Aironet 1200 AP against IAS

HI all,

has anyone successfully set up Authentication of Client devices associating
against
a 1200 Series AP, relayed to a box running Microsoft IAS ? Is this possible
al all ?


Greets

jt

 

On Wed, 5 May 2004 15:15:04 +0200, "jt" <> wrote:

~ HI all,
~
~ has anyone successfully set up Authentication of Client devices associating
~ against
~ a 1200 Series AP, relayed to a box running Microsoft IAS ? Is this possible
~ al all ?
~
~
~ Greets
~
~ jt
~

IAS can authenticate PEAP (and, I'm reasonably sure, MAC address) clients;
you can't use IAS to authenticate LEAP clients however.

 

Hi Aaron,

there seem to exist various dependencies....thanks for the input. We' ve now
d/l'd a Secure ACS trial, works fine with LEAP.
I am new to WLAN, so please be patient )))

Aaron, let me just ask two questions.....

The AP runs 12.2(15), newest release. Whilst configuring encryption on the
radio, it refuses to run AES-CCM ( "not supported on radio0" );
---> this is because of 2.4 GHz, isn' t it ? Will it run with 5GHz ? Which
cipher should I use with WPA in 2.4 GHz ?

I dislike WEP due to its known flaws, but I am forced to because of the
centrino boxes with integrated WLAN.
I thought to use "enc mode ciphers wep128" for the boxes not WPA - Capable,
will this do ?

Greets


jt




"Aaron Leonard" <> schrieb im Newsbeitrag
news:...
> On Wed, 5 May 2004 15:15:04 +0200, "jt" <> wrote:
>
> ~ HI all,
> ~
> ~ has anyone successfully set up Authentication of Client devices
associating
> ~ against
> ~ a 1200 Series AP, relayed to a box running Microsoft IAS ? Is this
possible
> ~ al all ?
> ~
> ~
> ~ Greets
> ~
> ~ jt
> ~
>
> IAS can authenticate PEAP (and, I'm reasonably sure, MAC address) clients;
> you can't use IAS to authenticate LEAP clients however.

 

~ there seem to exist various dependencies....thanks for the input. We' ve now
~ d/l'd a Secure ACS trial, works fine with LEAP.
~ I am new to WLAN, so please be patient )))

I'm relatively new myself.

~ Aaron, let me just ask two questions.....
~
~ The AP runs 12.2(15), newest release. Whilst configuring encryption on the
~ radio, it refuses to run AES-CCM ( "not supported on radio0" );
~ ---> this is because of 2.4 GHz, isn' t it ? Will it run with 5GHz ? Which
~ cipher should I use with WPA in 2.4 GHz ?

We don't support AES yet. It will be supported in a future
IOS release.

~ I dislike WEP due to its known flaws, but I am forced to because of the
~ centrino boxes with integrated WLAN.
~ I thought to use "enc mode ciphers wep128" for the boxes not WPA - Capable,
~ will this do ?

Let's first figure out what authentication scheme you're
going to use. You mentioned LEAP. Are ALL your clients
going to use LEAP - do your Centrino clients support it?
Or are some clients going to do LEAP and some others do
some other kind of authentication?

Here are some links that might help lay out your options:

Security Implementations Q&A
http://cisco.com/en/US/products/hw/wireless/ps4570/products_qanda_item09186a008010018c.shtml

Wireless LAN Security White Paper
http://cisco.com/en/US/netsol/ns339...g_solutions_white_paper09186a00800b469f.shtml

Aaron

---

~ "Aaron Leonard" <> schrieb im Newsbeitrag
~ news:...
~ > On Wed, 5 May 2004 15:15:04 +0200, "jt" <> wrote:
~ >
~ > ~ HI all,
~ > ~
~ > ~ has anyone successfully set up Authentication of Client devices
~ associating
~ > ~ against
~ > ~ a 1200 Series AP, relayed to a box running Microsoft IAS ? Is this
~ possible
~ > ~ al all ?
~ > ~
~ > ~
~ > ~ Greets
~ > ~
~ > ~ jt
~ > ~
~ >
~ > IAS can authenticate PEAP (and, I'm reasonably sure, MAC address) clients;
~ > you can't use IAS to authenticate LEAP clients however.
~

 

Hi Aaron,

I guess this is becoming increasingly interesting. Let me shortly jot down
what Laptop hardware
i do have under my shivering hands :

5 Toshiba Tecra S1, Centrino Chipset, integrated 802.** b ** WLAN, 2.4 GHz.
Several, say old boxes ( Dell Inspiron / Latitude, Compaq Presario) which
must ( and so, will ) be equipped with a 802.1g capable Cisco NIC.

The Tecra integrated NICs are Intel 2100 - based; driver is the latest
released 2003 ! ).
The drivers do NOT support L/EAP, only static WEP. I dug around at Intel to
locate a EAP - capable release, was redirected to Toshiba and vice versa.
So, this is frustrating - will need to equip the newer boxes with Cisco
Cards as well.
---> Go see the doctor, Toshiba. They seem to think that static WEP is the
ultimate thing. You CAN run 'em associated, but only with static WEP.

--> Aaron, can you think of another solution / tweak to get the Centrinos
doing LEAP ?

So, this delivers the final answer, I think: After having equipped all the
boxes with the required 802.g adapters, I' m on LEAP.
Which releases me from the need to supply different SSIDs and such.

