This document describes how to configure secure wireless access using
Wireless LAN controllers, Microsoft Windows 2003 software and Cisco Secure
Access Control Server (ACS) 4.0 via Protected Extensible Authentication
Protocol (PEAP) with Microsoft Challenge Handshake Authentication Protocol
(MS-CHAP) version 2.
This document assumes that the installer has knowledge of basic
Windows 2003 installation and Cisco controller installation, as this document
only covers the specific configurations needed to facilitate the tests.
Before you begin, install the Microsoft Windows Server 2003 with SP1
operating system on each of the servers in the test lab and update all Service
Packs. Install the controllers and lightweight access points (LAPs) and ensure
that the latest software updates are configured.
Important: At the time of this writing, SP1 is the
latest Microsoft Windows Server 2003 update, and SP2 with update patches is the
latest software for Microsoft Windows XP Professional.
Windows Server 2003 with SP1, Enterprise Edition, is used so that
autoenrollment of user and workstation certificates for PEAP authentication can
be configured. Certificate autoenrollment and autorenewal make it easier to
deploy certificates and improve security by automatically expiring and renewing
The primary purpose of this document is to provide you with the step-by-step
procedure to implement PEAP under Unified Wireless Networks with ACS 4.0
and the Windows 2003 Enterprise server. The main emphasis is on auto-enrollment
of the client so that the client auto-enrolls and takes the certificate from
The information in this document was created from the devices in a
specific lab environment. All of the devices used in this document started with
a cleared (default) configuration. If your network is live, make sure that you
understand the potential impact of any command.
Open the Active Directory Domains and Trusts
snap-in from the Administrative Tools folder (Start
> Programs > Administrative Tools > Active Directory Domains
and Trusts), and then right-click the domain computer
Click Raise Domain Functional Level, and then
select Windows Server 2003 on the Raise Domain Functional
Install Dynamic Host Configuration Protocol (DHCP)
as a Networking Service component by using Add or
Remove Programs in the Control Panel.
Open the DHCP snap-in from the
Administrative Tools folder (Start > Programs >
Administrative Tools > DHCP), and then highlight the DHCP server,
Click Action, and then click
Authorize in order to authorize the DHCP service.
In the console tree, right-click
DC_CA.wirelessdemo.local, and then click New
On the Welcome page of the New Scope wizard, click
On the Scope Name page, type CorpNet in the Name
Click Next and fill in these parameters:
Start IP address—172.16.100.1
End IP address—172.16.100.254
Click Next and enter 172.16.100.1
for the Start IP address and 172.16.100.100 for the End IP
address to be excluded. Then click Next. This reserves the IP
addresses in the range from 172.16.100.1 to 172.16.100.100. These reserved IP
addresses are not allotted by the DHCP server.
On the Lease Duration page, click Next.
On the Configure DHCP Options page, choose Yes, I want to
configure these options now and click Next.
On the Router (Default Gateway) page add the default router address
of 172.16.100.1 and click Next.
On the Domain Name and DNS Servers page, type
wirelessdemo.local in the Parent domain field, type
172.16.100.26 in the IP address field, and then click
Add and click Next.
On the WINS Servers page, click Next.
On the Activate Scope page, choose Yes, I want to activate
this scope now and click Next.
When you finish with the New Scope Wizard page, click
Note: IIS must be installed before you install Certificate Services and the
user should be part of the Enterprise Admin OU.
In Control Panel, open Add or Remove Programs, and
then click Add/Remove Windows Components.
In the Windows Components Wizard page, choose Certificate
Services, and then click Next.
On the CA Type page, choose Enterprise root CA and
In the CA Identifying Information page, type
wirelessdemoca in the Common name for this CA box. You can
also enter the other optional details. Then click Next and
accept the defaults on the Certificate Database Settings page.
Click Next. Upon completion of the installation,
Click OK after you read the warning message about
In the Active Directory Users and Computers console tree, click the
Computers folder and right-click on the computer for which you
want to assign wireless access. This example shows the procedure with computer
Client which you added in Step 7. Click
Properties, and then go to the Dial-in tab.
In the details pane of Active Directory Users and Computers,
double-click on the group WirelessUsers.
Go to the Members tab and click Add.
In the Select Users, Contacts, Computers, or Groups dialog box,
type the name of the users that you want to add to the group. This example
shows how to add the user wirelessuser to the group. Click
In the Multiple Names Found dialog box, click OK.
The WirelessUser user account is added to the WirelessUsers group.
Click OK in order to save changes to the
Repeat this procedure to add more users to the
Cisco Secure ACS is a computer that runs Windows Server 2003 with SP1,
Standard Edition, that provides RADIUS authentication and authorization for the
controller. Complete the procedures in this section in order to configure ACS
as a RADIUS server:
Use a Domain Administrator account in order to log in to the
computer named ACS to install Cisco Secure ACS.
Note: Only installations performed at the computer where you install
Cisco Secure ACS are supported. Remote installations performed using Windows
Terminal Services or products such as Virtual Network Computing (VNC) are not
tested, and are not supported.
Insert the Cisco Secure ACS CD into a CD-ROM drive on the computer.
If the CD-ROM drive supports the Windows autorun feature, the Cisco
Secure ACS for Windows Server dialog box appears.
Note: If the computer does not have a required service pack installed,
a dialog box appears. Windows service packs can be applied either before or
after you install Cisco Secure ACS. You can continue with the installation, but
the required service pack must be applied after the installation is complete.
Otherwise, Cisco Secure ACS might not function reliably.
Perform one of these tasks:
If the Cisco Secure ACS for Windows Server dialog box appears,
If the Cisco Secure ACS for Windows Server dialog box does not
appear, run setup.exe, located in the root directory of the
Cisco Secure ACS CD.
The Cisco Secure ACS Setup dialog box displays the software license
Read the software license agreement. If you accept the software
license agreement, click Accept.
The Welcome dialog box displays basic information about the setup
After you have read the information in the Welcome dialog box,
The Before You Begin dialog box lists items that you must complete
before you continue with the installation. If you have completed all items
listed in the Before You Begin dialog box, check the corresponding box for each
item and click Next.
Note: If you have not completed all items listed in the Before You
Begin dialog box, click Cancel and then click Exit
Setup. After you complete all items listed in the Before You Begin
dialog box, restart the installation.
The Choose Destination Location dialog box appears. Under
Destination Folder, the installation location appears. This is the drive and
path where the setup program installs Cisco Secure ACS.
If you want to change the installation location, complete these
Click Browse. The Choose Folder dialog box
appears. The Path box contains the installation location.
Change the installation location. You can either type the new
location in the Path box or use the Drives and Directories lists to select a
new drive and directory. The installation location must be on a drive local to
Note: Do not specify a path that contains a percent character, "%".
If you do so, the installation might appear to continue properly but fails
before it completes.
Note: If you specified a folder that does not exist, the setup
program displays a dialog box to confirm the creation of the folder. In order
to continue, click Yes.
In the Choose Destination Location dialog box, the new installation
location appears under Destination Folder.
The Authentication Database Configuration dialog box lists options
for authenticating users. You can authenticate with the Cisco Secure user
database only, or also with a Windows user database.
Note: After you install Cisco Secure ACS, you can configure
authentication support for all external user database types in addition to
Windows user databases.
If you want to authenticate users with the Cisco Secure user
database only, choose the Check the Cisco Secure ACS database
If you want to authenticate users with a Windows Security Access
Manager (SAM) user database or Active Directory user database in addition to
the Cisco Secure user database, complete these steps:
Choose the Also check the Windows User Database
The Yes, refer to "Grant dialin permission to user"
setting check-box becomes available.
Note: The Yes, refer to "Grant dialin permission to user" setting
check-box applies to all forms of access controlled by Cisco Secure ACS, not
just dial-in access. For example, a user who accesses the network through a VPN
tunnel does not dial into a network access server. However, if the Yes,
refer to "Grant dialin permission to user" setting box is checked,
Cisco Secure ACS applies the Windows user dial-in permissions in order to
determine whether to grant the user access to the network.
If you want to allow access to users who are authenticated by a
Windows domain user database only when they have dial-in permission in their
Windows account, check the Yes, refer to "Grant dialin permission to
user" setting box.
The setup program installs Cisco Secure ACS and updates the Windows
Note: The listed features appear in the Cisco Secure ACS HTML interface
only if you enable them. After installation, you can enable or disable them on
the Advanced Options page in the Interface Configuration section.
For each feature you want to enable, check the corresponding box.
The Active Service Monitoring dialog box appears.
Note: After installation, you can configure active service monitoring
features on the Active Service Management page in the System Configuration
If you want Cisco Secure ACS to monitor user authentication
services, check the Enable Login Monitoring box. From the
Script to Execute list, choose the option you want applied in the event of
authentication service failure:
No Remedial Action—Cisco Secure ACS does not run
Note: This option is useful if you enable event mail notifications.
Reboot—Cisco Secure ACS runs a script that
reboots the computer that runs Cisco Secure ACS.
Restart All—Cisco Secure ACS restarts all Cisco
Secure ACS services.
Restart RADIUS/TACACS+—Cisco Secure ACS restarts
only the RADIUS and TACACS+ services.
If you want Cisco Secure ACS to send an e-mail message when service
monitoring detects an event, check the Mail Notification box.
The Database Encryption Password dialog box appears.
Note: The Database Encryption Password is encrypted and stored in the
ACS registry. You might need to reuse this password when critical problems
arise and the database needs to be accessed manually. Keep this password at
hand so that Technical Support can gain access to the database. The password
can be changed each expiration period.
Enter a password for database encryption. The password must be
at least eight characters long and must contain both letters and digits.
There are no invalid characters.
The setup program finishes and the Cisco Secure ACS Service
Initiation dialog box appears.
For each Cisco Secure ACS Services Initiation option you want,
check the corresponding box. The actions associated with the options occur
after the setup program finishes.
Yes, I want to start the Cisco Secure ACS Service
now—Starts the Windows services that compose Cisco Secure ACS. If you
do not select this option, the Cisco Secure ACS HTML interface is not available
unless you reboot the computer or start the CSAdmin service.
Yes, I want Setup to launch the Cisco Secure ACS
Administrator from my browser following installation—Opens the Cisco
Secure ACS HTML interface in the default web browser for the current Windows
Yes, I want to view the Readme File—Opens the
README.TXT file in Windows Notepad.
If you selected an option, the Cisco Secure ACS services start. The
Setup Complete dialog box displays information about the Cisco Secure ACS HTML
Note: The rest of the configuration is documented under the section for
the EAP type that is configured.
Note: The assumption is that the controller has basic connectivity to the
network and IP reachability to the management interface is successful.
Browse to https://172.16.101.252 in order to log in
to the controller.
Login with the default user admin and default
Create a new Interface for VLAN mapping under
In the Interface name field type Employee. (This
field can be any value you like.)
In the VLAN ID field type 20. (This field can be
any VLAN that is carried in the network.)
Configure the information as this Interfaces > Edit window
Click the WLANs tab.
Choose Create New and click
Enter a Profile Name and in the WLAN SSID field type
Choose an ID for the WLAN and click
Configure the information for this WLAN when the WLANs > Edit
Note: WPAv2 is the chosen Layer 2 encryption method for this lab. In
order to allow WPA with TKIP-MIC clients to associate to this SSID, you can
also check the WPA compatibility mode and Allow WPA2
TKIP Clients boxes for those clients that do not support the 802.11i
AES encryption method.
On the WLANs > Edit screen, click the General
Ensure that the Status box is checked for Enabled
and the appropriate Interface (employee) is chosen. Also, make
sure to check the Enabled check box for Broadcast SSID.
Click the Security tab.
Under the Layer 2 sub-menu check WPA +
WPA2 for Layer 2 Security. For WPA2 encryption check AES +
TKIP in order to allow TKIP clients.
Choose 802.1x as the authentication method.
Skip the Layer 3 sub-menu as it is not required. Once the RADIUS
server is configured the appropriate server can be chosen from the
The QoS and Advanced tabs can be
left at default unless any special configurations are
Click the Security menu to add the RADIUS
Under the RADIUS sub-menu click
Authentication. Then, click
Add the RADIUS server IP address (172.16.100.25) which is the ACS
server configured earlier.
Ensure that the shared key matches the AAA client configured in the
ACS server. Ensure that the Network User box is checked and click
The basic configuration is now complete and you can begin to test
PEAP with MS-CHAP version 2 requires certificates on the ACS servers
but not on the wireless clients. Autoenrollment of computer certificates for
the ACS servers can be used to simplify a deployment.
In order to configure DC_CA to provide autoenrollment for computer and
user certificates, complete the procedures in this section.
Note: Microsoft has changed the Web Server template with the release of the
Windows 2003 Enterprise CA so that keys are no longer exportable and the option
is greyed out. No other certificate template supplied with Certificate
Services is intended for server authentication and allows keys to be marked as
exportable, so none is available in the drop-down and you have to create a new
template that does so.
Note: Windows 2000 allows for exportable keys and these procedures do not
need to be followed if you use Windows 2000.
In the Details pane of the Certificate Templates snap-in, click the
Web Server template.
On the Action menu, click Duplicate Template.
In the Template display name field, type
Go to the Request Handling tab and check Allow private key
to be exported. Also ensure that Signature and
Encryption is selected from the Purpose drop-down menu.
Choose Requests must use one of the following CSPs
and check Microsoft Base Cryptographic Provider v1.0. Uncheck
any other CSPs that are checked and then click OK.
Go to the Subject Name tab, choose Supply in the
request and click OK.
Go to the Security tab, highlight the Domain Admins
Group and ensure that the Enroll option is checked
Important: If you choose to build from this Active
Directory information, check only the User principal name (UPN) box
and uncheck the Include email name in subject name and E-mail
name boxes, because an e-mail name was not entered for the Wireless User account
in the Active Directory Users and Computers snap-in. If you do not disable these
two options, autoenrollment attempts to use e-mail, which results in an
If needed, additional security measures can be applied to prevent
certificates from being pushed out automatically. These can be found under the
Issuance Requirements tab. They are not discussed further in this document.
Click OK to save the template and move onto
issuing this template from the Certificate Authority snap-in.
Important: The ACS server must obtain a server
certificate from the enterprise root CA server in order to authenticate a WLAN
Important: Ensure that the IIS Manager is not open
during the certificate setup process as it causes problems with cached
Log into the ACS server with an account that has Enterprise Admin
On the local ACS machine, point the browser at the Microsoft
certification authority server at
http://IP-address-of-Root-CA/certsrv. In this case, the IP
address is 172.16.100.26.
Log in as the Administrator.
Choose Request a Certificate and click
Choose Advanced Request and click
Choose Create and submit a request to this CA and
Important: This step is needed because Windows 2003
does not allow exportable keys, so you need to generate a certificate
request based on the ACS certificate template that you created earlier, which
does.
From the Certificate Templates select the certificate template
created earlier named ACS. The options change after you select
Configure the Name to be the fully qualified
domain name of the ACS server. In this case the ACS server name is
cisco_w2003.wirelessdemo.local. Ensure that Store certificate in the
local computer certificate store is checked and click
A pop up window appears warning about a potential scripting
violation. Choose Yes.
Click Install this certificate.
A pop up window appears again and warns about a potential scripting
violation. Choose Yes.
After you click Yes, the certificate is installed.
At this point, the certificate is installed in the Certificates MMC
under Personal > Certificates.
Now that the certificate is installed to the local computer (ACS or
cisco_w2003 in this example), you need to generate a certificate file (.cer)
for the ACS 4.0 certificate file configuration.
On the ACS server (cisco_w2003 in this example), point the browser
at the Microsoft Certification Authority server to http://172.16.100.26
In our example, CLIENT is a computer that runs Windows XP Professional
with SP that acts as a wireless client and obtains access to Intranet resources
through the wireless AP. Complete the procedures in this section in order to
configure CLIENT as a wireless client.
Disconnect the CLIENT computer from the Intranet network segment.
Restart the CLIENT computer, and then log on using the local
Install the wireless network adapter.
Important: Do not install the manufacturer's
configuration software for the wireless adapter. Install the wireless network
adapter drivers using the Add Hardware Wizard. Also, when prompted, provide the
CD provided by the manufacturer or a disk with updated drivers for use with
Windows XP Professional with SP2.
Log off and then log on by using the WirelessUser account in the
Choose Start > Control Panel, double-click
Network Connections, and then right-click Wireless
Click Properties, go to the Wireless Networks tab,
and ensure that the Use Windows to configure my wireless network
settings is checked.
Under the Association tab, type Employee in the
Network name (SSID) field.
Select WPA for the Network Authentication and
ensure that Data Encryption is set to TKIP.
Go to the Authentication tab.
Validate that EAP type is configured to use Protected EAP
(PEAP). If it is not, select it from the drop-down menu.
If you want the machine to be authenticated prior to login (which
allows login scripts or group policy pushes to be applied) check
Authenticate as computer when computer information is
Because PEAP involves authentication of the server by the client, ensure that
Validate server certificate is checked. Also, make sure the CA that issued the
ACS certificate is checked under the Trusted Root Certification
Choose Secured password (EAP-MSCHAP v2) under
Authentication Method as it is used for inner
Make sure the Enable Fast Reconnect check box is checked. Then,
click OK three times.
Right-click the wireless network connection icon in systray and
then click View Available Wireless Networks.
Click the Employee wireless network and click
These screen shots indicate if the connection completes
After authentication is successful, check the TCP/IP configuration
for the wireless adapter by using Network Connections. It should have an
address range of 172.16.100.100-172.16.100.254 from the DHCP scope or the scope
created for the wireless clients.
In order to test functionality, open up a browser and browse to
http://wirelessdemoca (or the IP address of the Enterprise CA
When your client fails PEAP authentication with an ACS server, check if
you find the "NAS duplicated authentication attempt" error
message in the Failed attempts option under the Report
and Activity menu of the ACS.
You might receive this error message when Microsoft Windows XP SP2 is
installed on the client machine and Windows XP SP2 authenticates against a
third-party server other than a Microsoft IAS server. In particular, the Cisco
RADIUS server (ACS) uses a different method to calculate the Extensible
Authentication Protocol Type:Length:Value format (EAP-TLV) ID than the method
Windows XP uses. Microsoft has identified this as a defect in the XP SP2
For a Hotfix, contact Microsoft and refer to article
The underlying issue is that on the client side, with the Windows
utility, the Fast Reconnect option is disabled for
PEAP by default. However, this option is enabled by default on the server side
(ACS). In order to resolve this issue, uncheck the Fast
Reconnect option on the ACS server and click
Submit + Restart. Alternatively, you can enable the Fast
Reconnect option on the client side to resolve the issue.
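As an added example that is not part of the original document, this Python snippet scans constructed ACS Failed Attempts export lines for repeated "NAS duplicated authentication attempt" failures per client, the pattern that points at the Fast Reconnect mismatch described above rather than a bad password. The column names, the sample rows and the "CS password invalid" comparison row are assumptions modelled on the ACS report layout; adjust HEADER to match a real export.

```python
import csv
from collections import Counter
from io import StringIO

# Constructed sample of an ACS 4.0 Failed Attempts export. The column set is an
# assumption modelled on the ACS report layout and only keeps the fields the
# check needs; edit HEADER to match a real export before use.
HEADER = ("Date,Time,Message-Type,User-Name,Group-Name,Caller-ID,"
          "Authen-Failure-Code,NAS-IP-Address,EAP Type Name")
SAMPLE_EXPORT = "\n".join([
    HEADER,
    "03/14/2006,09:01:12,Authen failed,wirelessuser,WirelessUsers,"
    "00-11-22-33-44-55,NAS duplicated authentication attempt,172.16.101.252,PEAP",
    "03/14/2006,09:01:14,Authen failed,wirelessuser,WirelessUsers,"
    "00-11-22-33-44-55,NAS duplicated authentication attempt,172.16.101.252,PEAP",
    "03/14/2006,09:01:16,Authen failed,wirelessuser,WirelessUsers,"
    "00-11-22-33-44-55,NAS duplicated authentication attempt,172.16.101.252,PEAP",
    # A plain wrong-password failure (constructed) that must not be flagged.
    "03/14/2006,09:05:40,Authen failed,jdoe,WirelessUsers,"
    "00-aa-bb-cc-dd-ee,CS password invalid,172.16.101.252,PEAP",
    # A single machine-account hit: below the repeat threshold by default.
    "03/14/2006,09:07:02,Authen failed,host/client.wirelessdemo.local,WirelessUsers,"
    "00-aa-bb-cc-dd-ef,NAS duplicated authentication attempt,172.16.101.252,PEAP",
])

# The failure code quoted in the troubleshooting text above.
DUPLICATE_CODE = "NAS duplicated authentication attempt"


def parse_failed_attempts(export_text):
    """Parse a Failed Attempts CSV export into a list of row dicts."""
    return list(csv.DictReader(StringIO(export_text)))


def duplicate_attempt_counts(rows):
    """Count duplicate-attempt failures per client MAC (Caller-ID),
    considering PEAP sessions only."""
    counts = Counter()
    for row in rows:
        if (row["Authen-Failure-Code"].strip() == DUPLICATE_CODE
                and row["EAP Type Name"].strip().upper() == "PEAP"):
            counts[row["Caller-ID"].strip().lower()] += 1
    return counts


def suspected_fast_reconnect_mismatch(rows, min_repeats=2):
    """Return the client MACs that hit the duplicate-attempt failure at least
    min_repeats times. Repeated hits from the same client, rather than a
    one-off, are what point at the Fast Reconnect setting mismatch between
    the Windows XP SP2 supplicant and ACS."""
    counts = duplicate_attempt_counts(rows)
    return sorted(mac for mac, n in counts.items() if n >= min_repeats)


if __name__ == "__main__":
    for mac in suspected_fast_reconnect_mismatch(parse_failed_attempts(SAMPLE_EXPORT)):
        print(f"{mac}: check the Fast Reconnect setting on the client and on ACS")
```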
Complete these steps in order to enable Fast Reconnect on the client
that runs Windows XP using the Windows utility:
Click Start > Settings > Control
Double click the Network Connections
Right click the Wireless Network Connection icon
and click Properties.
Click the Wireless Networks
Check the Use Windows to configure my wireless network
settings option to enable Windows to configure the client
If you have already configured an SSID, choose the SSID and click
Properties. If not, click New to add a
Enter the SSID under the Association tab. Make
sure that Network Authentication is Open
and Data Encryption is set to
Check the Enable IEEE 802.1x authentication for this
Choose the EAP Type as PEAP
and click Properties.
Check the Enable Fast Reconnect option at the
bottom of the page.