My EAP-PEAP Setup

jain.manish94 (Spotlight)

Hello Team,

I have set up EAP-PEAP.

1. Created one corp-SSID for all the users.

2. Defined the settings under the GPO policy, which is pushed from the AD end to all the laptops.

3. I am broadcasting the SSID from my WLC.

Now my concern here is that when users use their personal laptops they can still see that Corp-SSID, and they know their AD credentials as well, and they are connecting successfully.

I did not get why this is happening, or whether any more configuration is needed on the Cisco ISE or the AD GPO policy.

Could you please suggest.

Under the Cisco ISE authentication policy I only define Wireless_802.1X --- AD.

Authorization policy --- Wireless_802.1X and SSID name. That's it.

GPO --- there is EAP-PEAP, AES, MSCHAPv2, root certificate.

Thanks

Manish Jain

9 Replies

Sandeep Choudhary (VIP Alumni)

To stop private laptops on your network, you must use the EAP-TLS protocol, but you must install certificates on your corporate laptops.

More info here:

 

https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/213543-configure-eap-tls-flow-with-ise.html

 

Regards

Don't forget to rate helpful posts

I cannot use this; please give me an EAP-PEAP solution for non-domain laptops.

ammahend (VIP)

Agree with Sandeep, EAP-TLS is a good way to go. If you cannot do this immediately, you can also add an additional condition checking whether the machine was authenticated against AD Domain Computers; that way only domain machines can join and personal devices won't.

-hope this helps-

How do I configure this, and where do I need to configure it?

On Cisco ISE, or AD?

Could you please suggest the configuration I need to do.

This is fairly old but the concept still applies; for wireless you will have to set up the supplicant a bit differently to do authentication before logon. But you can start here.

https://youtu.be/raDFQDTt9uY

If you have the AnyConnect supplicant installed on the machines then it would be even better; then Google or YouTube for EAP chaining.

Tons of good ISE resources are available here on the community:

https://community.cisco.com/t5/security-documents/cisco-ise-amp-nac-resources/ta-p/3621621

-hope this helps-
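The two replies above (the extra "machine authenticated against AD Domain Computers" condition, and the supplicant doing authentication before logon) can be seen side by side in the following added example. It is not code from the thread or from Cisco: it is a plain-Python stand-in for the ISE authorization rules, with constructed RADIUS-style requests. Attribute names are borrowed from what a WLC sends to ISE (User-Name, Calling-Station-Id, Called-Station-Id) and from the ISE conditions the replies refer to (Called-Station-ID ends with the SSID, AD external group Domain Computers, "was machine authenticated"), but the matching logic, the group names and the MAC/SSID values are assumptions for illustration.

```python
# Added example (not from the thread): a plain-Python model of the ISE
# authorization rules discussed above. Attribute names are borrowed from ISE
# (Called-Station-ID, User-Name, AD external groups, "was machine
# authenticated") but the evaluation is a stand-in, not the ISE engine.
from dataclasses import dataclass, field

SSID = "Corp-SSID"  # assumed SSID name


@dataclass
class Request:
    user_name: str           # RADIUS User-Name; Windows sends host/<computer> for machine auth
    calling_station_id: str  # client MAC, as the WLC sends it
    called_station_id: str   # "<AP-MAC>:<SSID>" as the WLC sends it
    ad_groups: tuple         # AD groups ISE resolved for the authenticated identity


@dataclass
class MarCache:
    """Machine Access Restriction state: client MACs whose computer account
    authenticated successfully (ISE keeps this with an expiry timer; this toy
    cache never expires)."""
    macs: set = field(default_factory=set)


def ssid_matches(req):
    # Equivalent of the condition "Radius:Called-Station-ID ENDS_WITH Corp-SSID"
    return req.called_station_id.rsplit(":", 1)[-1] == SSID


def is_domain_computer(req):
    # Machine authentication shows up as a host/ identity *and* an AD identity
    # that resolves into Domain Computers. Checking the name prefix alone is
    # not enough: an identity that only carries user groups is not a machine.
    return req.user_name.lower().startswith("host/") and "Domain Computers" in req.ad_groups


def current_policy(req, mar):
    """The original poster's rule: Wireless_802.1X AND SSID -> PermitAccess.
    Anything that passes PEAP-MSCHAPv2 with valid AD user credentials gets in,
    including a personal laptop."""
    return "PermitAccess" if ssid_matches(req) else "DenyAccess"


def tightened_policy(req, mar):
    """The suggested rule: permit machine-authenticated domain computers, and a
    user logon only from a MAC whose machine auth already succeeded (MAR).
    Everything else, including AD user credentials from a personal laptop, is denied."""
    if not ssid_matches(req):
        return "DenyAccess"
    if is_domain_computer(req):
        mar.macs.add(req.calling_station_id.lower())
        return "PermitAccess"
    if req.calling_station_id.lower() in mar.macs:   # "WasMachineAuthenticated" is true
        return "PermitAccess"
    return "DenyAccess"


def run_scenarios(policy):
    """Feed constructed RADIUS requests through a policy in the order a real day
    would see them (machine auth at boot, then the user logon); returns
    {scenario: decision}. All MACs, names and groups are made up."""
    mar = MarCache()
    ap = "aa-bb-cc-dd-ee-ff:" + SSID
    scenarios = {
        "corp laptop, machine auth at boot":
            Request("host/LAPTOP01.corp.example", "00-11-22-33-44-55", ap, ("Domain Computers",)),
        "corp laptop, user logon after boot":
            Request("CORP\\jsmith", "00-11-22-33-44-55", ap, ("Domain Users",)),
        "personal laptop, AD user creds":
            Request("CORP\\jsmith", "66-77-88-99-aa-bb", ap, ("Domain Users",)),
        # Modelled as if the credential were accepted, to show that the group
        # check (not the host/ prefix) is what separates machines from users.
        "personal laptop, host/ name with user groups":
            Request("host/LAPTOP01.corp.example", "66-77-88-99-aa-bb", ap, ("Domain Users",)),
    }
    return {name: policy(req, mar) for name, req in scenarios.items()}


if __name__ == "__main__":
    for name, policy in (("current", current_policy), ("tightened", tightened_policy)):
        print(f"--- {name} policy ---")
        for scenario, decision in run_scenarios(policy).items():
            print(f"{decision:12} {scenario}")
```

Two practical caveats follow from the model. The user-logon case only passes because the same MAC authenticated as a machine first, so the GPO-pushed wireless profile has to use "user or computer" authentication (machine auth at boot, before anyone logs on); a profile set to user-only authentication will be denied under the tightened rule. And because the MAR cache is keyed by client MAC and expires on a timer, a laptop that wakes from sleep or roams after the entry has aged out can be denied at the user logon; EAP chaining, as the reply above suggests, binds the machine and user credentials in one EAP session and avoids relying on that cache.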

Arshad Safrulla (VIP Alumni)

EAP-PEAP is considered obsolete for multiple reasons.

1. Vulnerable to certain attacks when not properly configured.

2. Windows Credential Guard behaviour impacts EAP-PEAP in the newer updates of Windows.

As others suggested, check the possibility of using EAP-TLS; otherwise you also have the option of doing posturing using AnyConnect + ISE, or use your endpoint management platform to restrict connectivity.

I cannot use EAP-TLS because there are 2000 users and we don't have 2000 user certificates.

Can you please help to set up EAP-PEAP without any issue.

One more thing I am not understanding: if one laptop or system is part of a workgroup, how can it be connected to our corporate SSID, if this SSID is visible to all?

Because until and unless you join the domain with your laptop, how will you get that GPO policy for the corporate Wi-Fi?

Arshad Safrulla (VIP Alumni)

I assume that you have a Microsoft AD infrastructure working; if yes, why not just use its CA services and automate the complete certificate issuing process using a GPO? It's very few clicks here and there if you know what to do. You will not be paying for the certs, as these are issued by your own enterprise CA (not by a public CA).

 

Yes, this is from our internal CA, but again I am confused now, because I am thinking that here also we have to buy some licence for all the users if we use EAP-TLS.

Who will provide user certificates to all the corporate devices?

If only the root certificate is required, then what is the difference between EAP-PEAP and EAP-TLS?

As per my knowledge, I think EAP-TLS requires some extra hardware and computing power to provide client certificates to each device.
