Configuring Cisco Secure ACS for Windows PEAP-MS-CHAPv2 - [Part 1]

Posted by Ahsan Tasneem | 5:00 AM | , , , , , | 2 comments »

 I was working on improving and managing (logging) the security of my wireless network and for this purpose I was searching for steelbelted RADIUS which used to be a freeware, but recently I found that Juniper bought it and its no more freeware now. Therefore I started looking for an alternative and I found one that is Cisco ACS. My plan was to place RADIUS behind the wireless routers placed in my office and authenticate the users trying to connect to Wifi through RADIUS server preventing the unauthorized users access and also generate their logs. Below article helped me in the process I have also specified the changes done by me to make things work. The procedure mentioned below is for the workgroup environment not for the Domain environment.

Do let me know if you face any problem I'll be posting more on this soon keep following @ahsantasneem


Both PEAP and EAP-TLS build and use a TLS/Secure Socket Layer (SSL) tunnel. PEAP uses only server-side authentication; only the server has a certificate and proves its identity to the client. EAP-TLS, however, uses mutual authentication in which both the ACS (authentication, authorization, and accounting [AAA]) server and clients have certificates and prove their identities to each other.
PEAP is convenient because clients do not require certificates. EAP-TLS is useful for authenticating headless devices, because certificates require no user interaction.

Network Diagram

This document uses the network setup shown in the diagram below.

Obtain a Certificate for the ACS Server (Self-Signed Certificate)

The Self signed certificate will be valid for 1 year.

  1. Click System Configuration.
  2. Click ACS Certificate Setup.
  3. Click Install ACS Certificate.
  4. Choose Read certificate file and type the location of the cert in my case it was c:\xxxx.cer

  5. Click Submit.
  6. Click System Configuration.
  7. Click Service Control and then click Restart.
  8. Click System Configuration.
  9. Click Global Authentication Setup.
  10. Check Allow EAP-MSCHAPV2 and Allow EAP-GTC.
  11. Click Submit + Restart.
  12. Click System Configuration.
Follow these steps to restart the service and configure PEAP settings.
  1. Click System Configuration, and then click Service Control.
  2. Click Restart to restart the service.
  3. To configure PEAP settings, click System Configuration, and then click Global Authentication Setup.
  4. Check the two settings shown below, and leave all other settings as default. If you wish, you can specify additional settings, such as Enable Fast Reconnect. When you are finished, click Submit.
    • Allow EAP-MSCHAPv2
    • Allow MS-CHAP Version 2 Authentication
    Note: For more information on Fast Connect, refer to "Authentication Configuration Options" in System Configuration: Authentication and Certificates.

Specify and Configure the Access Point as an AAA Client

Follow these steps to configure the access point (AP) as an AAA client.
  1. Click Network Configuration. Under AAA Clients, click Add Entry.
  2. Enter the AP's hostname in the AAA Client Hostname field and its IP address in the AAA Client IP Address field. Enter a shared secret key for the ACS and the AP in the Key field. Select RADIUS (Cisco Aironet) as the authentication method. When you are finished, click Submit.

Configure the Linksys Wireless Router

And thats it, your Linksys wireless router is configured now with you Cisco ACS RADIUS server.

Related Articles
Configuring Cisco Secure ACS for Windows PEAP-MS-CHAPv2 - [Part 2]


  1. Anonymous // July 6, 2012 at 1:30 AM  

    Nicely explained. Looks like everything is covered in part 1.
    Is that why there is no part 2 anymore?
    And, now that your AP is configured this way, does it allow only .1x clients? Cant this configuration be done via CLI ?
    I hope you can answer.

  2. Ahsan Tasneem // July 6, 2012 at 5:57 AM  

    @Anonymous, thanks for posting your feedback. The link to Part 2 was done have just fixed it you can check it now here
    Everything related to ACS server is covered in part 1, while part 2 contains the configuration of the client machines.
    No CLI configuration is required in this scenario.

Related Posts Plugin for WordPress, Blogger...