WLC School for Network Admin’s Who Can Read Real Good: Part 2 (Ok, so it has been a while)

As I promised, Part 2 is here: PEAP! It is the Protected Extensible Authentication Protocol, and it is used in our situation, where machines are members of the domain and we are looking for a permanent method of wireless connectivity for users, tied to Active Directory. While there are multiple RADIUS-type approaches, including ACS, I like Microsoft’s IAS. If you are running Active Directory, you get IAS’s RADIUS capabilities for free. If you are starting from scratch, check out Part 1.

First, since we have Active Directory, why don’t we use it? Create a group for your PEAP-authenticated users so that we can bind it to the Remote Access Policy we create later.

Step 1. Active Directory Users and Computers

Next, when you create your users, add them to the group you just created.

Step 2.

Now click on the “Dial-in” tab and ensure “Control access through Remote Access Policy” is selected.

Step 3.

Now that the user and group are set up to read the permissions set in the IAS Remote Access Policy, we need to get a spot on the network up and running for this configuration. On your Cisco switch you will need to create your VLAN and the Layer 3 interface for that VLAN.

Step 3.

interface Vlan20
 description PEAP Users
 ip address
 no shutdown
!
vlan 20
 name PEAP
 state active

Since the link from the switch to the WLC was already trunked in our last exercise, you should not need to change that LACP VLAN trunk unless you have implemented VLAN pruning or an allowed-VLAN list. Now it gets strange: I will be bouncing between IAS, the WLC, and the wireless client throughout the rest of this scenario. I do this because it will at least make sense to me, and hopefully that implies it will make sense to others as well.

From the WLC web interface you will need to create the following: Network Interface, DHCP Scope, and Wireless SSID. We will do the Network Interface and DHCP Scope first.

Step 4. Interface Configuration

Once you are logged into the WLC, go to the “Controller” link at the top of the page, then to the “Interfaces” sidebar option. Click the “New” button in the upper right hand corner. Here you will enter the name of the interface (I would recommend against any spaces or funky symbols, just in case). Take note of the “Interface Name”; you may use it later when dealing with “VSA” options in the Remote Access Policy configuration. Then enter the VLAN ID you created on the switch for this network. Click “Apply” in the upper right hand corner.

Step 5.

This page defines the specific settings for the interface. Choose an IP address on the network you have chosen. Since the interface IP on the switch was .1, I chose .2 (sometimes I choose .254; it all depends on the situation). The netmask is of course self-explanatory, and the gateway is the IP address you set as the interface IP for the VLAN on the switch. The Primary DHCP Server IP is the IP of the Management Interface defined in the last exercise. Click “Apply” in the upper right hand corner of the page.

Step 6. DHCP Configuration

Then expand the “Internal DHCP Server” Sidebar option and click on “DHCP Scope”. Click the “New” button and enter the name for the DHCP scope that will answer requests on this PEAP network of ours.

Step 7.

You will then populate the respective information for this DHCP scope; this screen is pretty much self-explanatory as well. Choose “Enabled” in the “Status” dropdown. Click “Apply”.

Now we will update the WLC with the AAA settings from our IAS.

Step 8.

Click the “Security” link at the top, then expand AAA -> RADIUS -> Authentication. Click the “New” button and match the settings (server IP, port and shared secret) to those used in the “Add RADIUS Client” step in Part 1.

Now that we have all these pieces completed, we can join them together in the creation of the “WLAN”. So fittingly we will go to the “WLAN” link at the top and expand “WLANs” in the Sidebar. Click the “WLANs” option and then choose “Create New” in the drop down and click the “Go” button.

Step 9. WLAN Configuration

Here name the profile and the SSID, which is what people will see when they browse for wireless networks (unless broadcasting is disabled). Note the ID of the WLAN; this is also a VSA option. Click “Apply”.

Step 10.

On the “General” tab, check the “Enabled” checkbox, choose the appropriate interface from the “Interface” dropdown, and you will see the Broadcast SSID option we spoke about earlier. Check that box if you want the SSID to actually show up when you search for networks.

Step 11.

On the “Security” tab -> “Layer 2” tab, choose “WPA+WPA2” in the Layer 2 Security dropdown, check the WPA2 Policy and WPA2 Encryption checkboxes, and choose “802.1X” in the Auth Key Mgmt dropdown.

Step 12.

Next move over to the “AAA Servers” tab and choose the server you identified earlier as your IAS server.

Step 13.

Here we only have a couple of settings left to round out our WLAN configuration. Make sure the “Allow AAA Override” and “DHCP Addr. Assignment” checkboxes are selected. Click “Apply” to wrap this bit up.

Now we must set up the actual policy which dictates how our user should be treated when connecting to this WLAN.

Open IAS and right-click on “Remote Access Policies”, then choose “New Remote Access Policy”. This will open the “New Remote Access Policy Wizard”. On the first page choose a relevant name for the Remote Access Policy. Remote Access Policies are evaluated from top to bottom, like most ACLs. So one option is to start with the broadest set of criteria and build rules down from there, similar to creating group policies in a hierarchical design. However, for simplicity’s sake, and considering how few policies we will actually be creating, we will put all the rules and match criteria in a single policy.

Step 14. Remote Access Policy Wizard

For our purposes we choose “PEAP for Wireless Users” and the “Set up a custom policy” radio button. Click “Next”.

Step 15.

On the “Policy Conditions” step in the wizard, click the “Add” button. Find the “Client-IP-Address” attribute type, then click the “Add…” button. Enter the IP address of the WLC and move on to the next step.

Step 16.

Click the “Windows-Group” attribute type and choose “Peap Wireless” (or whatever you created in the “Create Windows Group” step).

Step 17.

Once you have the two Attribute types listed above click “Next”.

Step 18.

Choose the “Grant remote access permission” option, so that connection requests matching the conditions above are granted. Click “Next”.

Step 19.

On the “Profile” page, click the “Edit Profile…” button then on the “Edit Dial-in Profile” window, click the “Advanced” tab and highlight any options you see here. Click the “Remove” button for each item until this window is empty.

Step 20.

Then click the “Add…” button. On the new “Add Attribute” window highlight the “Service-Type” Attribute and click “Add”. On the “Enumerable Attribute Information” window choose the “Login” drop down and click the “OK” button.

Step 21.

Next choose the “Vendor-Specific” attribute and click the “Add…” button. On the “Multivalued Attribute Information” window click the “Add” button. The “Vendor-Specific Attribute Information” window will open; select the “Enter Vendor Code:” radio button and enter 14179 as the code. Choose the “Yes. It conforms.” option and click the “Configure Attribute…” button.

Step 22.

Now we are at the VSA settings I was foreshadowing earlier on. VSAs are Vendor-Specific Attributes, attributes that AAA servers can pass on to the client. The following table shows the VSAs available when connecting to a WLC. In this option, I want a dynamic VLAN scenario: when a user connects to the PEAP network, I want to place the user on the “peapauth” interface, VLAN 20. This may seem pretty straightforward given what we have configured so far; however, if your enterprise is utilizing end-to-end VLANs, you may want particular users on particular VLANs at all times. This VSA is how that can be done.

Attribute Name            VSA Number  Attribute Format  Value
Airespace-WLAN-ID         1           Decimal           WLAN ID
Airespace-QOS-Level       2           Decimal           Blank-Silver, 1-Gold,
Airespace-DSCP            3           Decimal           DSCP value
Airespace-802.1p-Tag      4           Decimal           802.1p tag
Airespace-Interface-Name  5           String            Interface name on WLC
Airespace-ACL-Name        6           String            ACL name


We will also choose Airespace-QOS-Level; I chose “Blank”, which equates to 0 or “Silver”. This is useful if there is a class of individuals whose performance on the network is paramount. Although this option is generally set for political purposes, whoever said that IT decisions are purely “technically” driven?
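To show what the table means on the wire, here is an added Python example (my own, not code from the post, from Cisco or from Microsoft): it encodes the two attributes this policy returns, Airespace-Interface-Name “peapauth” and Airespace-QOS-Level 0 (Silver), as RADIUS Vendor-Specific attributes under vendor code 14179, the form in which they travel in the Access-Accept from IAS to the WLC, and decodes them again with the length checks a receiver needs. The “peapauth” interface name is the one chosen earlier in this post; the attribute layout is from RFC 2865.

```python
import struct

AIRESPACE_VENDOR_ID = 14179   # the "Enter Vendor Code" value from Step 21
VENDOR_SPECIFIC = 26          # RADIUS attribute type for Vendor-Specific (RFC 2865)

# VSA number -> (name, format), taken from the table above
AIRESPACE_VSAS = {1: ("Airespace-WLAN-ID", "decimal"), 2: ("Airespace-QOS-Level", "decimal"),
                  3: ("Airespace-DSCP", "decimal"), 4: ("Airespace-802.1p-Tag", "decimal"),
                  5: ("Airespace-Interface-Name", "string"), 6: ("Airespace-ACL-Name", "string")}
NAME_TO_NUMBER = {name: num for num, (name, _) in AIRESPACE_VSAS.items()}


def encode_vsa(name, value):
    """Build one Vendor-Specific AVP: type, length, vendor id, then vendor type/length/data."""
    num = NAME_TO_NUMBER[name]
    if AIRESPACE_VSAS[num][1] == "decimal":
        data = struct.pack("!I", int(value))   # RADIUS integers are 32-bit big-endian
    else:
        data = str(value).encode("ascii")
    vendor_part = struct.pack("!BB", num, 2 + len(data)) + data
    body = struct.pack("!I", AIRESPACE_VENDOR_ID) + vendor_part
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_vsas(avps):
    """Return the Airespace attributes in a run of AVPs as {name: value}; other attributes are skipped."""
    found, i = {}, 0
    while i < len(avps):
        atype, alen = avps[i], avps[i + 1] if i + 1 < len(avps) else 0
        if alen < 2 or i + alen > len(avps):
            raise ValueError("bad AVP length at offset %d" % i)
        if atype == VENDOR_SPECIFIC and alen >= 8:
            vendor_id = struct.unpack("!I", avps[i + 2:i + 6])[0]
            vtype, vlen = avps[i + 6], avps[i + 7]
            if vlen < 2 or 6 + vlen > alen:
                raise ValueError("bad vendor length at offset %d" % i)
            if vendor_id == AIRESPACE_VENDOR_ID and vtype in AIRESPACE_VSAS:
                name, fmt = AIRESPACE_VSAS[vtype]
                data = avps[i + 8:i + 6 + vlen]
                if fmt == "decimal" and len(data) != 4:
                    raise ValueError("%s must be a 4-byte integer" % name)
                found[name] = struct.unpack("!I", data)[0] if fmt == "decimal" else data.decode("ascii")
        i += alen
    return found


def peap_accept_attributes():
    """The two VSAs this post's policy returns: the peapauth interface (VLAN 20) at Silver QoS (0)."""
    return encode_vsa("Airespace-Interface-Name", "peapauth") + encode_vsa("Airespace-QOS-Level", 0)
```

A mistyped vendor code or VSA number simply makes the WLC ignore the attribute, which is why a user lands on the WLAN’s default interface instead of VLAN 20; the decoder shows that same silent skip for an unknown vendor.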

Step 23.

After adding all your VSAs, they should appear in the window above. Click the “OK” button.

Step 24.

Back on the “Edit Dial-in Profile” window, choose the “Authentication” tab and uncheck all boxes on this tab. Click the “EAP Methods” button, and on the “Select EAP Providers” window click the “Add…” button. On the “Add EAP” window highlight “Protected EAP (PEAP)” and click the “OK” button.

Step 25.

When you return to the “Select EAP Providers” window, highlight “Protected EAP (PEAP)” and click the “Edit…” button. When the “Protected EAP Properties” window opens, check the “Enable Fast Reconnect” box and then click the “OK” button.

And that is it for the servers, but of course the backend would not exist were it not for the users connecting on the front end, which leads us to the configuration of the client.

PEAP configuration on the client will be focused on the basic “Wireless Zero Configuration” setup in Windows. If you are running a third-party supplicant, match up these options as best you can.

Step 26. Wireless Client Configuration

Get to your wireless network adapter and right-click it to open its properties. Click on the “Wireless Networks” tab and select the appropriate wireless network. Change its settings to reflect the following configuration. On the “Association” tab choose WPA and AES for “Network Authentication:” and “Data encryption:” respectively.

Step 27.

On the “Authentication” tab make sure both checkboxes are clear, then in the “EAP type:” dropdown choose “Protected EAP (PEAP)” and click the “Properties” button.

Step 28.

On the “Protected EAP Properties” window, uncheck the “Validate server certificate” checkbox and check the “Enable Fast Reconnect” checkbox. Click the “Configure…” button to open the “EAP MSCHAPv2 Properties” window and ensure “Automatically use my Windows logon name and password (and domain if any).” is checked. Keep in mind that with server certificate validation off, the client will complete PEAP with any RADIUS server behind any access point advertising this SSID, so once your clients trust the certificate on the IAS server, turn validation back on.

To troubleshoot any issues, begin with the Event Viewer on the IAS server. I would normally run into issues revolving around mistyped VSAs, bad Windows groups, or faulty client configurations. The IAS events will normally spell out the issue if it is authentication related, and at the very least get you on the right track. This sums up Part 2.


~ by lavazzza on May 29, 2010.
