My EAP-PEAP Setup

jain.manish94 (Spotlight)

Hello Team,

I have set up EAP-PEAP.

1. Created one corp-ssid for all the users.
2. Defined the settings under the GPO policy, which is pushed from the AD end to all the laptops.
3. I am broadcasting the SSID from my WLC.

Now my concern here is that when users use their personal laptops, they can still see that Corp-SSID, and since they know their AD credentials as well, they are connecting successfully.

I did not get why this is happening, or whether any more configuration is needed on the Cisco ISE or the AD GPO policy.

Could you please suggest?

Under the Cisco ISE authentication policy I only define Wireless_802.1X --- AD.

Authorization policy --- Wireless_802.1X and SSID name. That's it.

GPO --- there is EAP-PEAP, AES, MSCHAPv2, root certificate.

Thanks

Manish Jain

4 Replies

ammahend (VIP Alumni)

You sort of answered your own question. When you use PEAP, the client authenticates with username and password, so anyone who has one can join. You have to use something which is unique to laptops owned by your organization and not on personal devices, e.g. install a client certificate on your owned laptops and use EAP-TLS; this is also more secure. Or use both machine and user authentication with PEAP, where the machine name is matched against the AD domain computers; this condition won't be matched for personal devices, so they won't connect.
EAP-TLS is more secure and a better option, but it also requires a CA and has some management overhead for managing the certificates. But again, you don't have to give a unique cert to every device; you can just give one generic cert to all corporate-owned devices, and that will get the job done as far as authentication is concerned.

-hope this helps-
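The machine-plus-user PEAP approach in the reply above, modelled as an added toy example (not part of this thread and not Cisco ISE code): a RADIUS-side policy that accepts a user authentication only if the same MAC recently completed a machine authentication against an AD computer account, which is the mechanism ISE exposes as Machine Access Restriction. The directory entries, MAC addresses, SSID string and cache window are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample directory data (not a real domain). Corporate laptops are
# domain-joined and have a computer account; a personal laptop has none.
AD_COMPUTERS = {"host/LAPTOP-001.corp.example", "host/LAPTOP-002.corp.example"}
AD_USERS = {"CORP\\alice", "CORP\\bob"}
MAR_WINDOW = 3600  # seconds a successful machine auth stays valid for a MAC (assumed)

@dataclass
class AuthRequest:
    t: int          # time of the request, seconds
    mac: str        # RADIUS Calling-Station-Id of the supplicant
    identity: str   # inner PEAP identity: "host/..." for machine, "DOMAIN\\user" for user
    ssid: str

class PeapPolicy:
    """Toy authorization policy for PEAP-MSCHAPv2 on a corporate SSID."""

    def __init__(self, require_machine_auth: bool):
        self.require_machine_auth = require_machine_auth
        self.machine_ok: Dict[str, int] = {}  # MAC -> time of last good machine auth

    def evaluate(self, req: AuthRequest) -> str:
        if req.ssid != "Corp-SSID":
            return "REJECT: wrong SSID"
        if req.identity.startswith("host/"):          # machine auth (boot / logon screen)
            if req.identity in AD_COMPUTERS:
                self.machine_ok[req.mac] = req.t
                return "ACCEPT: machine"
            return "REJECT: unknown computer account"
        if req.identity not in AD_USERS:              # user auth with AD credentials
            return "REJECT: bad user credentials"
        if not self.require_machine_auth:
            return "ACCEPT: user (no device check)"   # the original poster's current policy
        last = self.machine_ok.get(req.mac)
        if last is None or req.t - last > MAR_WINDOW:
            return "REJECT: no recent machine auth from this MAC"
        return "ACCEPT: user on domain-joined device"

def run_scenario(require_machine_auth: bool) -> List[str]:
    """Corporate laptop (machine auth, then user logon) vs personal laptop (user creds only)."""
    policy = PeapPolicy(require_machine_auth)
    events = [
        AuthRequest(0,  "00:11:22:33:44:55", "host/LAPTOP-001.corp.example", "Corp-SSID"),
        AuthRequest(30, "00:11:22:33:44:55", "CORP\\alice", "Corp-SSID"),
        AuthRequest(60, "aa:bb:cc:dd:ee:ff", "CORP\\alice", "Corp-SSID"),  # personal laptop
    ]
    return [policy.evaluate(e) for e in events]
```

With `require_machine_auth=False` the personal laptop is accepted on valid AD credentials alone, which is the behaviour described in the question; with it set to `True` the same credentials are rejected because no computer account ever authenticated from that MAC.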

What do you mean here that every device doesn't need one unique certificate? Because as per my knowledge, if we are using EAP-TLS we need a user certificate, and if there are 100 users, in that case we need 100 user certificates, isn't it?

You can use a single generic certificate to authenticate every device, just like you can use a single PSK to authenticate every device. Although it's not the most recommended way, sometimes, because of a shortage of resources to manage certificates and a certificate authority, people do that.
Let's say you did that and a machine with the cert is lost or stolen; that machine has access to the network. How do you stop it? Well, you revoke the cert, but it was a generic cert, so guess what: now none of the devices will authenticate. So ideally you want to have a unique cert per device. You have to assess what your team is capable of managing and provisioning.
There can be a lot more reasons, but I think you get the idea.

-hope this helps-

I highly recommend that you play with EAP-TLS, for manageability and also for security. The problem you are facing would disappear instantly if you were using certificates.

But we all know the burden of certificates. One suggestion I'd like to contribute, besides those already suggested, is to limit the number of devices per user ("Employee Registered Devices"). That way, users can't use two notebooks on the network at the same time. But this doesn't prevent them from logging in with the personal notebook only. For that, you can use a MAC filter on the WLC. This is a burden as well, because you will need to register every employee MAC address on the WLC and keep it always up to date. But, depending on the size of your company, it may be worth it to try.

This will not solve the problem 100%, because users can change the notebook MAC address, if they have the privilege, and bypass this rule, but it is better than what you have today.
