02-28-2013 06:02 AM - edited 07-03-2021 11:38 PM
Hi,
I am sure this has been asked many times here, but couldn't find any consolidated answers for this question:
- How many 802.1X authentication methods are there? And along with the name of each, can somebody also tell me the advantage of deploying the method, the reason to deploy it, and its disadvantage?
I will be very grateful for any help in this regard.
Thanks,
Usama
02-28-2013 06:18 AM
That is a very open-ended question. It depends on what your RADIUS server can support along with your clients. Here is a link to the various EAP types.
http://en.m.wikipedia.org/wiki/Extensible_Authentication_Protocol#section_1
The most common is PEAP and EAP-TLS. PEAP uses a server signed certificate and EAP-TLS requires a server and client certificate.
Sent from Cisco Technical Support iPhone App
02-28-2013 06:27 AM
HI Scott,
Thanks for the quick reply. The link is quite helpful but what about MSCHAP PEAP?
The reason for this question is that I have to suggest the best practice for deploying 802.1x in our current setup
The current setup is
1- WiSM 2 (7.2 IOS -> planned upgrade to 7.3)
2- ACS 5.2
3- ISE 1.1
The environment it will be running in consists of 10,000 user devices ranging from Windows to Linux and Mac OS.
We want two separate SSIDs, one for these machines and the other for BYOD (iPads, smartphones, etc.).
Kindly suggest which methods to use for both of these SSIDs.
And the thing is, we can get any other hardware or software if the need arises.
02-28-2013 06:31 AM
PEAP is the same as MSCHAPv2.... It depends on your client. Now, Windows domain computers can use EAP-TLS or PEAP, and Linux and OS X can use both also. It just depends on whether you want to install certs on these non-Windows-domain devices. ISE should be able to profile these devices, and you can have a policy that puts them in their own VLAN or named ACLs. So if you don't have a PKI infrastructure, then go with PEAP-MSCHAPv2.
Sent from Cisco Technical Support iPhone App
02-28-2013 06:39 AM
Thanks Scott, that helps a lot. Since we do not have a PKI infrastructure, we will go for PEAP. However, can you kindly share a document which elaborates the configuration for PEAP with WiSM 2 and ISE? And will we need a CA and IAS to create this setup?
02-28-2013 07:04 AM
Well that would be configured in ISE. The WLC config is pretty straight forward. I would ask your ISE engineer if they understand what has to be done on the ISE side. It's not really possible to explain every single step on this thread. Way too much info. There are good Cisco docs out there for ISE and the WLC.
Sent from Cisco Technical Support iPhone App
02-28-2013 07:32 AM
Here is an old link that explains the config in the WLC side.
http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080921f67.shtml#con3
Sent from Cisco Technical Support iPhone App
02-28-2013 08:07 AM
Hi Scott,
Thanks for the link. I have set up PEAP before using the guide that you just shared; that's the reason I asked if we would need IAS and a CA.
I found the ISE configuration guide detailing integration with AD, and that covers all the protocols.
Thanks.
Regards,
Usama
02-28-2013 08:08 AM
I would think you would want to have a CA, but IAS is not needed since you have ISE.
Sent from Cisco Technical Support iPhone App
03-06-2013 09:57 PM
Following are the different Extensible Authentication Protocol (EAP) types:
PEAP-MSCHAPv2 (username/password-based auth)
PEAP-EAP-TLS (certificate-based auth)
EAP-TLS (certificate-based auth)
EAP-FAST (like PEAP, auth based on an inner method such as MSCHAPv2, EAP-TLS, or EAP-GTC)
According to your scenario you can use PEAP-MSCHAPv2 or EAP-TLS. As you have mentioned that you have 10,000 users and are using BYOD as well, you can use ISE for this.
The following link will help you configure protocol settings on ISE:
http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_auth_pol.html#wp1146161
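Added example, not part of any post in this thread: a wpa_supplicant configuration for the Linux clients mentioned above, with a PEAP-MSCHAPv2 network block beside an EAP-TLS one. The SSID, identities, file paths, the CA file and the server-certificate domain are assumptions. The caveat the thread touches on but does not spell out: PEAP-MSCHAPv2 avoids client certificates, but it still depends on the RADIUS server's certificate, so the client must be told which CA and which server name to accept; a client that skips that check will complete its MSCHAPv2 exchange with any access point that impersonates the SSID.

```conf
# wpa_supplicant.conf (added example; SSID, names and paths are assumptions)
ctrl_interface=/var/run/wpa_supplicant
eapol_version=1

# Corporate SSID with PEAP-MSCHAPv2: username/password, no client certificate.
# The RADIUS (ISE) server certificate is still verified against the CA that
# issued it, and its DNS name is pinned to the corporate domain.
network={
    ssid="CORP-WLAN"                              # assumed SSID
    key_mgmt=WPA-EAP
    eap=PEAP
    anonymous_identity="anonymous@example.com"    # outer identity, visible in the clear
    identity="usama@example.com"                  # inner identity, sent inside the TLS tunnel
    password="placeholder-password"               # placeholder
    ca_cert="/etc/ssl/certs/corp-root-ca.pem"     # assumed path; CA that issued the ISE cert
    domain_suffix_match="example.com"             # assumed; server cert DNS name must end with this
    phase1="peapver=0 peaplabel=0"
    phase2="auth=MSCHAPV2"
    priority=5
}

# Weak form of the same block, shown for contrast and kept commented out:
# without ca_cert the client accepts any server certificate (wpa_supplicant
# logs a warning), so a rogue AP broadcasting "CORP-WLAN" can terminate the
# tunnel and collect the MSCHAPv2 exchange. Do not deploy this.
# network={
#     ssid="CORP-WLAN"
#     key_mgmt=WPA-EAP
#     eap=PEAP
#     identity="usama@example.com"
#     password="placeholder-password"
#     phase2="auth=MSCHAPV2"
# }

# Same SSID with EAP-TLS: a machine certificate instead of a password.
# Requires a PKI that issues client certificates; preferred when available.
network={
    ssid="CORP-WLAN"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="host/laptop01.example.com"          # assumed machine identity
    ca_cert="/etc/ssl/certs/corp-root-ca.pem"
    client_cert="/etc/wpa_supplicant/laptop01.crt" # assumed path
    private_key="/etc/wpa_supplicant/laptop01.key" # assumed path
    private_key_passwd="placeholder-passphrase"   # placeholder
    domain_suffix_match="example.com"
    priority=10                                   # tried before the PEAP block
}
```

Both blocks name the same SSID; wpa_supplicant tries the higher-priority EAP-TLS block first and falls back to PEAP-MSCHAPv2 if that profile cannot be used. On Windows and OS X the equivalent setting is the "validate server certificate" option together with the list of trusted CAs and permitted server names; the same rogue-AP risk applies there if it is left unchecked.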