https://community.cisco.com/t5/wireless/best-eap-method-given-these-requirements/m-p/1149005#M10869 <HTML><HEAD></HEAD><BODY><P>you could do PEAP as well. EAP-TLS requires a per user certificate, while PEAP only requires the Root CA certificate be installed on the end machines. </P><P></P><P>HTH,</P><P>Steve</P></BODY></HTML> Tue, 13 Jan 2009 23:46:16 GMT Stephen Rodriguez 2009-01-13T23:46:16Z https://community.cisco.com/t5/wireless/best-eap-method-given-these-requirements/m-p/1149001#M10865 <P>Which EAP method would be the most secure in this case, and fulfill these requirements:</P><P></P><P>1) Want to authenticate user's via LDAP to an Active Directory Database</P><P></P><P>2) Also want to require that they have a unique certificate on their PC's (Which we manually install on them).</P><P></P><P>3) Supports signal signon (pass-through) authentication from a Windows XP machine.</P> Sat, 03 Jul 2021 23:57:14 GMT https://community.cisco.com/t5/wireless/best-eap-method-given-these-requirements/m-p/1149001#M10865 Lucas Phelps 2021-07-03T23:57:14Z https://community.cisco.com/t5/wireless/best-eap-method-given-these-requirements/m-p/1149002#M10866 <HTML><HEAD></HEAD><BODY><P>You can use EAP-TLS. That requires a server and a client side cert. You can use microsoft IAS (RADIUS) server for user auth that points to the AD database.</P></BODY></HTML> Thu, 08 Jan 2009 01:26:45 GMT https://community.cisco.com/t5/wireless/best-eap-method-given-these-requirements/m-p/1149002#M10866 semmie.rush 2009-01-08T01:26:45Z https://community.cisco.com/t5/wireless/best-eap-method-given-these-requirements/m-p/1149003#M10867 <HTML><HEAD></HEAD><BODY><P>Keep in mind with Windows XP/2k3 (sp2/default client authentication)that if your users move from station to station, it does not support a 'cert roaming' environment. The problem I faced was if a doc used his laptop then tried to access one of our wireless carts on the floor, he couldn't login because his cert had never been applied to that cart and was already active on a different device. We ended up turning off client certificate authentication on XP and are only using 'computer certificate' authentiction. If you need more information on this I'd be glad to help. I'm unfamiliar on the IAS side as I use ACS.</P></BODY></HTML> Tue, 13 Jan 2009 21:26:56 GMT https://community.cisco.com/t5/wireless/best-eap-method-given-these-requirements/m-p/1149003#M10867 raun.williams 2009-01-13T21:26:56Z https://community.cisco.com/t5/wireless/best-eap-method-given-these-requirements/m-p/1149004#M10868 <HTML><HEAD></HEAD><BODY><P>Perhaps I am confused on the idea of client certificates. I was thinking I would put one universal certificate on the PC's that would have wireless access. I did not think that they would be a unique certificate per user.</P><P></P><P>How could I get away with requiring a 'company' certificate on each company PC and then just have them authenticate with their AD username (via LDAP/RADIUS)? Would this be machine certificates?</P></BODY></HTML> Tue, 13 Jan 2009 21:39:21 GMT https://community.cisco.com/t5/wireless/best-eap-method-given-these-requirements/m-p/1149004#M10868 Lucas Phelps 2009-01-13T21:39:21Z https://community.cisco.com/t5/wireless/best-eap-method-given-these-requirements/m-p/1149005#M10869 <HTML><HEAD></HEAD><BODY><P>you could do PEAP as well. EAP-TLS requires a per user certificate, while PEAP only requires the Root CA certificate be installed on the end machines. </P><P></P><P>HTH,</P><P>Steve</P></BODY></HTML> Tue, 13 Jan 2009 23:46:16 GMT https://community.cisco.com/t5/wireless/best-eap-method-given-these-requirements/m-p/1149005#M10869 Stephen Rodriguez 2009-01-13T23:46:16Z