topic Which EAP to use in Wireless

Which EAP to use

jlhainy — Sun, 04 Jul 2021 02:13:56 GMT

I am looking for the best EAP method to use for a diverse environment where end clients will be a mixture of Windows XP, Windows 7 and iPad devices. I would like to use one SSID and security method for all devices. Microsoft AD 2008R2 is the back end database I can authenticate to. I only want company devices to be able to authenticate.

Which EAP flavor would help in all of these criteria?

I have been looking at EAP-FAST, PEAP and EAP-TLS. Any feedback would be most appreciated.

Re: Which EAP to use

Serge Yasmine — Tue, 05 Oct 2010 22:37:05 GMT

Hello,

You need to look at what your clients support really.

I would go for the one with least configuration needed from certificates perspectives and that would be eap-fast.

eap-tls will make you install certs on clients and server along with CA

peap implementation is not very time consuming neither.

Cheers

Serge

Re: Which EAP to use

George Stefanick — Wed, 06 Oct 2010 05:33:44 GMT

If you want a low management over head i would suggest EAP-PEAP v0. This is the most commonly used EAP today and it is Windows XP ZeroConfig friendly. Its not difficult to implement and its secure, but you want to validate certificates on the client.

EAP-FAST is a Cisco flavor and you will likely run into devices that do not support it.

EAP-TLS is more secure because there is 2 way cert validation. But it is a bear to manage ...

Hope this helps...

Which EAP to use

adbaker — Fri, 19 Aug 2011 06:46:32 GMT

Can I jump on this discussion and change the requirments a little. A customer of mine has the same issue, he wants a security mechanism that allows the inclusion of mobile devices but wants to be able to control (read stop) the use of devices brought in from home. This is an NHS Trust that is willing to purchase ipads etc for certain staff but only those devices should be allowed to connect.

He's suggested that EAP-TLS is the only way to do this but as I'm not an expert in this area can I ask for advice?

Which EAP to use

jlhainy — Fri, 19 Aug 2011 12:52:37 GMT

I have stayed away from EAP-TLS for now, simply because of the managment overhead. I do agree it would be the most secure. If you don't want personal mobile devices to connect, then you don't allow them to have a certificate.

My problem is that We do want to incorporate personal devices but don't want them to go on a Internal ssid and if we allow their user name to use that ssid, what is to stop them from attaching from the Internal SSID from their personal device.

I have 2 solutions to this. One is to add mac authentication with PEAP and it works fine. It is extra overhead, but still easier than EAP-TLS. I know, I know, its not secure, but we are using it really as a way to profile corporate device vs personal devices.

The second solution is Cisco's new ISE that does device profiling and would give the same functionality without using mac authentication. That is something I really want to look into, pending budget and maturity of the product.

Which EAP to use

George Stefanick — Fri, 19 Aug 2011 13:01:09 GMT

You could get fancy with certificates to segment the two groups. Althought after reading about ISE, it seems like its the way to go.

Which EAP to use

jlhainy — Fri, 19 Aug 2011 15:31:25 GMT

I would have to agree George. The ISE sounds way cool. The problem is that I haven't even been on ACS 5.2 for a year yet. I made the upgrade when we updated our domain controllers to 2008R2. So as much as I want the ISE, I have some hesitations.

Which EAP to use

George Stefanick — Fri, 19 Aug 2011 15:39:04 GMT

Cisco is merging technologys WCS/Cisco Works to NCS and ACS/NAC to ISE. Its coming... They say by 2015 90% of WLAN will be using directed "managment" if you will.

Thanks for the rating .. Yeah me! Blue Star! LOL