Cisco APs & 802.1X

Evening all,

Just wondering if anyone here has any Cisco APs set up using 802.1X authentication against an IAS box?

I'm starting to look into it for work but could do with some pointers & useful links if anyone has any.

Cheers,

Andy
 
I've set up APs with 802.1X (LEAP) to work with a Cisco ACS, which backs onto LDAP authentication. Is there anything you want to know in particular?
 
We're currently using ACS boxes as well, but seeing as we're adding some IAS boxes to handle 802.1X wired connections, I thought it would be a good idea to move the APs/WDS boxes at the same time. The ACS boxes have never behaved and have just generally caused us problems.

I guess I was after some configs from where people have set this up. It would also be good to know whether people use machine or user certs as well.
 
Ah, OK. We're heavy users of the ACS, and find that they generally work OK (but that's neither here nor there).
As a starter, I'd recommend investigating the Wireless Domain Services (WDS) capabilities. This allows roaming between APs without re-authentication; you set up a master AP that controls this. The configuration itself is pretty simple. When I did ours I didn't have a good understanding of the AP CLI, so I used the web interface (which was really easy). I found a good guide on the Cisco website for this - I'll try and dig it out...
The 802.1X part can be handled by RADIUS, so assuming that IAS supports this (I would have thought so) then it's all standards-based with EAP, for which you can use certs or not. I've never used certs for this as we use LEAP, which backs off to NT LDAP.

As an aside, how are you finding the IAS boxes? I'm looking to use 802.1X to map users to VLANs...

/edit - Doc from Cisco - gives a good overview + config, some applies to ACS, but sure you could adapt to fit:
http://www.cisco.com/en/US/products...s_configuration_example09186a00801c951f.shtml
 
From the wired side of things, IAS is working quite nicely. We set up groups in AD, then policies on the IAS, and depending on what group the machine is sat in determines what VLAN they get put in. The guest stuff isn't brilliant at the mo, but I think that's a misconfiguration on my side.

We've got WDS points as well now; originally we were all Cisco (ACS, WLSEs, WDSs and the APs). I've never got along with the ACS - it may just be our outdated version though - but now we have the IAS doing wired, it makes sense to consolidate.

I'll take a look at that link anyways

Cheers :)
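To tie the two posts above together (802.1X over RADIUS/EAP with WDS, and IAS policies putting clients into a VLAN by AD group), here is an added example of what the AP side looks like on an IOS-based Aironet AP. It is not taken from the thread or from the linked Cisco document; every address, hostname, shared secret and VLAN number is a placeholder. It assumes IAS is the RADIUS server for clients, and, because IAS does not support LEAP, that the SSID uses standard EAP (PEAP or EAP-TLS) via `authentication open eap` rather than the `network-eap` LEAP hook used with ACS. The AP-to-WDS infrastructure authentication is LEAP by default, so that method list is pointed at the existing ACS (or any other LEAP-capable server) instead of IAS.

```text
! Added example, not from the thread. All addresses, names, secrets and
! VLAN IDs below are placeholders.
!
aaa new-model
!
! Client 802.1X goes to IAS (default ports 1812/1813). The secret must match
! the RADIUS client entry created for this AP in IAS.
aaa group server radius ias
 server 192.168.1.5 auth-port 1812 acct-port 1813
aaa authentication login eap_methods group ias
radius-server host 192.168.1.5 auth-port 1812 acct-port 1813 key 0 IasSecret
!
! WDS infrastructure auth between APs is LEAP, which IAS cannot serve, so it
! stays on the ACS for now (classic ACS ports 1645/1646).
aaa group server radius acs_leap
 server 192.168.1.6 auth-port 1645 acct-port 1646
aaa authentication login infra_methods group acs_leap
radius-server host 192.168.1.6 auth-port 1645 acct-port 1646 key 0 AcsSecret
!
! SSID: default VLAN 10, PEAP/EAP-TLS via "open eap", WPA key management.
dot11 ssid corp
 vlan 10
 authentication open eap eap_methods
 authentication key-management wpa
!
! Encryption must be configured for the SSID's VLAN and for every VLAN the
! RADIUS server may hand back.
interface Dot11Radio0
 encryption vlan 10 mode ciphers tkip
 encryption vlan 20 mode ciphers tkip
 ssid corp
 station-role root
!
! One dot1Q subinterface per assignable VLAN on both the radio and the wired
! side, bridged together; a VLAN IAS returns that is missing here will not
! be applied.
interface Dot11Radio0.10
 encapsulation dot1Q 10
 bridge-group 10
interface Dot11Radio0.20
 encapsulation dot1Q 20
 bridge-group 20
interface FastEthernet0.10
 encapsulation dot1Q 10
 bridge-group 10
interface FastEthernet0.20
 encapsulation dot1Q 20
 bridge-group 20
!
! WDS master: highest priority wins the election. Every AP, the WDS one
! included, registers with the WDS using the infrastructure credentials.
wlccp wds priority 254 interface BVI1
wlccp authentication-server infrastructure infra_methods
wlccp authentication-server client eap eap_methods
wlccp ap username wds-ap password 0 WdsSecret
!
! IAS side (remote access policy profile, Advanced attributes), one policy
! per AD group; the AP moves the client from VLAN 10 to the returned VLAN:
!   Tunnel-Type          = Virtual LANs (VLAN)   (value 13)
!   Tunnel-Medium-Type   = 802                   (value 6)
!   Tunnel-Pvt-Group-ID  = 20                    (VLAN number as a string)
```

On the certificate question: PEAP only needs a server certificate on the IAS box (clients validate it, so push the issuing CA to them); EAP-TLS needs a certificate on each client as well, and machine certificates are what let the PC authenticate before anyone logs on, which is what the wired setup described above relies on.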
 
Cool :)

Looking at your kit list, I'd be tempted to run it all via the WLSE, then configure the WLSE to run everything to the IAS via RADIUS at the backend. Sadly I don't have much experience of WLSE (trying to get some money to buy some new wireless kit at the mo).
 