https://community.cisco.com/t5/network-security/authentication-method-for-wired-and-wireless/m-p/4845530#M1101040 Yes, it is possible to build a similar process for wired and wireless networks using a combination of 802.1X authentication, EAP-TLS for certificate-based authentication, and RADIUS for password-based authentication and authorization. Here's a high-level overview of the process:<BR /><BR />1. Configure your wired and wireless infrastructure to support 802.1X authentication. This typically involves configuring your switches and wireless access points to act as Authenticators for 802.1X.<BR /><BR />2. Set up a RADIUS server, such as Cisco Identity Services Engine (ISE), if you haven't already. This server will handle the password-based authentication and authorization.<BR /><BR />3. Configure your RADIUS server to use EAP-TLS as the authentication method. EAP-TLS supports mutual authentication using client and server certificates. You will need to import the Certificate Authority (CA) certificate that issued the client and server certificates to the RADIUS server.<BR /><BR />4. Configure your network clients to use 802.1X and EAP-TLS for authentication. This typically involves installing a client certificate on each client device and configuring the network settings to use 802.1X with EAP-TLS.<BR /><BR />5. If you want to extract the username from the client certificate's Common Name (CN) and use it for password-based authentication, you will need to configure your RADIUS server to do so. In Cisco ISE, this can be done by creating a custom EAP-TLS authentication rule that extracts the username from the CN and passes it to the RADIUS server for password-based authentication.<BR /><BR />6. Configure your RADIUS server to perform password-based authentication and authorization once the client certificate has been verified.<BR /><BR />7. Test your wired and wireless network to ensure that the authentication process works as expected. Clients should be authenticated first using their certificates and then using their passwords.<BR /><BR />By following these steps, you should be able to create a secure wired and wireless network that uses both client certificate and password-based authentication. Tue, 30 May 2023 15:52:22 GMT Cisco_Virtual_Engineer 2023-05-30T15:52:22Z https://community.cisco.com/t5/network-security/authentication-method-for-wired-and-wireless/m-p/4843723#M1100916 <P>Hi,</P><P>I'm a starter in configure an enterprise level auth for wired and wireless.</P><P>I previously config a VPN use cisco FTD and anyconnect as client. the authentication on VPN I can use both certificate and password, I notice that RADIUS server in this case only do the password authentication and authorization, FTD server will take after the client certificate check before the password check.</P><P>Is it possible to build a semiller proccess for wired and wireless? both client certificate and password auth</P><P>First verify server and client certificate, then check password (get username from client certificate comman name)</P><P>Thanks!</P> Fri, 26 May 2023 16:24:44 GMT https://community.cisco.com/t5/network-security/authentication-method-for-wired-and-wireless/m-p/4843723#M1100916 chengl031 2023-05-26T16:24:44Z https://community.cisco.com/t5/network-security/authentication-method-for-wired-and-wireless/m-p/4845530#M1101040 Yes, it is possible to build a similar process for wired and wireless networks using a combination of 802.1X authentication, EAP-TLS for certificate-based authentication, and RADIUS for password-based authentication and authorization. Here's a high-level overview of the process:<BR /><BR />1. Configure your wired and wireless infrastructure to support 802.1X authentication. This typically involves configuring your switches and wireless access points to act as Authenticators for 802.1X.<BR /><BR />2. Set up a RADIUS server, such as Cisco Identity Services Engine (ISE), if you haven't already. This server will handle the password-based authentication and authorization.<BR /><BR />3. Configure your RADIUS server to use EAP-TLS as the authentication method. EAP-TLS supports mutual authentication using client and server certificates. You will need to import the Certificate Authority (CA) certificate that issued the client and server certificates to the RADIUS server.<BR /><BR />4. Configure your network clients to use 802.1X and EAP-TLS for authentication. This typically involves installing a client certificate on each client device and configuring the network settings to use 802.1X with EAP-TLS.<BR /><BR />5. If you want to extract the username from the client certificate's Common Name (CN) and use it for password-based authentication, you will need to configure your RADIUS server to do so. In Cisco ISE, this can be done by creating a custom EAP-TLS authentication rule that extracts the username from the CN and passes it to the RADIUS server for password-based authentication.<BR /><BR />6. Configure your RADIUS server to perform password-based authentication and authorization once the client certificate has been verified.<BR /><BR />7. Test your wired and wireless network to ensure that the authentication process works as expected. Clients should be authenticated first using their certificates and then using their passwords.<BR /><BR />By following these steps, you should be able to create a secure wired and wireless network that uses both client certificate and password-based authentication. Tue, 30 May 2023 15:52:22 GMT https://community.cisco.com/t5/network-security/authentication-method-for-wired-and-wireless/m-p/4845530#M1101040 Cisco_Virtual_Engineer 2023-05-30T15:52:22Z