cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

239
Views
0
Helpful
17
Replies
Enthusiast

Cisco ISE and Meaki using PEAP Authentication

Currently my network is using PEAP to authenticate and is authenticating to ISE. I have not worked with PEAP much as majority of my deployments are EAP-TLS for obvious reasons. 

 

Is it possible to use MS Group Policy to make Computers join the PEAP wireless automatically? I am not really sure because it requires user credentials. I think there is an option to use logged in credentials but I am not sure how that works. Does PEAP still require a user cert? I feel like it should be using a cert from ISE or Meraki but not sure which one?

 

Anyone using PEAP? Anyone have decent articles or blogs on this? I am trying to make this as NON user interactive as possible for them to join my meraki wifi. 

17 REPLIES 17
VIP Advocate

Re: Cisco ISE and Meaki using PEAP Authentication

By default a Window client that is joined to a domain will use the credentials of the logged in user, or computername, to authenticate on a PEAP SSID. PEAP does not require a user Cert, but the computer must trust the root cert of the radius certificate.
If the clients are domain joined, you can push a group policy containing the whole SSID configuration to the client and it will automatically connect. You can even select if you want computer or user authentication (use user).
Here a fairly good document:
https://documentation.meraki.com/MR/Encryption_and_Authentication/Configuring_RADIUS_Authentication_with_WPA2-Enterprise
Enthusiast

Re: Cisco ISE and Meaki using PEAP Authentication

So if ISE is my radius server, do I need to import the root cert to it ? or export a cert in ISE and then push via GP to all machines/users?
Highlighted
VIP Advocate

Re: Cisco ISE and Meaki using PEAP Authentication

You need to import on the clients the root cert, which certified/validated the ISE radius cert.


Enthusiast

Re: Cisco ISE and Meaki using PEAP Authentication

So ISE is trusting my Corporate CA. The system cert marked for EAP auth, admin, portal, and RADIUS DTLS is self signed. So I need to export that one and import to clients?
VIP Advocate

Re: Cisco ISE and Meaki using PEAP Authentication

Your clients must trust the Corporate CA in this case.

If it's the same as your DCs are using and your clients are joined to the domain, they already trust that CA.


Enthusiast

Re: Cisco ISE and Meaki using PEAP Authentication

Just seems silly that you have your radius server trust your CA, your Machines and Users are joined to the domain and trusting the Root CA and you use PEAP-TLS, I feel like its not much more effort to just go to EAP....
VIP Advocate

Re: Cisco ISE and Meaki using PEAP Authentication

Not sure what you want to say. I'm using PEAP mschapv2 here (username/password), not PEAP-TLS.


Enthusiast

Re: Cisco ISE and Meaki using PEAP Authentication

Event 5400 Authentication failed
Failure Reason 12321 PEAP failed SSL/TLS handshake because the client rejected the ISE local-certificate
Resolution Check whether the proper server certificate is installed and configured for EAP in the Local Certificates page ( Administration > System > Certificates > Local Certificates ). Also ensure that the certificate authority that signed this server certificate is correctly installed in client's supplicant. Check the previous steps in the log for this EAP-TLS conversation for a message indicating why the handshake failed. Check the OpenSSLErrorMessage and OpenSSLErrorStack for more information.
Root cause PEAP failed SSL/TLS handshake because the client rejected the ISE local-certificate
VIP Advocate

Re: Cisco ISE and Meaki using PEAP Authentication

Sounds like the client doesn't trust the issuer of the ISE certificate. Check the certificate on the ISE and check which root and intermediate issued it.
Then open the certificate management on the client and check if it trusts the root and intermediate.
Alternatively, if the cert is also used for the ISE admin site, open it in Edge or IE on the client. You should not receive a warning if it trusts the issuer.
Enthusiast

Re: Cisco ISE and Meaki using PEAP Authentication

Ya I think there is a process that wasn't done. The ISE cert used for RADIUS is a signed by itself (Self-Signed) so clients will not trust it. Administration > Certificates > System Certificates.

ISE does trust my Root-CA and is enabled. Administration > Certificates > Trusted Certificates.

I think the issue may be that I never generated a CSR to get signed by the root CA? I literally hate certificates.
VIP Advocate

Re: Cisco ISE and Meaki using PEAP Authentication

Correct. You have to create a CSR which you sign by the root, then you import that into the ISE and select it for the EAP processes.
Enthusiast

Re: Cisco ISE and Meaki using PEAP Authentication

So because ISE is joined to two domains and I have clients from two domains I think it is easier just to import the self signed cert for ISE to all clients. It exports as a .pem though which doesn't seem to work when wanting to distribute via Group Policy so any other way I can export it in a valid format?
VIP Advocate

Re: Cisco ISE and Meaki using PEAP Authentication

Not that I know of, but you can convert it using openssl. Just Google pem to whatever format you want it.
Enthusiast

Re: Cisco ISE and Meaki using PEAP Authentication

I did figure that out. Still having issues so I think I need to go back through and understand how all this should work.

I need to look at the flow diagrams because I am still struggling with cert stuff. I read that if I use a self signed cert I have to disable the cert validation option on the Windows Configuration. So deploying ISE's self signed cert would be an issue.

CreatePlease to create content
Content for Community-Ad
August's Community Spotlight Awards