
Local 802.1X authentication & Certificates

 
Chris Plant1
Occasional Contributor

I learn more every day!

 

So to speed up the hand-off between different MSM422s, I now have a VSC with WPA2 opportunistic key caching enabled, a dynamic key source and (for now) local 802.1X authentication. I've also set up a Test user and disabled access control for this user.

 

I can connect to the VSC on an XP laptop, but I only get asked for my username and password if I manually change some of the authentication settings on the laptop wireless profile. Otherwise I get a certificate error. Do I have to make these changes on EVERY laptop or can anyone point me in the right direction on how to configure the certificate?

 

Bizarrely when I tried to connect to the VSC using an Android TAB, it asked me straight away for the username and password, and connected straight after.

 

Thanks in advance, Chris.

1 REPLY
Stephen Swain
Frequent Advisor

Re: Local 802.1X authentication & Certificates

First, figure out which EAP type you plan to support - EAP-TTLS, EAP-PEAPv0 or EAP-TLS (client and server certificates).

 

If username/password based access is required, then PEAP or TTLS should be used. Enable those in the RADIUS server settings.

 

> Do I have to make these changes on EVERY laptop

 

Yes.

 

For XP, the profile must be configured either manually or via group policy. Make sure you start with SP3 if possible to get WPA2 support and the latest XP wireless support. The profile should be set to PEAP or EAP-TTLS. If you choose EAP-TLS it just won't work without a PKI style backend that delivers certificates to clients.

 

For these EAP types you will need a certificate on the RADIUS server (to encrypt communications before credentials are tested), so that may need to be installed on your controller too.

 

> when I tried to connect to the VSC using an Android TAB, it asked me straight away for the username and password, and connected straight after.

 

Probably determines the security mode from the management frames, or maybe it by default uses PEAP.

 

These are just a few starter hints; enterprise wireless can get pretty involved.

 

Regards,

Steve.
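
For the server certificate mentioned in the reply above, a supplicant that validates it needs it to chain to a CA the client trusts, and Windows supplicants expect the Server Authentication EKU. The following is an added example, not part of the original thread or the vendor's procedure: it assumes OpenSSL is available, and the CA name, host name and file names are constructed placeholders. Importing the result into the controller is product-specific and not shown.

```shell
#!/bin/sh
# Added example (not from the thread): issue a RADIUS/EAP server certificate
# from a private CA, then check what a validating supplicant will check.
# "Lab Wireless CA" and the host name passed in are constructed placeholders.

make_radius_pki() {
    dir="$1"; host="$2"
    mkdir -p "$dir" || return 1
    # Explicit config so the result does not depend on the system openssl.cnf.
    cat > "$dir/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Lab Wireless CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    # 1. Private root CA: ca.pem is what gets distributed to client trust stores.
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -sha256 \
        -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.pem" \
        2>/dev/null || return 1
    # 2. Key and CSR for the RADIUS server (subject overridden on the command line).
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/ca.cnf" \
        -subj "/CN=$host" -keyout "$dir/radius.key" -out "$dir/radius.csr" \
        2>/dev/null || return 1
    # 3. Leaf extensions: not a CA, usable for TLS server authentication only.
    printf '%s\n' 'basicConstraints = CA:FALSE' \
        'keyUsage = digitalSignature,keyEncipherment' \
        'extendedKeyUsage = serverAuth' \
        "subjectAltName = DNS:$host" > "$dir/radius.ext"
    openssl x509 -req -in "$dir/radius.csr" -CA "$dir/ca.pem" \
        -CAkey "$dir/ca.key" -CAcreateserial -days 825 -sha256 \
        -extfile "$dir/radius.ext" -out "$dir/radius.pem" 2>/dev/null || return 1
}

# Succeeds only if the certificate chains to the given CA as a TLS server
# certificate AND explicitly carries the Server Authentication EKU.
check_radius_cert() {
    ca="$1"; cert="$2"
    openssl verify -CAfile "$ca" -purpose sslserver "$cert" >/dev/null 2>&1 \
        || return 1
    openssl x509 -in "$cert" -noout -text \
        | grep -q 'TLS Web Server Authentication'
}

# Usage: make_radius_pki ./pki radius.example.test && \
#        check_radius_cert ./pki/ca.pem ./pki/radius.pem
```

With `ca.pem` installed as a trusted root on the clients (for XP, manually or via group policy as described above), the wireless profile can keep server certificate validation enabled.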