Simultaneous use of EAP-PEAP and EAP-TLS on same device

nips (Level 1)

Hi All,

I am using Cisco 9800-CL as the WLC and the Microsoft NPS as the Radius Server.

I need to know whether the same client can be authenticated by both methods, EAP-PEAP and EAP-TLS, simultaneously. In brief, the user needs to log in to the same SSID using a username and password, and certificate authentication also needs to be done via EAP-TLS.

Thank you.


6 Replies

JPavonM (VIP)

The only way to do authentication chaining is by using TEAP (Only supported in Windows 11 at this time, and not with all RADIUS servers).

What are you trying to get with this setup? Is it not enough to use EAP-TLS with server certificate validation, which is more standard and widely supported by all clients and servers?

Thank you @JPavonM. Finally, we are going with EAP-TLS.

The already suggested TEAP is likely the best solution, but it is not supported on NPS. Cisco ISE supports TEAP and is not only better, but also more expensive.

What you can do on Windows "out of the box" is authenticate both the domain computer and the user. However, without TEAP, the user's authentication is not tied to the machine. And both authentications must use the same method.

If you buy the Cisco Secure Client with the NAM, you could use EAP-TLS for the machine and PEAP with username/password for the user.

But all in all, I recommend going 100% EAP-TLS if you already have the CA in place.

Thank you for the reply @Karsten Iwen, we are now using EAP-TLS as the authentication method. I just need to know whether, by adding the Domain Computers group as a condition in NPS and making the client certificate unexportable, we can prevent non-domain users from accessing the Wi-Fi. Am I right?

Sadly, no. For this, you need EAP-Chaining, which is only available in TEAP. A domain user can still use his iPad and connect to your SSID, and the user authentication will succeed.

But if you want to ensure that only domain PCs can connect, then the RADIUS server can be configured to only allow that and no user authentication. However, here, you can't distinguish between different user roles.

With NPS, your options are quite limited.
