The customer has the equipment below: 3 APs (Cisco Aironet 1230) & ACS 3.3 on a Windows 2003 Server Standard Edition, which has IIS and Certificate Services enabled.
While configuring I used IBM laptop with external PCMCIA Cisco 350 Series Client Adapter. I was able to successfully test for three different scenarios namely LEAP, PEAP and EAP-FAST.
For PEAP I was able to download the certificate from the ACS, install it and configure the PEAP settings & got secure authentication.
As for EAP-FAST I configured only TKIP and configured the settings on the ACU on the laptop, logged out and while logging in the PAC (Protected Access Credential) authentication happened and was able to connect securely.
The customer wants his clients who come to his premises with laptops having inbuilt client cards (Cisco compatible; mainly used is Intel) to be able to connect to the internet with authentication. He doesn't bother if their connection is secure. But, they should get authenticated with user id and password.
As for his corporate users they should have a secure connection.
He doesn't want his engineers to go and configure the client's laptop either for certificate services (as required for PEAP). But they should be able to login to the network (as it happens in HOTSPOTS). Question is how can I achieve this weird requirement?
We have the following observations:
WEP will be out of question since he wants to use ACS for authentication.
PEAP is ruled out since he doesn't want to install the certificate generated by the server or configure any of the settings on the laptops.
EAP-FAST is ruled out since (a) ACU can be installed only on laptops with Cisco client cards (b) Also he doesn't want his engineers to do any extra configuration even if the client has Cisco client cards.
Check the links below:
Have you considered setting up separate VLANs and DMZs for those users in addition to accounting for their access on the ACS?
Multiple VLANs with varying security requirements could be used in this environment. You could have an open VLAN with access only to the Internet where people could associate and then use a VPN client. Another VLAN could allow EAP-whatever depending on your WLAN Security Policy. Other VLANs could be configured to allow voice clients and implement QoS.
Implementing it this way would make it more complex to support but would allow you to manage users based on their client capabilities rather than force significant changes on them.
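As an added illustration of the multi-VLAN approach above (not from this thread, and not the customer's configuration): an Aironet 1230 IOS fragment with an open Internet-only SSID on one VLAN and an EAP/WPA SSID authenticated against ACS on another. The RADIUS address, shared-secret placeholder, VLAN ids and SSID names are assumptions.

```cisco
! Added example, not the customer's config. 192.0.2.10 = ACS (assumed).
aaa new-model
aaa group server radius rad_eap
 server 192.0.2.10 auth-port 1645 acct-port 1646
aaa authentication login eap_methods group rad_eap
radius-server host 192.0.2.10 auth-port 1645 acct-port 1646 key <ACS-shared-secret>
!
! Guest SSID: open association, no encryption. VLAN 10 must be restricted
! to Internet-only by the upstream firewall; guests then authenticate at a
! VPN/gateway, not at the AP.
dot11 ssid GUEST
 vlan 10
 authentication open
 guest-mode
!
! Corporate SSID: 802.1X/EAP (PEAP or EAP-FAST) via ACS, WPA/TKIP keys.
dot11 ssid CORP
 vlan 20
 authentication open eap eap_methods
 authentication network-eap eap_methods
 authentication key-management wpa
!
interface Dot11Radio0
 encryption vlan 20 mode ciphers tkip
 ssid GUEST
 ssid CORP
!
! Trunk each VLAN separately to the wired side so guest and corporate
! traffic never share a bridge group.
interface Dot11Radio0.10
 encapsulation dot1Q 10
 bridge-group 10
interface Dot11Radio0.20
 encapsulation dot1Q 20
 bridge-group 20
interface FastEthernet0.10
 encapsulation dot1Q 10
 bridge-group 10
interface FastEthernet0.20
 encapsulation dot1Q 20
 bridge-group 20
```

The guest VLAN gives no confidentiality at the radio layer; its only protection is the upstream Internet-only ACL and whatever the VPN or gateway enforces, which matches the customer's stated requirement for guests.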
You should consider the Bluesocket Wireless Controller - an appliance solution that is a bi-directional stateful firewall with an authentication gateway. Create guest accounts either on the appliance or on an external directory, and assign the guest role the rights (protocol, direction, destination, schedule, location) and bi-directional bandwidth you want. You can also force an acknowledgement of terms/conditions.
For more information see http://www.bluesocket.com