2990 Views · 5 Helpful · 2 Replies

Do I need a username and password when using EAP-TLS 802.1x

EBrant
Level 1

Hello

I am not a networking person (I did pass my Cisco CCNA many years ago). I work in IAM (Active Directory and PKI).

I have a basic question related to EAP-TLS, please.


As I understand it, EAP-TLS uses an X.509 certificate at the RADIUS server (Server Authentication EKU) and at the supplicant (Client Authentication EKU), and of course they both trust the issuing CA.


X.509 certificates can be used for authentication in that if you both trust the CA and are happy with each other's certificate (not revoked, chains up OK, etc.), then you are in effect saying "I believe you are who you say you are" (Subject/Common Name/UPN in the cert). Therefore, is this not good enough to then let the client into the network, without a second factor of authentication, e.g. a username and password sent within the TLS tunnel?


For example, you can authenticate to Active Directory using an X.509 certificate (Schannel, using the UPN in the SAN of the certificate). Therefore, do you still need to send a username and password? Or is there an option to authenticate between RADIUS and Active Directory just based on the certificates?


Thanks very much in advance

EBrant
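The check the question describes, as an added example in Go that is not part of this thread and is not code from Cisco ISE or any RADIUS product: a constructed in-memory PKI issues a trusted CA, a supplicant certificate carrying the Client Authentication EKU and a UPN otherName in the SAN, the RADIUS server's own certificate (Server Authentication EKU only), and a look-alike supplicant certificate from an untrusted CA. `AuthorizeSupplicant` then does what the server does with the supplicant's certificate once the TLS handshake has proven possession of the private key: chain validation to the trusted CA, the EKU check, and extraction of the identity from the UPN. Every name here (`Example Corp Issuing CA`, `alice@example.corp`, `radius.example.corp`) is made up, and revocation checking is deliberately left out of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// OIDs of the subjectAltName extension and of Microsoft's UPN otherName type (id-ms-upn).
var oidSAN, oidUPN = asn1.ObjectIdentifier{2, 5, 29, 17}, asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 20, 2, 3}
// otherName is the GeneralName choice that carries a UPN: SEQUENCE { type-id OID, value [0] EXPLICIT UTF8String }.
type otherName struct {
	TypeID asn1.ObjectIdentifier
	Value  string `asn1:"tag:0,explicit,utf8"`
}

// upnSAN builds a subjectAltName whose only GeneralName is an id-ms-upn otherName (tagged [0] IMPLICIT).
func upnSAN(upn string) pkix.Extension {
	san, _ := asn1.Marshal(struct{ UPN otherName `asn1:"tag:0"` }{otherName{oidUPN, upn}})
	return pkix.Extension{Id: oidSAN, Value: san}
}

// upnFromSAN decodes the SAN from cert.Extensions (Go's x509 parser ignores otherName); non-[0] GeneralNames fail the tag check.
func upnFromSAN(cert *x509.Certificate) (string, error) {
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(oidSAN) {
			continue
		}
		var seq, gn asn1.RawValue
		var on otherName
		asn1.Unmarshal(ext.Value, &seq) // a malformed SAN leaves seq.Bytes empty and ends in "no UPN" below
		for rest := seq.Bytes; len(rest) > 0; {
			var err error
			if rest, err = asn1.Unmarshal(rest, &gn); err != nil {
				return "", err
			}
			if _, err = asn1.UnmarshalWithParams(gn.FullBytes, &on, "tag:0"); err == nil && on.TypeID.Equal(oidUPN) {
				return on.Value, nil
			}
		}
	}
	return "", fmt.Errorf("no UPN otherName in subjectAltName")
}

// AuthorizeSupplicant is the server-side check after the TLS handshake has proven key possession: chain to the
// trusted CA, require the Client Authentication EKU, take the identity from the UPN. Revocation (CRL/OCSP) is not done here.
func AuthorizeSupplicant(cert *x509.Certificate, roots *x509.CertPool) (string, error) {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("certificate rejected: %w", err)
	}
	return upnFromSAN(cert)
}

// BuildTestPKI issues a constructed in-memory PKI (not a real deployment): a trusted CA, a supplicant cert with the
// Client Authentication EKU and a UPN, the RADIUS server's cert (Server Authentication only), and a rogue look-alike.
func BuildTestPKI() (roots *x509.CertPool, client, server, rogue *x509.Certificate) {
	issue := func(tmpl, parent *x509.Certificate, key, signer *ecdsa.PrivateKey) *x509.Certificate {
		der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
		if err != nil {
			panic(err) // constructed data: a failure here is a bug in the example
		}
		cert, _ := x509.ParseCertificate(der)
		return cert
	}
	tmpl := func(cn string, serial int64, eku ...x509.ExtKeyUsage) *x509.Certificate {
		return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, ExtKeyUsage: eku,
			NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	}
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rogueKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // one key reused for every leaf in this demo
	ca := tmpl("Example Corp Issuing CA", 1)
	ca.IsCA, ca.BasicConstraintsValid, ca.KeyUsage = true, true, x509.KeyUsageCertSign
	leaf := tmpl("alice", 2, x509.ExtKeyUsageClientAuth) // constructed supplicant; the UPN is made up
	leaf.ExtraExtensions = []pkix.Extension{upnSAN("alice@example.corp")}
	srv := tmpl("radius.example.corp", 3, x509.ExtKeyUsageServerAuth)
	caCert := issue(ca, ca, caKey, caKey)
	rogueCA := issue(ca, ca, rogueKey, rogueKey) // same name, different key: nobody trusts it
	roots = x509.NewCertPool()
	roots.AddCert(caCert)
	client = issue(leaf, caCert, leafKey, caKey)
	server = issue(srv, caCert, leafKey, caKey)
	rogue = issue(leaf, rogueCA, leafKey, rogueKey)
	return roots, client, server, rogue
}

func main() {
	roots, client, server, rogue := BuildTestPKI()
	for _, c := range []*x509.Certificate{client, server, rogue} {
		id, err := AuthorizeSupplicant(c, roots)
		fmt.Printf("%-24s identity=%q err=%v\n", c.Subject.CommonName, id, err)
	}
}
```

Run with `go run`: only the supplicant certificate yields an identity; the server's own certificate is refused because its EKU does not permit client authentication, and the rogue certificate is refused because its chain does not end at the trusted CA, even though its subject and UPN are identical. The identity the server maps to an AD account comes entirely from the validated certificate, which is the point of the question: nothing else is sent inside the tunnel.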


2 Replies

Arshad Safrulla
VIP Alumni (Accepted Solution)

EAP-TLS is completely certificate-based machine authentication; you can have EAP-TEAP if you require machine+user authentication. But there is limited support available on certain devices for EAP-TEAP, so make sure that you research and test yourself with the expected clients to connect before deploying.

EBrant
Level 1

Hello Arshadsaf


Thanks very much for taking the time to reply to my question.

I would like to avoid using a username and password; thanks again for the information.
