Radius & PAP (Aironet -> AD)

I'm testing out setting up RADIUS from our Aironets that use Active Directory for authentication; however, it seems the only supported authentication (unless you get Cisco Secure Access Control Server) is PAP.

This makes me sort of wary as PAP is plain text, but I'm not sure as to the risk in this case. In a situation like dial-in VPN obviously sending the plaintext password is easily discoverable, but is the connection already secured by the time the password is transmitted over a wireless link? I.e., you wouldn't be sending the plaintext password over the wireless link?
 
Are these lightweight or autonomous?
We run EAP with WPA2-PSK using certificates pushed via group policy and it works great.
We authenticate via RADIUS.
 
Autonomous. We have it running with certificates now, but the problem is iPads and other devices that we can't push certs to through GP.
 
I'm still kind of light on the whole RADIUS thing, but I do use RADIUS for my home network wifi connections using the NPS service to provide authentication, and I don't have PAP enabled at all and iPhones work just fine. This is on DD-WRT devices. The phones do give a confirmation whenever you connect up to them for the unknown cert, but if you load up your root CA cert to the phone then that message goes away (so do email-related messages for connecting to custom signed Exchange servers). The only "less secure authentication methods" I use are MS-CHAP v1 and v2.
 

PEAP works fine on almost everything I have tried; it's EAP-TLS that is a nightmare for anything that isn't a Windows device. We had a hell of a time getting MacBooks to work with it back when Leopard came out... it may be different now, but honestly I couldn't care less since I've written them off for enterprise since then for many additional reasons.
 
Like I said, I'm light on RADIUS, and I pretty much just use it around the house because I think that being able to load a cert on a computer or iPhone and run an encrypted wifi connection without having to use a shared password, or using Windows login/password instead of a shared password, is neat. I think being able to use my Windows login for a small business router I have is also neat. So while my experience is limited, the OP's complaint was that he was having to use PAP for authentication for iOS devices with his setup, and I know I can use CHAP with mine since PAP is disabled, so I'm wondering if the problem is with his RADIUS configuration more than the AP configuration/choice. I may not know much about RADIUS, but I know that with iPhones you don't have to use PAP because mine work perfectly without it.
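
On the thread's question of how exposed a PAP password is inside RADIUS: the sketch below is an added example, not code from any poster, of how the User-Password attribute is hidden between the access point and the RADIUS server as specified in RFC 2865 section 5.2. The shared secret, Request Authenticator and passwords are constructed sample values.

```python
import hashlib

def hide_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Build the User-Password attribute value (RFC 2865, section 5.2).

    The password is null-padded to a multiple of 16 octets, then each
    16-octet block is XORed with MD5(secret + previous ciphertext block);
    the first block uses the 16-octet Request Authenticator instead.
    """
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        hidden += block
        prev = block  # chaining: the next mask depends on this ciphertext block
    return hidden

def recover_user_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """What the RADIUS server does on receipt: undo the masking with the
    shared secret, then strip the null padding (a password that itself
    ends in null octets would be truncated by this step)."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if len(hidden) % 16 or not 16 <= len(hidden) <= 128:
        raise ValueError("hidden value must be 16..128 octets, multiple of 16")
    clear, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        clear += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")

if __name__ == "__main__":
    secret = b"constructed-shared-secret"   # constructed sample value
    request_auth = bytes(range(16))         # constructed; random per request in practice
    wire = hide_user_password(b"hunter2", secret, request_auth)
    print("on the wire:", wire.hex())
    print("server sees:", recover_user_password(wire, secret, request_auth))
```

This masking covers only the hop between the access point and the RADIUS server, and it is reversible by anyone who holds the shared secret, so the secret's length and randomness are what protect a PAP password on that hop.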
 