Implementing Cisco LWAPP with PEAP-MSCHAP-V2 and IAS

Wow, lotta buzzwords there!  Ok, this may turn out to be a bit of a longish post but here goes:

Let’s say you just got your LWAPP AP’s in with your Cisco WLC 440x.  Works great except you also want to do user based authentication.  No static keys for you!  Oh yeah, your boss says you’ve already spent too much on new stuff and tells you to make do with what you have.  Here’s how to make it work with AD, IAS and the built in Windows XP supplicant.

First, make sure the wireless side is working.  This includes the ability for clients to get a DHCP address.  Use WPA with a static key if you must.  Now, in the controller change the security method to WPA1+WPA2 and set the key management to 802.1x.  Don’t forget to point a RADIUS server at your IAS server.  That’s about all you have to do on the controller.

Now, add your controller as a RADIUS client to IAS.  Add a Remote Access Policy for the controller.  You can set the parameters to match the IP address of the controller or you can set the NAS-Port-Type to match “Wireless – other OR Wireless – IEEE 802.11”.  Also add a match for the AD group you want to have wireless access.  This can be everyone or a specific subset.  Edit the profile and under Authentication set the EAP method to PEAP.  The Advanced tab should be set to Service-Type = RADIUS Standard Framed.

It’s important to add users AND computers to the group you want to have access.  Without computers added the laptops will use cached credentials.  That’s not the end of the world but it’s a bit of a security risk.  Also makes for slow logins.  By adding the computers the computer is connected and actively authenticates the user when they login.

Ok, now it’s necessary to add a Root Cert Authority and create a cert for IAS.  Alternatively you could just buy a cert.  Either way, the issuing CA must be in the trusted list for the computers you wish to have access.

So, the final step is to push out the CA, the cert and the wireless settings.  This is done through a GPO.  I’m still sketchy on the whole GPO thing (I’m a router jockey, don’t forget) but it’s basically forced reg hacks to the clients.  Hat tip to Steve for that one.  Force the gpupdate or wait for it to propagate.  Either way, the clients should have the SSID, key settings and the new CA to trust.

There you have it.  The quick and dirty guide to PEAP using Cisco LWAPP and Microsoft IAS.

2 thoughts on “Implementing Cisco LWAPP with PEAP-MSCHAP-V2 and IAS

  1. This is a good little document but not quite a technical document that could be used for setting up the APs/WLC/WCS (if you have it). Good general info though. If you are up to putting together a useful document, I would be interested in collaborating on making a very useful document. I have a very large portion of a good document done already for my company with screen shots, but I would need to strip out all of the company stuff and redo some of it.

  2. I appreciate the offer but I think I’m way to busy for such a thing. One of the main reasons for the blog is to jog my memory at a later date. I think it’s quite useful in that regard!

Leave a Reply