Thank you for everyone's quick reply and valuable suggestions.  I think it's
clear now that EAP-TLS (machine auth) followed by PEAP (user auth) is not
possible using a native Windows supplicant or possibly any supplicant.
However, using the same EAP type for both is possible.  A good demo of this
using EAP-TLS is shown in a LabMinutes video #SEC0046.
 
Thanks Again

  _____  

From: Justin Kurynny [mailto:[email protected]] 
Sent: October-25-13 5:00 PM
To: 'Marvin Krym'; '[email protected]'
Subject: RE: [OSL | CCIE_Wireless] Windows Wireless Client/Supplicant
Config Question



Marvin,

 

Just to add on to my previous comment, you may be able to use EAP-TTLS,
which is supported natively in Windows 8 (according to the Wikipedia article
on EAP). I'm not sure what you'd use for a AAA server, however. I'm pretty
sure ISE and ACS don't support EAP-TTLS. W2k13 Server may support it.

 

Justin

 

From: Justin Kurynny 
Sent: Friday, October 25, 2013 13:53
To: 'Marvin Krym'; [email protected]
Subject: RE: [OSL | CCIE_Wireless] Windows Wireless Client/Supplicant Config
Question

 

Marvin,

 

Are you trying to use both authentication types simultaneously (AND)? If so,
I don't know of any support for this except for maybe EAP Chaining with
AnyConnect as supplicant and ISE as authenticator, and even then I think
you'll need to use EAP-FAST as one of the methods.

 

If you are trying to do this as an OR authentication (such as with connect
before login), you may be able to do this natively on W7 or higher, but I've
never tried it and the configuration dialogs don't look promising. It's
possible you could be able to do it with AnyConnect, but you'd need to set
up an AnyConnect profile using the administration tool.

 

As a side note, I recall reading about Tunneled EAP (TEAP), which was a
draft proposal to the IETF in 2011 and renewed in 2012. I believe TEAP would
have supported multiple authentication methods inside a tunnel. I'm not sure
where that initiative stands now, but it would be nice to have a method for
using more than one EAP method to authenticate an endpoint/user combination.

 

Justin

 

From: [email protected]
[mailto:[email protected]] On Behalf Of Marvin Krym
Sent: Friday, October 25, 2013 10:16
To: [email protected]
Subject: [OSL | CCIE_Wireless] Windows Wireless Client/Supplicant Config
Question

 

Is it possible to configure the Windows wireless client/supplicant to do
machine auth by sending a machine cert (i.e. EAP-TLS) and then do user auth by
using PEAP/MSCHAP?  It seems to me that I have to choose one EAP type or the
other.  Any clarification would be appreciated.

 

Thanks.
