Frequent Contributor II

Eap-peap-public explanation

ClearPass 6.4 supports EAP-PEAP-Public, which apparently allows sharing a publicly known username/password as a login to an 802.1X-protected network. How is this different than just using a user from the internal DB? Any clues on its use case would be awesome.
Aruba

Re: Eap-peap-public explanation

We have had a lot of financial and enterprise customers asking for an easy way of setting up secure guest access. They don't want to issue personal device certificates, so they asked to have a PEAP with a common username and password they could hand out, and the guest could do a self reg just like a normal guest.

EAP-PEAP-Public
The EAP-PEAP-Public method is used for authenticating and providing a secured wireless guest access to the endpoints. To provide a secured wireless guest access, the Wi-Fi Protected Access (WPA) is provided for publicly known username and password. This ensures that every device gets a unique wireless session key that is used to encrypt the traffic and provide secured wireless access without intruding on the privacy of others, though the same username and password are shared with all devices.

Thank You,
Troy

Frequent Contributor II

Re: Eap-peap-public explanation

I saw that blurb in the release notes, just not sure on the usage. No disrespect, but how is this different than just making a Guest/Guest user in ClearPass and letting people use it for 802.1X auth? It does not seem like a new feature to me... It still requires the end device to support 802.1X auth, correct? Shared 802.1X is way better than WPA2-PSK because of the unique session key, but is limited to devices that support 802.1X. Unique PSK for each user (personal-PSK) would be something cool but seems to be owned by AeroHive.
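
The session-key difference discussed in the posts above, as an added example that is not part of the thread and not ClearPass code. It assumes the TLS 1.2 PRF and the EAP key-export label "client EAP encryption", and stands in for the TLS handshake with random bytes; the SSID and passphrase are constructed values.

```python
import hashlib
import hmac
import os


def wpa2_psk_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal: the PMK is a fixed function of passphrase and SSID,
    so every device that knows the passphrase holds the same PMK."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF (P_SHA256). Assumption: older PEAP stacks negotiate
    TLS 1.0/1.1, which use a different PRF construction."""
    seed = label + seed
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def peap_pmk(master_secret: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """PMK exported from the PEAP outer TLS tunnel. The shared username and
    password are not an input: they are only checked inside the tunnel."""
    key_material = tls12_prf(master_secret, b"client EAP encryption",
                             client_random + server_random, 128)
    msk = key_material[:64]   # Master Session Key
    return msk[:32]           # first 32 bytes become the 802.11 PMK


def simulate_peap_session() -> bytes:
    """Stand-in for one TLS handshake: fresh randoms and master secret."""
    return peap_pmk(os.urandom(48), os.urandom(32), os.urandom(32))


if __name__ == "__main__":
    ssid, shared = "Guest-WiFi", "Guest-WiFi"   # constructed sample values
    print("PSK  device A:", wpa2_psk_pmk(shared, ssid).hex())
    print("PSK  device B:", wpa2_psk_pmk(shared, ssid).hex())   # identical
    print("PEAP device A:", simulate_peap_session().hex())
    print("PEAP device B:", simulate_peap_session().hex())      # differs
```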

Guru Elite

Re: Eap-peap-public explanation

I think you'll find that most guest users are using a 1X capable device.

You can simply make the username/password the SSID name.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Aruba

Re: Eap-peap-public explanation

Matt,

After a few emails I was able to get a little more background on it.

EAP-PEAP Public is specifically created to be used in High Capacity Guest mode to provide secure WiFi for guest users. In HCG mode we don’t allow normal PEAP method to be configured that can authenticate against any repository, as it can be used for enterprise class 802.1X.

The EAP-PEAP Public method can’t authenticate with any repository, it will only accept the configured public username/password.

Thank You,
Troy

Frequent Contributor II

Re: Eap-peap-public explanation

Thanks for tracking that down, that makes sense.
