
EAP-TEAP Profiling-Unable to use the same old SSID

Puru
Level 1

Hi,

We have an SSID used globally in our office; for example, assume we are using the SSID "test123". This SSID is currently using EAP-PEAP (MS-CHAPv2) for authentication.

We wanted to migrate to EAP-TEAP for machine and user authentication for our wireless endpoints. We tried testing the same with the help of the guide below and it worked well.

https://community.cisco.com/t5/security-knowledge-base/teap-for-windows-10-using-group-policy-and-ise-teap/ta-p/4134289 

The video at the bottom shows it from the Windows side: "How to create SSID profile for EAP-TEAP" (in the above link).

Question: Since the SSID "test123" is already in production globally and all the computers (around 7500 PCs) have this profile, we are unable to use the same SSID.

As changing the SSID does not give a good customer experience, we are stuck and wanted to check how others handle it. Is there any solution to this requirement? Please share your knowledge.

Thank you.

Regards,

Puru

5 Replies

Arshad Safrulla
VIP Alumni

Creating a new SSID will be the easiest way. Once all the users are migrated you can disable the old SSID. This will give you the feasibility to do batch by batch as well.

Hi Arshad Safrulla,

Thank you very much for your response. I agree.

But my company wants to use the same SSID. Are there any other options we have?

Regards,

Puru

I'm not sure I understand what the issue is in this scenario. The EAP type used by the client (PEAP vs. TEAP) is dictated by the network profile configured on the client, not by the SSID settings. A single SSID can support different clients authenticating using different EAP types, but you would need to ensure that your AuthC/AuthZ policies are also configured to accommodate these different use cases.

If you're pushing out the network profile changes using GPO, you could create a new group or OU structure that would allow you to slowly migrate groups of PCs to a new group/OU that has the new network settings applied. When those computers update their group policy, the network profile would be changed from using PEAP-MSCHAPv2 to using TEAP. It would be largely invisible to the end users as they would still be connecting to the same SSID, but using a different EAP method.
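An added example, not part of the thread: a small audit script that reads exported WLAN profile XML (the format written by `netsh wlan export profile`) and reports the outer EAP method configured for a given SSID, which is one way to track how far a staged GPO migration from PEAP to TEAP has progressed. The sample profiles are constructed and trimmed, and the helper names are hypothetical.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# XML namespaces used by Windows WLAN profiles.
NS = {
    "wlan": "http://www.microsoft.com/networking/WLAN/profile/v1",
    "ehc": "http://www.microsoft.com/provisioning/EapHostConfig",
    "eapc": "http://www.microsoft.com/provisioning/EapCommon",
}
EAP_TYPES = {13: "EAP-TLS", 25: "PEAP", 55: "TEAP"}  # IANA EAP method numbers

def summarize_profile(xml_text):
    """Return (profile_name, ssid, outer_eap_method) for one WLAN profile."""
    root = ET.fromstring(xml_text)
    name = root.findtext("wlan:name", namespaces=NS)
    ssid = root.findtext("wlan:SSIDConfig/wlan:SSID/wlan:name", namespaces=NS)
    # The first EapHostConfig/EapMethod/Type in document order is the outer method.
    type_el = root.find(".//ehc:EapHostConfig/ehc:EapMethod/eapc:Type", NS)
    if type_el is None:
        return name, ssid, None  # not an 802.1X profile (open or PSK)
    num = int(type_el.text.strip())
    return name, ssid, EAP_TYPES.get(num, f"EAP type {num}")

def migration_status(profile_xmls, ssid):
    """Count outer EAP methods across the profiles that target one SSID."""
    counts = Counter()
    for xml_text in profile_xmls:
        _, profile_ssid, method = summarize_profile(xml_text)
        if profile_ssid == ssid:
            counts[method or "no 802.1X"] += 1
    return dict(counts)

def sample_profile(eap_type):
    """Constructed, trimmed profile; real exports carry many more elements."""
    return f"""<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>test123</name>
  <SSIDConfig><SSID><name>test123</name></SSID></SSIDConfig>
  <MSM><security>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><EAPConfig>
      <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
        <EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">{eap_type}</Type></EapMethod>
      </EapHostConfig>
    </EAPConfig></OneX>
  </security></MSM>
</WLANProfile>"""

# Constructed input: exports from three PCs, two still on PEAP, one moved to TEAP.
SAMPLES = [sample_profile(25), sample_profile(25), sample_profile(55)]
if __name__ == "__main__":
    print(migration_status(SAMPLES, "test123"))
```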

Thank you, Greg Gibbs, for your kind response. It looks like the network name (SSID name) is created as the profile name too.

For example: Assume the client already had a profile with the name "testsecure". I am unable to create a new profile with the same name for EAP type Microsoft: EAP-TEAP.

Windows 10

CLI Command "netsh wlan show profiles name=testsecure"


When trying to create a profile (on the client) with the same SSID for a different authentication method, it is not allowed, as a profile already exists.


This is the challenge, as I cannot use the same SSID for migrating to EAP-TEAP.

@ammahend, thank you so much for your help. Advertising the same SSID with a different WLAN-ID is a good idea. However, the supplicant has to send the request for the EAP type (PEAP or TEAP), for which we need to configure a profile on the clients. As I have to use the same SSID, I have a challenge here.

ammahend
VIP

Create the same SSID with a WLAN-ID of 17 or higher, then add an AP to a separate test AP group and add this WLAN 17 to the group. So this AP advertises the same SSID but with a different WLAN ID. Now you can modify your policy to accommodate WLAN-ID 17 and test whatever you need to, as recommended by Greg below. Once done, you can simply add WLAN-ID 17 to all AP groups one by one as you cut over. That's one way; it gives you the flexibility to move slowly without affecting production, and end users continue to use the same SSID.

-hope this helps-