02-11-2014 02:26 PM
We now have an 802.1x wireless SSID. I looking for a source that can tell me in detail how this authentication occurs. We are using the following:
Termination EAP-Type: eap-peap
Termination Inner EAP-Type: eap-mschapv2
We are terminating on the controller
Use Windows RADIUS and an Active Directory server
We have 2 RADIUS servers and we had to terminate on the controller to get the fail-through to work on AOS 22.214.171.124
I don't understand what "inner EAP" is and can't find a resource to explain it. I would love to have a details list of stepes that take place for the type of authentication.
Thanks for your help,
Solved! Go to Solution.
02-11-2014 03:15 PM
PEAPv0 and PEAPv1 both refer to the outer authentication method and are the mechanisms that create the secure TLS tunnel to protect subsequent authentication transactions. EAP-MSCHAPv2, EAP-GTC, and EAP-SIM refer to the inner authentication methods which provide user or device authentication.
When you use EAP-MSCHAPV2 as an inner type means that you don't require a client certificate but need a server certificate and the clients need a password instead.
The PEAP (outer) creates a TLS tunnel to secure this transaction over the network.
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
02-11-2014 07:00 PM
With PEAP-MSCHAPv2, it is important to always configure the client to validate the server certificate. Many people turn this off for troubleshooting and then don't turn it back on. Also, many people think it eases the client configuration piece but in reality you are bypassing the server authentication part of the PEAP process which is important for securing client credentials.
Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP