09-29-2010 06:10 AM - edited 07-03-2021 07:13 PM
I am looking for the best EAP method to use for a diverse environment where end clients will be a mixture of Windows XP, Windows 7 and iPad devices. I would like to use one SSID and security method for all devices. Microsoft AD 2008R2 is the back end database I can authenticate to. I only want company devices to be able to authenticate.
Which EAP flavor would help in all of these criteria?
I have been looking at EAP-FAST, PEAP and EAP-TLS. Any feedback would be most appreciated.
08-19-2011 06:01 AM
You could get fancy with certificates to segment the two groups. Although after reading about ISE, it seems like it's the way to go.
10-05-2010 03:37 PM
Hello,
You need to look at what your clients support really.
I would go for the one with the least configuration needed from a certificates perspective, and that would be EAP-FAST.
EAP-TLS will make you install certs on clients and the server along with a CA.
PEAP implementation is not very time-consuming either.
Cheers
Serge
10-05-2010 10:33 PM
If you want a low management overhead I would suggest EAP-PEAP v0. This is the most commonly used EAP today and it is Windows XP ZeroConfig friendly. It's not difficult to implement and it's secure, but you want to validate certificates on the client.
EAP-FAST is a Cisco flavor and you will likely run into devices that do not support it.
EAP-TLS is more secure because there is 2 way cert validation. But it is a bear to manage ...
Hope this helps...
08-18-2011 11:46 PM
Can I jump on this discussion and change the requirements a little? A customer of mine has the same issue: he wants a security mechanism that allows the inclusion of mobile devices but wants to be able to control (read: stop) the use of devices brought in from home. This is an NHS Trust that is willing to purchase iPads etc. for certain staff, but only those devices should be allowed to connect.
He's suggested that EAP-TLS is the only way to do this but as I'm not an expert in this area can I ask for advice?
08-19-2011 05:52 AM
I have stayed away from EAP-TLS for now, simply because of the management overhead. I do agree it would be the most secure. If you don't want personal mobile devices to connect, then you don't allow them to have a certificate.
My problem is that we do want to incorporate personal devices but don't want them to go on an Internal SSID, and if we allow their user name to use that SSID, what is to stop them from attaching to the Internal SSID from their personal device?
I have 2 solutions to this. One is to add MAC authentication with PEAP, and it works fine. It is extra overhead, but still easier than EAP-TLS. I know, I know, it's not secure, but we are using it really as a way to profile corporate devices vs. personal devices.
The second solution is Cisco's new ISE that does device profiling and would give the same functionality without using mac authentication. That is something I really want to look into, pending budget and maturity of the product.
08-19-2011 08:31 AM
I would have to agree George. The ISE sounds way cool. The problem is that I haven't even been on ACS 5.2 for a year yet. I made the upgrade when we updated our domain controllers to 2008R2. So as much as I want the ISE, I have some hesitations.
08-19-2011 08:39 AM
Cisco is merging technologies: WCS/CiscoWorks to NCS and ACS/NAC to ISE. It's coming... They say by 2015 90% of WLAN will be using directed "management", if you will.
Thanks for the rating .. Yeah me! Blue Star! LOL
08-19-2011 09:16 PM
Not sure if you got a chance to check the VoD by one of the wireless developers, Hemant, on Cisco ISE and WLC (wireless LAN controller).
https://supportforums.cisco.com/videos/2497
https://supportforums.cisco.com/videos/2496
Thanks,
Vinay Sharma
Community Manager - Wireless
08-22-2011 05:58 AM
Looks like the links have either been re-located or deleted. Those are some videos I would like to see.
08-23-2011 10:04 AM
https://supportforums.cisco.com/videos/2478
This link is working for me ... try it ...
08-23-2011 11:12 PM
Hi Jared,
You are right. Please check these links:
https://supportforums.cisco.com/videos/2478
https://supportforums.cisco.com/videos/2480
Vinay Sharma