VIP Advocate

Re: Cisco ISE and Meraki using PEAP Authentication

I really suggest you get a globally valid issued certificate. Once you start to integrate mobile phones or Apple/Linux computers it gets difficult. If you only have Windows domain-joined devices and are running your own CA server, you can work by issuing a CA-signed certificate to the ISE and your Windows clients will trust it.

The PEAP flow is, simplified: the client tries to join the SSID, RADIUS sends a (P)EAP package to the client, encrypted with its certificate, the client checks whether the certificate's issuer is trusted, if OK the client submits credentials, RADIUS validates them and if OK tells the AP/WLC access is OK, and the client switches to the associated state and starts the DHCP process.
Enthusiast

Re: Cisco ISE and Meraki using PEAP Authentication

OK, you were on the same track as me, because unless all my mobile devices within the organization are on an MDM and getting the internal CA cert or even the ISE self-signed cert, they will have issues joining.
VIP Advocate

Re: Cisco ISE and Meraki using PEAP Authentication

Correct, they can join, but it can be more difficult.
One more important detail: if you don't push a profile to the clients, they will get a certificate pop-up which they have to check and approve. This is normal and actually required, and it is the only protection against man-in-the-middle attacks!