Cisco ISE and Meaki using PEAP Authentication

Steven Williams · ‎08-16-2019

Currently my network is using PEAP to authenticate and is authenticating to ISE. I have not worked with PEAP much as majority of my deployments are EAP-TLS for obvious reasons.

Is it possible to use MS Group Policy to make Computers join the PEAP wireless automatically? I am not really sure because it requires user credentials. I think there is an option to use logged in credentials but I am not sure how that works. Does PEAP still require a user cert? I feel like it should be using a cert from ISE or Meraki but not sure which one?

Anyone using PEAP? Anyone have decent articles or blogs on this? I am trying to make this as NON user interactive as possible for them to join my meraki wifi.

patoberli · ‎08-16-2019

By default a Window client that is joined to a domain will use the credentials of the logged in user, or computername, to authenticate on a PEAP SSID. PEAP does not require a user Cert, but the computer must trust the root cert of the radius certificate.
If the clients are domain joined, you can push a group policy containing the whole SSID configuration to the client and it will automatically connect. You can even select if you want computer or user authentication (use user).
Here a fairly good document:
https://documentation.meraki.com/MR/Encryption_and_Authentication/Configuring_RADIUS_Authentication_with_WPA2-Enterprise

Steven Williams · ‎08-16-2019

So if ISE is my radius server, do I need to import the root cert to it ? or export a cert in ISE and then push via GP to all machines/users?

patoberli · ‎08-16-2019

You need to import on the clients the root cert, which certified/validated the ISE radius cert.

Steven Williams · ‎08-16-2019

So ISE is trusting my Corporate CA. The system cert marked for EAP auth, admin, portal, and RADIUS DTLS is self signed. So I need to export that one and import to clients?

patoberli · ‎08-16-2019

Your clients must trust the Corporate CA in this case.

If it's the same as your DCs are using and your clients are joined to the domain, they already trust that CA.

Steven Williams · ‎08-16-2019

Just seems silly that you have your radius server trust your CA, your Machines and Users are joined to the domain and trusting the Root CA and you use PEAP-TLS, I feel like its not much more effort to just go to EAP....

patoberli · ‎08-16-2019

Not sure what you want to say. I'm using PEAP mschapv2 here (username/password), not PEAP-TLS.

Steven Williams · ‎08-16-2019

Event 5400 Authentication failed
Failure Reason 12321 PEAP failed SSL/TLS handshake because the client rejected the ISE local-certificate
Resolution Check whether the proper server certificate is installed and configured for EAP in the Local Certificates page ( Administration > System > Certificates > Local Certificates ). Also ensure that the certificate authority that signed this server certificate is correctly installed in client's supplicant. Check the previous steps in the log for this EAP-TLS conversation for a message indicating why the handshake failed. Check the OpenSSLErrorMessage and OpenSSLErrorStack for more information.
Root cause PEAP failed SSL/TLS handshake because the client rejected the ISE local-certificate

patoberli · ‎08-16-2019

Sounds like the client doesn't trust the issuer of the ISE certificate. Check the certificate on the ISE and check which root and intermediate issued it.
Then open the certificate management on the client and check if it trusts the root and intermediate.
Alternatively, if the cert is also used for the ISE admin site, open it in Edge or IE on the client. You should not receive a warning if it trusts the issuer.

Steven Williams · ‎08-16-2019

Ya I think there is a process that wasn't done. The ISE cert used for RADIUS is a signed by itself (Self-Signed) so clients will not trust it. Administration > Certificates > System Certificates.

ISE does trust my Root-CA and is enabled. Administration > Certificates > Trusted Certificates.

I think the issue may be that I never generated a CSR to get signed by the root CA? I literally hate certificates.

patoberli · ‎08-16-2019

Correct. You have to create a CSR which you sign by the root, then you import that into the ISE and select it for the EAP processes.

Steven Williams · ‎08-16-2019

So because ISE is joined to two domains and I have clients from two domains I think it is easier just to import the self signed cert for ISE to all clients. It exports as a .pem though which doesn't seem to work when wanting to distribute via Group Policy so any other way I can export it in a valid format?

patoberli · ‎08-16-2019

Not that I know of, but you can convert it using openssl. Just Google pem to whatever format you want it.

Steven Williams · ‎08-16-2019

I did figure that out. Still having issues so I think I need to go back through and understand how all this should work.

I need to look at the flow diagrams because I am still struggling with cert stuff. I read that if I use a self signed cert I have to disable the cert validation option on the Windows Configuration. So deploying ISE's self signed cert would be an issue.