802.1X EAP Protocol Negotiation -- LEAP, PEAP, TLS?

Toivo Voll
Level 1

We are doing wireless authentication, and are having some trouble with legacy clients. Can anyone offer advice, or links to pertinent documentation? As far as I can tell this really has no relevant wireless problem, the issue is in the 802.1X / RADIUS negotiation.

We have legacy clients configured to use LEAP.

  • When we configure ISE to prefer PEAP or TLS, but allow LEAP, as soon as ISE receives the request from the client to use LEAP instead, it terminates the protocol negotiation and rejects the request instead of switching protocols.
  • If the client is configured to use PEAP or TLS, and ISE is configured to use the other protocol, ISE sees the client requesting a different protocol, and switches over. I'm trying to understand why this isn't working with LEAP in the mix.
  • If we default ISE to LEAP, the legacy clients will work, but that's obviously not really palatable. Further, if ISE defaults to LEAP, and the client requests PEAP instead, ISE again will not switch over to the requested protocol and just rejects the request.

How do we configure ISE for a scenario where we have a mix of clients using PEAP and LEAP against the same authentication policy (the same SSID and WLC)? Are there some gotchas or bugs I might be running into?

WLC 8.0.132.0, ISE 2.1.0.474, the clients are various vintages of Wyse thin clients.
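
An added example, not part of the original post and not Cisco code: a decoder for the EAP method negotiation described above, which reports whether the server switched methods after the client's Nak or rejected the session. It assumes raw EAP packets (RFC 3748 framing) already extracted from EAPOL frames or RADIUS EAP-Message attributes; the sample packets and function names are constructed for illustration.

```python
import struct

# EAP codes and method type numbers (RFC 3748 / IANA EAP registry).
CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 17: "LEAP", 25: "PEAP"}

def parse_eap(pkt: bytes) -> dict:
    """Decode one EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Data]."""
    if len(pkt) < 4:
        raise ValueError("EAP header is 4 bytes")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("bad EAP length field")
    out = {"code": CODES.get(code, str(code)), "id": ident, "type": None, "wants": []}
    if code in (1, 2) and length >= 5:
        etype = pkt[4]
        out["type"] = TYPES.get(etype, f"type-{etype}")
        if code == 2 and etype == 3:
            # Legacy Nak: each data byte is a method the peer accepts (0 = none).
            out["wants"] = [TYPES.get(t, f"type-{t}") for t in pkt[5:length] if t != 0]
    return out

def trace_negotiation(packets):
    """Return (methods offered by server, methods wanted by client, outcome)."""
    offered, wanted, outcome = [], [], "incomplete"
    for p in map(parse_eap, packets):
        if p["code"] == "Request" and p["type"] != "Identity":
            offered.append(p["type"])
            if wanted:
                outcome = "server switched" if p["type"] in wanted else "server ignored Nak"
        elif p["type"] == "Nak":
            wanted = p["wants"]
        elif p["code"] == "Failure" and wanted and outcome == "incomplete":
            outcome = "rejected after Nak"
    return offered, wanted, outcome

# Constructed sample: server offers PEAP, client Naks asking for LEAP, server fails.
REJECTED = [bytes.fromhex(h) for h in ("010200061920", "020200060311", "04020004")]
# Constructed sample: server offers EAP-TLS, client Naks for PEAP, server switches.
SWITCHED = [bytes.fromhex(h) for h in ("010500060d20", "020500060319", "010600061920")]

if __name__ == "__main__":
    for name, conv in (("rejected", REJECTED), ("switched", SWITCHED)):
        print(name, trace_negotiation(conv))
```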
