
Recommended Enterprise SSID Authentication

fiestas.cesar
Level 1

Hello Team,

 

We currently have a mix of wireless devices, from laptops authenticating using certificates and credentials, to pre-shared key WPA2, to pre-shared WPA2 keys with MAC filtering.

Although, what would be the recommended way (enterprise model) to authenticate, for example, the Cisco 8821? Should we use:

 

WEP

PSK

EAP-FAST

EAP-TLS

or PEAP-GTC

 

Thank you in advance. 

 

 

Accepted Solutions

RaffyLindogan
Spotlight

Hi mate,

 

What I recommend is to have ISE as the authentication server.

If you manage the AD, then integrate ISE with AD.

EAP-TLS using machine authentication is the way I suggest as well for Windows machines.

For mobile (company provided), it would be good to have a user cert installed on it using MDM.

And that user is found on AD, so it is easier to manage.

For both non-company laptops and mobile, you have ways to go with BYOD and/or Guest network.

ISE has a good feature for redirect and even social media login, so it is easier for your users.

 

Cheers,

 

Raffy


EAP-TLS will be my opinion.

https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/213543-configure-eap-tls-flow-with-ise.html
Regards,
Sathiyanarayanan Ravindran

Please rate the post and accept as solution, if my response satisfied your question:)

balaji.bandi
Hall of Fame

There is a good article by one of the VIP members; have a look for reference:

 

https://mrncciew.com/2013/03/03/eap-overview/

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Chris_78
Level 1

I had to go through the same, so EAP-TLS should be the preferred choice from a security point of view. We were deploying certs to our endpoints for VPN purposes, so we are also using the same certs for the Wi-Fi. You have to play with Active Directory PKI and NPS. The exact AP should be very easy to configure (we did Aruba, sorry to mention that here :))

Good thing: this setup should be pretty straightforward and well documented online!

Good luck!

Chris,

Thanks for your time. For best practice when using EAP-TLS, did you use one service account for each phone or one service account for all phones?

Raffy,

Thanks for your response, although will we still need to have an AD account (service account) to authenticate the phone using this model? Also, how do we load the certificate into the 8821? Thanks

Please refer to the doc WiFi on 8821

Regards,
Sathiyanarayanan Ravindran

Please rate the post and accept as solution, if my response satisfied your question:)