Which EAP to use

Answered Question
Sep 29th, 2010

I am looking for the best EAP method to use for a diverse environment where end clients will be a mixture of Windows XP, Windows 7 and iPad devices.  I would like to use one SSID and security method for all devices.  Microsoft AD 2008R2 is the back end database I can authenticate to.  I only want company devices to be able to authenticate.

Which EAP flavor would help in all of these criteria?

I have been looking at EAP-FAST, PEAP and EAP-TLS.  Any feedback would be most appreciated.

Serge Yasmine Tue, 10/05/2010 - 15:37

You need to look at what your clients support really.

I would go for the one with the least configuration needed from a certificate perspective, and that would be EAP-FAST.

EAP-TLS will make you install certs on clients and server along with a CA.

PEAP implementation is not very time consuming either.

George Stefanick Tue, 10/05/2010 - 22:33

If you want a low management overhead I would suggest EAP-PEAP v0. This is the most commonly used EAP today and it is Windows XP ZeroConfig friendly. It's not difficult to implement and it's secure, but you want to validate certificates on the client.

EAP-FAST is a Cisco flavor and you will likely run into devices that do not support it.

EAP-TLS is more secure because there is 2 way cert validation.  But it is a bear to manage ...

Hope this helps...
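
To make the "validate certificates on the client" point concrete, here is an added example (not from this thread or from any of the posters) of two wpa_supplicant network blocks: one for PEAPv0/MSCHAPv2 as George recommends, and one for EAP-TLS as the mutual-certificate alternative. The SSID, identities, file paths and the RADIUS server name are placeholders; the same two settings (trusted CA and expected server name) exist in Windows and iOS profiles under their own names.

```conf
# Added example, not from the thread. Placeholders: SSID, identities,
# certificate paths and the RADIUS server name.

# --- PEAPv0 with MSCHAPv2 inner authentication ---
# If ca_cert and the server-name match are omitted, the supplicant accepts
# whatever server certificate it is shown, so the inner credential exchange
# is only as trustworthy as the nearest access point. The two settings
# marked REQUIRED are what client-side certificate validation means here.
network={
    ssid="CORP-WLAN"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase1="peapver=0"
    phase2="auth=MSCHAPV2"
    # Outer identity sent in the clear; keep the real username inside the tunnel.
    anonymous_identity="anonymous@example.com"
    identity="EXAMPLE\\jdoe"
    # Plaintext only for illustration; wpa_supplicant also accepts an NT hash
    # in the form password=hash:<32 hex digits>.
    password="CHANGE-ME"
    # REQUIRED: trust only the CA that issued the RADIUS server's certificate.
    ca_cert="/etc/wpa_supplicant/corp-root-ca.pem"
    # REQUIRED: the server certificate must carry this name, so a certificate
    # that merely chains to the same CA is not enough.
    domain_suffix_match="radius.example.com"
}

# --- EAP-TLS (mutual certificate authentication) ---
# Only a device holding a certificate issued by the corporate CA can join,
# which gives the "company devices only" control without relying on MAC
# addresses. The operational cost is issuing and renewing one certificate
# per device.
network={
    ssid="CORP-WLAN"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="laptop-0042@example.com"
    ca_cert="/etc/wpa_supplicant/corp-root-ca.pem"
    domain_suffix_match="radius.example.com"
    client_cert="/etc/wpa_supplicant/laptop-0042.crt"
    private_key="/etc/wpa_supplicant/laptop-0042.key"
    private_key_passwd="CHANGE-ME"
}
```

The PEAP block is the lower-overhead option discussed in the thread, and the EAP-TLS block shows what the extra management buys: the server checks the client's certificate as well as the other way round.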

adbaker Thu, 08/18/2011 - 23:46

Can I jump on this discussion and change the requirements a little. A customer of mine has the same issue, he wants a security mechanism that allows the inclusion of mobile devices but wants to be able to control (read stop) the use of devices brought in from home. This is an NHS Trust that is willing to purchase iPads etc for certain staff but only those devices should be allowed to connect.

He's suggested that EAP-TLS is the only way to do this but as I'm not an expert in this area can I ask for advice?

jlhainy Fri, 08/19/2011 - 05:52

I have stayed away from EAP-TLS for now, simply because of the management overhead.  I do agree it would be the most secure.  If you don't want personal mobile devices to connect, then you don't allow them to have a certificate.

My problem is that we do want to incorporate personal devices but don't want them to go on an Internal SSID, and if we allow their user name to use that SSID, what is to stop them from attaching to the Internal SSID from their personal device.

I have 2 solutions to this.  One is to add MAC authentication with PEAP and it works fine.  It is extra overhead, but still easier than EAP-TLS.  I know, I know, it's not secure, but we are using it really as a way to profile corporate devices vs personal devices.

The second solution is Cisco's new ISE that does device profiling and would give the same functionality without using mac authentication.  That is something I really want to look into, pending budget and maturity of the product.

Correct Answer
George Stefanick Fri, 08/19/2011 - 06:01

You could get fancy with certificates to segment the two groups. Although after reading about ISE, it seems like it's the way to go.

jlhainy Fri, 08/19/2011 - 08:31

I would have to agree George.  The ISE sounds way cool.  The problem is that I haven't even been on ACS 5.2 for a year yet.  I made the upgrade when we updated our domain controllers to 2008R2.  So as much as I want the ISE, I have some hesitations.

George Stefanick Fri, 08/19/2011 - 08:39

Cisco is merging technologies WCS/Cisco Works to NCS and ACS/NAC to ISE. It's coming... They say by 2015 90% of WLAN will be using directed "management" if you will.

Thanks for the rating .. Yeah me! Blue Star! LOL

jlhainy Mon, 08/22/2011 - 05:58

Looks like the links have either been re-located or deleted.  Those are some videos I would like to see.