Cisco ISE and Meraki using PEAP Authentication

08-16-2019 06:33 AM - edited 07-05-2021 10:52 AM
Currently my network is using PEAP to authenticate and is authenticating to ISE. I have not worked with PEAP much, as the majority of my deployments are EAP-TLS for obvious reasons.
Is it possible to use MS Group Policy to make computers join the PEAP wireless automatically? I am not really sure because it requires user credentials. I think there is an option to use logged-in credentials but I am not sure how that works. Does PEAP still require a user cert? I feel like it should be using a cert from ISE or Meraki but not sure which one?
Anyone using PEAP? Anyone have decent articles or blogs on this? I am trying to make this as NON user interactive as possible for them to join my Meraki Wi-Fi.
08-16-2019 07:38 AM
If the clients are domain joined, you can push a group policy containing the whole SSID configuration to the client and it will automatically connect. You can even select if you want computer or user authentication (use user).
Here is a fairly good document:
https://documentation.meraki.com/MR/Encryption_and_Authentication/Configuring_RADIUS_Authentication_with_WPA2-Enterprise
08-16-2019 07:49 AM
08-16-2019 08:04 AM
08-16-2019 08:07 AM
08-16-2019 08:20 AM
If it's the same as your DCs are using and your clients are joined to the domain, they already trust that CA.
08-16-2019 08:24 AM
08-16-2019 08:31 AM
08-16-2019 08:32 AM
Failure Reason 12321 PEAP failed SSL/TLS handshake because the client rejected the ISE local-certificate
Resolution Check whether the proper server certificate is installed and configured for EAP in the Local Certificates page ( Administration > System > Certificates > Local Certificates ). Also ensure that the certificate authority that signed this server certificate is correctly installed in client's supplicant. Check the previous steps in the log for this EAP-TLS conversation for a message indicating why the handshake failed. Check the OpenSSLErrorMessage and OpenSSLErrorStack for more information.
Root cause PEAP failed SSL/TLS handshake because the client rejected the ISE local-certificate
08-16-2019 08:47 AM
Then open the certificate management on the client and check if it trusts the root and intermediate.
Alternatively, if the cert is also used for the ISE admin site, open it in Edge or IE on the client. You should not receive a warning if it trusts the issuer.
08-16-2019 08:54 AM
ISE does trust my Root-CA and is enabled. Administration > Certificates > Trusted Certificates.
I think the issue may be that I never generated a CSR to get signed by the root CA? I literally hate certificates.
08-16-2019 09:00 AM
08-16-2019 09:41 AM
08-16-2019 09:44 AM
08-16-2019 11:51 AM
I need to look at the flow diagrams because I am still struggling with cert stuff. I read that if I use a self-signed cert I have to disable the cert validation option on the Windows Configuration. So deploying ISE's self-signed cert would be an issue.
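
The trust check discussed in this thread (does the client trust the issuer of the ISE EAP certificate, and what changes once a CSR is signed by the root CA), reproduced offline as an added example that is not part of any post here. It uses `openssl verify` in place of the Windows supplicant; the CA name, the host name `ise01.lab.example` and all file names are constructed assumptions.

```shell
#!/bin/sh
# Constructed lab: every name, key and certificate below is generated here for illustration.
LAB=$(mktemp -d)

make_lab() {
  # Root CA standing in for the domain CA that the clients already trust.
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Example Lab Root CA" \
    -keyout "$LAB/root.key" -out "$LAB/root.pem" 2>/dev/null &&
  # CSR for the RADIUS server (hypothetical host name), then signed by that root.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=ise01.lab.example" \
    -keyout "$LAB/ise.key" -out "$LAB/ise.csr" 2>/dev/null &&
  openssl x509 -req -in "$LAB/ise.csr" -days 2 \
    -CA "$LAB/root.pem" -CAkey "$LAB/root.key" -CAcreateserial \
    -out "$LAB/ise-signed.pem" 2>/dev/null &&
  # Self-signed server certificate with the same subject, never seen by any CA.
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=ise01.lab.example" \
    -keyout "$LAB/self.key" -out "$LAB/ise-selfsigned.pem" 2>/dev/null
}

# Succeeds only if the certificate in $1 chains to the client's one trusted root.
client_trusts() {
  openssl verify -CAfile "$LAB/root.pem" "$1" >/dev/null 2>&1
}

make_lab || { echo "openssl could not build the lab certificates" >&2; exit 1; }
for cert in ise-signed ise-selfsigned; do
  if client_trusts "$LAB/$cert.pem"; then
    echo "$cert: chain validates, TLS tunnel can be established"
  else
    echo "$cert: client rejects the server certificate"
  fi
done
```

The rejected case is the client-side condition behind the "client rejected the ISE local-certificate" failure quoted above; the accepted case needs no change on clients that already trust the root.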
