PEAP and EAP-TLS on Server 2008 and Cisco WLC

This topic is to discuss the following lesson:

https://networklessons.com/uncategorized/peap-and-eap-tls-on-server-2008-and-cisco-wlc/

Great Peace there, for the purpose of practice, i have a Linksys wireless Router I share my internet with friends on the same apt. My Isp assigns me IP Dynamically through a modem and connected to them(ISP) on PPoE style. I want to implement this so my friends don’t log other friends behind my back. Onces they are logged on no second login with same credentials can be logged

Thank You

Using PEAP will work well because you can track what usernames are accessing your wireless network, and you can permit just a single login for each user.

It does take time to setup the radius server, freeradius is a nice and simple alternative for the Microsoft solution btw.

Many thanks dear… perfect post

Useful explanation! I want to use EAP-TLS for authentiation with wlc 5508, but :
1- do I have to install certificate on all clients asset?
2- I want that client will have no thing to do only select the SSID without any settings to do (if it’s not possible this means that I have to configure 200 assets!)

Useful explanation! I want to use EAP-TLS for authentiation with wlc 5508, but :
1- do I have to install certificate on all clients asset?
2- I want that client will have no thing to do only select the SSID without any settings to do (if it’s not possible this means that I have to configure 200 assets!)

Many thanks for the explanation. my company has over then 200 lap top, how to proceed?
what about the DNS because we already a DNS and ip address are delivered automatically.

If you want to use EAP-TLS then you will need client certificates and yes somehow you will have to provision these to your clients. For Windows computers in the domain you can use group policy to auto-enroll certificates and auto-configure the wireless profile.

For Apple devices you can look for “MDM” which is meant to configure iPhones and iPads on a large scale. There’s probably also something for Android devices…

So what exactly is your question? In my example I installed DNS because Active Directory requires it. If you have an Active Directory then you can use your current DNS?

Exactly, what I want is to push out the policy on end user devices: the client have only to accept the certificate and the process will transparent for him, no configuration to do.
could you help me on how to realise it?

Regards

This is possible but it depends on the client. Are you talking about Windows 7 laptops or other devices like Apple or Android?

To be more clear, I’ve already an architecture with AD and DNS… but as I’m quite new to this stuff, I’ve installed a new windows server 2008 and I follow your steps, and for this should I install a new active directory? or is it possible to make a link to the existing AD or simply copy the groups to the new AD?

If you have an AD and DNS then you only need to install the CA and NPS roles. I wouldn’t recommend to implement this right away in your production environment, best to try everything first in a test lab using vmware or virtualbox to understand how all components work together.

Sorry but I don’t find to replay to your post bellow, this is why I answer here.

then yes, I talk about windows 7 and XP laptop and when I solve this categorie I will probably need to do the same in android, if it’s not possible then could you make a post please with what’s possible to realise?

Are your Windows XP / 7 laptops in the domain or in a workgroup? Domain is easy since you can use group policy to enroll the client certificates and configure the wireless profile for them. If they are in a workgroup then you’ll have to do some scripting if you want everything to be auto-configured. It’s also not a bad idea to create a simple user manual so that users can get a certificate.

Android devices are difficult to “auto enroll”. I’m not sure if there is management software that can do this…I know there is for Apple (google for Apple MDM).

Yes, all laptops are already on a specific domain

I’ve a problem, I noted that 80% of laptops are on a domain and the rest of on other domain. Is there a solution for this?

There probably is. You could create some trust relations between domains, or create a script or something to do automate the following: http://networklessons.com/wireless/peap-and-eap-tls-on-server-2008-and-cisco-wlc/#Configure-Wireless-Client

Thank you Rene for the explanation, it’s very helpful.
I’m trying to implement your examlpe, I’ve created a test lab, I’ve installed a windows server 2008 R2 on a VMare and I want to use a new AD from the server 2008 (not the existing from the production architecture), then I have 2 questions:

1- As the server is on a VMare what precautions should I take, to isolate my test LAB to don’t disturb the production installation?
2- for the test I’ll install the AD and DNS (all your steps) but when I want to migrate to the existing AD and DNS how can I proceed? sould I remove AD and DNS from the server 2008, is it sufficient ?

Make sure your is not connected somehow to your production network as you might run into issues. I use a separate VLAN on my switch for testing purposes. If you only want to practice with the servers in VMWare then you can set the NICs of your VM guests to use another physical NIC or host-only.

Removing the AD and DNS roles is possible but I always prefer to start with a clean setup. See if you can get everything up and running in VMware and if it works, re-build it for the production network. When you install some roles and remove them later, you never know what kind of “leftovers” you might find later…