08-01-2016 02:34 PM
Yes, the wizard creates a service with the first Auth Type as EAP-TLS with OCSP. The second is PEAP without fast reconnect enabled.
Why PEAP without fast reconnect rather than with?
08-01-2016 02:36 PM
Fast connect is considered a security hole by most security teams. So the decision was made to default with it disabled.
08-02-2016 08:43 AM
Interesting. Do you by chance have any examples of this documented anywhere? My Google fu is failing me on this subject.
My understanding of the fast reconnect feature is that it is there to provide quicker authentication when roaming from NAD to NAD when properly configured against the same NAS. If the environment is all Aruba mobility controllers, does fast reconnect even provide a benefit?
08-02-2016 08:47 AM
Are you having issues in your deployment without fast reconnect?
08-02-2016 08:52 AM - edited 08-02-2016 08:52 AM
No, just trying to understand why CPPM creates the service the way it does. The documentation and associated comments on this subject appear to be nil.
08-02-2016 08:56 AM
Also keep in mind that the Onboard service generated by the wizard is designed for single-SSID Onboard, so PEAP would only be used for the first authentication and Fast Connect would never be used anyway.
08-02-2016 09:06 AM
Yes, I know that PEAP is Microsoft but that wasn't the documentation I was referring to. I'm just trying to find something on why CPPM wizards set some of the options like they do.
PEAP would be first authentication for devices destined for OnBoard but the customer might not be interested in buying OnBoard licenses for every device they have on the network.