Greets

Daniel


>
> Let's first figure out what authentication scheme you're
> going to use. You mentioned LEAP. Are ALL your clients
> going to use LEAP - do your Centrino clients support it?
> Or are some clients going to do LEAP and some others do
> some other kind of authentication?
>
> Here are some links that might help lay out your options:
>
> Security Implementations Q&A
>
http://cisco.com/en/US/products/hw/wireless/ps4570/products_qanda_item09186a
008010018c.shtml
>
> Wireless LAN Security White Paper
>
http://cisco.com/en/US/netsol/ns339/ns395/ns176/ns178/networking_solutions_w
hite_paper09186a00800b469f.shtml
>
> Aaron
>
> ---
>
> ~ "Aaron Leonard" <> schrieb im Newsbeitrag
> ~ news:...
> ~ > On Wed, 5 May 2004 15:15:04 +0200, "jt" <> wrote:
> ~ >
> ~ > ~ HI all,
> ~ > ~
> ~ > ~ has anyone successfully set up Authentication of Client devices
> ~ associating
> ~ > ~ against
> ~ > ~ a 1200 Series AP, relayed to a box running Microsoft IAS ? Is this
> ~ possible
> ~ > ~ al all ?
> ~ > ~
> ~ > ~
> ~ > ~ Greets
> ~ > ~
> ~ > ~ jt
> ~ > ~
> ~ >
> ~ > IAS can authenticate PEAP (and, I'm reasonably sure, MAC address)
clients;
> ~ > you can't use IAS to authenticate LEAP clients however.
> ~
>

 

On Thu, 6 May 2004 22:11:44 +0200, "jt" <> wrote:

~ Hi Aaron,
~
~ I guess this is becoming increasingly interesting. Let me shortly jot down
~ what Laptop hardware
~ i do have under my shivering hands :
~
~ 5 Toshiba Tecra S1, Centrino Chipset, integrated 802.** b ** WLAN, 2.4 GHz.

OK. According to this, that should be "CCX v1" compatible:
http://www.cisco.com/en/US/partners/pr46/pr147/partners_pgm_partners_0900aecd800c856b.html
with W2K or XP and "driver number 1.1.0.5.6 1.6.0.44", whatever that is.
ccx V1 tells me that this should support LEAP and Cisco-proprietary
TKIP (aka "CKIP".)

~ Several, say old boxes ( Dell Inspiron / Latitude, Compaq Presario) which
~ must ( and so, will ) be equipped with a 802.1g capable Cisco NIC.

OK.

~ The Tecra integrated NICs are Intel 2100 - based; driver is the latest
~ released 2003 ! ).
~ The drivers do NOT support L/EAP, only static WEP. I dug around at Intel to
~ locate a EAP - capable release, was redirected to Toshiba and vice versa.

~ So, this is frustrating - will need to equip the newer boxes with Cisco
~ Cards as well.
~ ---> Go see the doctor, Toshiba. They seem to think that static WEP is the
~ ultimate thing. You CAN run 'em associated, but only with static WEP.
~
~ --> Aaron, can you think of another solution / tweak to get the Centrinos
~ doing LEAP ?

From what I see, Toshiba should be able to supply you with working
LEAP on your Tecras. I see a "Intel(R) PROSet 802.11b WiFi Client Utility
with Cisco/WPA support for Win2K (v7.2.0.0; 11-11-2003; 7.82M)"
download on their website.

~ So, this delivers the final answer, I think: After having equipped all the
~ boxes with the required 802.g adapters, I' m on LEAP.
~ Which releases me from the need to supply different SSIDs and such.

Yes, if you buy all Cisco stuff, it makes life better
in so many ways ;-)

Cheers,

Aaron

---

~ Greets
~
~ Daniel
~
~
~ >
~ > Let's first figure out what authentication scheme you're
~ > going to use. You mentioned LEAP. Are ALL your clients
~ > going to use LEAP - do your Centrino clients support it?
~ > Or are some clients going to do LEAP and some others do
~ > some other kind of authentication?
~ >
~ > Here are some links that might help lay out your options:
~ >
~ > Security Implementations Q&A
~ >
~ http://cisco.com/en/US/products/hw/wireless/ps4570/products_qanda_item09186a
~ 008010018c.shtml
~ >
~ > Wireless LAN Security White Paper
~ >
~ http://cisco.com/en/US/netsol/ns339/ns395/ns176/ns178/networking_solutions_w
~ hite_paper09186a00800b469f.shtml
~ >
~ > Aaron
~ >
~ > ---
~ >
~ > ~ "Aaron Leonard" <> schrieb im Newsbeitrag
~ > ~ news:...
~ > ~ > On Wed, 5 May 2004 15:15:04 +0200, "jt" <> wrote:
~ > ~ >
~ > ~ > ~ HI all,
~ > ~ > ~
~ > ~ > ~ has anyone successfully set up Authentication of Client devices
~ > ~ associating
~ > ~ > ~ against
~ > ~ > ~ a 1200 Series AP, relayed to a box running Microsoft IAS ? Is this
~ > ~ possible
~ > ~ > ~ al all ?
~ > ~ > ~
~ > ~ > ~
~ > ~ > ~ Greets
~ > ~ > ~
~ > ~ > ~ jt
~ > ~ > ~
~ > ~ >
~ > ~ > IAS can authenticate PEAP (and, I'm reasonably sure, MAC address)
~ clients;
~ > ~ > you can't use IAS to authenticate LEAP clients however.
~ > ~
~ >
~

 

Check out the AEGIS client from Meetinghouse which supports a LEAP supplicant.

http://www.mtghouse.com/products/client/features/index.shtml



The AP 1200 can support a local RADIUS server which supports LEAP only.