PEAP vs EAP-FAST
02-24-2005 12:08 PM - edited 07-04-2021 10:30 AM
We are currently using LEAP with two ACS servers (v3.0 & 3.2) in an NT Domain environment. We will soon be migrating to 2003 Active Directory. I am wishing to migrate off of LEAP but after researching I am still unsure what the pros and cons are for PEAP vs EAP-FAST. Would I need a separate certificate server to run PEAP? Any info, opinions or links to articles would be appreciated.
- Labels: Wireless Security
03-03-2005 02:38 PM
Migrating off of LEAP is a good idea since it has proven susceptible to dictionary attacks.
I've used PEAP, native Windows XP supplicant, and Active Directory authentication successfully. Remember, PEAP is specifically for authenticating clients without the need for client certs.
If you want to use existing client certs, that is called EAP-TLS, where certs exist on both the auth server and the client. To do this, you need to give your ACS servers a certificate from the same root CA you use for your client certs. Cisco has a document with a procedure for installing certs on ACS. You should also sync the two servers (if they are redundant) to the 3.3 version (latest).
This way, the clients will trust the cert ACS presents during the TLS handshake and ACS will be able to trust the certs presented by the client.
Hope that helps.
Eric Young
SY&A LLC
IT Consulting
650-368-1506
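
The EAP-TLS trust relationship described in the reply above, as an added example that is not part of the original post: a throwaway lab PKI built with the `openssl` CLI, showing that the server and client certificates validate only when both chain to the same root. All CA names, subjects and file names are constructed for illustration, and the script assumes a standard OpenSSL install with its default configuration file.

```shell
#!/bin/sh
# Constructed lab PKI: every CA name, subject and file here is made up.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: self-signed root CA (key + cert) under $WORK
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue CA NAME: key + CSR for NAME, then a certificate signed by CA
issue() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$2.csr" -days 30 \
        -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/$2.pem" 2>/dev/null
}

# verdict ROOT CERT: prints "trusted" if CERT chains to ROOT, else "untrusted"
verdict() {
    if openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

make_ca corp-root                 # the root CA that issues the client certs
make_ca other-root                # an unrelated CA, for contrast
issue corp-root acs-server        # stands in for the cert installed on ACS
issue corp-root wifi-client       # a client cert from the same root
issue other-root stray-client     # a client cert from a different root

# Each side validates the peer's certificate against the shared root.
echo "client checks ACS cert:      $(verdict corp-root acs-server)"
echo "ACS checks corporate client: $(verdict corp-root wifi-client)"
echo "ACS checks other-CA client:  $(verdict corp-root stray-client)"
```
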
