Re: Access Points and Active Directory: msg#00048 security.wireless
Hello,

saudi sans wrote:
> We have got 10 Cisco Aironet Access Points. However we do not have a
> AAA solution like Cisco ACS.
>
> But we would like to authenticate wireless LAN users via Active
> directory database before they can connect. Is it possible without a
> AAA solution? Are there any drastic implications if we do this?

Assuming you have Windows XP or Vista clients as well, it's probably easiest to go with a PEAP authentication deployment for wireless. If you have Windows 2003 servers, you can install the Windows IAS service which will act as a RADIUS server for MS Active Directory. Then you can point your APs to the IAS server for authentication. Some pointers on getting this set up:

http://www.microsoft.com/technet/community/columns/cableguy/cg0702.mspx
http://www.microsoft.com/technet/network/wifi/ed80211.mspx
http://www.cisco.com/univercd/cc/td/doc/product/wireless/airo1200/accsspts/b1238ja/1238jasc/s38auth.pdf

One factor you need to consider is how you're going to authenticate the Windows IAS RADIUS service to the client. The easiest way is to purchase a wireless server authentication certificate from a public certificate authority such as Verisign. You can deploy your own CA using the Windows CA service, but then you have to manually add it to the trust list on all your client systems. Best to go with a commercial CA, pay the few hundred dollars they want for a certificate, and save yourself some extra work.

When configuring the PEAP supplicant settings on Windows XP or Vista, be sure to apply settings with an eye to security. I wrote about some recommendations for securing the Windows XP PEAP supplicant for Network World here:

http://www.networkworld.com/columnists/2007/042307-wireless-security.html

-Josh
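An added example, not part of the original message: a small audit of the PEAP section of a Windows WLAN profile (as produced by `netsh wlan export profile` on Vista or later) that checks whether the client actually authenticates the RADIUS server. The element and namespace names are assumed from Microsoft's PEAP profile schema, and the sample profile, server name and root hash are constructed.

```python
import xml.etree.ElementTree as ET

# Namespaces assumed from Microsoft's PEAP connection-properties schema.
PEAP_V1 = "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1"
PEAP_V2 = "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2"


def sample_peap_config(validate, names, root_hash, no_prompt):
    """Build a constructed PEAP fragment shaped like an exported WLAN profile."""
    root = f"<TrustedRootCA>{root_hash}</TrustedRootCA>" if root_hash else ""
    return f"""<EapType xmlns="{PEAP_V1}">
  <ServerValidation>
    <DisableUserPromptForServerValidation>{str(no_prompt).lower()}</DisableUserPromptForServerValidation>
    <ServerNames>{names}</ServerNames>{root}
  </ServerValidation>
  <PeapExtensions>
    <PerformServerValidation xmlns="{PEAP_V2}">{str(validate).lower()}</PerformServerValidation>
  </PeapExtensions>
</EapType>"""


def audit_peap(xml_text):
    """Return findings; an empty list means the RADIUS server identity is pinned."""
    tree = ET.fromstring(xml_text)

    def text(ns, tag):
        # Missing elements are treated the same as empty ones.
        node = tree.find(f".//{{{ns}}}{tag}")
        return (node.text or "").strip() if node is not None else ""

    findings = []
    if text(PEAP_V2, "PerformServerValidation").lower() != "true":
        findings.append("server certificate is not validated")
    if not text(PEAP_V1, "ServerNames"):
        findings.append("no RADIUS server name is pinned")
    if not text(PEAP_V1, "TrustedRootCA"):
        findings.append("no trusted root CA is selected")
    if text(PEAP_V1, "DisableUserPromptForServerValidation").lower() != "true":
        findings.append("user may be prompted to trust an unknown server")
    return findings


if __name__ == "__main__":
    weak = sample_peap_config(False, "", "", False)  # constructed weak profile
    for finding in audit_peap(weak):
        print("FINDING:", finding)
```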