Has anyone configured a WING 5 system to authenticate Windows workstations using Machine Authentication and Active Directory? If so, please advise on the following:
1) Which form of EAP auth was used? PEAP (with or without client certs) or TLS?
2) Did you use the Microsoft RADIUS server, Cisco ACS, or other?
3) Any specifics on the WING 5, RADIUS or AD config which are applicable?
WING 5 - Windows Machine Authentication
3 Replies
Comments below:

1) Which form of EAP auth was used? PEAP (with or without client certs) or TLS
By default, Microsoft Windows workstations support either PEAP (MSCHAPv2) or EAP-TLS for computer authentication unless a third-party supplicant has been installed which supports additional EAP methods. For example, in Windows Vista and above the Intel supplicant adds support for additional EAP methods such as EAP-FAST or EAP-GTC which can be used for computer authentication.

2) Did you use the Microsoft Radius server, Cisco ACS, or other
Both RADIUS servers are supported. Both Microsoft and Cisco provide examples for how to enable computer authentication with their RADIUS servers.

3) Any specifics on the WING 5, radius or AD config which are applicable?
All that's required on our side is a AAA policy assigned to the EAP-enabled Wireless LAN that points to the external RADIUS server(s). Everything else is completely transparent to us.

!
! Example AAA Policy
!
aaa-policy EXTERNAL-AAA-SERVERS
 authentication server 1 host 192.168.10.6 secret 0 hellomoto
 authentication server 1 proxy-mode through-controller
 authentication server 2 host 192.168.10.7 secret 0 hellomoto
 authentication server 2 proxy-mode through-controller
!
!
! Example Wireless LAN
!
wlan MOTO-DOT1X
 ssid MOTO-DOT1X
 vlan 13
 bridging-mode local
 encryption-type ccmp
 authentication-type eap
 use aaa-policy EXTERNAL-AAA-SERVERS
!
Marc-- Windows machine authentication is handled in the EAP exchange for which WiNG is simply the authenticator in pass-through mode when authenticating to an external RADIUS server. We are agnostic to the RADIUS server vendor and the EAP method used. There is no special config to support this in WiNG beyond the standard AAA policy. Here's some info on Windows machine authentication: http://support.microsoft.com/kb/929847
Yes, Motorola Solutions uses this. We have M-Wireless running on 5.4.1 in FL08. Please contact me for a sanitized version of the RADIUS server policy and the WLAN config.
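An added example, not part of the thread or of any vendor tooling: a short Python check over a config laid out like the one in the first reply. It confirms that each EAP WLAN points at an AAA policy with at least one RADIUS server, and flags shared secrets stored as type 0. The LAB-DOT1X WLAN and MISSING-POLICY name are constructed, and reading `secret 0` as a cleartext secret is an assumption.

```python
import re

# Constructed sample: trimmed AAA policy and WLAN from the first reply,
# plus a hypothetical WLAN (LAB-DOT1X) that references an undefined policy.
SAMPLE_CONFIG = """\
aaa-policy EXTERNAL-AAA-SERVERS
 authentication server 1 host 192.168.10.6 secret 0 hellomoto
 authentication server 1 proxy-mode through-controller
 authentication server 2 host 192.168.10.7 secret 0 hellomoto
!
wlan MOTO-DOT1X
 encryption-type ccmp
 authentication-type eap
 use aaa-policy EXTERNAL-AAA-SERVERS
!
wlan LAB-DOT1X
 authentication-type eap
 use aaa-policy MISSING-POLICY
"""
SERVER_RE = re.compile(r"authentication server (\d+) host (\S+)(?: secret (?:(\d) )?\S+)?")

def parse_blocks(text):
    """Group indented lines under their 'aaa-policy NAME' / 'wlan NAME' header."""
    blocks, current = {}, None
    for line in text.splitlines():
        if line.startswith(("aaa-policy ", "wlan ")):
            kind, name = line.split(None, 1)
            current = blocks.setdefault((kind, name.strip()), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # '!' separators and unrelated top-level lines
    return blocks

def audit(text):
    blocks, findings = parse_blocks(text), []
    for (kind, name), lines in blocks.items():
        if kind == "aaa-policy":
            for m in filter(None, map(SERVER_RE.match, lines)):
                if m.group(3) == "0":  # assumption: type 0 = secret kept in cleartext
                    findings.append(f"{name}: server {m.group(1)} ({m.group(2)}) secret stored as type 0 (cleartext)")
        elif "authentication-type eap" in lines:
            policy = next((l.split()[-1] for l in lines if l.startswith("use aaa-policy ")), None)
            servers = [l for l in blocks.get(("aaa-policy", policy), []) if SERVER_RE.match(l)]
            if not servers:
                findings.append(f"wlan {name}: EAP enabled but aaa-policy {policy} has no RADIUS server")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```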