07-03-2024 04:58 AM
Hi All,
I am using Cisco 9800-CL as the WLC and the Microsoft NPS as the Radius Server.
I need to know whether the same client can be authenticated by both methods, EAP-PEAP and EAP-TLS, simultaneously. In brief, users need to log in to the same SSID using username and password, and certificate authentication also needs to be done via EAP-TLS.
Thank you.
07-09-2024 04:20 AM
The only way to do authentication chaining is by using TEAP (only supported in Windows 11 at this time, and not with all RADIUS servers).
What are you trying to get with this setup? Is it not enough to use EAP-TLS with server certificate validation, which is more standard and widely supported by all clients and servers?
07-09-2024 05:10 AM - edited 07-09-2024 05:10 AM
The already suggested TEAP is likely the best solution, but it is not supported on NPS. Cisco ISE supports TEAP and is not only better, but also more expensive.
What you can do on Windows "out of the box" is authenticate both the domain computer and the user. However, without TEAP, the user's authentication is not tied to the machine. And both authentications must use the same method.
If you buy the Cisco Secure Client with the NAM, you could use EAP-TLS for the machine and PEAP with username/password for the user.
But all in all, I recommend going 100% EAP-TLS if you already have the CA in place.
07-09-2024 07:50 AM
Thank you @JPavonM. Finally, we are going with EAP-TLS.
07-09-2024 07:53 AM
Thank you for the reply @Karsten Iwen, we are now using EAP-TLS as the authentication method. I just need to know: by adding the Domain Computers group as a condition in NPS and making the client certificate unexportable, can we prevent non-domain users from accessing the Wi-Fi? Am I right?
07-09-2024 12:27 PM
Sadly, no. For this, you need EAP chaining, which is only available in TEAP. A domain user can still use his iPad and connect to your SSID, and the user authentication will succeed.
But if you want to ensure that only domain PCs can connect, then the RADIUS server can be configured to only allow that and no user authentication. However, here, you can't distinguish between different user roles.
With NPS, your options are quite limited.
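To make the two outcomes above concrete, here is a small Python model of first-match network-policy evaluation, added as an illustration for this thread. It is not code from the thread, from NPS or from Cisco; the first-match behaviour is modelled on how NPS walks its network policies in order, and all policy names, groups, VLANs, identities and devices are constructed. It shows that a "Domain Computers" condition only governs machine authentication, so a user policy still admits a domain user's personal iPad, while dropping the user policy blocks the iPad at the cost of no longer distinguishing user roles.

```python
"""
Constructed model of first-match RADIUS network-policy evaluation in the
style of NPS: a request is matched against policies in order and the first
policy whose conditions all hold decides the outcome.  Every name below is
made up for the walkthrough.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AccessRequest:
    identity: str            # EAP identity taken from the client certificate
    identity_kind: str       # "machine" (computer cert) or "user" (user cert)
    groups: frozenset        # AD groups the RADIUS server resolves for that identity
    device: str              # label only, so the walkthrough reads clearly


@dataclass(frozen=True)
class NetworkPolicy:
    name: str
    identity_kind: str       # which kind of EAP-TLS identity the policy applies to
    required_group: str      # the "Windows Groups" condition
    vlan: str                # returned as the VLAN attribute on Access-Accept


def evaluate(policies: list, req: AccessRequest) -> tuple:
    """First-match evaluation; returns (result, vlan)."""
    for p in policies:
        if p.identity_kind == req.identity_kind and p.required_group in req.groups:
            return ("Access-Accept", p.vlan)
    return ("Access-Reject", None)


# Policy set 1 (constructed): a machine policy keyed on Domain Computers plus
# user policies, so different user roles can land in different VLANs.
MACHINE_AND_USER = [
    NetworkPolicy("Corp machines", "machine", "Domain Computers", "vlan-corp"),
    NetworkPolicy("Corp admins", "user", "Domain Admins", "vlan-admin"),
    NetworkPolicy("Corp users", "user", "Domain Users", "vlan-corp"),
]

# Policy set 2 (constructed): machine authentication only, no user policy.
MACHINE_ONLY = [
    NetworkPolicy("Corp machines", "machine", "Domain Computers", "vlan-corp"),
]

# Constructed requests.  The iPad holds a user certificate enrolled for the
# same user; the unexportable flag on the laptop's certificate has no bearing
# on that separate enrolment.
DOMAIN_PC = AccessRequest("host/pc01.corp.example", "machine",
                          frozenset({"Domain Computers"}), "domain-joined laptop")
ADMIN_ON_PC = AccessRequest("alice@corp.example", "user",
                            frozenset({"Domain Users", "Domain Admins"}),
                            "domain-joined laptop")
USER_ON_IPAD = AccessRequest("bob@corp.example", "user",
                             frozenset({"Domain Users"}), "personal iPad")


def walkthrough() -> dict:
    """Run every constructed request through both policy sets."""
    return {
        "set1 domain PC": evaluate(MACHINE_AND_USER, DOMAIN_PC),
        "set1 admin on PC": evaluate(MACHINE_AND_USER, ADMIN_ON_PC),
        "set1 user on iPad": evaluate(MACHINE_AND_USER, USER_ON_IPAD),   # gap: accepted
        "set2 domain PC": evaluate(MACHINE_ONLY, DOMAIN_PC),
        "set2 admin on PC": evaluate(MACHINE_ONLY, ADMIN_ON_PC),         # no user auth at all
        "set2 user on iPad": evaluate(MACHINE_ONLY, USER_ON_IPAD),       # blocked
    }


if __name__ == "__main__":
    for case, outcome in walkthrough().items():
        print(f"{case:20s} -> {outcome}")
```

Under policy set 1 the iPad is accepted because the user certificate satisfies the user policy; under policy set 2 it is rejected, but so is every user-level request, so an admin's laptop and an ordinary user's laptop both end up in the same VLAN. Only EAP chaining (TEAP) lets the server require that the user authentication arrive inside a session already authenticated by a domain machine.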
07-09-2024 07:59 AM
https://networklessons.com/uncategorized/peap-and-eap-tls-on-server-2008-and-cisco-wlc
Check this, friend.
MHM