Open Authentication + EAP along with None encryption valid
Last Post: June 11, 2005:
-
We do have a Cisco 1200AP. I have tried to configure encryption to None and enable Open Authentication with EAP support. The EAP authentication server is pointed to one of the Microsoft IAS servers. The question here is: can an agent connect to this access point? If yes, how (using which agent application)? If no, why?
Note: We are able to successfully associate with the access point if the encryption is set to WEP (40/128), using Microsoft ZeroConfig Wireless Agent, Cisco ACU, Odyssey Client Manager.
-
Here are two links with instructions to configure EAP using Microsoft IAS.
http://www.pctechnicians.ca/help/8021x.html
http://www.foundrynet.com/solutions/appNotes/8021xportAuth.html
Now if you are going to be logging onto a domain, you are going to need to do a machine authentication. I am still trying to figure out how to do this. I am getting an error message "no such DOMAIN exist" in my logs. I think I have a problem with my domain and not with my wireless configuration. I have not had time to re-install my domain. I am communicating with IAS but I cannot get past the authentication because my user credentials are failing.
I have got it to work with workgroups, just not with domain credentials. My background is more with routers, switches, and firewalls than O/S. It is taking me some time to troubleshoot O/S problems.
Also, here is a link to download an IAS log viewer. It puts it in an easier format to understand and read the error messages.
http://www.deepsoftware.com/iasviewer/
-
Thanks for the information DC40.
But I do not have any problem with the IAS server or the domain authentication.
My question is just:
"Is Open Authentication with EAP along with NONE as encryption a valid configuration/security scheme?"
And now for your problem.
Did you try registering the IAS service to the Active Directory? If no, follow this:
In the IAS application, right-click the Internet Authentication Service (Local) entry. In the context menu select 'Register Service in Active Directory'.
Did you request a machine certificate for the IAS machine? If no, then follow this:
Launch the Run window. Enter mmc and press Enter. In the console window navigate to File->Add and Remove Snap-in... In the Add and Remove Snap-in window, click the Add button. In the Add Standalone Snap-in window, select Certificates and click the Add button. A Certificate Snap-in window appears. Select the Computer Account radio button and click the Next button. Select Local computer. Click Finish. In the Add Standalone Snap-in window click the Close button. In the Add and Remove Snap-in window click the OK button. In the console window, click the + button next to Certificates. A Personal folder entry will appear. Right-click the Personal folder and in the context menu select All Tasks->Request New Certificate... In the wizard, select Computer and click the Next button. Enter the computer name for the friendly name, click Next and then Finish.
Now in the IAS use this certificate.
-
Don't quote me, but you can only authenticate with the EAP process to the server but not associate to the AP based on the proprietary schemes of vendors.
EAP should allow you to access straight, but here is the reason it may not work:
EAP is port-based authentication and it takes you to the server through, yes, the AP. It is the device that validates you have a right to fight for the use of the AP and some vendors stop you there?
WEP/WPA is what gets you through the AP after you have authenticated with the EAP you decide on.
802.1x plus 802.11i are the supplements to the weakness of WEP.
Use both.