Monday, March 22, 2010

Running PEAP with Cisco Aironet 1231G and Cisco Wireless IP Phone 7925G

To run WiFi with WPA and PEAP using Cisco Aironet and Windows IAS/NPS, you need the following:
  • Cisco Aironet Access Point
  • Windows Server (2003/2008) running IAS/NPS as the RADIUS server
  • Server authentication certificate (commercial or self-signed)

Setting the Access Point

Log in to the access point using HTTP/HTTPS and navigate to Security - Server Manager.

Create a new RADIUS server and point it to the Windows IAS/NPS server (installed later). Specify the shared secret and the ports for authentication and accounting.

Set the default server priorities to the IP address of the RADIUS server you just added.

Navigate to Security - SSID Manager.

Create a new SSID, attach it to the VLAN and tick the Radio checkbox.

For Client Authentication Settings, tick Open Authentication with EAP and Network EAP. Change the Server Priorities to Customize or use the defaults.

For Client Authentication Key Management, select Mandatory for Key Management and tick WPA.

SSID Settings: (optional) select Multiple SSID if you are running this SSID as one of multiple SSIDs.

Navigate to Security - Encryption Manager.

Set Encryption Modes to Cipher with AES CCMP + TKIP.

Set Encryption Keys to Key 2 and leave the value blank.
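
The access point steps above correspond to the following IOS CLI configuration, given here as an added example rather than configuration from the original post. It assumes an Aironet IOS release that supports global `dot11 ssid` configuration; the RADIUS address 192.0.2.10, ports 1812/1813, the SSID name CORP-WIFI, VLAN 10, the list names rad_eap and eap_methods, and the `<shared-secret>` placeholder are all assumed values.

```cisco
! Added example. Assumed values: 192.0.2.10, ports 1812/1813, CORP-WIFI,
! VLAN 10, rad_eap, eap_methods, <shared-secret>. Replace with your own.
! The VLAN 10 radio and Ethernet subinterfaces are assumed to exist already.
aaa new-model
!
! Security - Server Manager: the IAS/NPS server, its ports and shared secret
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key <shared-secret>
!
aaa group server radius rad_eap
 server 192.0.2.10 auth-port 1812 acct-port 1813
!
! Default server priority for EAP authentication
aaa authentication login eap_methods group rad_eap
!
! Security - SSID Manager: Open Authentication with EAP, Network EAP,
! and mandatory WPA key management
dot11 ssid CORP-WIFI
 vlan 10
 authentication open eap eap_methods
 authentication network-eap eap_methods
 authentication key-management wpa
!
! Security - Encryption Manager: cipher AES CCMP + TKIP on the SSID's VLAN
interface Dot11Radio0
 encryption vlan 10 mode ciphers aes-ccm tkip
 ssid CORP-WIFI
```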

Setting IAS/NPS

Once NPS is installed, run the wizard to set up the wireless network.
We need to add a RADIUS client, which is the IP address of the Cisco access point.

Navigate to the Advanced tab and set the vendor name to Cisco.

Navigate to Policies and select Connection Request Policies. Select the Secure Wireless Policy.

Most of the following settings are the default values.

Navigate to Use Windows authentication for all users. The following settings have their default values.

Navigate to Secure Wireless Connections. The following settings have their default values.

We specify which AD security group has access to this policy.

At this stage, you need to import a server authentication certificate. This can be a commercial certificate or a self-signed certificate. If you use a self-signed certificate, make sure the client machines that are going to connect to this WiFi trust the root CA that generated the certificate.

Select Microsoft Protected EAP (PEAP) and select Edit.

If the certificate is installed correctly, you should see an option to choose which certificate you want to use.

On the Settings tab

1 comment:

Peter Floyd said...

The Cisco Wireless IP Phone 7925G not only provides internet access, but also combines the functions of a few other gadgets to make life even more convenient for everyone. If you want to give Cisco test you can visit our site.