Certificates & PEAP on the same RADIUS Server?

May 21st, 2008

Good morning guys,

In a dusty corner in the back of my mind I think I remember reading once that if you use a RADIUS server for authentication that you can have either but not both Certificate based and Username/Password based authentication running at the same time? For example, we currently use LEAP and PEAP but a masochist in our group now wants to go the certificate route, do we need separate RADIUS servers for that?

Thanks in advance for any assistance or pontifications offered!

Regards.

mkren Wed, 05/21/2008 - 11:59

Hello,

So in the future you want three different ways to authenticate:

* LEAP (User/PW)

* PEAP (User/PW)

* PEAP (Certificates)

I don't have a setup with all three kinds, but I have successfully made settings with PEAP-MSCHAPv2 and PEAP-TLS using the same RADIUS server and Cisco AP1231 access points.

RADIUS-Server in my case was MS IAS running on Windows Server 2003 R2

regards

Martin

Jagdeep Gambhir Fri, 05/23/2008 - 05:34

No need for a separate server; the same RADIUS server will do it. All you need to do is enable TLS along with PEAP/LEAP.

On the clients where you want to do certificate authentication, you need to enable TLS and have the CA and user cert.

Regards,

~JG

Do rate helpful posts

d-berlinski Tue, 05/27/2008 - 03:12

Along the same lines...

Is there a way to separate by SSID? Let's say that one SSID is EAP-TLS and another one is PEAP. As far as I can see, if you enable both, both authentication methods are available on all SSIDs.

Scott Fella Tue, 05/27/2008 - 03:51

That is because EAP-TLS and PEAP are configured the same. The only difference is that users will either need a certificate installed or not. What you can try is to play around with the RADIUS server and try to create a policy that will not fail on the policy (EAP-TLS or PEAP).

Since these are secure types of authentication, why would you have both? If you want to make life easier and not have to worry about installing client-side certificates, then use PEAP. Usually I have clients that have different security methods, but it would be like PEAP, EAP-FAST for phones, and WEP for existing client support.

Hope this helps.
