Showing results for 
Search instead for 
Did you mean: 

Cisco ISE and Meaki using PEAP Authentication

Currently my network is using PEAP to authenticate and is authenticating to ISE. I have not worked with PEAP much as majority of my deployments are EAP-TLS for obvious reasons. 


Is it possible to use MS Group Policy to make Computers join the PEAP wireless automatically? I am not really sure because it requires user credentials. I think there is an option to use logged in credentials but I am not sure how that works. Does PEAP still require a user cert? I feel like it should be using a cert from ISE or Meraki but not sure which one?


Anyone using PEAP? Anyone have decent articles or blogs on this? I am trying to make this as NON user interactive as possible for them to join my meraki wifi. 


I really suggest you get a globally valid issued certificate. Once you start to integrate mobile phones or Apple/Linux computers it gets difficult. If you only have Windows domain joined devices and are running your own CA server, you can work by issuing a CA signed certificate to the ISE and your Windows clients will trust it.

The PEAP flow is, simplified, client tries to join ssid, radius sends a (P)EAP package to client, encrypted with its certificate, client checks certificate if issuer is trusted, if ok client submits credentials, radius validates them and if ok tells the AP/WLC access ok and the client switches to associated state and starts dhcp process.

Ok you were on the same track as me because unless all my mobile devices within the organization are on an MDM and getting the internal CA cert or even the ISE self signed they will have issues joining.

Correct, they can join, but it can be more difficult.
One more important detail, if you don't push a profile to the clients, they will get a certificate pop up which they have to check and approve. This is normal and actually required and the only protection against man in the middle attacks!
Content for Community-Ad