Implementing 802.1x on Wireless Networks with Cisco and Microsoft
Access Point Setup
These instructions assume that your access point is already set up to function normally, i.e., you've set the proper SSID and the channel on which the access point will operate, and you've taken the proper steps to secure the access point itself from compromise. Documentation on the Cisco Access Points can be found here. These instructions use the web management interface, although identical configuration options are available from the terminal connection. It's important that you're running at least firmware 11.08T; as of this writing, the latest version, 11.10T, is best.
Step 1 - Set RADIUS Server
From the home start screen, select Setup.
Select Security from under Services.
Select Authentication Server.
Under Server Name/IP, enter the IP address of the authentication server you've already set up with the Internet Authentication Service.
Make sure that Draft 10 (the latest at the time of this writing) is selected as the 802.1X Protocol Version.
Set Server Type to RADIUS and the port to 1812, and enter the shared secret that you set in step 5 of the server setup. Timeout can probably remain at the default 20 seconds. Ensure EAP Authentication is selected.
Select OK.
Step 2 - Enable 802.1x EAP Authentication
Go back to the Security screen. Select Radio Data Encryption (WEP).
Deselect all authentication types except for the Open options of Accept Authentication Type and Require EAP.
Select OK.
Step 3 - Enable Encryption (Optional - see note on Using Dynamically Keyed WEP with Windows XP and Cisco APs)
The only way to ensure strong mutual authentication between Windows XP and the access point is to enable dynamic WEP; without it, your machines are vulnerable to a man-in-the-middle attack. 802.1x port access authentication isn't enough by itself.
Go back to the Radio Data Encryption (WEP) page.
Enter the encryption key, and select the appropriate key size.
Click OK.
Go to the Radio Data Encryption page once again.
Select Full Encryption from the Use of Data Encryption by Stations drop box.
Click OK.
This how-to is still under development; comments, questions, problems and feedback are welcomed at mvanopst@cs.umd.edu
Last updated January 30th, 2002 by Mike van Opstal