Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1275
Views
0
Helpful
4
Replies

802.1X LAN Implementation Using Certificates

Go to solution
zekebashi
Level 4
Level 4

‎03-01-2017 12:52 PM - edited ‎03-10-2019 12:47 AM

Hello, 

Can we use certificates for authentication when implementing 802.1X on the LAN? 

Thanks in advance. 

Best, ~zK 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Karsten Iwen
VIP
VIP
In response to zekebashi

‎03-01-2017 02:56 PM

There is no easy answer ...

  • Are you willing to install/license AnyConnect for your Users of Windows PCs? If not, EAP-FAST can't be used there as the native Windows supplicant doesn't support it.
  • Do you have an easy way to enroll client-certificates? Is there already a PKI in place? Then EAP-TLS could be an option.
  • If both answers are "no", go for PEAP.

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Karsten Iwen
VIP
VIP

‎03-01-2017 01:56 PM

Certificates can be used regardless of the access-method (wired, wireless, VPN).

All you need to do is enroll your endpoints/users with certificates and make sure that both the ISE and the endpoints trust your root. Based on your tools to enroll the endpoints with certificates, using PEAP could be an option. There the endpoints only need the root-certificate and the ISEs need an identity certificate.

0 Helpful

Go to solution
zekebashi
Level 4
Level 4
In response to Karsten Iwen

‎03-01-2017 02:48 PM

Thanks for the quick response, Karsten! 

Which auth protocol should we use for the wired 802.1X: EAP-TLS, EAP-FAST, or PEAP? 

Best, ~zK 

0 Helpful

Go to solution
Karsten Iwen
VIP
VIP
In response to zekebashi

‎03-01-2017 02:56 PM

There is no easy answer ...

  • Are you willing to install/license AnyConnect for your Users of Windows PCs? If not, EAP-FAST can't be used there as the native Windows supplicant doesn't support it.
  • Do you have an easy way to enroll client-certificates? Is there already a PKI in place? Then EAP-TLS could be an option.
  • If both answers are "no", go for PEAP.
0 Helpful

Go to solution
zekebashi
Level 4
Level 4
In response to Karsten Iwen

‎03-02-2017 10:08 AM

That's very helpful! 

- We've a mix of PANs and ASAs client VPN implementations, so we have clients with Anyconnect and clients with GlobalProtect.

- Yes, we do have an enterprise PKI in place, so I guess we will consider EAP-TLS

I found this blog, which might be helpful for others who might stumble on this post, that compares and explains the differences between the EAP auth methods: http://www.networkworld.com/article/2223672/access-control/which-eap-types-do-you-need-for-which-identity-projects.html 

Thanks again. 

Best, ~zK 

0 Helpful
Customers Also Viewed These Support Documents