authentication method for wired and wireless

chengl031
Level 1

Hi,

I'm a beginner at configuring enterprise-level authentication for wired and wireless.

I previously configured a VPN using a Cisco FTD with AnyConnect as the client. For authentication on the VPN I can use both a certificate and a password; I noticed that the RADIUS server in this case only does the password authentication and authorization, while the FTD takes care of the client certificate check before the password check.

Is it possible to build a similar process for wired and wireless? Both client certificate and password auth.

First verify the server and client certificates, then check the password (getting the username from the client certificate's common name).

Thanks!

1 Reply

Yes, it is possible to build a similar process for wired and wireless networks using a combination of 802.1X authentication, EAP-TLS for certificate-based authentication, and RADIUS for password-based authentication and authorization. Here's a high-level overview of the process:

1. Configure your wired and wireless infrastructure to support 802.1X authentication. This typically involves configuring your switches and wireless access points to act as Authenticators for 802.1X.

2. Set up a RADIUS server, such as Cisco Identity Services Engine (ISE), if you haven't already. This server will handle the password-based authentication and authorization.

3. Configure your RADIUS server to use EAP-TLS as the authentication method. EAP-TLS supports mutual authentication using client and server certificates. You will need to import the Certificate Authority (CA) certificate that issued the client and server certificates to the RADIUS server.

4. Configure your network clients to use 802.1X and EAP-TLS for authentication. This typically involves installing a client certificate on each client device and configuring the network settings to use 802.1X with EAP-TLS.

5. If you want to extract the username from the client certificate's Common Name (CN) and use it for password-based authentication, you will need to configure your RADIUS server to do so. In Cisco ISE, this can be done by creating a custom EAP-TLS authentication rule that extracts the username from the CN and passes it to the RADIUS server for password-based authentication.

6. Configure your RADIUS server to perform password-based authentication and authorization once the client certificate has been verified.

7. Test your wired and wireless network to ensure that the authentication process works as expected. Clients should be authenticated first using their certificates and then using their passwords.

By following these steps, you should be able to create a secure wired and wireless network that uses both client certificate and password-based authentication.

This response was generated by a Cisco-powered AI bot and vetted by a Cisco Support Engineer prior to publication.
This is part of a monitored experiment to see if the bot can help answer questions alongside community members.
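To make steps 3 and 5 of the answer concrete, here is an added example that is not part of the thread and is not Cisco ISE or FTD code. It uses the openssl command line to build a throwaway lab PKI (a trusted CA, an unrelated "rogue" CA, and one client certificate from each, both with CN=alice), then does what the RADIUS side of EAP-TLS does before any password is consulted: chain the client certificate to the trusted CA, and only then read the subject CN as the identity handed to the credential check. The account list `KNOWN_ACCOUNTS`, the `WORK` directory and the function names are assumptions for the illustration.

```shell
#!/bin/sh
# Added example (not from the post): the certificate stage of EAP-TLS as a
# RADIUS server would run it, with a constructed lab PKI built by openssl.
set -eu

WORK="$(mktemp -d)"          # all constructed keys and certs live here

# Accounts the password stage is allowed to resolve (constructed sample).
KNOWN_ACCOUNTS="alice bob"

# Build two unrelated CAs, each issuing a client cert with the same CN=alice,
# so the rogue-CA case shows that a CN by itself proves nothing.
make_lab_pki() {
    for ca in trusted rogue; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -addext "keyUsage=critical,keyCertSign,cRLSign" \
            -subj "/CN=$ca lab CA" \
            -keyout "$WORK/$ca-ca.key" -out "$WORK/$ca-ca.crt" >/dev/null 2>&1
        openssl req -newkey rsa:2048 -nodes \
            -subj "/CN=alice/O=Example Corp" \
            -keyout "$WORK/$ca-client.key" -out "$WORK/$ca-client.csr" >/dev/null 2>&1
        openssl x509 -req -days 1 -in "$WORK/$ca-client.csr" \
            -CA "$WORK/$ca-ca.crt" -CAkey "$WORK/$ca-ca.key" -CAcreateserial \
            -out "$WORK/$ca-client.crt" >/dev/null 2>&1
    done
}

# Stage 1: the client certificate must chain to the CA the server trusts
# (the CA certificate imported into the RADIUS server in step 3).
verify_client_cert() {   # $1 = client cert, $2 = trusted CA bundle
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Pull the first CN out of the subject; empty output means no CN is present.
cn_from_cert() {         # $1 = client cert
    openssl x509 -in "$1" -noout -subject -nameopt sep_multiline \
        | sed -n 's/^[[:space:]]*CN[[:space:]]*=[[:space:]]*//p' | head -n 1
}

# Stage 1 plus identity mapping (step 5): prints the username on success and
# fails otherwise. The password/authorization step would run after this with
# exactly that username; a certificate that does not verify never gets there.
eap_tls_identity() {     # $1 = client cert, $2 = trusted CA bundle
    verify_client_cert "$1" "$2" || return 1
    cn="$(cn_from_cert "$1")"
    [ -n "$cn" ] || return 1
    case " $KNOWN_ACCOUNTS " in
        *" $cn "*) printf '%s\n' "$cn" ;;
        *) return 1 ;;
    esac
}

# Demonstration run: the trusted client passes, the rogue one is rejected
# even though its CN is identical.
make_lab_pki
for c in trusted rogue; do
    if user="$(eap_tls_identity "$WORK/$c-client.crt" "$WORK/trusted-ca.crt")"; then
        echo "$c-client.crt: certificate accepted, continue with password check for '$user'"
    else
        echo "$c-client.crt: rejected before any password is looked at"
    fi
done
```

The ordering is the point: the CN is only read after the chain check succeeds, and it is then matched against an account list rather than trusted as-is, so a certificate from an unrelated CA, or one with a CN that maps to no account, fails before the password stage is ever reached.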