Lost in the EAP/authentication-jungle

Hi,

I am trying to set up device (laptops/desktops with XP and Vista, iPhone, tablet) and user authentication, mostly to differentiate corp and private devices. So far I have successfully been able to authenticate wireless users that are in an AD group, using ISE as RADIUS (PEAP MSCHAPv2). Now I have to figure out a way to authenticate/authorize devices.

One option is to see if the device is part of an AD group, but this is only suitable for computers, not phones/tablets.

All corp devices have got a root cert from our CA. Is this being used during the PEAP process, and can we authenticate devices with this cert?

If not, is the only option to implement machine certs? The problem I see there is how to use a certificate for the device and PEAP for the user, since I can't find an option in Vista to send both a machine cert and an AD username/password.

Regards

Philip

1 Reply

nspasov (Cisco Employee)

Hello Philip-

The root certificate that you are using in PEAP is optional and it is only used to encrypt the inner method of the authentication which in your scenario is MS-CHAPv2. Thus, that certificate cannot be used to perform machine authentication.

To perform machine authentication you should perhaps look into using EAP-TLS. For this, though, you will need some sort of PKI that can issue and sign digital certificates. Microsoft servers have that feature, and it is the most common one out there.

On the other hand, if you don't want to use certificates then you can use the profiling feature of ISE. With profiling you can use the built-in rules, or create your own custom rules, to profile different devices and authorize them on the network.

Hope this helps!

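The distinction the reply draws (a PEAP user login tells you who the user is, not what the device is, whereas machine authentication identifies the endpoint) can be checked against the authentication records the RADIUS server already produces. The following is an added example, not code from the thread or from ISE: it uses a constructed, simplified CSV record shape (timestamp, EAP identity, EAP method, endpoint MAC) rather than ISE's real log schema, and the rule for recognising a machine identity (the Windows `host/<fqdn>` computer-account form, or an EAP-TLS identity that is not a user UPN) is an assumption made for the sample data.

```python
# Added example (not from the thread): sort 802.1X sessions into machine-
# authenticated and user-only endpoints. The record format below is a
# constructed, simplified CSV shape, not ISE's own log schema.
import csv
import io
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample records: timestamp, EAP identity, EAP method, endpoint MAC.
SAMPLE_RECORDS = """\
2013-05-01T08:01:02,host/LAPTOP-0042.corp.example,PEAP-MSCHAPv2,00:11:22:33:44:01
2013-05-01T08:01:40,CORP\\philip,PEAP-MSCHAPv2,00:11:22:33:44:01
2013-05-01T08:03:15,CORP\\anna,PEAP-MSCHAPv2,00:11:22:33:44:02
2013-05-01T08:04:05,CN=TABLET-0007.corp.example,EAP-TLS,00:11:22:33:44:03
2013-05-01T08:05:10,CORP\\anna,PEAP-MSCHAPv2,00:11:22:33:44:02
"""


@dataclass(frozen=True)
class AuthRecord:
    timestamp: str
    identity: str
    method: str
    mac: str


def parse_records(text: str) -> list:
    """Parse the constructed CSV shape into AuthRecord objects, skipping blank lines."""
    reader = csv.reader(io.StringIO(text))
    return [AuthRecord(*row) for row in reader if row]


def is_machine_identity(identity: str, method: str) -> bool:
    """Heuristic (an assumption for this example, not an ISE rule):
    Windows computer accounts authenticate as 'host/<fqdn>'; an EAP-TLS
    identity with no '@' is taken to be a device certificate subject rather
    than a user UPN. PEAP-MSCHAPv2 with a plain user name is never machine auth."""
    if identity.startswith("host/"):
        return True
    return method == "EAP-TLS" and "@" not in identity


def classify_endpoints(records) -> dict:
    """Return {mac: 'machine' | 'machine+user' | 'user-only'}.

    A MAC that never machine-authenticated is 'user-only': the server
    certificate used to build the PEAP tunnel says nothing about the device,
    so a successful user login alone does not make it a corp device."""
    seen = defaultdict(set)
    for r in records:
        seen[r.mac].add("machine" if is_machine_identity(r.identity, r.method) else "user")
    result = {}
    for mac, kinds in seen.items():
        if kinds == {"machine"}:
            result[mac] = "machine"
        elif kinds == {"user"}:
            result[mac] = "user-only"
        else:
            result[mac] = "machine+user"
    return result


def user_only_endpoints(text: str = SAMPLE_RECORDS) -> list:
    """MACs that only ever presented user credentials: candidates for the
    'private device' treatment, or for ISE profiling to fill the gap."""
    classes = classify_endpoints(parse_records(text))
    return sorted(mac for mac, kind in classes.items() if kind == "user-only")


if __name__ == "__main__":
    for mac, kind in sorted(classify_endpoints(parse_records(SAMPLE_RECORDS)).items()):
        print(f"{mac}  {kind}")
```

In the sample, the laptop shows a computer-account login followed by a user login from the same MAC, which is what the `machine+user` class captures; the tablet is recognised only because it presented a device certificate over EAP-TLS, and the second MAC, seen only with user credentials, is the case the question is about: nothing in the PEAP exchange identifies it as a corp device, so either a machine credential or ISE profiling has to supply that information.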
