Certificates & PEAP on the same RADIUS Server?

May 21st, 2008

Good morning guys,

In a dusty corner in the back of my mind I think I remember reading once that if you use a RADIUS server for authentication you can have either certificate-based or username/password-based authentication running, but not both at the same time? For example, we currently use LEAP and PEAP, but a masochist in our group now wants to go the certificate route. Do we need separate RADIUS servers for that?

Thanks in advance for any assistance or pontifications offered!


mkren Wed, 05/21/2008 - 11:59

So you want three different ways to authenticate in the future:

* LEAP (User/PW)
* PEAP (User/PW)
* PEAP (Certificates)

I don't have a setup with all three kinds, but I have successfully built setups with PEAP-MSCHAPv2 and PEAP-TLS using the same RADIUS server and Cisco AP1231 access points.

The RADIUS server in my case was MS IAS running on Windows Server 2003 R2.



Jagdeep Gambhir Fri, 05/23/2008 - 05:34

No need for a separate server; the same RADIUS server will do it. All you need to do is enable TLS along with PEAP/LEAP.

On the clients where you want to do certificate authentication, you need to enable TLS and have the CA cert and a user cert installed.



Do rate helpful posts

d-berlinski Tue, 05/27/2008 - 03:12

Along the same lines...

Is there a way to separate by SSID? Let's say that one SSID is EAP-TLS and another one is PEAP. As far as I can see, if you enable both, both authentication methods are available on all SSIDs.

Scott Fella Tue, 05/27/2008 - 03:51

That is because EAP-TLS and PEAP are configured the same way. The only difference is whether users need a certificate installed or not. What you can try is to play around with the RADIUS server and create a policy that will not fail on the method (EAP-TLS or PEAP).

Since these are both secure types of authentication, why would you have both? If you want to make life easier and not have to worry about installing client-side certificates, then use PEAP. Usually I have clients that have different security methods, but it would be something like PEAP, EAP-FAST for phones, and WEP for existing client support.

Hope this helps.
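The per-SSID policy the replies above describe works because a RADIUS server sees two things in every wireless Access-Request: the Called-Station-Id attribute, which on most 802.11 NAS devices carries the AP radio MAC followed by ":" and the SSID, and the EAP-Message attribute, whose Type byte names the outer EAP method the client is using (13 = EAP-TLS, 25 = PEAP, 17 = LEAP, 43 = EAP-FAST). A policy that matches on the SSID and only permits the wanted EAP type is therefore possible; in MS IAS that is a remote access policy with a Called-Station-Id condition and only one EAP type enabled in its profile. The following is an added example written for this page, not code from the thread or from Cisco or Microsoft: a small Python policy check that parses the EAP-Message header and applies an SSID allow list. The SSID names (CORP-CERT, CORP-USER), the "MAC:SSID" Called-Station-Id format and the sample packets are constructed assumptions for illustration.

```python
"""Toy RADIUS/EAP policy check: is the outer EAP method in an Access-Request
permitted on the SSID the request arrived from?

Added example, not code from the forum thread or from any vendor.
Assumptions (constructed for illustration):
  * Called-Station-Id is "<AP-MAC>:<SSID>" as most 802.11 NAS devices send it.
  * The EAP-Message attribute holds one complete EAP-Response packet.
  * SSID names and the policy table below are invented.
"""
import struct

# Outer EAP method Type values as registered with IANA.
EAP_TYPE_NAMES = {
    13: "EAP-TLS",
    17: "LEAP",      # Cisco proprietary
    25: "PEAP",
    43: "EAP-FAST",
}
EAP_RESPONSE = 2        # EAP Code for a Response packet
EAP_TYPE_IDENTITY = 1   # first Response in any conversation; method unknown yet
EAP_TYPE_NAK = 3        # client rejects the offered method and lists what it wants

# Hypothetical per-SSID allow list: which outer methods each SSID may use.
SSID_POLICY = {
    "CORP-CERT": {"EAP-TLS"},
    "CORP-USER": {"PEAP", "LEAP"},
}


def parse_eap_message(eap: bytes):
    """Return (code, identifier, type) from an EAP packet header.

    Type is None for Success/Failure packets, which have no Type byte.
    Raises ValueError on a truncated packet or a Length field that does not
    match the attribute length (a malformed supplicant or a middlebox bug).
    """
    if len(eap) < 4:
        raise ValueError("EAP header truncated")
    code, ident, length = struct.unpack("!BBH", eap[:4])
    if length != len(eap):
        raise ValueError(f"EAP Length field {length} != {len(eap)} bytes received")
    eap_type = eap[4] if length >= 5 else None
    return code, ident, eap_type


def ssid_from_called_station_id(value: str):
    """Split "AA-BB-CC-DD-EE-FF:SSID" into the SSID part; None if absent."""
    _mac, sep, ssid = value.partition(":")
    return ssid if sep and ssid else None


def evaluate(attrs: dict):
    """Apply SSID_POLICY to one Access-Request's attributes.

    Returns (decision, reason) with decision in:
      "ACCEPT_METHOD" - outer method is permitted on this SSID, continue EAP
      "DEFER"         - method not negotiated yet (Identity, or a NAK that
                        still offers a permitted method), keep talking
      "REJECT"        - send Access-Reject
    """
    ssid = ssid_from_called_station_id(attrs.get("Called-Station-Id", ""))
    if ssid is None:
        return "REJECT", "no SSID in Called-Station-Id"
    allowed = SSID_POLICY.get(ssid)
    if allowed is None:
        return "REJECT", f"unknown SSID {ssid!r}"
    eap_msg = attrs.get("EAP-Message")
    if eap_msg is None:
        return "REJECT", "not an EAP request"
    code, _ident, eap_type = parse_eap_message(eap_msg)
    if code != EAP_RESPONSE:
        return "REJECT", f"unexpected EAP code {code} from supplicant"
    if eap_type == EAP_TYPE_IDENTITY:
        return "DEFER", "outer method not negotiated yet"
    if eap_type == EAP_TYPE_NAK:
        # NAK payload lists the Type values the client is willing to use.
        desired = {EAP_TYPE_NAMES.get(t) for t in eap_msg[5:]}
        if desired & allowed:
            return "DEFER", "client NAK offers a method permitted on this SSID"
        return "REJECT", f"client NAK offers no method permitted on {ssid!r}"
    method = EAP_TYPE_NAMES.get(eap_type)
    if method is None:
        return "REJECT", f"unknown outer EAP type {eap_type}"
    if method not in allowed:
        return "REJECT", f"{method} not permitted on SSID {ssid!r}"
    return "ACCEPT_METHOD", f"{method} permitted on SSID {ssid!r}"


def eap_response(ident: int, eap_type: int, payload: bytes = b"") -> bytes:
    """Build an EAP-Response packet: Code, Identifier, Length, Type, data."""
    body = bytes([eap_type]) + payload
    return struct.pack("!BBH", EAP_RESPONSE, ident, 4 + len(body)) + body


if __name__ == "__main__":
    ap = "00-1A-2B-3C-4D-5E"  # constructed AP MAC
    samples = [
        {"Called-Station-Id": f"{ap}:CORP-CERT", "EAP-Message": eap_response(5, 13, b"\x00")},
        {"Called-Station-Id": f"{ap}:CORP-CERT", "EAP-Message": eap_response(6, 25)},
        {"Called-Station-Id": f"{ap}:CORP-USER", "EAP-Message": eap_response(1, 1, b"alice")},
    ]
    for req in samples:
        print(req["Called-Station-Id"], "->", evaluate(req))
```

The decision is made on the outer method only, which is all the policy needs: PEAP-MSCHAPv2 and PEAP-TLS both show up as Type 25, so distinguishing those two would have to happen inside the TLS tunnel the server itself terminates. Rejecting on a mismatched Called-Station-Id format rather than falling back to "allow everything" is deliberate; an AP that omits the SSID should be noticed, not silently granted the union of all policies.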

