I do have under my shivering hands :) :
    ~
    ~ 5 Toshiba Tecra S1, Centrino Chipset, integrated 802.** b ** WLAN, 2.4 GHz.

    OK. According to this, that should be "CCX v1" compatible:
    http://www.cisco.com/en/US/partners/pr46/pr147/partners_pgm_partners_0900aecd800c856b.html
    with W2K or XP and "driver number 1.1.0.5.6 1.6.0.44", whatever that is.
    CCX v1 tells me that this should support LEAP and Cisco-proprietary
    TKIP (aka "CKIP").

    ~ Several, say, old boxes (Dell Inspiron / Latitude, Compaq Presario) which
    ~ must (and so, will) be equipped with an 802.11g capable Cisco NIC.

    OK.

    ~ The Tecra integrated NICs are Intel 2100-based; driver is the latest
    ~ (released 2003!).
    ~ The drivers do NOT support L/EAP, only static WEP. I dug around at Intel to
    ~ locate an EAP-capable release, was redirected to Toshiba and vice versa.

    ~ So, this is frustrating - will need to equip the newer boxes with Cisco
    ~ Cards as well.
    ~ ---> Go see the doctor, Toshiba. They seem to think that static WEP is the
    ~ ultimate thing. You CAN run 'em associated, but only with static WEP.
    ~
    ~ --> Aaron, can you think of another solution / tweak to get the Centrinos
    ~ doing LEAP ?

    From what I see, Toshiba should be able to supply you with working
    LEAP on your Tecras. I see an "Intel(R) PROSet 802.11b WiFi Client Utility
    with Cisco/WPA support for Win2K (v7.2.0.0; 11-11-2003; 7.82M)"
    download on their website.

    ~ So, this delivers the final answer, I think: After having equipped all the
    ~ boxes with the required 802.g adapters, I'm on LEAP.
    ~ Which releases me from the need to supply different SSIDs and such.

    Yes, if you buy all Cisco stuff, it makes life better
    in so many ways ;-)

    Cheers,

    Aaron

     
    Aaron Leonard, May 7, 2004
    #6