Common Endpoint Authentication Scenarios

55cfffb534
Level 1

Hello,

I'm in the process of implementing 2.3 with a mixture of Windows 7 and Windows 10 [wired] endpoints but I'm curious what people consider "standard" in terms of 802.1x authentication for Windows workstations (wired or wireless). More specifically, PEAP-EAP-MSCHAPv2 or PEAP-EAP-TLS?

I have gotten both working but am currently leaning towards EAP-TLS. Using group policy to configure Wired AutoConfig in conjunction with our Windows Certificate Services Enterprise CA, things seem to work pretty well (surprisingly fast). I want to make sure that I'm not trying to do anything out of the ordinary, though. In other words, is this how many of you are handling endpoint authentication, or should I look at MSCHAPv2 instead?

If you are using EAP-TLS, are you publishing your computer certificates to Active Directory? I am at the moment, but I'm having trouble determining whether that is a requirement.

I appreciate any input on this rather mundane topic.

Thanks!


3 Replies

Jason Kunst
Cisco Employee

It's easier for the user if you manage the certificates and use TLS; it's also more secure, as you can revoke the certificate without compromising the user's username/password credentials.

It would be considered best practice to try and use TLS.
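The original poster's setup (Wired AutoConfig pushed by group policy, machine certificates from an Enterprise CA) and the revocation point above both come down to the same question on the endpoint: does this host hold a valid machine certificate for EAP-TLS, and does it chain to a trusted root when revocation is actually checked? The following PowerShell script is an added example written for this thread; it is not from the original poster, from Cisco or from Microsoft. It assumes the issuing CA's name in `$IssuerPattern` (a placeholder to replace with your own CA) and uses only standard cmdlets, `netsh lan` and the .NET X509Chain class.

```powershell
# Added example, not part of the original thread or of any Cisco/Microsoft tool.
# Run elevated on a domain-joined Windows endpoint to check EAP-TLS readiness:
#   1. Wired AutoConfig (dot3svc) is running and wired 802.1X profiles exist.
#   2. The machine store holds a certificate with a private key and the
#      Client Authentication EKU, issued by our enterprise CA.
#   3. That certificate chains to a trusted root WITH an online revocation
#      check, which is what makes revoking a certificate an effective response.
# Assumption: the issuing CA's subject matches $IssuerPattern; change it to yours.

$IssuerPattern = 'CN=Example Enterprise CA'   # assumed placeholder, not a real CA name
$ClientAuthEku = '1.3.6.1.5.5.7.3.2'           # id-kp-clientAuth (RFC 5280)

function Test-WiredAutoConfig {
    # Returns $true when dot3svc is running; lists wired profiles for the reader.
    $svc = Get-Service -Name dot3svc -ErrorAction SilentlyContinue
    if (-not $svc) {
        Write-Warning 'Wired AutoConfig service (dot3svc) not found on this host'
        return $false
    }
    Write-Host "dot3svc status: $($svc.Status) (start type $($svc.StartType))"
    if ($svc.Status -eq 'Running') {
        # GPO-deployed wired 802.1X profiles show up here per interface.
        netsh lan show profiles
        return $true
    }
    return $false
}

function Get-EapTlsCandidateCert {
    # Certificates in LocalMachine\My that a supplicant could present for EAP-TLS:
    # private key present, currently valid, issued by our CA, client-auth EKU.
    param([string]$Issuer, [string]$Eku)
    $now = Get-Date
    Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and
        $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
        $_.Issuer -match [regex]::Escape($Issuer) -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $Eku })
    }
}

function Test-CertChainWithRevocation {
    # Builds the chain the way a RADIUS server should: trusted root required and
    # revocation status fetched online (CRL/OCSP) for every certificate in the chain.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $ok = $chain.Build($Cert)
    foreach ($s in $chain.ChainStatus) {
        # Each entry explains a failure, e.g. Revoked, RevocationStatusUnknown, UntrustedRoot.
        Write-Warning ('chain status: {0} - {1}' -f $s.Status, $s.StatusInformation.Trim())
    }
    return $ok
}

# --- main ---
$wiredOk = Test-WiredAutoConfig
if (-not $wiredOk) { Write-Warning 'Wired 802.1X will not start: dot3svc is not running' }

$certs = @(Get-EapTlsCandidateCert -Issuer $IssuerPattern -Eku $ClientAuthEku)
if ($certs.Count -eq 0) {
    Write-Warning "No machine certificate with Client Authentication EKU from '$IssuerPattern'; EAP-TLS will fail on this host"
} else {
    foreach ($c in $certs) {
        $chainOk = Test-CertChainWithRevocation -Cert $c
        $verdict = if ($chainOk) { 'OK' } else { 'FAIL' }
        '{0,-5} {1} expires {2:yyyy-MM-dd} subject={3}' -f $verdict, $c.Thumbprint, $c.NotAfter, $c.Subject
    }
}
```

A host that reports a valid certificate but `RevocationStatusUnknown` is the case to watch: the supplicant will still authenticate, but the RADIUS server cannot reach your CRL distribution point or OCSP responder, so the revocation benefit described above is not actually in effect until that is fixed.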

paul
Level 10 (Accepted Solution)

I would say if you are only doing computer authentication, which is very common if you are trying to only answer the question "Is the attaching device a corporate asset?", then PEAP computer authentication is the simplest way to go. We have been using it as a standard for years.

If you also require user information then you have a few options:

  1. EAP-TLS: probably the best way to do it, but you have to deal with the user first-login issue, i.e. the supplicant is told to transition to user-mode authentication but the user hasn't autoenrolled their certificate yet.
  2. PEAP User: by itself not great, because you can't tell whether they are still logged onto a corporate asset. This opens up security risks by allowing users to bring in whatever type of device they want as long as they can pass AD user credentials.
  3. PEAP User + MAR: tie PEAP user with MAR cache. Make sure you understand the caveats of MAR cache.
  4. PEAP User + profiling as corporate computer: use profiling to determine corporate computer, AD profiler, DHCP profiler, etc.
  5. PEAP User + MAR + Profiling: combine MAR with profiling to cover the holes in each method.
  6. EAP-Chaining: requires the use of NAM and I don't believe is widely deployed, but I could be wrong.
  7. PEAP Computer + CWA chaining: authenticate the computer and gather AD credentials via CWA portal.
  8. PEAP Computer + Passive ID: if you only require user information to pass to other systems via pxGrid, you could explore Passive ID techniques to gather user information while keeping the active path computer only.

I am sure I missed some.

Thanks, Paul. This helps get the ball rolling on user authentication.