
EAP-TLS with ID/Password?

klnnnnng
Level 1

Hello,

I am trying to set up a wireless client for EAP-TLS (ISE 3.2) authentication with client/server certificates. Unfortunately the client is not happy with only the two certificates and requires an ID/password. Have you stumbled upon something like this? Is it some kind of outer identity or TEAP protocol?

Any tips will be highly appreciated. Thank you!

Regards

2 Replies

marce1000
VIP

  - Ref: https://community.cisco.com/t5/security-knowledge-base/eap-tls/ta-p/3148923
    Have a look at this paragraph: 5.2.1 Client Certificate Requirements

 M.



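The linked KB paragraph covers what the client certificate must look like for EAP-TLS. The following is an added example (not from the thread or the Cisco KB) that enumerates the Windows machine and user certificate stores and reports which certificates a Windows supplicant could present for EAP-TLS. The checks it applies (Client Authentication EKU, a usable private key, current validity, a subject or SAN that ISE can map to a directory identity) are the usual requirements and are assumptions here; verify them against your own ISE certificate authentication profile.

```powershell
# Added example (not from the thread or the linked KB): report certificates in the
# Windows machine and user stores that are usable for EAP-TLS client authentication.
# Requirements checked are assumptions based on common ISE/Windows supplicant behaviour:
#   - Extended Key Usage contains Client Authentication (1.3.6.1.5.5.7.3.2)
#   - the private key is present (the supplicant must sign the TLS handshake with it)
#   - the certificate is currently valid
#   - the certificate carries a Subject or SAN that can be mapped to an AD identity

function Test-EapTlsClientCert {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )

    $clientAuthOid = '1.3.6.1.5.5.7.3.2'

    # id-ce-extKeyUsage; .NET returns a typed X509EnhancedKeyUsageExtension for this OID
    $eku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $ekuOids = @()
    if ($eku) { $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Oid.Value }) }

    # id-ce-subjectAltName; Format($false) gives e.g. "Other Name:Principal Name=user@corp.example"
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = ''
    if ($san) { $sanText = $san.Format($false) }

    $now = Get-Date
    $problems = @()
    if (-not $Cert.HasPrivateKey)             { $problems += 'no private key (public certificate only)' }
    if ($ekuOids -notcontains $clientAuthOid) { $problems += 'missing Client Authentication EKU' }
    if ($Cert.NotAfter -lt $now)              { $problems += "expired $($Cert.NotAfter)" }
    if ($Cert.NotBefore -gt $now)             { $problems += "not valid before $($Cert.NotBefore)" }
    if (-not $sanText -and -not $Cert.Subject) { $problems += 'no Subject and no SAN to identify the principal' }

    [pscustomobject]@{
        Thumbprint = $Cert.Thumbprint
        Subject    = $Cert.Subject
        SAN        = $sanText
        Issuer     = $Cert.Issuer
        NotAfter   = $Cert.NotAfter
        Usable     = ($problems.Count -eq 0)
        Problems   = ($problems -join '; ')
    }
}

# LocalMachine\My holds the computer certificate (machine authentication before logon);
# CurrentUser\My holds the user certificate (user authentication after interactive logon).
foreach ($store in 'Cert:\LocalMachine\My', 'Cert:\CurrentUser\My') {
    Write-Host "== $store =="
    Get-ChildItem -Path $store |
        ForEach-Object { Test-EapTlsClientCert -Cert $_ } |
        Format-Table Usable, Subject, SAN, NotAfter, Problems -AutoSize
}
```

Run it in an elevated PowerShell session so the machine store is readable. If the store the supplicant is configured to use (machine, user or both) has no row with Usable set to True, the Windows supplicant has nothing to present and will fall back to whatever the profile allows, which is the symptom described in the question.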

Haydn Andrews
VIP Alumni

EAP-TLS on the device side has 3 options:

  • Computer Certificate
  • User Certificate
  • Computer or User certificate

None of them will require a user/password to be entered. That being said, the user still needs to log in to Windows/macOS to trigger the user certificate authentication.

EAP-TEAP allows you to do outer and inner authentication and then make the decision based on both for example:

If computer certificate only, give limited access to allow the user certificate to be downloaded.

If user certificate only, give BYOD access.

If both user and computer certificate, give corporate access.

With EAP-TEAP, if you have to, you can configure the outer and inner EAP authentications differently, one using MSCHAPv2 and one via TLS, but it is not the recommended way to go forward.

Now, for the customer wanting to also have user/password: they are aware that the method to do just that, EAP-PEAP with MSCHAPv2, is being deprecated by Microsoft and they are moving to certificate authentication. https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/considerations-known-issues

The user/computer certificate is the most secure authentication currently available to Windows. The misconception is that because the user doesn't authenticate with a username/password it's not secure. The user still logs into the laptop (PIN, password, FaceID etc.); it's just that the username/password are not transmitted to the RADIUS server.

You can still do verifications against AD, to confirm if user is valid, group membership etc. And when the certificates are generated you can also prevent them from being exported.

Compare this to a password, which is written on a piece of paper, used against every website, and in some cases easily guessed.

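The answer above lists the three EAP-TLS credential options on the Windows side and notes that none of them prompt for a user/password. The quickest way to confirm what a client is really configured for is to look at the EAP method and 802.1X authentication mode in the deployed WLAN profile. The following is an added example (not from the thread, Cisco or Microsoft) that exports a profile with `netsh wlan export profile` and summarises its EAP type, inner method (for PEAP) and credential source. The profile name `Corp-WiFi` is an assumption; the EAP type numbers are the IANA assignments (13 EAP-TLS, 25 PEAP, 21 EAP-TTLS, 43 EAP-FAST, 55 TEAP, 26 EAP-MSCHAPv2).

```powershell
# Added example (not from the thread): export a Windows WLAN profile and report which
# EAP method and 802.1X authMode it actually carries. A password prompt on a network
# intended for EAP-TLS usually means the profile is PEAP/TTLS, or EAP-TLS with a
# credential source the supplicant cannot satisfy.
# Profile name below is an assumption; replace it with the profile for your SSID.

function Get-WlanEapSummary {
    param([Parameter(Mandatory)][string]$ProfileName)

    # IANA EAP method type numbers
    $eapNames = @{ 13 = 'EAP-TLS'; 21 = 'EAP-TTLS'; 25 = 'PEAP'; 26 = 'EAP-MSCHAPv2'; 43 = 'EAP-FAST'; 55 = 'TEAP' }

    $dir = Join-Path $env:TEMP ('wlan-' + [guid]::NewGuid())
    New-Item -ItemType Directory -Path $dir | Out-Null
    try {
        netsh wlan export profile name="$ProfileName" folder="$dir" | Out-Null
        $file = Get-ChildItem -Path $dir -Filter *.xml | Select-Object -First 1
        if (-not $file) { throw "profile '$ProfileName' not found or could not be exported" }
        [xml]$xml = Get-Content -Path $file.FullName -Raw
    } finally {
        Remove-Item -Path $dir -Recurse -Force -ErrorAction SilentlyContinue
    }

    # PowerShell's XML adapter navigates by local element name, so the profile's
    # per-element namespaces do not get in the way here.
    $security = $xml.WLANProfile.MSM.security
    if ($security.authEncryption.useOneX -ne 'true') {
        return [pscustomobject]@{ Profile = $ProfileName; Note = 'profile is not 802.1X (no EAP at all)' }
    }

    $oneX      = $security.OneX
    $outerType = [int]$oneX.EAPConfig.EapHostConfig.EapMethod.Type
    $eap       = $oneX.EAPConfig.EapHostConfig.Config.Eap

    # PEAP carries its inner EAP method under Config/Eap/EapType/Eap/Type (26 = MSCHAPv2)
    $inner = $null
    if ($outerType -eq 25) { $inner = [int]$eap.EapType.Eap.Type }

    # EAP-TLS credential source: certificate store (machine/user cert) or smart card
    $credSource = 'n/a'
    if ($outerType -eq 13) {
        $cs = $eap.EapType.CredentialsSource
        if ($cs.CertificateStore) { $credSource = 'CertificateStore' }
        elseif ($cs.SmartCard)    { $credSource = 'SmartCard' }
        else                      { $credSource = 'unknown' }
    }

    [pscustomobject]@{
        Profile       = $ProfileName
        AuthMode      = $oneX.authMode                      # machine | user | machineOrUser | guest
        OuterEap      = "$outerType ($($eapNames[$outerType]))"
        InnerEap      = $(if ($inner) { "$inner ($($eapNames[$inner]))" } else { 'n/a' })
        CredSource    = $credSource
        ServerNames   = $eap.EapType.ServerValidation.ServerNames
        PasswordBased = ($outerType -eq 25 -or $outerType -eq 21)  # methods that carry a password
    }
}

Get-WlanEapSummary -ProfileName 'Corp-WiFi' | Format-List
```

Read the result against the three options in the answer: `OuterEap` should be `13 (EAP-TLS)` with `CredSource` set to `CertificateStore`, and `AuthMode` should be `machine`, `user` or `machineOrUser` to match the certificate(s) you actually deploy. If `PasswordBased` comes back True the client was never doing EAP-TLS, which explains the ID/password prompt.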