
Thread: Wireless Authentication LEAP or MS-CHAPV2

  1. #1
    Senior Member
    Join Date
    Dec 2004
    Posts
    140

    Wireless Authentication LEAP or MS-CHAPV2

    I worked for a small educational environment (college). We have got an Aironet AP 1230. What would be the recommended authentication for such an environment? Does LEAP do the job, or MS-CHAPV2, or something else?

    Thanks

  2. #2
    Well, I'm no expert on the subject; however, MS-CHAPv2, we know, is an insecure protocol, and LEAP is crackable too, not to mention there is only a short list of cards that support it. I would suggest PEAP and using certs. This allows you to keep it open but hold users accountable to the system. You also have to decide if you wish to protect clients from other clients. If that is the case, I'd block everything except ports 80 and 443. This allows all web traffic, and if the user is smart they can still run most IM clients. Just do it over port 80. PEAP will allow your users to use what wifi cards they already have as well. Here is a short article about it, and I'm sure Google has more on the subject. http://www.microsoft.com/technet/sec...tc/peap_1.mspx

    Just my two cents, hope this helps.
    ...."Cant stop the signal Mel, Every thing goes some where and i go every where."...... "From here to the eyes and the ears of the verse, thats my motto or might be if i start having a motto" - Mr. Universe "Serenity"

  3. #3
    Junior Member
    Join Date
    Apr 2005
    Posts
    1
    We're using MS-CHAPv2 with PEAP (with WPA encryption) so that the user's AD credentials combined with the user certificate will log them in over the wireless with full access to their network shares and exchange.
    If you don't believe in God why do you pray before restoring your back-ups?

  4. #4
    Member aciscorouter's Avatar
    Join Date
    Mar 2002
    Location
    Brampton, ON, Canada
    Posts
    35
    We have layer 2, 802.1x encapsulating MS-CHAPv2 in a Protected EAP session (PEAP) to a Microsoft IAS (RADIUS) server which in turn provides Active Directory challenge response to both user and hardware authentication. We have WPA-TKIP configured to re-key using 802.1x every 900 seconds.

    We have a server certificate instead of individual client certificates.

    Cheers,
    aCISCOrouter

    "I used up all my sick days, so I’m calling in dead."
    http://www.facebook.com/profile.php?id=554370423

  5. #5
    Senior Member
    Join Date
    Dec 2004
    Posts
    140
    Thanks for sharing
