cancel
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
584
Views
3
Helpful
6
Replies

Simultaneous use of EAP-PEAP and EAP-TLS on same device

nips
Level 1
Level 1

Hi All,

I am using Cisco 9800-CL as the WLC and the Microsoft NPS as the Radius Server.

I need to know whether the same client can be authenticated from both the methods EAP-PEAP and EAP-TLS simultaneously. As a brief, user need to log in to the same SSID using Username and Password as we as certificate authentication also need to be done via EAP-TLS.

Thank you.

2 Accepted Solutions

Accepted Solutions

JPavonM
VIP
VIP

The only way to do authentication chaining is by using TEAP (Only supported in Windows 11 at this time, and not with all RADIUS servers).

What are you trying to get with this setup? Is it not enough to use EAP-TLS with server certificate validation which is more standard and widely supported by all clients and servers?

View solution in original post

The already suggested TEAP is likely the best solution, but not supported on NPS. The Cisco ISE supports TEAP but is not only better, but also more expensive.

What you can do on Windows "out of the box" is authenticate both the domain computer and the user. However, without TEAP, the user's authentication is not tied to the machine. And both authentications must use the same method.

If you buy the Cisco Secure Client with the NAM, you could use EAP-TLS for the machine and PEAP with username/password for the user.

But all in all, I recommend going 100% EAP-TLS if you already have the CA in place.

View solution in original post

6 Replies 6

JPavonM
VIP
VIP

The only way to do authentication chaining is by using TEAP (Only supported in Windows 11 at this time, and not with all RADIUS servers).

What are you trying to get with this setup? Is it not enough to use EAP-TLS with server certificate validation which is more standard and widely supported by all clients and servers?

Thank you @JPavonM, Finally we are going with EAP-TLS.

 

The already suggested TEAP is likely the best solution, but not supported on NPS. The Cisco ISE supports TEAP but is not only better, but also more expensive.

What you can do on Windows "out of the box" is authenticate both the domain computer and the user. However, without TEAP, the user's authentication is not tied to the machine. And both authentications must use the same method.

If you buy the Cisco Secure Client with the NAM, you could use EAP-TLS for the machine and PEAP with username/password for the user.

But all in all, I recommend going 100% EAP-TLS if you already have the CA in place.

Thank you for the reply @Karsten Iwen , we are now using EAP-TLS as the authentication method. I just need to know by adding domain computers group as a condition in NPS and making the client certificate unexportable we can prevent accessing the Wi-Fi by non-domain users. Am I right ?

Sadly, no. For this, you need EAP-Chaining, which is only available in TEAP. A domain user can still use his iPad and connect to your SSID, and the user authentication will succeed.

But if you want to ensure that only domain PCs can connect, then the RADIUS server can be configured to only allow that and no user authentication. However, here, you can't distinguish between different user roles.

With NPS, your options are quite limited.

Review Cisco Networking for a $25 gift card