Link to home
Start Free TrialLog in
Avatar of ZachTouba
ZachTouba

asked on

Configure Cisco Aironet 1130AG with Windows Server 2008 RADIUS

I've been reading up on W2k8 NPS RADIUS and WPA2 for a little over a week now (here on EE and around the web) and still have found almost nothing useful for what I am trying to do which I believe is theoretically possible. I would like users/computers from AD to be automatically granted access without having to install a certificate on each machine (which judging from what I’ve read is possible). Also non windows devices such as Apple computers, BlackBerry cell phones, etc, will need to be able to still connect. Should the non windows domain devices be configured to somehow authenticate on the RADIUS side? Or is it possible/makes more sense to still have some sort of key so that the other devices can simply use the key to authenticate? Also what is the best authentication method for doing so? User generated image
User generated image
Avatar of Irwin W.
Irwin W.
Flag of Canada image

So, here are the steps you need to accomplish:

1. You needs to configure RADIUS on your 2008 box or some other device
2. You don't need to configure a certificate but it is a better option
2a. If you want to go the certificate route, you will need to setup a CA on one of your servers
3. So now you need to configure your 1130AG. If the unit came pre-configured to work with Lan Controllers, you will first need to downgrade to autonomous mode.

So let me know where you want to start if you have any of these steps already configured.  
Avatar of ZachTouba
ZachTouba

ASKER

1. I have already installed NPS on my w2k8 box (as shown in ss1). I added my Aironet 1130AG as a RADIUS client under "RADIUS Clients and Servers" and generated a "shared secret".
2. I created a Network Policy within the Network Policies folder, with conditions:
     NAS Port Type: Wireless Other OR Wireless IEEE 802.11
     Windows Groups: mydomain\Domain Computers OR mydomain\Domain Users
3. On the cisco 1130AG I've selected WPA, entered the IP of the w2k8 RADIUS server, and entered the shared secret.

So I believe I have the very basic framework there, I just need a greater understanding of which type of authentication and encryption I should setup. Also what is the "standard" or typical setup for a small business that wants to switch to WPA / WPA2 in terms of using a certificate setup.
The choice to use WPA or WPA2 encryption depends on what your devices support. If everything can support WPA2 go with WPA2.
It can, and it's currently set to WPA2 (as shown in ss2) I'm just not sure which type of EAP/PEAP authentication and encryption is best and how it would be configured.
Peap is what I have configured.
Could you please elaborate. There's many different configurations of PEAP. Once you selected PEAP did you then use "MSCHAPv2" or "Smart card or certificate" for the peap auth method (within PEAP)? Did you leave MSCHAP v1 still enabled? Did you disable MSCHAP v1 + v2 both and force certificate use?
ASKER CERTIFIED SOLUTION
Avatar of Irwin W.
Irwin W.
Flag of Canada image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial