We have an SSID used globally in our office; for example, assume we are using SSID "test123". This SSID is currently using EAP-PEAP (MS-CHAPv2) for authentication.
We wanted to migrate to EAP-TEAP for Machine and User Authentication for our wireless endpoints. We tried testing the same with the help of the guide below and it worked well.
The video down at the bottom shows it from the Windows side: "How to create SSID profile for EAP-TEAP" (in the above link).
Question: Since the SSID "test123" is already in production globally and all the computers (around 7500 PCs) have this profile, we are unable to use the same SSID.
As changing the SSID does not give a good customer experience, we are stuck and wanted to check how others handle it. Is there any solution to this requirement? Please share your knowledge.
Creating a new SSID will be the easiest way. Once all the users are migrated, you can disable the old SSID. This will give you the feasibility to do it batch by batch as well.
I'm not sure I understand what the issue is in this scenario. The EAP type used by the client (PEAP vs. TEAP) is dictated by the network profile configured on the client, not by the SSID settings. A single SSID can support different clients authenticating using different EAP types, but you would need to ensure that your AuthC/AuthZ policies are also configured to accommodate these different use cases.
If you're pushing out the network profile changes using GPO, you could create a new group or OU structure that would allow you to slowly migrate groups of PCs to a new group/OU that has the new network settings applied. When those computers update their group policy, the network profile would be changed from using PEAP-MSCHAPv2 to using TEAP. It would be largely invisible to the end users as they would still be connecting to the same SSID, but using a different EAP method.
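To track a batch migration like the one described above, you can check which outer EAP method each client's profile for the SSID currently uses. The Python below is an added example, not code from any post in this thread; it reads the XML that `netsh wlan export profile` writes, and the host names and the trimmed sample profile are constructed.

```python
import xml.etree.ElementTree as ET

EAP_NAMES = {13: "EAP-TLS", 25: "PEAP", 55: "TEAP"}  # IANA EAP method type numbers
# Path to the outer EAP method; inner methods sit deeper, under the method's own config.
OUTER_TYPE = ("MSM", "security", "OneX", "EAPConfig", "EapHostConfig", "EapMethod", "Type")

def find(node, *path):
    """Walk child elements by local name, ignoring XML namespaces."""
    for step in path:
        node = next((c for c in node if c.tag.rsplit("}", 1)[-1] == step), None)
        if node is None:
            return None
    return node

def outer_eap(profile_xml):
    """Return (ssid, outer EAP method name) for one exported WLAN profile."""
    root = ET.fromstring(profile_xml)
    ssid = find(root, "SSIDConfig", "SSID", "name")
    ssid_name = ssid.text if ssid is not None else None
    eap = find(root, *OUTER_TYPE)
    if eap is None:
        return (ssid_name, "no 802.1X")
    num = int(eap.text)
    return (ssid_name, EAP_NAMES.get(num, f"EAP type {num}"))

def still_on_peap(exports, ssid):
    """Hosts whose profile for `ssid` has not yet moved off PEAP."""
    return sorted(h for h, x in exports.items() if outer_eap(x) == (ssid, "PEAP"))

# Constructed sample, trimmed to the elements read above; real exports carry more.
TEMPLATE = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>test123</name>
  <SSIDConfig><SSID><name>test123</name></SSID></SSIDConfig>
  <MSM><security>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
      <EAPConfig><EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
        <EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">{t}</Type></EapMethod>
      </EapHostConfig></EAPConfig>
    </OneX>
  </security></MSM>
</WLANProfile>"""
# Hypothetical host names: one not yet migrated (25), one migrated (55).
EXPORTS = {"PC-0001": TEMPLATE.format(t=25), "PC-0002": TEMPLATE.format(t=55)}

if __name__ == "__main__":
    for host, xml in EXPORTS.items():
        print(host, *outer_eap(xml))
    print("still on PEAP:", still_on_peap(EXPORTS, "test123"))
```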
Thank you, Greg Gibbs, for your kind response. It looks like the network name (SSID name) is created as the profile name too.
For example: assume the client already had a profile with the name "testsecure". I am unable to create a new profile with the same name for EAP type Microsoft: EAP-TEAP.
CLI Command "netsh wlan show profiles name=testsecure"
When trying to create a profile (on the client) with the same SSID for a different authentication method, it is not allowed, as a profile already exists.
This is the challenge, as I cannot use the same SSID for migrating to EAP-TEAP.
@ammahend, thank you so much for your help. Advertising the same SSID with a different WLAN-ID is a good idea. However, the supplicant has to send the request for the EAP type (PEAP or TEAP), for which we need to configure a profile on the clients. As I have to use the same SSID, I have a challenge here.
Create the same SSID with a WLAN-ID of 17 or higher, then add an AP to a separate test AP group and add this WLAN 17 to the group. So this AP advertises the same SSID but with a different WLAN ID. Now you can modify your policy to accommodate WLAN-ID 17 and test whatever you need to, as recommended by Greg below. Once done, you can simply add WLAN-ID 17 to all AP groups one by one as you cut over. That's one way; it gives you the flexibility to move slowly without affecting production, and end users continue to use the same SSID.