11-13-2017 10:03 PM - edited 02-21-2020 10:38 AM
Hello
I was reading the CiscoLive BRKSEC-2045 document and the author has an interesting slide that shows that Windows doesn't support the mixing of EAP methods when doing machine AND user authentication. In other words, you have to use either EAP-PEAP for both, or use EAP-TLS for both. He goes on to say that on macOS this is different because that OS's supplicant allows mixing.
Anyone got experience with this?
I want to do the following:
Maybe I misinterpreted the BRKSEC-2045 document, but it seems this mixing of EAP methods is not possible.
BRKSEC-2045
11-14-2017 10:02 AM
Hi Arne!
The slide is correct, I'm afraid you can't mix different authentication types in the Windows native supplicant. You have to pick one or the other.
AnyConnect Network Access Module (NAM) supports mixing certificates and credentials on Windows machines. You would use either PEAP or EAP-FAST as the outer method and then you could mix EAP-TLS (certificate) and MSCHAPv2 (credentials) inside it. Using this you can use a machine certificate for the machine when it boots and then trigger a new authentication based on MSCHAPv2 when the user logs into Windows.
I'm afraid I have never deployed double authentication for macOS so I'm not sure how it works there.
11-14-2017 01:50 PM
Thanks Jacob. You have become my EAP questions go-to guy ;-)
11-15-2017 08:44 AM
No problem, glad to help :)