PEAP and EAP-TLS on Server 2008 and Cisco WLC

This topic contains 113 replies, has 7 voices, and was last updated by Rene Molenaar 1 week, 2 days ago.

Viewing 15 posts - 1 through 15 (of 113 total)
    #13065

    Francis

    Great Peace there, for the purpose of practice, I have a Linksys wireless router; I share my internet with friends in the same apt. My ISP assigns me an IP dynamically through a modem and I am connected to them (ISP) PPPoE style. I want to implement this so my friends don’t log in other friends behind my back. Once they are logged on, no second login with the same credentials can be logged in.

    Thank You

    #13066

    Rene Molenaar
    Keymaster

    Using PEAP will work well because you can track what usernames are accessing your wireless network, and you can permit just a single login for each user.

    It does take time to set up the RADIUS server; FreeRADIUS is a nice and simple alternative to the Microsoft solution, btw.

    #13067

    Robson de Carvalho

    Many thanks dear… perfect post

    #13068

    sindy

    Useful explanation! I want to use EAP-TLS for authentication with WLC 5508, but:
    1- Do I have to install a certificate on all client assets?
    2- I want the client to have nothing to do except select the SSID, without any settings to configure (if it’s not possible, this means that I have to configure 200 assets!)

    #13070

    sindy

    Many thanks for the explanation. My company has more than 200 laptops; how to proceed?
    What about the DNS, because we already have a DNS and IP addresses are delivered automatically?

    #13071

    Rene Molenaar
    Keymaster

    If you want to use EAP-TLS then you will need client certificates and yes somehow you will have to provision these to your clients. For Windows computers in the domain you can use group policy to auto-enroll certificates and auto-configure the wireless profile.

    For Apple devices you can look for “MDM” which is meant to configure iPhones and iPads on a large scale. There’s probably also something for Android devices…

    #13072

    Rene Molenaar
    Keymaster

    So what exactly is your question? In my example I installed DNS because Active Directory requires it. If you have an Active Directory then you can use your current DNS?

    #13073

    sindy

    Exactly, what I want is to push out the policy on end user devices: the client only has to accept the certificate and the process will be transparent for him, no configuration to do.
    Could you help me on how to realise it?

    Regards

    #13074

    Rene Molenaar
    Keymaster

    This is possible but it depends on the client. Are you talking about Windows 7 laptops or other devices like Apple or Android?

    #13075

    sindy

    To be more clear, I already have an architecture with AD and DNS… but as I’m quite new to this stuff, I’ve installed a new Windows Server 2008 and I followed your steps. For this, should I install a new Active Directory? Or is it possible to make a link to the existing AD or simply copy the groups to the new AD?

    #13076

    Rene Molenaar
    Keymaster

    If you have an AD and DNS then you only need to install the CA and NPS roles. I wouldn’t recommend implementing this right away in your production environment; best to try everything first in a test lab using VMware or VirtualBox to understand how all components work together.

    #13077

    sindy

    Sorry, but I can’t find how to reply to your post below; this is why I answer here.

    Then yes, I am talking about Windows 7 and XP laptops, and when I solve this category I will probably need to do the same on Android. If it’s not possible, then could you make a post please with what’s possible to realise?

    #13078

    Rene Molenaar
    Keymaster

    Are your Windows XP / 7 laptops in the domain or in a workgroup? Domain is easy since you can use group policy to enroll the client certificates and configure the wireless profile for them. If they are in a workgroup then you’ll have to do some scripting if you want everything to be auto-configured. It’s also not a bad idea to create a simple user manual so that users can get a certificate.

    Android devices are difficult to “auto enroll”. I’m not sure if there is management software that can do this…I know there is for Apple (google for Apple MDM).
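For the workgroup case mentioned in the reply above, a provisioning script could look like the following. This is an added example, not part of the thread or of the tutorial it discusses. It assumes Windows 7 or later, an elevated prompt, a client certificate already issued by your CA, and a WLAN profile XML exported from a reference laptop with `netsh wlan export profile`; the parameter names and the helper function are hypothetical.

```powershell
# Added example: refuse to install the EAP-TLS wireless profile unless a usable
# client certificate is already present, then import the exported profile.
param(
    [Parameter(Mandatory = $true)][string]$ProfileXml,  # hypothetical: exported profile XML
    [string]$StorePath = 'Cert:\CurrentUser\My'         # or Cert:\LocalMachine\My
)

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

function Test-ClientAuthCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $now = Get-Date
    # EAP-TLS needs the private key and a certificate inside its validity period.
    if (-not $Cert.HasPrivateKey) { return $false }
    if ($now -lt $Cert.NotBefore -or $now -gt $Cert.NotAfter) { return $false }
    # Require an explicit Client Authentication EKU; certificates without an
    # EKU extension are treated as unusable here (a deliberate strict choice).
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq $ClientAuthOid) { return $true }
            }
        }
    }
    return $false
}

$usable = @(Get-ChildItem -Path $StorePath | Where-Object { Test-ClientAuthCert $_ })
if ($usable.Count -eq 0) {
    Write-Error "No valid client-authentication certificate in $StorePath; enroll one first."
    exit 1
}
if (-not (Test-Path -LiteralPath $ProfileXml)) {
    Write-Error "WLAN profile file not found: $ProfileXml"
    exit 1
}

# Import the profile for all users of this machine.
& netsh wlan add profile "filename=$ProfileXml" user=all
if ($LASTEXITCODE -ne 0) {
    Write-Error "netsh could not import the WLAN profile (exit code $LASTEXITCODE)."
    exit $LASTEXITCODE
}
Write-Output "Profile imported; usable certificate: $($usable[0].Subject)"
```

Exporting the profile from a laptop that was configured and tested by hand keeps the server-validation settings (trusted root CA, expected server name) identical on every client.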

    #13079

    sindy

    Yes, all laptops are already on a specific domain
