Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Eap-peap-public explanation

  • 1.  Eap-peap-public explanation

    Posted Sep 14, 2014 03:28 AM
    ClearPass 6.4 supports EAP-PEAP-Public, which apparently allows sharing a publicly known username/password as a login to an 802.1X-protected network. How is this different than just using a user from the internal DB? Any clues on its use case would be awesome.


  • 2.  RE: Eap-peap-public explanation

    EMPLOYEE
    Posted Sep 14, 2014 04:43 AM
    We have had a lot of financial and enterprise customers asking for an easy way of setting up secure guest access. They don't want to issue personal device certificates, so they asked to have a PEAP with a common username and password they could hand out, and the guest could do a self reg just like a normal guest.

    EAP-PEAP-Public
    The EAP-PEAP-Public method is used for authenticating and providing secured wireless guest access to the endpoints. To provide secured wireless guest access, Wi-Fi Protected Access (WPA) is provided for a publicly known username and password. This ensures that every device gets a unique wireless session key that is used to encrypt the traffic and provide secured wireless access without intruding on the privacy of others, though the same username and password are shared with all devices.


  • 3.  RE: Eap-peap-public explanation

    Posted Sep 15, 2014 12:56 PM

    I saw that blurb in the release notes, just not sure on the usage. No disrespect, but how is this different than just making a Guest/Guest user in ClearPass and letting people use it for 802.1X auth? It does not seem like a new feature to me... It still requires the end device to support 802.1X auth, correct? Shared 802.1X is way better than WPA2-PSK because of the unique session key, but is limited to devices that support 802.1X. Unique PSK for each user (personal-PSK) would be something cool but seems to be owned by AeroHive.



  • 4.  RE: Eap-peap-public explanation

    EMPLOYEE
    Posted Sep 15, 2014 01:00 PM
    I think you'll find that most guest users are using a 1X capable device.

    You can simply make the username/password the SSID name.


  • 5.  RE: Eap-peap-public explanation
    Best Answer

    EMPLOYEE
    Posted Sep 15, 2014 11:20 PM

    Matt,

    After a few emails I was able to get a little more background on it.

    EAP-PEAP Public is specifically created to be used in High Capacity Guest mode to provide secure WiFi for guest users. In HCG mode we don’t allow normal PEAP method to be configured that can authenticate against any repository, as it can be used for enterprise class 802.1X.

    The EAP-PEAP Public method can’t authenticate with any repository, it will only accept the configured public username/password.



  • 6.  RE: Eap-peap-public explanation

    Posted Sep 16, 2014 12:31 AM

    Thanks for tracking that down, that makes sense.