Cisco Community
English
Register
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
571
Views
0
Helpful
17
Replies
Highlighted
Steven Williams
Enthusiast
Enthusiast
‎08-16-2019 06:33 AM
‎08-16-2019 06:33 AM

Cisco ISE and Meaki using PEAP Authentication

Currently my network is using PEAP to authenticate and is authenticating to ISE. I have not worked with PEAP much as majority of my deployments are EAP-TLS for obvious reasons. 

 

Is it possible to use MS Group Policy to make Computers join the PEAP wireless automatically? I am not really sure because it requires user credentials. I think there is an option to use logged in credentials but I am not sure how that works. Does PEAP still require a user cert? I feel like it should be using a cert from ISE or Meraki but not sure which one?

 

Anyone using PEAP? Anyone have decent articles or blogs on this? I am trying to make this as NON user interactive as possible for them to join my meraki wifi. 

Labels:
0 Helpful
Reply
17 REPLIES 17
Highlighted
patoberli
VIP Advisor VIP Advisor
VIP Advisor
In response to Steven Williams
‎08-16-2019 12:21 PM
‎08-16-2019 12:21 PM

I really suggest you get a globally valid issued certificate. Once you start to integrate mobile phones or Apple/Linux computers it gets difficult. If you only have Windows domain joined devices and are running your own CA server, you can work by issuing a CA signed certificate to the ISE and your Windows clients will trust it.

The PEAP flow is, simplified, client tries to join ssid, radius sends a (P)EAP package to client, encrypted with its certificate, client checks certificate if issuer is trusted, if ok client submits credentials, radius validates them and if ok tells the AP/WLC access ok and the client switches to associated state and starts dhcp process.
0 Helpful
Reply
Highlighted
Steven Williams
Enthusiast
Enthusiast
In response to patoberli
‎08-16-2019 12:25 PM
‎08-16-2019 12:25 PM

Ok you were on the same track as me because unless all my mobile devices within the organization are on an MDM and getting the internal CA cert or even the ISE self signed they will have issues joining.
0 Helpful
Reply
Highlighted
patoberli
VIP Advisor VIP Advisor
VIP Advisor
In response to Steven Williams
‎08-16-2019 12:48 PM
‎08-16-2019 12:48 PM

Correct, they can join, but it can be more difficult.
One more important detail, if you don't push a profile to the clients, they will get a certificate pop up which they have to check and approve. This is normal and actually required and the only protection against man in the middle attacks!
0 Helpful
Reply
Latest Contents
Cisco AP AIR-CAP702I-E-K9
Created by sahara101 on 02-18-2021 05:39 AM
0
0
0
0
 Hello Community, I have an issue where APs do not connect to the WLC. Connection is made over VPN. Until yesterday all 3 APfailed with below errors. We change the LAN connection to a cisco router and now one of the AP magically connected to the... view more
Wireless Config Analyzer Express v 0.5.9
Created by Javier Contreras on 02-15-2021 09:27 AM
3
15
3
15
Where to download Attached files on this post Alternatively, cloud version (only summaries) General information: New implementation for the WLC Config Analyzer. it is a new re-write of the application, with clean up and improved checks Support for IOS... view more
**New Episode** Cisco Champion Radio: S8|E6 Fastlane+ Optimi...
Created by aalesna on 02-09-2021 10:20 AM
0
0
0
0
Cisco Champion Radio · S8|E6: Fastlane+ Optimizes Network and Device Communication Cisco Fastlane+ is a co-developed solution with Apple that significantly improves the experience of any Wi-Fi 6 capable iPhone or iPad connected to a Cisco Catalyst 9130 A... view more
IOS-XE 17.4.1 Blog
Created by SAY on 01-26-2021 12:19 AM
1
10
1
10
We are pleased to announce the immediate availability of the IOS-XE release 17.4.1 for the Catalyst Wireless Controllers. The new code is now posted on the CCO and can be found at this link: https://software.cisco.com/download/home/286316412/type/28204647... view more
How to manually connect a Cisco WLC to Cisco DNA Center for ...
Created by Richard Jang on 01-14-2021 05:50 PM
0
15
0
15
Table of Contents   Overview The purpose of this document is to provide step-by-step instructions regarding how to connect your read-only Catalyst 9800 WLC or AireOS WLC with Cisco DNA Center for Assurance monitoring through manual configuration. I... view more
Content for Community-Ad