PEAP vs EAP-FAST

dotcommadmin
Level 1

We are currently using LEAP with two ACS servers (v3.0 & 3.2) in an NT Domain environment. We will soon be migrating to 2003 Active Directory. I am wishing to migrate off of LEAP, but after researching I am still unsure what the pros and cons are for PEAP vs EAP-FAST. Would I need a separate certificate server to run PEAP? Any info, opinions or links to articles would be appreciated.


syanda
Level 1

Migrating off of LEAP is a good idea since it has proven susceptible to dictionary attacks.

I've used PEAP, native Windows XP supplicant, and Active Directory authentication successfully. Remember, PEAP is specifically for authenticating clients without the need for client certs.

If you want to use existing client certs, that is called EAP-TLS, where certs exist on both the auth server and the client. To do this, you need to give your ACS servers a certificate from the same root CA you use for your client certs. Cisco has a document with a procedure for installing certs on ACS. You should also sync the two servers (if they are redundant) to the 3.3 version (latest).

This way, the clients will trust the cert ACS presents during the TLS handshake and ACS will be able to trust the certs presented by the client.

Hope that helps.

Eric Young

SY&A LLC

IT Consulting

650-368-1506
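As an added illustration of the same-root-CA point in the reply above (example script, not from the thread or from Cisco; the CA and host names are made up), this builds a throwaway root, issues a server certificate for the ACS host and a client certificate under it, and runs the chain check each side performs in the handshake; a server cert from an unrelated root fails that check.

```shell
#!/bin/sh
# Added example, not from the thread: a throwaway root CA issues both the ACS
# server certificate and a client certificate, so each side can verify the
# other's chain during the TLS handshake. A second, unrelated root stands in
# for a cert ACS might present that the clients were never told to trust.
# All names (corp-root, other-root, acs.example.net, user1) are made up.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_root NAME: self-signed root CA key and certificate
make_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue_cert NAME ROOT: leaf key + CSR for NAME, signed with ROOT's key
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
        -CAcreateserial -days 1 -sha256 -out "$WORK/$1.pem" 2>/dev/null
}

# chains_to NAME ROOT: succeeds only if NAME's cert verifies against ROOT,
# the check a supplicant (or ACS, for client certs) makes during the handshake
chains_to() {
    openssl verify -CAfile "$WORK/$2.pem" "$WORK/$1.pem" 2>/dev/null | grep -q ': OK$'
}

run_demo() {
    make_root corp-root                    # root the clients trust; ACS enrolled under it
    make_root other-root                   # unrelated root
    issue_cert acs.example.net corp-root   # ACS server cert (PEAP or EAP-TLS)
    issue_cert user1 corp-root             # client cert (EAP-TLS only)
    issue_cert rogue-acs other-root        # server cert from the wrong root
    chains_to acs.example.net corp-root; echo "client trusts the ACS cert: OK"
    chains_to user1 corp-root;            echo "ACS trusts the client cert: OK"
    if chains_to rogue-acs corp-root; then echo "cert from other root accepted?!"; exit 1; fi
    echo "cert from an unrelated root is rejected: OK"
}

run_demo
```

A real supplicant additionally checks the server name and extended key usage on the ACS certificate, which this chain-only check leaves out.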
