#1  07-24-2007, 12:59 PM  bolson
Cisco 1231 with PEAP & MS-Chap v2

Hello all-

I am currently trying to set up a Cisco 1231G WAP with PEAP and MS-Chap v2. I am using RADIUS on the Active Directory Domain Controller with IAS and Windows Certificate Services. I have IAS, AD, and Certificate Services set up, but I am having trouble configuring the WAP. Can anyone help me with a sample config for the WAP?

RADIUS Server: 10.0.0.2
SSID: myTestSSID

Thank you in advance for any assistance or pointers you may provide.
#2  07-31-2007, 05:35 PM  Midnight
The colored text needs to be changed to what you would like. That is a sample config; I do not take responsibility for anything that comes of it.

-Midnight-

Code:
!
! Values to replace with your own (the text highlighted in the original post):
!   hostname AP_Hostname, the RADIUS server address 10.0.0.2 and its key
!   Shared_Secret_Pass, ssid myTestSSID, the BVI1 address 10.0.0.3, the
!   default gateway 10.0.0.1, and the local account "username Cisco password Cisco"
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname AP_Hostname
!
logging buffered informational
!
clock timezone GMT -6
ip subnet-zero
!
!
aaa new-model
!
!
aaa group server radius rad_eap
 server 10.0.0.2 auth-port 1645 acct-port 1646
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login default local
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods group rad_mac
aaa authorization exec default local 
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
!
dot11 ssid myTestSSID
   authentication open eap eap_methods 
   authentication network-eap eap_methods 
   authentication key-management wpa
   guest-mode
!
dot11 network-map
!
!
username Cisco password Cisco
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers tkip 
 !
 ssid myTestSSID
 !
 no short-slot-time
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 no power client local
 packet retries 50
 no preamble-short
 channel 2417
 fragment-threshold 2000
 station-role root
 rts threshold 2000
 rts retries 50
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
 hold-queue 160 in
!
interface BVI1
 ip address 10.0.0.3 255.0.0.0
 no ip route-cache
!
ip default-gateway 10.0.0.1
ip http server
ip http authentication aaa
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1 
!
snmp-server view iso iso included
snmp-server community public view iso RW
snmp-server enable traps tty
radius-server attribute 32 include-in-access-req format %h
radius-server host 10.0.0.2 auth-port 1645 acct-port 1646 key Shared_Secret_Pass
radius-server deadtime 60
radius-server vsa send accounting
!
control-plane
!
bridge 1 route ip
!
!
!
line con 0
line vty 5 15
!
end
#3  04-23-2009, 05:05 PM  Wifi-Guru
IAS listens on 1812 and 1813, but Cisco devices by default use 1645/46.

Change the Cisco AP to use the ports 1812 and 1813 and try again.

And people wonder why Cisco is starting to lose the network wars....their WLAN ****s. They break more WiFi spec rules than anyone..but they are Cisco and they get away with it.

~K
__________________
CWNA, CCNA, JNCIA-WX/SSL/AC/EX, HP-ASE Mobility.
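As an added example, not code from the thread, a small Python audit for the pitfalls raised in posts #2 and #3: the 1645/1646 versus 1812/1813 RADIUS port mismatch, plus the Cisco/Cisco local account, the public read-write SNMP community, the TKIP-only cipher and the HTTP-only management that appear in the posted config. The config text below is a constructed excerpt of that post, and the check names and severities are my own.

```python
import re

# Constructed excerpt of the config posted in #2 (not the full config).
SAMPLE_CONFIG = """\
hostname AP_Hostname
aaa group server radius rad_eap
 server 10.0.0.2 auth-port 1645 acct-port 1646
dot11 ssid myTestSSID
   authentication open eap eap_methods
   authentication key-management wpa
username Cisco password Cisco
interface Dot11Radio0
 encryption mode ciphers tkip
ip http server
no ip http secure-server
snmp-server community public view iso RW
radius-server host 10.0.0.2 auth-port 1645 acct-port 1646 key Shared_Secret_Pass
"""

# Per-line checks as (regex, severity, message); matched with re.M.
LINE_CHECKS = [
    (r"^\s*username (\S+) password \1\s*$", "medium",
     "local account whose password equals its username"),
    (r"^\s*snmp-server community \S+ .*\bRW\b", "high",
     "read-write SNMP community configured on the AP"),
    (r"^\s*encryption mode ciphers tkip\s*$", "medium",
     "radio offers TKIP only; WPA2/AES-CCMP is not available to clients"),
]
# Matches both the 'server ...' line inside an aaa group and 'radius-server host ...'.
PORT_RE = re.compile(
    r"^\s*(?:radius-server host|server) (\S+) auth-port (\d+) acct-port (\d+)", re.M)

def audit(config):
    """Return (severity, finding) tuples for the pitfalls raised in this thread."""
    findings = []
    # Post #3's point: IAS listens on 1812/1813, while IOS defaults to 1645/1646.
    for host, auth, acct in PORT_RE.findall(config):
        if (auth, acct) != ("1812", "1813"):
            findings.append(("high", f"RADIUS server {host} uses ports {auth}/{acct}; "
                                     "IAS listens on 1812/1813"))
    # Plain-HTTP management left on while the HTTPS server is explicitly disabled.
    if (re.search(r"^\s*ip http server\s*$", config, re.M)
            and re.search(r"^\s*no ip http secure-server", config, re.M)):
        findings.append(("medium", "web management over plain HTTP only"))
    for pattern, severity, message in LINE_CHECKS:
        if re.search(pattern, config, re.M):
            findings.append((severity, message))
    return findings
```

Running `audit(SAMPLE_CONFIG)` reports both RADIUS port lines (the aaa group entry and the radius-server host entry) alongside the four other findings; correcting the ports to 1812/1813 leaves only the latter.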
#4  08-20-2009, 06:16 AM  legalrights
Cisco 1231 with PEAP & MS-Chap v2

Pros: support for 802.1X, Cisco LEAP and PEAP; reliability

Cons: cost of unit is more expensive than others

The Bottom Line:
would recommend for small/med size business especially for security minded customers. rock solid tech support
Author's Review
As a small or medium business owner, you might be asking the question: $600 for a wireless access point? Why can't I get the same thing from Netgear, Linksys or D-Link at half the price to do the exact same thing..?

One word.. Security..

As most people are aware WEP keys are hackable, so Cisco competitors try to compensate by using other methods such as WPA, disabling SSID broadcasting or MAC address filtering.. unfortunately, regardless of what vendors tell you.. these methods still do NOT provide a secure wireless deployment.

the solution

Cisco is one of the few Access Points & Wireless 802.11b/g Cards that support a new technology called 802.1X with PEAP with MS-CHAP v2, which allows encrypted wireless through a VPN to a MSFT RADIUS server (ships free with Windows 2003) with a single Verisign certificate.. allows for a secure VPN tunnel for a wireless connection, where your user account needs to be authenticated to

advantages of the Aironet 1200 over

1. hardware already supports new AES wireless standard
2. module plug-in to upgrade unit to future standards without replacing unit (such as 802.11i etc)
3. wireless APs are manageable through unified management software, so managing 200 access points is as easy as managing a single one.
4. range - operates further than other APs
5. Supports VLANs, security
6. metal box, custom antenna selection due to your environment - even external available

7. fast & secure layer 3 roaming.. what this means is if you move around the office and "outside" the specific access point you're connected to, the adjacent Access Point (or subnet) will re-authenticate you within 100ms.. in 2004 Cisco will integrate this feature into future router/switch design (IOS update - see their website for full info)

8. single sign-on to network using cisco leap
9. ability to detect unauthorized access points through software

10. Support for VLANs, meaning you can give "visitors" to your company access to the internet through your Access Point, without having to be "on your private" wireless network.

final analysis
I found setup of the unit very easy to setup and use, I also found the ability to use.