Recommended protocol for enterprise authentication

dan.letkeman — Mon, 11 Mar 2019 07:49:03 GMT

Hello,

I was wondering if anyone has any recommendations for authentication protocols in our scenario.

We need to be able to send user information from our ISE server to our Firepower system. In order to gather user information from Domain joined computers, enterprise owned mobile devices, byod devices, and guest devices I am thinking of using the following for the respective wireless networks

SSID: Guest - Captive portal, self registration or pre defined guest accounts

SSID: BYOD - PEAP-MSCHAPv2 with AD Authentication, Register to endpoint groups. Users will need to be part of the correct AD group in order to login

SSID: Corporate - PEAP-MSCHAPv2

I was thinking of using PEAP-MSCHAPv2 instead of EAP-TLS (which is what we are currently using, but only for machine authentication) for corporate access because we have many shared machines. Shared machines don't have user certificates so user authentication wont work in this scenario because I need the user certificate to do EAP-TLS and user authentication. I cannot put user certificates on the computers because there may be 100's of users that use the machine over time.

The problem with using PEAP-MSCHAPv2 for corporate access is that I am finding it difficult to find a way to keep mobile byod devices from connect to the corporate SSID. Does anyone have any authentication policies that I can try in order to disable non domain joined devices from connecting?

Anyone have any suggestions for a better way?

Thanks,

Dan.

SSID: Corporate - PEAP

Ambuj M — Sun, 09 Jul 2017 16:19:20 GMT

SSID: Corporate - PEAP-MSCHAPv2

add a condition to ISE policy to check if the machine belongs to the domain, if yes then use desired result, else deny or limited access.

**rate helpful posts**

topic Recommended protocol for enterprise authentication in Network Access Control

Recommended protocol for enterprise authentication

SSID: Corporate - PEAP