Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1086
Views
1
Helpful
3
Replies

Common Endpoint Authentication Scenarios

Go to solution
55cfffb534
Level 1
Level 1

‎04-02-2018 02:23 PM

Hello,

I'm in the process of implementing 2.3 with a mixture of Windows 7 and Windows 10 [wired] endpoints but I'm curious what people consider "standard" in terms of 802.1x authentication for Windows workstations (wired or wireless). More specifically, PEAP-EAP-MSCHAPv2 or PEAP-EAP-TLS?

I have gotten both working but am currently leaning towards EAP-TLS. Using group policy to configure Wired AutoConfig conjunction with our Windows Certificate Services Enterprise CA, things seem to work pretty well (surprisingly fast). I want to make sure that I'm not trying to do anything out of the ordinary though. In other words, is this how many of you are handling endpoint authentication or should I look at MSCHAPv2 instead?

If you are using EAP-TLS, are you publishing your computer certificates to Active Directory? I am at the moment but I'm having trouble determining if that is a requirement?

I appreciate any input on this rather mundane topic.

Thanks!

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
paul
Level 10
Level 10

‎04-03-2018 04:36 AM

I would say if you are only doing computer authentication which is very common if you trying to only answer the question "Is the attaching device a corporate asset" then PEAP computer authentication is the simplest way to go.  We have been using it as a standard for years. 

If you also require user information then you have a few options:

  1. EAP-TLS- probably the best way to do it, but you have to deal with the user first login issue, i.e. the supplicant is told to transition to user mode authentication but the user hasn't autoenrolled their certificate yet.
  2. PEAP User- by itself not great because you can't tell by they are still logged onto a corporate asset.  This opens up security risks by allowing users to bring in whatever type of device they want as long as they can pass AD user credentials.
  3. PEAP User + MAR- tie PEAP user with MAR cache.  Make sure you understand the caveats of MAR cache.
  4. PEAP User + profiling as corporate computer- user profiling to determine corporate computer, AD profiler, DHCP profiler, etc.
  5. PEAP  User + MAR + Profiling- combine MAR with profiling to cover the holes in each method.
  6. EAP-Chaining- requires the use of NAM and I don't believe is widely deployed, but could be wrong
  7. PEAP Computer  + CWA chaining- authenticate the computer and gather AD credentials via CWA portal
  8. PEAP Computer + Passive ID- if you only require user information to pass to other systems via pxGrid you could explore Passive ID techniques to gather user information while keeping active path computer only.

I am sure I missed some.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee

‎04-02-2018 02:52 PM

Its easier for the user if you manage the certificates and use TLS, its also more secure as you can revoke the certificate without compromising the users username/password credentials.

It would be considered best practice to try and use TLS

Go to solution
paul
Level 10
Level 10

‎04-03-2018 04:36 AM

I would say if you are only doing computer authentication which is very common if you trying to only answer the question "Is the attaching device a corporate asset" then PEAP computer authentication is the simplest way to go.  We have been using it as a standard for years. 

If you also require user information then you have a few options:

  1. EAP-TLS- probably the best way to do it, but you have to deal with the user first login issue, i.e. the supplicant is told to transition to user mode authentication but the user hasn't autoenrolled their certificate yet.
  2. PEAP User- by itself not great because you can't tell by they are still logged onto a corporate asset.  This opens up security risks by allowing users to bring in whatever type of device they want as long as they can pass AD user credentials.
  3. PEAP User + MAR- tie PEAP user with MAR cache.  Make sure you understand the caveats of MAR cache.
  4. PEAP User + profiling as corporate computer- user profiling to determine corporate computer, AD profiler, DHCP profiler, etc.
  5. PEAP  User + MAR + Profiling- combine MAR with profiling to cover the holes in each method.
  6. EAP-Chaining- requires the use of NAM and I don't believe is widely deployed, but could be wrong
  7. PEAP Computer  + CWA chaining- authenticate the computer and gather AD credentials via CWA portal
  8. PEAP Computer + Passive ID- if you only require user information to pass to other systems via pxGrid you could explore Passive ID techniques to gather user information while keeping active path computer only.

I am sure I missed some.

0 Helpful

Go to solution
55cfffb534
Level 1
Level 1
In response to paul

‎04-03-2018 06:37 AM

Thanks, Paul. This helps get the ball rolling on user authentication.

0 Helpful
Customers Also Viewed These Support Documents