cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
823
Views
2
Helpful
2
Replies

EAP-TLS with ID/Password?

klnnnnng
Level 1
Level 1

Hello,

i am trying to set up a wireless client for EAP-TLS (ISE 3.2) authetication with client/server certificate. Unfortunately the client is not happy with only both the certificates and requires ID/password. Have you stumbled upon something like this? Is it some kind of outer identity or TEAP protocol?

Any tips will be highly appriciated. Thank you!

Regards

2 Replies 2

marce1000
VIP
VIP

 

  - Ref : https://community.cisco.com/t5/security-knowledge-base/eap-tls/ta-p/3148923
            Have a look at this paragraph  : 5.2.1 Client Certificate Requirements

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

Haydn Andrews
VIP Alumni
VIP Alumni

EAP-TLS on the device side has 3 options:

  • Computer Certificate
  • User Certificate
  • Computer or User certificate

None of them will require a user/password to be entered. That being said the user still needs to login to Windows/ MACOS to trigger the user certificate authentication.

EAP-TEAP allows you to do outer and inner authentication and then make the decision based on both for example:

If Computer Certificate give limited access to allow for the user certificate to be downloaded.

if user certificate only give BYOD access

if both user and computer certificate give corporate access.

With EAP-TEAP if you have to you can configure the outer and inner EAP authentications differently, one using MSCHAPv2 and one via TLS but it is not the recommended way to go foward.

Now for the customer wanting to also have user/password, they are aware that the method to do just that EAP-PEAP with MSHAPv2 is being depercated by Microsoft and they are moving to certificate authentication. https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/considerations-known-issues 

The user/ computer certificate is the most secure authentication currently available to windows. The misconception is because the user doesnt authenticate with a username/ password its not secure. The user still logs into the laptop (PIN, Password, FaceID etc) its just the username/password are not transmitted to the radius server.

You can still do verifications against AD, to confirm if user is valid, group membership etc. And when the certificates are generated you can also prevent them from being exported.

You compare this to a password, where its written on a piece of paper, used against every website, in some cases easily guessed.

*****Help out other by using the rating system and marking answered questions as "Answered"*****
*** Please rate helpful posts ***
Review Cisco Networking for a $25 gift card