
Deploying a secure internal wireless network

rajarora4
Level 1

Hi, we've got a 5508 WLAN controller with about 200 WAPs currently deployed for guest access only. We would now like to deploy wireless for our internal network as well and would like for this to support voice as well. I'm reviewing the various options that are available and trying to figure out which one is the best. I've narrowed it down to EAP-TLS and PEAP with MS-CHAPv2 with Windows-based certificates. Our management wants us to use Microsoft RADIUS servers instead of ACS. Just wanted to get some feedback to see if someone has done this in their environment before and the pros and cons of choosing one authentication method over another.

Thanks in advance for your valuable input!

28 Replies

wow, started this 4 times now.....

Ok, TLS would use the certificate that was installed. Technically, it would not matter if the machine were part of the domain, so long as it had the certificate. The odds of getting the certificate while not being part of the domain are another story... Now if you were doing PEAP with machine authentication, you could tell it to check whether the machine is part of the domain or not.

@George IIRC, and I may not, when you do machine auth it looks at the GUID of the device that is in AD.

The VPN cert can be used for the TLS, just a matter of what/who it's issued to, the machine or the individual user.

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

@Steve -- Is there a good document that talks about that specifically? I am a little rusty on that subject and need to sharpen up...

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

@Stephen, I have a question about PEAP and your statement

"Actually the user shouldn't need to input credentials beyond the windows login screen.  If you use the WZC, and most supplicants, when you login to the machine with domain credentials, they will be transmitted across the wireless for the user login.  That being said, if there is an issue, they could get prompted. "

Are the user creds sent encrypted or are they sent clear text?

Thanks!

Raj,

If you use PEAP and WZC as your wireless supplicant, Windows sends the inner identity as the outer identity, which is sent in clear text.

So if your AD username was, say, ADRAJ and the password ABC123.

If someone sniffed the network you would see ADRAJ in the clear. With other supplicants, like Intel for example, you can send a bogus outer ID.


Thanks for the reply George. So how can I send the creds in encrypted format? Do I select privacy, or is there another way?

Raj,

PEAP, like other EAPs, uses an internal TLS tunnel to secure the transmission of the user account. However, these EAPs use two IDs, outer and inner. How the supplicant handles the outer is supplicant specific.

WZC, at last check, still sent the outer ID (by using the inner ID). There isn't anything that you can do, unless you use a different supplicant. For example, Cisco AnyConnect, Funk OC, or a vendor supplicant like Intel.

Let me fire up my XP box.


Hmmm, can't seem to find my XP box... but here is a link that mentions this

http://dot11.info/index.php?title=CWSP-Chapter_2-Enterprise_802.11_Layer_2_Authentication_Methods

Also, another issue with this is that it requires the use of the same username for both the outer and inner tunnels (which is against the PEAP fundamentals). So disable WZC and use a third-party supplicant software.

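The clear-text outer identity discussed in the posts above, as an added example that is not part of the original thread: a small parser that pulls the EAP Identity Response out of captured EAPOL frames and says whether the outer identity reuses the real user name (the WZC behaviour described), is an anonymous identity, or is a Windows machine-auth name. The frames, MAC addresses and names are constructed here; the frames are Ethernet-encapsulated EAPOL, which is what a sniffer on a mirror port (or a decapsulated 802.11 capture) would present. The identity response is sent before the PEAP TLS tunnel exists, which is why nothing in PEAP itself protects it.

```python
import struct

# Constants from IEEE 802.1X / RFC 3748. Frames below are constructed, not captured.
ETH_P_EAPOL = 0x888E            # EtherType for EAPOL
EAPOL_TYPE_EAP_PACKET = 0       # EAPOL packet type that carries an EAP packet
EAP_CODE_RESPONSE = 2
EAP_TYPE_IDENTITY = 1

PAE_GROUP_MAC = bytes.fromhex("0180c2000003")  # 802.1X PAE group destination address


def build_eapol_identity_response(src_mac: bytes, eap_id: int, identity: str) -> bytes:
    """Build an Ethernet-encapsulated EAPOL frame carrying an EAP Identity Response,
    i.e. what a supplicant sends in reply to the authenticator's Identity Request.
    No TLS tunnel exists yet, so the identity travels in clear text."""
    ident = identity.encode("utf-8")
    eap = struct.pack("!BBHB", EAP_CODE_RESPONSE, eap_id, 5 + len(ident), EAP_TYPE_IDENTITY) + ident
    eapol = struct.pack("!BBH", 1, EAPOL_TYPE_EAP_PACKET, len(eap)) + eap
    return PAE_GROUP_MAC + src_mac + struct.pack("!H", ETH_P_EAPOL) + eapol


def extract_outer_identity(frame: bytes):
    """Return (source MAC, outer identity) for an EAP Identity Response, else None."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != ETH_P_EAPOL:
        return None
    _version, ptype, plen = struct.unpack("!BBH", frame[14:18])
    eap = frame[18:18 + plen]
    if ptype != EAPOL_TYPE_EAP_PACKET or len(eap) < 5:
        return None
    code, _eid, elen, etype = struct.unpack("!BBHB", eap[:5])
    if code != EAP_CODE_RESPONSE or etype != EAP_TYPE_IDENTITY or elen > len(eap):
        return None
    src = ":".join(f"{b:02x}" for b in frame[6:12])
    return src, eap[5:elen].decode("utf-8", "replace")


def classify_outer_identity(identity: str) -> str:
    """Say what the clear-text outer identity gives away to a sniffer."""
    local = identity.split("@", 1)[0]          # drop any @realm suffix
    local = local.split("\\", 1)[-1]           # drop any DOMAIN\ prefix
    if local.lower().startswith("host/"):
        return "machine-name"                  # Windows machine auth: host/<computer>
    if local == "" or local.lower() == "anonymous":
        return "anonymous"                     # supplicant configured for identity privacy
    return "leaks-username"                    # inner user name reused as outer identity


def audit_frames(frames):
    """Scan frames and report every outer identity seen, with a verdict."""
    findings = []
    for frame in frames:
        parsed = extract_outer_identity(frame)
        if parsed:
            src, identity = parsed
            findings.append((src, identity, classify_outer_identity(identity)))
    return findings


# Constructed sample traffic: a WZC-style client reusing the inner name as the outer
# identity, a supplicant with identity privacy, and a machine authentication.
SAMPLE_FRAMES = [
    build_eapol_identity_response(bytes.fromhex("001122334455"), 1, "CORP\\ADRAJ"),
    build_eapol_identity_response(bytes.fromhex("66778899aabb"), 1, "anonymous@corp.example"),
    build_eapol_identity_response(bytes.fromhex("ccddeeff0011"), 1, "host/ws42.corp.example"),
    b"\x00" * 40,   # unrelated frame, ignored by the parser
]

if __name__ == "__main__":
    for src, ident, verdict in audit_frames(SAMPLE_FRAMES):
        print(f"{src}  {ident!r:32}  {verdict}")
```

Run it against real frames by replacing SAMPLE_FRAMES with the raw bytes from a capture; any "leaks-username" verdict on your SSID is a client whose supplicant is doing what the posts describe. The inner MS-CHAPv2 exchange is still inside the tunnel; only the name is exposed.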

Thomas Jennings
Level 1

Just my 2 cents

PEAP is clearly easier to setup and manage as opposed to EAP-TLS

PEAP is an upgrade from LEAP, and once a user successfully performs a .1x authentication the PEAP certificate's job is to encrypt the traffic between the client and RADIUS server. Be careful to monitor your certificate's expiration date, because once it expires the client can still work but no encryption is done.

Sent from Cisco Technical Support iPhone App

Thanks for joining in Thomas.

Guys, let me throw another curveball at you. What about BYOD? How would we handle certificate and user-based authentication with iPads, iPhones and Android-based devices?

Good timing. I am deploying ISE now.

With ISE, you MUST use an EAP, not a PSK. Just an FYI so you know.

Identity: you don't need a cert, but it is recommended to validate a device as being a company asset or a personal asset. This can be done with EAP-TLS.

If you don't use a cert, you then rely heavily on probes: DHCP, RADIUS, HTTP, etc. Keep in mind, identifying a device is more of an art than a science. If you add a cert you can then say "this is a corp device" because you can tie the cert to a device.

An MDM like Zenprise also does certs, but these certs are not used for TLS. However, if you have a PKI you can use that cert for EAP-TLS and the MDM.


It looks like we do have a requirement for iPads, Android devices and such, so we'll need ISE as well. Time to start reading up on ISE.

So can I do PEAP with ISE? I had a call with a Cisco wireless engineer yesterday and he said that I'm limited to using PEAP if we want to use Windows WZC as the .1x supplicant. I doubt if we'll be able to roll out a new wireless supplicant throughout our enterprise so I'm fairly certain we'll be using WZC.

You can also do EAP-TLS with ISE, not just PEAP???

Thanks,

Scott Fella

Sent from my iPhone

-Scott
*** Please rate helpful posts ***

Stephen Rodriguez
Cisco Employee

Yes, you can do PEAP with the ISE. You can also do EAP-TLS with the WZC.

Steve

Sent from Cisco Technical Support iPhone App


Let's be clear...

You can only do EAP-PEAP or EAP-TLS with WZC. This is not a limitation of ISE; rather, it's a limitation of WZC. Take a peek at the EAP options and you will see.

ISE can be used as a RADIUS server, or you can proxy to another RADIUS server, for example ACS. ISE allows all types of EAP: PEAP, LEAP, TLS, etc. If you use ISE as a RADIUS server, you can also take advantage of the RADIUS probe.

One problem is CoA and WZC. If a CoA has to happen after a device is already connected, it most likely will not work with WZC. Let me give you an example.

Let's say you need to do a VLAN move for a user from VLAN 200 to VLAN 300. ISE may not properly identify the device until after it has an IP. The user's HTTP traffic is then analyzed and it's "hey, this guy needs to move from 200 to 300". The WLC will make that move after being instructed by ISE, but your WZC is still on VLAN 200 (IP address wise). The CoA will happen on the WLC, but the WZC client will sit and spin because of the IP/VLAN mismatch.

Suppose you used the Cisco AnyConnect wireless client. If a CoA happens like in the above example, the AnyConnect client will detect that traffic is not passing and it will re-IP automagically.

Does that make sense?

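The CoA in the VLAN-move example above, as an added example that is not from the original posts or from ISE/WLC code: it builds the RADIUS CoA-Request (RFC 5176) that a policy server would send to the controller to move a session to VLAN 300, carrying the RFC 2868 tunnel attributes, and shows the check the NAS makes before acting, recomputing the Request Authenticator with its copy of the shared secret. The shared secret, the client MAC and the use of Calling-Station-Id to select the session are assumptions. This covers only the controller side of the exchange; it does not address the client-side problem the post describes, where the supplicant keeps its VLAN 200 address after the move.

```python
import hashlib
import hmac
import struct

# Constants from RFC 5176 (CoA) and RFC 2868 (tunnel attributes).
COA_REQUEST = 43
ATTR_CALLING_STATION_ID = 31
ATTR_TUNNEL_TYPE = 64
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_802 = 6


def attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type, Length (header included), Value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def vlan_move_attributes(client_mac: str, vlan_id: int, tag: int = 0) -> bytes:
    """Attributes telling the NAS to put the session identified by client_mac
    into vlan_id. Tunnel attributes carry a leading tag octet (0 = untagged).
    Selecting the session by Calling-Station-Id is an assumption of this example."""
    return b"".join([
        attribute(ATTR_CALLING_STATION_ID, client_mac.encode()),
        attribute(ATTR_TUNNEL_TYPE, bytes([tag]) + struct.pack("!I", TUNNEL_TYPE_VLAN)[1:]),
        attribute(ATTR_TUNNEL_MEDIUM_TYPE, bytes([tag]) + struct.pack("!I", TUNNEL_MEDIUM_802)[1:]),
        attribute(ATTR_TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode()),
    ])


def build_coa_request(identifier: int, attrs: bytes, secret: bytes) -> bytes:
    """Build a CoA-Request. Per RFC 5176 the Request Authenticator is
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return header + authenticator + attrs


def verify_coa_request(packet: bytes, secret: bytes) -> bool:
    """What the NAS (here the WLC) does before acting: recompute the Request
    Authenticator with its shared secret and silently discard on mismatch."""
    if len(packet) < 20 or packet[0] != COA_REQUEST:
        return False
    if struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + b"\x00" * 16 + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(packet: bytes) -> dict:
    """Decode the attributes of a CoA-Request into {type: raw value}."""
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs


def requested_vlan(packet: bytes) -> int:
    """VLAN the CoA asks for, with the RFC 2868 tag octet stripped when present."""
    value = parse_attributes(packet)[ATTR_TUNNEL_PRIVATE_GROUP_ID]
    if value and value[0] <= 0x1F:      # RFC 2868: a first octet of 0x00-0x1F is a tag
        value = value[1:]
    return int(value.decode())


if __name__ == "__main__":
    secret = b"wlc-shared-secret"      # assumed; configured per NAS on both the server and the WLC
    coa = build_coa_request(7, vlan_move_attributes("00-11-22-33-44-55", 300), secret)
    print("authentic:", verify_coa_request(coa, secret), "vlan:", requested_vlan(coa))
    print("request with wrong secret accepted:", verify_coa_request(coa, b"guess"))
```

The point of the verification step: a CoA can re-VLAN or disconnect any session on the controller, so the only thing standing between an attacker who can reach the CoA port and that capability is the per-NAS shared secret. Keep it long, unique per device, and make sure the controller's CoA listener is only reachable from the policy server.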