04-09-2012 11:27 AM - edited 07-03-2021 09:58 PM
Hi, We've got a 5508 WLAN controller with about 200 WAPs currently deployed for guest access only. We would now like to deploy wireless for our internal network as well and would like for this to support voice as well. I'm reviewing the various options that are available and trying to figure out which one is the best. I've narrowed it down to EAP-TLS and PEAP with MS-CHAPv2 with Windows based certificates. Our management wants us to use Microsoft RADIUS servers instead of ACS. Just wanted to get some feedback to see if someone has done this in their environment before and the pros and cons of choosing one authentication method over another.
Thanks in advance for your valuable input!
04-09-2012 11:55 AM
First, for doing VoIP, make sure you have the appropriate coverage:
RSSI -65 dBm
SNR of 25 dB
and 25% cell overlap.
As for PEAP vs EAP-TLS, PEAP tends to be simpler. You do need to have a certificate on the IAS/NPS server that allows it to authenticate clients, but this is the only required certificate. You can use a GPO to push the wireless config down, and the Root CA certificate to the client devices, making that task a lot easier.
With EAP-TLS, every machine/user needs a certificate. So getting everyone enrolled can be a bit of a PITA. But if a machine is lost, or a user leaves you only need to revoke those certificates, to stop the device from getting on the network.
My .02, go with PEAP. Less certificate stuff to deal with, pretty easy to deploy and maintain.
Steve
04-09-2012 12:12 PM
Stephen, thanks for your post
Regarding PEAP, from what I've read, it seems like the user will need to enter their AD credentials every time they want to connect.
With EAP-TLS, the computer certificates should automatically connect the pc to the internal wireless network once it's in range.
Am I correct with these two statements?
if so, wouldn't option 2 be easier for users, and more secure?
Regards,
Raj
04-09-2012 12:16 PM
Actually the user shouldn't need to input credentials beyond the Windows login screen. If you use the WZC, and most supplicants, when you log in to the machine with domain credentials, they will be transmitted across the wireless for the user login. That being said, if there is an issue, they could get prompted.
But I'd rather troubleshoot why the user login isn't happening than have to get hip deep in PKI issues.
Yes EAP-TLS can be considered the most secure, and potentially easier on the user, so long as you are willing to do all of the certificate enrollments yourself.
Steve
04-09-2012 12:25 PM
Yes, on reading the guide again, it does say that the client computer will pass on the credentials in the second phase of authentication once it has verified the identity of the NPS server using the certificate, so thanks for clarifying that for me.
Agreed, but this design will pass through our information security department and I'm sure they'll want me to go the EAP-TLS route.
So I have a question regarding the certificates. We already deploy computer certificates on each client computer that is assigned to a user for VPN access. Couldn't I just use these existing certificates for EAP-TLS, or do I need to use dedicated certificates for this purpose?
04-09-2012 12:32 PM
If you only do machine level authentication for the TLS, you should be good, with what you have.
Steve
04-09-2012 12:39 PM
I want to add, but not to confuse you, that you can do PEAP/EAP-TLS with mutual authentication. It's overkill; the benny is the cert is sent inside a tunnel. If you do native TLS it is sent in the open, unless you select privacy.
But as Steve mentioned, the cert can be used. In fact, when you configure the supplicant you select what cert you want to use.
04-09-2012 01:33 PM
Thanks for chiming in George.
Stephen, with machine level authentication, I'm assuming you mean that as long as the machine is a member of the domain, has a valid certificate and the user account is active in AD, that machine should be able to connect to the wireless network using the certificate.
George, PEAP/EAP-TLS sounds like a great option that I could present as well. Could you provide some additional details? I can look it up if not but thanks for the idea.
Can you guys point me to a good step by step guide to deploy EAP-TLS with windows NPS and RADIUS. I can find one as well but you guys seem to have good experience doing this.
04-09-2012 01:37 PM
Here, give a peek at these to get you started:
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_white_paper09186a008009256b.shtml
http://www.mombu.com/microsoft/windows-server-security-general/t-peap-tls-vs-eap-tls-443617.html
04-09-2012 01:38 PM
Stephen, with machine level authentication, I'm assuming you mean that as long as the machine is a member of the domain, has a valid certificate and the user account is active in AD, that machine should be able to connect to the wireless network using the certificate.
With Machine authentication the user doesn't matter. The machine certificate is the only 'credential' sent to be validated.
Steve
04-09-2012 01:42 PM
Interesting, so am I correct in assuming that PEAP/EAP-TLS would utilize both methods of authentication? It would validate the machine credentials as well as the user credentials?
04-09-2012 01:47 PM
I would not implement PEAP/TLS as not all clients will support it. However, most clients support EAP/TLS. I just wanted to mention it because if you are new to TLS this will be one of those "oh, I didn't know you could do that" ..
BTW --
The first EAP is the outer and the second EAP is the inner
EAP/PEAP (Outer) - MSCHAPv2 (Inner)
EAP/TLS (there is no tunnel unless you select "privacy")
EAP/PEAP (Outer) - TLS (Inner)
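The outer/inner layering George lists, and the server-certificate validation step Raj mentions earlier, both end up as settings in the Windows wireless profile XML (the format `netsh wlan export profile` writes). The following audit script is an added example, not code from this thread; it walks a constructed sample profile, reports the EAP method chain, and flags the settings that let a client accept a rogue RADIUS server or prevent machine authentication before logon.

```python
import xml.etree.ElementTree as ET

# IANA EAP method numbers as they appear in Windows EapHostConfig <Type> elements
EAP_TYPES = {13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}

def _name(elem):
    return elem.tag.rsplit("}", 1)[-1]  # drop the XML namespace, keep the local name

def _text(root, name):
    """First text value of an element with this local name, or '' if absent/empty."""
    return next((e.text.strip() for e in root.iter() if _name(e) == name and e.text), "")

def audit_profile(xml_text):
    """Return (chain, findings): EAP methods outer->inner and a list of weak settings."""
    root = ET.fromstring(xml_text)
    chain = []
    # Each <Eap> has a direct <Type> child; pre-order iteration yields outer before inner
    for eap in (e for e in root.iter() if _name(e) == "Eap"):
        t = next((int(c.text) for c in eap if _name(c) == "Type"), None)
        chain.append(EAP_TYPES.get(t, f"EAP type {t}"))
    findings = []
    if _text(root, "authMode") == "user":
        findings.append("authMode=user: the machine cannot authenticate before a user logs on")
    if _text(root, "DisableUserPromptForServerValidation") != "true":
        findings.append("users may click through an untrusted RADIUS server certificate")
    if not _text(root, "ServerNames"):
        findings.append("ServerNames empty: any server cert from the trusted CA is accepted as NPS")
    if not _text(root, "TrustedRootCA"):
        findings.append("no TrustedRootCA pinned: any root in the machine trust store is accepted")
    return chain, findings

# Constructed sample profile (hypothetical SSID and CA thumbprint): PEAP with inner
# MSCHAPv2, user-only auth mode, server prompt allowed and no server name configured.
SAMPLE_PEAP = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
 <name>CORP-WIFI</name>
 <MSM><security><OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
  <authMode>user</authMode>
  <EAPConfig><EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
   <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>25</Type>
    <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
     <ServerValidation><DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
      <ServerNames></ServerNames><TrustedRootCA>ab cd ef 01</TrustedRootCA></ServerValidation>
     <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>26</Type></Eap>
    </EapType></Eap></EapHostConfig></EAPConfig></OneX></security></MSM></WLANProfile>"""

if __name__ == "__main__":
    chain, findings = audit_profile(SAMPLE_PEAP)
    print(" -> ".join(chain))
    for f in findings:
        print("WARN:", f)
```

Run it against a profile exported from a real client to see whether the supplicant actually pins the NPS server name and CA before it releases the user's MSCHAPv2 hash into the tunnel.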
04-09-2012 01:42 PM
Steve, his users have a VPN cert; this is not a machine cert, correct? So I am thinking he would need to config his client with EAP-TLS and select the cert in the client supplicant.
Also, "machine authentication" uses a SID (system ID). This would not use a cert, correct? Rather it would use the SID that is unique to the device and AD, which is used instead of an AD ID, for example ...
04-09-2012 01:48 PM
Actually, I believe it's a machine certificate.
04-09-2012 01:51 PM
I have to say, the term "machine authentication", can mean a few different things.