802.1x Authentication Procedures

Hi,

I am sure this has been asked many times here, but couldn't find any consolidated answers for this question:

- How many 802.1x authentication methods are there? And along with the name of each, can somebody also tell the advantage of deploying the method, the reason to deploy it & the disadvantage of it?

I will be very grateful for any help in this regard.

Thanks,

Usama

Hall of Fame Master

That is a very open-ended question. It depends on what your RADIUS server can support along with your clients. Here is a link to the various EAP types.

http://en.m.wikipedia.org/wiki/Extensible_Authentication_Protocol#section_1

The most common is PEAP and EAP-TLS. PEAP uses a server signed certificate and EAP-TLS requires a server and client certificate.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Hi Scott,

Thanks for the quick reply. The link is quite helpful but what about MSCHAP PEAP?

The reason for this question is that I have to suggest the best practice for deploying 802.1x in our current setup.

The current setup is:

1- WiSM 2 (7.2 IOS -> planned upgrade to 7.3)

2- ACS 5.2

3- ISE 1.1

The environment it will be running in consists of 10,000 user devices varying from Windows, Linux & Mac OS.

We want two separate SSIDs, one for these machines and the other for BYOD (iPads, smartphones etc.).

Kindly suggest which methods to use for both of these SSIDs.

And the thing is we can get any other hardware or software if the need arises.

Hall of Fame Master

PEAP same as MSCHAPv2.... It depends on your client. Now Windows domain computers can use EAP-TLS or PEAP, and Linux and OS X can use both also. It just depends on whether you want to install certs on these non-Windows-domain devices. ISE should be able to profile these devices, and you can have a policy that puts them in their own VLAN or named ACLs. So if you don't have a PKI infrastructure, then go with PEAP MSCHAPv2.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Thanks Scott, that helps a lot. Since we do not have a PKI infrastructure we will go for PEAP. However, can you kindly share a document which elaborates the configuration for PEAP with WiSM 2 & ISE? And will we need a CA & IAS to create this setup?


Well, that would be configured in ISE. The WLC config is pretty straightforward. I would ask your ISE engineer if they understand what has to be done on the ISE side. It's not really possible to explain every single step on this thread. Way too much info. There are good Cisco docs out there for ISE and the WLC.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
Hall of Fame Master

Here is an old link that explains the config on the WLC side.

http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080921f67.shtml#con3

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Hi Scott,

Thanks for the link. I have set up PEAP before using the guide that you just shared; that's the reason I asked if we would need IAS & a CA.

I found the ISE configuration guide detailing integration with AD, and that covers all the protocols.

Thanks

Regards,

Usama


I would think you would want to have a CA, but IAS is not needed since you have ISE.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
Cisco Employee

Following are the different Extensible Authentication Protocol (EAP) types:

- PEAP-MSCHAPv2 (username/password-based auth)
- PEAP-EAP-TLS (certificate-based auth)
- EAP-TLS (certificate-based auth)
- EAP-FAST (like PEAP, auth based on an inner method such as MSCHAPv2, EAP-TLS, or EAP-GTC)

According to your scenario you can use PEAP-MSCHAPv2 or EAP-TLS. As you have mentioned that you have 10,000 users and are using BYOD as well, you can use ISE for this.

The following link will help to configure Protocol Settings on ISE:
http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_auth_pol.html#wp1146161
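As an added example (not code from this thread or from Cisco), here is a small Python decoder for EAPOL/EAP frames that reports which of the EAP methods listed above a supplicant and RADIUS server are negotiating, which is a practical way to verify that an SSID really runs PEAP or EAP-TLS as configured. The EAP type codes come from RFC 3748 and the method RFCs; the sample frame is constructed for this example.

```python
import struct

# EAP method type codes (RFC 3748 and the method RFCs), limited to the
# methods discussed in this thread plus the Identity exchange.
EAP_TYPES = {1: "Identity", 6: "EAP-GTC", 13: "EAP-TLS",
             25: "PEAP", 26: "EAP-MSCHAPv2", 43: "EAP-FAST"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
TLS_BASED = (13, 25, 43)  # methods that carry a TLS flags byte after Type


def parse_eapol(frame: bytes) -> dict:
    """Decode one EAPOL frame (802.1X header followed by an EAP packet).

    Returns the EAP code, identifier and method name. For the TLS-based
    methods it also returns the flags byte (L = length included,
    M = more fragments, S = start) and, for PEAP/EAP-FAST, the tunnel
    protocol version carried in the low three bits.
    """
    if len(frame) < 4:
        raise ValueError("truncated EAPOL header")
    _version, eapol_type, eapol_len = struct.unpack("!BBH", frame[:4])
    if eapol_type != 0:  # 0 = EAP-Packet; 1 = EAPOL-Start, 3 = EAPOL-Key
        return {"eapol_type": eapol_type, "code": None, "method": None}
    body = frame[4:4 + eapol_len]
    if len(body) < 4:
        raise ValueError("truncated EAP header")
    code, ident, eap_len = struct.unpack("!BBH", body[:4])
    if eap_len > len(body):
        raise ValueError("EAP length exceeds EAPOL payload")
    result = {"eapol_type": 0, "code": EAP_CODES.get(code, f"code-{code}"),
              "id": ident, "method": None}
    if code in (3, 4):  # Success/Failure have no Type field
        return result
    if eap_len < 5:
        raise ValueError("request/response without Type field")
    eap_type = body[4]
    result["method"] = EAP_TYPES.get(eap_type, f"type-{eap_type}")
    if eap_type in TLS_BASED and eap_len >= 6:
        flags = body[5]
        result["flags"] = {"L": bool(flags & 0x80),
                           "M": bool(flags & 0x40),
                           "S": bool(flags & 0x20)}
        if eap_type in (25, 43):
            result["version"] = flags & 0x07
    return result


# Constructed sample: EAPOL v1 EAP-Packet carrying an EAP-Request (id 3)
# for PEAP (type 0x19) with only the Start flag set and PEAP version 0.
SAMPLE_PEAP_START = bytes.fromhex("01 00 0006 01 03 0006 19 20")
```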
