Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass service with two different authentication methods for two operating systems

  • 1.  ClearPass service with two different authentication methods for two operating systems

    Posted Oct 26, 2016 09:51 AM

    Hello,

    I have an environment with Windows 7, 10, Vista and XP.

    My service has EAP-TLS as the authentication mode, but my XP systems are not connecting to that service.

    I would like to know if I can insert MS-CHAP V2 in the service as an authentication mode and force the XP systems to use this method in roles?



  • 2.  RE: ClearPass service with two different authentication methods for two operating systems

    EMPLOYEE
    Posted Oct 26, 2016 09:53 AM
    Short answer: yes, you can support multiple EAP methods on the same SSID.



    Question: Is the Windows XP client configured for EAP-TLS?


  • 3.  RE: ClearPass service with two different authentication methods for two operating systems

    Posted Oct 26, 2016 11:20 AM
    • Edit your service and go to the Authentication tab.
    • Under the "Authentication Methods" section click the "-- Select to Add--" dropdown box
    • Add whatever other methods you need.



  • 4.  RE: ClearPass service with two different authentication methods for two operating systems

    Posted Oct 26, 2016 11:39 AM

    Hi my friend,

    I don't want to use TLS for XP devices; I want to configure them for MSCHAP-V2, but if I put EAP-MSCHAP-V2 in the authentication methods, other devices will be able to connect too.

    I need a way so that only XP can connect by EAP-MSCHAP-V2.



  • 5.  RE: ClearPass service with two different authentication methods for two operating systems

    Posted Oct 26, 2016 11:54 AM

    Not necessarily; it depends on how you configure your clients and how you configure your service.

    If you configure your other devices to use EAP-TLS, then they will only use EAP-TLS and not EAP-MSCHAPv2.

    If you want to be really strict though, you could figure out a way of identifying what OS the device is using (probably through the Endpoints database) and then use a role mapping and enforcement to block the device if it is not using the EAP method you want.

    So for instance, if you have a Windows 10 device and it tries connecting using EAP-MSCHAPv2, then it will be denied. You would then need to identify why the device is using EAP-MSCHAPv2 vs EAP-TLS.

    On a side note, the authentication methods defined in the service do not dictate what method your client uses; they only indicate what authentication methods the service will process or handle.
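
The decision logic described in the reply above, as an added example that is not part of the original thread and is not ClearPass rule syntax. It is a Python model only: the endpoint table, MAC addresses, function names and reason strings are constructed assumptions, and it takes the reading that EAP-TLS is accepted from any device while EAP-MSCHAPv2 is accepted only from endpoints profiled as Windows XP.

```python
from dataclasses import dataclass

# Constructed endpoint database (MAC -> profiled OS family); stands in for
# whatever source identifies the device's OS. Hypothetical values.
ENDPOINTS = {
    "00:11:22:33:44:01": "Windows XP",
    "00:11:22:33:44:02": "Windows 10",
    "00:11:22:33:44:03": "Windows 7",
}

# Service-level list: the methods the service will process at all.
# It does not decide which method a given client picks.
SERVICE_METHODS = {"EAP-TLS", "EAP-MSCHAPv2"}

@dataclass(frozen=True)
class AuthRequest:
    mac: str
    eap_method: str  # method the client actually negotiated

def evaluate(req, endpoints=ENDPOINTS):
    """Return (decision, reason) for one request; anything unmatched is denied."""
    if req.eap_method not in SERVICE_METHODS:
        return "DENY", "method not handled by service"
    if req.eap_method == "EAP-TLS":
        return "ALLOW", "EAP-TLS"
    # Remaining case is EAP-MSCHAPv2: only endpoints profiled as XP may use it.
    os_family = endpoints.get(req.mac.lower())  # None if never profiled
    if os_family == "Windows XP":
        return "ALLOW", "XP exception for EAP-MSCHAPv2"
    return "DENY", f"EAP-MSCHAPv2 from {os_family or 'unprofiled endpoint'}"

def denied(requests):
    """Denied requests with reasons, i.e. the devices to follow up on."""
    results = ((r.mac, evaluate(r)) for r in requests)
    return [(mac, reason) for mac, (decision, reason) in results if decision == "DENY"]

# Constructed sample requests.
SAMPLE = [
    AuthRequest("00:11:22:33:44:01", "EAP-MSCHAPv2"),  # XP: allowed
    AuthRequest("00:11:22:33:44:02", "EAP-TLS"),       # Windows 10: allowed
    AuthRequest("00:11:22:33:44:02", "EAP-MSCHAPv2"),  # Windows 10: denied
    AuthRequest("00:11:22:33:44:99", "EAP-MSCHAPv2"),  # never profiled: denied
]

if __name__ == "__main__":
    for mac, reason in denied(SAMPLE):
        print(mac, reason)
```
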



  • 6.  RE: ClearPass service with two different authentication methods for two operating systems

    Posted Oct 26, 2016 12:27 PM

    Hi,

    I think that is the way.

    I will try to configure it and will report here.