Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
547
Views
0
Helpful
4
Replies

Certificates & PEAP on the same RADIUS Server?

whitelp
Level 1
Level 1

‎05-21-2008 02:59 AM - edited ‎07-03-2021 03:54 PM

Good morning guys,

In a dusty corner in the back of my mind I think I remember reading once that if you use a RADIUS server for authentication that you can have either but not both Certificate based and Username/Password based authentication running at the same time? For example, we currently use LEAP and PEAP but a masochist in our group now wants to go the certificate route, do we need separate RADIUS servers for that?

Thanks in advance for any assistance or pontifications offered!

Regards.

Labels:
0 Helpful
4 Replies 4

mkren
Level 1
Level 1

‎05-21-2008 11:59 AM

Hello,

so you want in the future three different ways to authenticate

* LEAP (User/PW)

* PEAP (User/PW

* PEAP (Certificates)

I haven't a setting with all three kinds, but have successfull made settings with PEAP-MSCHAPv2 and PEAP-TLS using the same RADIUS-Server an Cisco AP1231 Accesspoints.

RADIUS-Server in my case was MS IAS running on Windows Server 2003 R2

regards

Martin

0 Helpful

Jagdeep Gambhir
Level 10
Level 10

‎05-23-2008 05:34 AM

No need for a separate server, same radius will do it, all you need to do is to enable TLS along with PEAP/LEAP.

On the clients where you want to do certificate authentication need to enable TLS and have CA and user cert.

Regards,

~JG

Do rate helpfulposts

0 Helpful

d-berlinski
Level 1
Level 1
In response to Jagdeep Gambhir

‎05-27-2008 03:12 AM

Along the same lines...

Is there a way to separate by SSID? Let's say that one SSID is EAP-TLS and another one is PEAP. As far as I can see, if you enable both, both authentication methods are available on all SSID's.

0 Helpful

Scott Fella
Hall of Fame
Hall of Fame
In response to d-berlinski

‎05-27-2008 03:51 AM

That is because EAP-TLS and PEAP are configured the same. The only difference is that users will either need a certificate installed or not. What you can try is to play around with the radius server and try to create a policy that will not fail on the policy (EAP-TLS or PEAP).

Since these are secure type of authentication, why would you have both. If you want to make life easier and don't have to worry about installing client side certificates, then use PEAP. Usually I have clients that have different security methods, but it would be like PEAP, EAP-Fast for phones, and WEP for existing client support.

Hope this helps.

-Scott
*** Please rate helpful posts ***
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card