Hi Rene, can you give me example of wireless access point that supports WPA(2)-Enterprise??
Any access point from the last 5 years should do the job. Even the cheap ones…
Hi Rene, I need an explanation for this question…
Do I have to use a WLC, or can I just connect from the server to the AP??
Sorry, newbie with servers.
Hi Kyle,
Most standalone access points support WPA(2)-Enterprise so you can use them for this setup.
Rene
Dear Sir,
Very good article, I like it, but my scenario is different from it: we have a wired network on Cisco-based switches and are creating different VLANs. In this situation, how can we implement RADIUS for both the wired and the wireless network?
please help
Hello Amit,
This tutorial about wireless is about 90% the same as for wired authentication, instead of using the Wireless LAN Controller you'll have to configure your switch for 802.1x port-based authentication. I don't have a tutorial ready for it but it's quite easy to configure, plenty of examples on Google. You can use this tutorial for the configuration of the radius server itself.
Hello Rene,
Thank you for this guide. However I have a question for you:
-I am trying to create a network policy in which to connect to the NPS from a Linux or any other device just by using the Active Directory username and password (NO CERTIFICATE INVOLVED) and I can't find how to achieve this for the life of me. Could you please help?
Thanks,
Iancu
Hello, I encounter an issue when I configure EAP-TLS on the wired interface for user authentication. I already auto-enroll user and computer certificates by a GPO. When I try to authenticate the user and the computer, it works well. But the problem is that when a user tries to connect to another computer, his certificate isn't already downloaded from the Active Directory. We receive a message which displays that "a certificate is required for network connection". Is it possible to increase the time before processing the EAP-TLS authentication request to allow the user to download his certificate before authentication?
My NPS is Cisco Identity Service Engine, I configured 802.1X on the switch.
Hi Rene,
I have read many posts but this is more comprehensive.
Our production is a mixture of different hardware (WNICs), OS versions and smartphones. I'm not sure if EAP-TLS and/or PEAP is supported. Can I configure (as a fallback) a basic authentication (passphrase) for certain WiFi users if something goes wrong? Should I repeat the same steps above to configure redundant NPS/RADIUS servers?
Thanks.
Hi Richard,
For a single SSID you can only choose between WPA(2) personal (pre-shared key) or enterprise (RADIUS). If you want to have a fallback mechanism between the two then it's probably best to use two SSIDs. You could use EAP-TLS or PEAP perhaps for devices that need access to certain LAN resources. Other devices could perhaps use a pre-shared key but only for Internet access or something.
RADIUS authentication makes wireless far more secure but it will take more time to implement and manage it.
Rene
Hi Iancu,
You can do this just like I did in my tutorial. Configure NPS to use Active Directory and then authenticate users against NPS. It will do a lookup in Active Directory. If you just want username/password authentication you can stick to PEAP… forget about EAP-TLS.
Rene
Thanks Rene,
It is now working, and I'm trying to have it approved for implementation.
EAP-TLS is working. If you use the same laptop to install 2 certificates (for 2 users) generated by the web enrollment, it shows a drop-down menu (certificate A & B) before you can connect to WiFi. If one decided to remove certificate A from the said laptop, because the laptop will be used by another person, how should I do this? I have been trying to google "DELETING CERTIFICATE OF EAP-TLS", but no luck. I've also checked MMC - Certificates - Personal; nothing seems related to the EAP-TLS-issued certificate.
Does the certificate reside in the CA? Will revoking it solve my dilemma?
Thanks again..
Dear sir,
I have one question. If a Windows 7 computer joins the domain, will it get a certificate automatically? If we have 100 laptops on the domain, do they have 100 different certificates?
Thanks
It doesn't happen as soon as you join a computer to the domain but you can configure auto-enrollment for user certificates.
Thanks for this great piece of work. Explained beautifully.
Thanks Tony!
Hi Rene ,
Thank you very much for your great and very useful tutorial. As we have a mixture of mobile phones and corporate laptops, we would like to have AAA authentication in place to see at least our connected users' usernames in the management consoles. The question is: is it possible to have PEAP authentication on our mobile phones without installing a certificate on them? I followed and configured your instructions and it worked like a charm, but personally I could not connect to the PEAP wireless network with my iPhone, and neither could anybody else.
Would you please elaborate more on this topic and help me if there is another way for authentication without installing a certificate on mobile phones?
I really appreciate your work.
Hi Omid,
You are welcome. If you use PEAP, the clients don't require a client certificate (that's what EAP-TLS is for) and normally you can disable the validation of the server certificate. This means that the clients won't check the server certificate and only the username/password is checked by the server. This works for Windows 7, Android devices and I'm 99% sure that you can do it on the iPhone / iPad.
Rene
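The server-certificate validation setting discussed in the answer above lives in the Windows wireless profile (the XML that `netsh wlan export profile` writes). The following audit script is an added example, not code from the thread or from the tutorial: it parses a constructed, cut-down PEAP profile and reports whether the client validates the RADIUS server, pins a root CA thumbprint (`TrustedRootCA`), restricts `ServerNames`, and suppresses the user prompt, plus the `authMode` that decides whether machine or user credentials are used. The element names follow the Microsoft EapHostConfig/MsPeap profile schema; treating a missing `PerformServerValidation` element as "validation on" is an assumption.

```python
import xml.etree.ElementTree as ET

EAP_NAMES = {"13": "EAP-TLS", "25": "PEAP"}

# Constructed sample, cut down to the elements the audit reads; the settings are the
# "convenient" ones from the thread: PEAP with server certificate validation switched off.
SAMPLE_PROFILE = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1"><name>CorpWiFi</name>
<MSM><security><OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><authMode>user</authMode>
<EAPConfig><EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
<EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type></EapMethod>
<Config><Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>25</Type>
<EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
<ServerValidation><DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
<ServerNames></ServerNames></ServerValidation>
<PeapExtensions><PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">false</PerformServerValidation></PeapExtensions>
</EapType></Eap></Config></EapHostConfig></EAPConfig></OneX></security></MSM></WLANProfile>"""

def _text(root, name, default=""):
    """Text of the first element whose local name (namespace stripped) matches, or default."""
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == name:
            return (el.text or "").strip()
    return default

def audit_profile(xml_text):
    """Report the settings that decide how much a PEAP client trusts the RADIUS server."""
    root = ET.fromstring(xml_text)
    method = next(el for el in root.iter() if el.tag.endswith("EapMethod"))
    r = {
        "ssid": _text(root, "name"),
        "auth_mode": _text(root, "authMode"),  # user / machine / machineOrUser
        "eap": EAP_NAMES.get(_text(method, "Type"), "other"),
        # Assumption: a profile without the V2 element behaves as if validation is on.
        "server_validation": _text(root, "PerformServerValidation", "true") == "true",
        "root_ca_pinned": _text(root, "TrustedRootCA") != "",
        "server_names_restricted": _text(root, "ServerNames") != "",
        "prompt_suppressed": _text(root, "DisableUserPromptForServerValidation") == "true",
    }
    warnings = []
    if r["eap"] == "PEAP" and not r["server_validation"]:
        warnings.append("client accepts any RADIUS server: credentials could be sent to an impostor")
    elif r["eap"] == "PEAP":
        if not r["root_ca_pinned"]:
            warnings.append("no TrustedRootCA thumbprint: any CA in the Windows store is accepted")
        if not r["prompt_suppressed"]:
            warnings.append("user can be prompted to accept an unexpected server certificate")
    r["warnings"] = warnings
    return r
```

Run it against `netsh wlan export profile` output from a few clients to see which profiles were rolled out with validation disabled.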
Hello,
very nice blog!
One question.
My clients will receive the following question when connecting:
Enter your username and password
Use my windows user account
Connect using a certificate
Is there a GPO to automate this so this question is skipped?
Thx