Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Certificates & PEAP on the same RADIUS Server?

Good morning guys,

In a dusty corner in the back of my mind I think I remember reading once that if you use a RADIUS server for authentication that you can have either but not both Certificate based and Username/Password based authentication running at the same time? For example, we currently use LEAP and PEAP but a masochist in our group now wants to go the certificate route, do we need separate RADIUS servers for that?

Thanks in advance for any assistance or pontifications offered!


New Member

Re: Certificates & PEAP on the same RADIUS Server?


so you want in the future three different ways to authenticate

* LEAP (User/PW)

* PEAP (User/PW

* PEAP (Certificates)

I haven't a setting with all three kinds, but have successfull made settings with PEAP-MSCHAPv2 and PEAP-TLS using the same RADIUS-Server an Cisco AP1231 Accesspoints.

RADIUS-Server in my case was MS IAS running on Windows Server 2003 R2



Re: Certificates & PEAP on the same RADIUS Server?

No need for a separate server, same radius will do it, all you need to do is to enable TLS along with PEAP/LEAP.

On the clients where you want to do certificate authentication need to enable TLS and have CA and user cert.



Do rate helpfulposts

New Member

Re: Certificates & PEAP on the same RADIUS Server?

Along the same lines...

Is there a way to separate by SSID? Let's say that one SSID is EAP-TLS and another one is PEAP. As far as I can see, if you enable both, both authentication methods are available on all SSID's.

Hall of Fame Super Silver

Re: Certificates & PEAP on the same RADIUS Server?

That is because EAP-TLS and PEAP are configured the same. The only difference is that users will either need a certificate installed or not. What you can try is to play around with the radius server and try to create a policy that will not fail on the policy (EAP-TLS or PEAP).

Since these are secure type of authentication, why would you have both. If you want to make life easier and don't have to worry about installing client side certificates, then use PEAP. Usually I have clients that have different security methods, but it would be like PEAP, EAP-Fast for phones, and WEP for existing client support.

Hope this helps.

*** Please rate helpful posts ***