Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1730
Views
0
Helpful
17
Replies

Cisco ISE and Meaki using PEAP Authentication

Steven Williams
Level 4
Level 4

‎08-16-2019 06:33 AM - edited ‎07-05-2021 10:52 AM

Currently my network is using PEAP to authenticate and is authenticating to ISE. I have not worked with PEAP much as majority of my deployments are EAP-TLS for obvious reasons. 

 

Is it possible to use MS Group Policy to make Computers join the PEAP wireless automatically? I am not really sure because it requires user credentials. I think there is an option to use logged in credentials but I am not sure how that works. Does PEAP still require a user cert? I feel like it should be using a cert from ISE or Meraki but not sure which one?

 

Anyone using PEAP? Anyone have decent articles or blogs on this? I am trying to make this as NON user interactive as possible for them to join my meraki wifi. 

Labels:
0 Helpful
17 Replies 17

patoberli
VIP Alumni
VIP Alumni
In response to Steven Williams

‎08-16-2019 12:21 PM

I really suggest you get a globally valid issued certificate. Once you start to integrate mobile phones or Apple/Linux computers it gets difficult. If you only have Windows domain joined devices and are running your own CA server, you can work by issuing a CA signed certificate to the ISE and your Windows clients will trust it.

The PEAP flow is, simplified, client tries to join ssid, radius sends a (P)EAP package to client, encrypted with its certificate, client checks certificate if issuer is trusted, if ok client submits credentials, radius validates them and if ok tells the AP/WLC access ok and the client switches to associated state and starts dhcp process.
0 Helpful

Steven Williams
Level 4
Level 4
In response to patoberli

‎08-16-2019 12:25 PM

Ok you were on the same track as me because unless all my mobile devices within the organization are on an MDM and getting the internal CA cert or even the ISE self signed they will have issues joining.
0 Helpful

patoberli
VIP Alumni
VIP Alumni
In response to Steven Williams

‎08-16-2019 12:48 PM

Correct, they can join, but it can be more difficult.
One more important detail, if you don't push a profile to the clients, they will get a certificate pop up which they have to check and approve. This is normal and actually required and the only protection against man in the middle attacks!
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card