04-09-2012 11:27 AM - edited 07-03-2021 09:58 PM
Hi, We've got a 5508 WLAN controller with about 200 WAPs currently deployed for guest access only. We would now like to deploy wireless for our internal network as well and would like for this to support voice as well. I'm reviewing the various options that are available and trying to figure out which one is the best. I've narrowed it down to EAP-TLS and PEAP with MS-CHAPv2 with Windows-based certificates. Our management wants us to use Microsoft RADIUS servers instead of ACS. Just wanted to get some feedback to see if someone has done this in their environment before and the pros and cons of choosing one authentication method over another.
Thanks in advance for your valuable input!
04-09-2012 01:50 PM
wow, started this 4 times now.....
OK, TLS would use the certificate that was installed. Technically, it would not matter if the machine were part of the domain, so long as it had the certificate. The odds on getting the certificate while not being part of the domain are another story..... Now if you were doing PEAP with machine authentication, you could tell it to check whether the machine is part of the domain or not.
@George IIRC, and I may not, when you do machine auth it looks at the GUID of the device that is in AD.
The VPN cert can be used for the TLS; it's just a matter of what/who it's issued to, the machine or the individual user.
Steve
04-09-2012 01:55 PM
@ Steve -- Is there a good document that talks about that specifically .. I am a little rusty on that subject and need to sharpen up ...
04-10-2012 12:47 PM
@Stephen, I have a question about PEAP and your statement
"Actually the user shouldn't need to input credentials beyond the windows login screen. If you use the WZC, and most supplicants, when you login to the machine with domain credentials, they will be transmitted across the wireless for the user login. That being said, if there is an issue, they could get prompted. "
Are the user creds sent encrypted or are they sent clear text?
Thanks!
04-10-2012 12:56 PM
Raj,
If you use PEAP and WZC as your wireless supplicant, Windows sends the inner identity as the outer identity, which is sent in clear text.
So if your AD was say ADRAJ password ABC123.
If someone sniffed the network you would see ADRAJ in the clear. Other supplicants, like Intel for example, you can send a bogus outer id.
04-10-2012 01:00 PM
Thanks for the reply George. So how can I send the creds in encrypted format, Do I select privacy or is there another way?
04-10-2012 01:56 PM
Raj,
PEAP, like other EAPs, uses an internal TLS tunnel to secure the transmission of the user account. However, these EAPs use 2 IDs, outer and inner. How the supplicant handles the outer is supplicant specific.
WZC, at last check, still sent the outer ID (by using the inner ID). There isn't anything that you can do, unless you use a different supplicant. For example, Cisco AnyConnect, Funk OC, or a vendor supplicant like Intel.
Let me fire up my XP box.
04-10-2012 02:14 PM
Hmm, can't seem to find my XP box ... but here is a link that mentions this
http://dot11.info/index.php?title=CWSP-Chapter_2-Enterprise_802.11_Layer_2_Authentication_Methods
Also, another issue with this is that it requires the use of the same username for both the outer and inner tunnels (which is against the PEAP fundamentals). So disable WZC and use third-party supplicant software.
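The point made in the posts above is that EAP-Response/Identity travels in the clear before the PEAP TLS tunnel is established, so whatever the supplicant puts in the outer identity is readable by anyone sniffing the 802.1X exchange. The following is an added example, not code from the thread or from any supplicant vendor: it constructs EAPOL frames carrying EAP-Response/Identity, parses the identity back out, and applies a simple (constructed, non-standard) check for whether the outer identity exposes a real account name rather than an anonymous NAI. The realm `corp.example` and the `anonymous` convention are assumptions.

```python
"""Added example (not from the thread): parse the EAP-Response/Identity that a
supplicant sends in the clear before PEAP's TLS tunnel exists, and flag outer
identities that expose a real account name. All frames are constructed here."""
import struct

EAPOL_VERSION = 2          # 802.1X-2004
EAPOL_TYPE_EAP_PACKET = 0
EAP_CODE_RESPONSE = 2
EAP_TYPE_IDENTITY = 1


def build_identity_response(identity: str, eap_id: int = 1) -> bytes:
    """Construct an EAPOL frame carrying EAP-Response/Identity (RFC 3748)."""
    data = identity.encode()
    eap_len = 5 + len(data)            # code(1) id(1) length(2) type(1) + data
    eap = struct.pack("!BBHB", EAP_CODE_RESPONSE, eap_id, eap_len, EAP_TYPE_IDENTITY) + data
    return struct.pack("!BBH", EAPOL_VERSION, EAPOL_TYPE_EAP_PACKET, len(eap)) + eap


def outer_identity(frame: bytes):
    """Return the clear-text identity from an EAPOL/EAP-Response/Identity frame,
    or None if the frame is something else (or truncated)."""
    if len(frame) < 4:
        return None
    _version, eapol_type, eapol_len = struct.unpack("!BBH", frame[:4])
    if eapol_type != EAPOL_TYPE_EAP_PACKET:
        return None
    eap = frame[4:4 + eapol_len]
    if len(eap) < 5:
        return None
    code, _eap_id, eap_len, eap_type = struct.unpack("!BBHB", eap[:5])
    if code != EAP_CODE_RESPONSE or eap_type != EAP_TYPE_IDENTITY or eap_len > len(eap):
        return None
    return eap[5:eap_len].decode("utf-8", errors="replace")


def leaks_real_username(identity: str) -> bool:
    """Heuristic (constructed policy, not a standard): an outer identity leaks a
    real account if its user part is not a conventional anonymous NAI such as
    'anonymous@realm' or '@realm'."""
    user = identity.split("@", 1)[0]
    user = user.split("\\")[-1]            # drop a DOMAIN\ prefix if present
    return user != "" and user.lower() != "anonymous"


def audit(frames):
    """Map each captured identity response to (identity, leaks_real_username)."""
    results = []
    for frame in frames:
        ident = outer_identity(frame)
        if ident is not None:
            results.append((ident, leaks_real_username(ident)))
    return results


if __name__ == "__main__":
    # Constructed: what a WZC-style supplicant sends (inner identity reused as
    # outer) versus a supplicant configured with an anonymous outer identity.
    wzc_frame = build_identity_response("ADRAJ")
    anon_frame = build_identity_response("anonymous@corp.example")   # assumed realm
    for ident, leaks in audit([wzc_frame, anon_frame]):
        print(f"{ident!r}: {'leaks username' if leaks else 'anonymous outer id'}")
```

Only the identity is visible here; the MS-CHAPv2 exchange itself runs inside the TLS tunnel, so the password is not what the sniffer gets, but a clear-text username is still a useful input for password spraying and for mapping who is on the air. The realm part of an anonymous NAI is still needed in the clear so the RADIUS server can route the request.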
04-11-2012 05:26 PM
Just my 2 cents
PEAP is clearly easier to setup and manage as opposed to EAP-TLS
PEAP is an upgrade from LEAP, and once a user successfully performs a .1x authentication the PEAP certificate's job is to encrypt the traffic between the client and RADIUS server. Be careful to monitor your certificate's expiration date, because once it expires the client can still work but no encryption is done.
Sent from Cisco Technical Support iPhone App
04-12-2012 10:56 AM
Thanks for joining in Thomas.
Guys, let me throw another curveball at you. What about BYOD? How would we handle certificate- and user-based authentication with iPads, iPhones and Android-based devices?
04-12-2012 11:08 AM
Good timing. I am deploying ISE now.
With ISE, you MUST use an EAP, not a PSK; just an FYI so you know.
Identity: you don't need a cert, but it is recommended to validate a device as being a company asset or a personal asset. This can be done with EAP-TLS.
If you don't use a cert, you then rely heavily on probes: DHCP, RADIUS, HTTP, etc. Keep in mind, identifying a device is more of an art than a science. If you add a cert you can then say "this is a corp device" because you can tie the cert to a device.
A MDM like zenprise also does certs, but these certs are not used for TLS. However, if you have a PKI you can use that cert for EAP-TLS and the MDM.
04-13-2012 06:31 AM
It looks like we do have a requirement for iPads, Android devices and such, so we'll need ISE as well. Time to start reading up on ISE.
So can I do PEAP with ISE? I had a call with a Cisco wireless engineer yesterday and he said that I'm limited to using PEAP if we want to use Windows WZC as the .1x supplicant. I doubt if we'll be able to roll out a new wireless supplicant throughout our enterprise so I'm fairly certain we'll be using WZC.
04-13-2012 08:44 AM
You can also do EAP-TLS with ISE not just PEAP???
Thanks,
Scott Fella
Sent from my iPhone
04-13-2012 08:33 AM
Yes, you can do PEAP with ISE. You can also do EAP-TLS with the WZC.
Steve
Sent from Cisco Technical Support iPhone App
04-13-2012 09:00 AM
Let's be clear...
You can only do EAP-PEAP or EAP-TLS with WZC. This is not a limitation of ISE; rather it's a limitation of WZC. Take a peek at the EAP options and you will see.
ISE can be used as a RADIUS server, or you can proxy to another RADIUS server, for example ACS. ISE allows all EAP types: PEAP, LEAP, TLS, etc. If you use ISE as a RADIUS server, you can also take advantage of the RADIUS probe.
One problem is CoA and WZC. If a CoA has to happen after a device is already connected, it most likely will not work with WZC. Let me give you an example.
Let's say you need to do a VLAN move for a user from VLAN 200 to VLAN 300. ISE may not properly identify the device until after it has an IP. The user's HTTP traffic is then analyzed and it's "hey, this guy needs to move from 200 to 300". The WLC will make that move after being instructed by ISE, but your WZC is still on VLAN 200, IP address wise. The CoA will happen on the WLC, but the WZC client will sit and spin because of the IP/VLAN mismatch.
Suppose you used the Cisco AnyConnect wireless client. If a CoA happens like in the above example, the AnyConnect client will detect that traffic is not passing and it will re-IP automagically.
Does that make sense?
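The VLAN move described in the post above is carried from the RADIUS server to the WLC as a RADIUS Change-of-Authorization. The following is an added example, not code from the thread and not ISE or WLC code: it builds a generic RFC 5176 CoA-Request that selects a session by Calling-Station-Id and asks for VLAN 300 via the RFC 2868 tunnel attributes, computes and verifies the Request Authenticator the way the NAS must before acting on it, and produces the matching CoA-ACK/NAK. The MAC address, VLAN string and shared secret are constructed; ISE's actual CoA attribute set is not shown on the page and is not claimed here.

```python
"""Added example (not from the thread, not ISE or WLC code): build and verify a
RADIUS CoA-Request (RFC 5176) that asks the NAS to move a session to VLAN 300
using RFC 2868 tunnel attributes. MAC, VLAN and shared secret are constructed."""
import hashlib
import hmac
import struct

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
CALLING_STATION_ID = 31
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6
HEADER_LEN = 20                      # code(1) id(1) length(2) authenticator(16)


def _avp(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _tagged_int(tag: int, value: int) -> bytes:
    """RFC 2868 integer tunnel attribute: one tag octet + 3-octet value."""
    return bytes([tag]) + value.to_bytes(3, "big")


def vlan_move_attributes(mac: str, vlan: str) -> bytes:
    """Session selector plus the three attributes that carry a VLAN assignment."""
    if vlan[:1].encode() <= b"\x1f":
        raise ValueError("first octet would be read as an RFC 2868 tag")
    return b"".join([
        _avp(CALLING_STATION_ID, mac.encode()),
        _avp(TUNNEL_TYPE, _tagged_int(0, TUNNEL_TYPE_VLAN)),
        _avp(TUNNEL_MEDIUM_TYPE, _tagged_int(0, TUNNEL_MEDIUM_IEEE802)),
        _avp(TUNNEL_PRIVATE_GROUP_ID, vlan.encode()),   # untagged: '3' > 0x1F
    ])


def build_coa_request(secret: bytes, identifier: int, attributes: bytes) -> bytes:
    """Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attributes+Secret)."""
    header = struct.pack("!BBH", COA_REQUEST, identifier, HEADER_LEN + len(attributes))
    auth = hashlib.md5(header + bytes(16) + attributes + secret).digest()
    return header + auth + attributes


def verify_request_authenticator(packet: bytes, secret: bytes) -> bool:
    """What the NAS must do before acting on a CoA: reject anything not
    authenticated with the shared secret, or with an inconsistent Length."""
    if len(packet) < HEADER_LEN or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    header, auth, attributes = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + attributes + secret).digest()
    return hmac.compare_digest(auth, expected)


def parse_attributes(packet: bytes) -> dict:
    attrs, i = {}, HEADER_LEN
    while i < len(packet):
        if i + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, length = packet[i], packet[i + 1]
        if length < 2 or i + length > len(packet):
            raise ValueError("malformed attribute length")
        attrs[attr_type] = packet[i + 2:i + length]
        i += length
    return attrs


def requested_vlan(packet: bytes):
    """Return the VLAN ID a CoA-Request asks for, or None if it is not a VLAN change."""
    attrs = parse_attributes(packet)
    if attrs.get(TUNNEL_TYPE, b"")[1:] != TUNNEL_TYPE_VLAN.to_bytes(3, "big"):
        return None
    if attrs.get(TUNNEL_MEDIUM_TYPE, b"")[1:] != TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big"):
        return None
    return attrs.get(TUNNEL_PRIVATE_GROUP_ID, b"").decode() or None


def build_coa_response(request: bytes, secret: bytes, ack: bool) -> bytes:
    """CoA-ACK/NAK: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", COA_ACK if ack else COA_NAK, request[1], HEADER_LEN)
    return header + hashlib.md5(header + request[4:20] + secret).digest()


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    coa = build_coa_request(secret, 7, vlan_move_attributes("00-11-22-33-44-55", "300"))
    print("valid:", verify_request_authenticator(coa, secret), "vlan:", requested_vlan(coa))
    print("ack code:", build_coa_response(coa, secret, ack=True)[0])
```

The authenticator is an MD5 over the packet plus the shared secret, so anyone who can reach UDP/3799 on the WLC and knows (or guesses) the secret can move sessions around; the NAS side should also restrict CoA to the configured RADIUS server addresses. Note also that nothing in this packet reaches the supplicant: the CoA only changes state on the WLC, which is exactly the gap the post above describes when the WZC client keeps its old VLAN 200 address.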