Cisco Support Community
Best EAP Method Given these Requirements

Which EAP method would be the most secure in this case, and fulfill these requirements:

1) Want to authenticate users via LDAP to an Active Directory database.

2) Also want to require that they have a unique certificate on their PCs (which we manually install on them).

3) Supports single sign-on (pass-through) authentication from a Windows XP machine.

4 REPLIES

Re: Best EAP Method Given these Requirements

You can use EAP-TLS. That requires a server and a client-side cert. You can use a Microsoft IAS (RADIUS) server for user auth that points to the AD database.


Re: Best EAP Method Given these Requirements

Keep in mind with Windows XP/2k3 (SP2/default client authentication) that if your users move from station to station, it does not support a 'cert roaming' environment. The problem I faced was if a doc used his laptop, then tried to access one of our wireless carts on the floor, he couldn't log in because his cert had never been applied to that cart and was already active on a different device. We ended up turning off client certificate authentication on XP and are only using 'computer certificate' authentication. If you need more information on this I'd be glad to help. I'm unfamiliar with the IAS side, as I use ACS.


Re: Best EAP Method Given these Requirements

Perhaps I am confused on the idea of client certificates. I was thinking I would put one universal certificate on the PCs that would have wireless access. I did not think that they would be a unique certificate per user.

How could I get away with requiring a 'company' certificate on each company PC and then just have them authenticate with their AD username (via LDAP/RADIUS)? Would this be machine certificates?

Re: Best EAP Method Given these Requirements

You could do PEAP as well. EAP-TLS requires a per-user certificate, while PEAP only requires that the Root CA certificate be installed on the end machines.

HTH,

Steve

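The distinction the thread settles on (EAP-TLS needs a server certificate and a client certificate chained to the same CA; PEAP needs only the root CA on the supplicant, with the user's AD credential carried inside the tunnel) can be shown at the TLS layer with Go's standard library. The program below is an added example, not code from this thread or from Cisco or Microsoft. It builds a constructed PKI (the names "Corp Root CA", "radius.corp.example" and "laptop-017.corp.example" are made up) and runs each handshake over an in-memory pipe; it models the TLS part of EAP only, so the EAP/RADIUS framing, the inner MSCHAPv2 exchange and the AD lookup are not reproduced.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issue returns a certificate for cn signed by parent, or a self-signed root CA when parent
// is nil. Leaves get the extended key usage of their role (server vs. client auth).
func issue(cn string, eku x509.ExtKeyUsage, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true,
	}
	signer, signerKey := parent, parentKey
	if parent == nil { // root CA: self-signed and allowed to sign other certificates
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
		signer, signerKey = tmpl, key
	} else { // leaf: name it and restrict it to its role
		tmpl.DNSNames, tmpl.ExtKeyUsage = []string{cn}, []x509.ExtKeyUsage{eku}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// handshake runs one TLS handshake over an in-memory pipe and returns the CN of the client
// certificate the server accepted ("" if none) or an error from either side.
func handshake(srvCfg, cliCfg *tls.Config) (string, error) {
	p1, p2 := net.Pipe()
	defer func() { p1.Close(); p2.Close() }()
	deadline := time.Now().Add(5 * time.Second) // pipe writes block until read; never hang
	p1.SetDeadline(deadline)
	p2.SetDeadline(deadline)
	srv, cli := tls.Server(p1, srvCfg), tls.Client(p2, cliCfg)
	srvDone := make(chan error, 1)
	go func() { srvDone <- srv.Handshake() }()
	cliErr := cli.Handshake()
	go cli.Read(make([]byte, 1)) // a TLS 1.3 client finishes first; drain any later server alert
	if srvErr := <-srvDone; srvErr != nil || cliErr != nil {
		return "", fmt.Errorf("server: %v; client: %v", srvErr, cliErr)
	}
	if peers := srv.ConnectionState().PeerCertificates; len(peers) > 0 {
		return peers[0].Subject.CommonName, nil
	}
	return "", nil
}

// connect models the TLS exchange of either method against a constructed corporate PKI.
// EAP-TLS (requireClientCert=true): the server demands a device certificate chained to the
// corporate root, and the client validates the server certificate the same way.
// PEAP's outer tunnel (requireClientCert=false): only the server presents a certificate,
// so the supplicant just needs the root CA installed (clientTrustsRoot).
func connect(requireClientCert, clientHasCert, clientTrustsRoot bool) (string, error) {
	ca, caKey := issue("Corp Root CA", 0, nil, nil)
	srvCert, srvKey := issue("radius.corp.example", x509.ExtKeyUsageServerAuth, ca, caKey)
	devCert, devKey := issue("laptop-017.corp.example", x509.ExtKeyUsageClientAuth, ca, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	srv := &tls.Config{ClientCAs: roots, SessionTicketsDisabled: true,
		Certificates: []tls.Certificate{{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey}}}
	if requireClientCert {
		srv.ClientAuth = tls.RequireAndVerifyClientCert
	}
	cli := &tls.Config{ServerName: "radius.corp.example", RootCAs: x509.NewCertPool()} // empty pool: root not installed
	if clientTrustsRoot {
		cli.RootCAs = roots
	}
	if clientHasCert {
		cli.Certificates = []tls.Certificate{{Certificate: [][]byte{devCert.Raw}, PrivateKey: devKey}}
	}
	return handshake(srv, cli)
}

func main() {
	for _, c := range []struct{ name string; req, has, trusted bool }{
		{"EAP-TLS, device cert presented", true, true, true},
		{"EAP-TLS, client has no cert", true, false, true},
		{"PEAP, root CA installed on client", false, false, true},
		{"PEAP, root CA missing on client", false, false, false},
	} {
		cn, err := connect(c.req, c.has, c.trusted)
		fmt.Printf("%-36s client cert=%q err=%v\n", c.name, cn, err)
	}
}
```

The device certificate here plays the role of the 'computer certificate' the second reply settled on: it names the PC, not the user, which is why it does not hit the roaming problem a per-user certificate has. The last case is the one that matters for a PEAP rollout: a supplicant that is not configured to validate the server certificate against the corporate root accepts any RADIUS server, so the "validate server certificate" setting should stay on and point at that root.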