https://community.cisco.com/t5/network-access-control/lost-in-the-eap-authentication-jungle/m-p/2138663#M156607 <P>Hi,</P><P></P><P>I am trying to set up device (laptops/desktop XP and Vista, iPhone, tablet) and user authentication. Mostly to diferentiate corp and private devices. So far I have successfully been able to authenticate wireless users that is in a AD group, using ISE as RADIUS (PEAP MSchapV2). Now I have to figure out a way to authenticate/authorize devices. </P><P>One option is to see if the device is part of an AD group, but this is only suitable for computers, not phones/tablets.</P><P>All corp devices has got a root cert from our CA, is this being used during the PEAP process and can we authenticate devices with this cert?</P><P></P><P>If not, is the only options to implement machine cert? The problem I see there is how to use certificate for device and PEAP for user, since I can't find an option in Vista to send both machine cert and AD username/pwd.</P><P></P><P></P><P>Regards</P><P>Philip</P> Mon, 11 Mar 2019 02:52:57 GMT Philip Vilhelmsson 2019-03-11T02:52:57Z https://community.cisco.com/t5/network-access-control/lost-in-the-eap-authentication-jungle/m-p/2138663#M156607 <P>Hi,</P><P></P><P>I am trying to set up device (laptops/desktop XP and Vista, iPhone, tablet) and user authentication. Mostly to diferentiate corp and private devices. So far I have successfully been able to authenticate wireless users that is in a AD group, using ISE as RADIUS (PEAP MSchapV2). Now I have to figure out a way to authenticate/authorize devices. </P><P>One option is to see if the device is part of an AD group, but this is only suitable for computers, not phones/tablets.</P><P>All corp devices has got a root cert from our CA, is this being used during the PEAP process and can we authenticate devices with this cert?</P><P></P><P>If not, is the only options to implement machine cert? The problem I see there is how to use certificate for device and PEAP for user, since I can't find an option in Vista to send both machine cert and AD username/pwd.</P><P></P><P></P><P>Regards</P><P>Philip</P> Mon, 11 Mar 2019 02:52:57 GMT https://community.cisco.com/t5/network-access-control/lost-in-the-eap-authentication-jungle/m-p/2138663#M156607 Philip Vilhelmsson 2019-03-11T02:52:57Z https://community.cisco.com/t5/network-access-control/lost-in-the-eap-authentication-jungle/m-p/2138664#M156631 <HTML><HEAD></HEAD><BODY><P>Hello Philip-</P><P></P><P>The root certificate that you are using in PEAP is optional and it is only used to encrypt the inner method of the authentication which in your scenario is MS-CHAPv2. Thus, that certificate cannot be used to perform machine authentication. </P><P></P><P>To perform machine authentication you should perhaps look into using EAP-TLS. For this though you will need some sort of a PKI can issue and sign digital certificates. Microsoft servers have that feature and it the most common out there. </P><P></P><P>On the other hand, if you don't want to use certificates then you can use the <STRONG>profiling </STRONG>feature of ISE. With profiling you can use the built in and create your own/custom rules to profile different devices and authorize them on the network.</P><P></P><P>Hope this helps!</P><P></P><P><EM>Thank you for rating!</EM></P></BODY></HTML> Sat, 15 Dec 2012 18:13:39 GMT https://community.cisco.com/t5/network-access-control/lost-in-the-eap-authentication-jungle/m-p/2138664#M156631 nspasov 2012-12-15T18:13:39Z