Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass certificates

  • 1.  Clearpass certificates

    Posted May 16, 2014 07:07 AM

    We currently authenticate Windows laptops against an NPS server using PEAP, with an internal Windows CA.

     

    We have purchased ClearPass and I wish to migrate RADIUS authentication from NPS to CPPM. I would like to carry on using PEAP for our Windows laptops and continue to use our internal root CA. We are also going to be using OnBoard, and we'd like to use ClearPass as the CA for OnBoard devices (iOS/Android).

     

    Is it possible to use the existing internal CA for PEAP for the Windows laptops and the ClearPass CA for OnBoard?

     

    thank you



  • 2.  RE: Clearpass certificates

    EMPLOYEE
    Posted May 16, 2014 07:10 AM
    Are you using PEAP-TLS or PEAP-MS CHAPv2 for the Windows devices?


  • 3.  RE: Clearpass certificates

    Posted May 16, 2014 08:18 AM

    PEAP-MS CHAPv2

     

    thanks



  • 4.  RE: Clearpass certificates
    Best Answer

    EMPLOYEE
    Posted May 16, 2014 08:36 AM

    You can absolutely use both EAP methods on the same ClearPass server and even the same SSID.

     

    What you'd want to do is create a service just for EAP-PEAP to handle the username/password authentication. This will require uploading a new (or if you have the private key, the old from NPS) RADIUS server certificate to ClearPass. This will serve as the server's identity in the PEAP process.

     

    In your PEAP service, you can check for Machine Authentication, FQDN, etc., and then let everything else fall through to OnBoard registration.

     

    Here's an example of the service rules to separate the two methods:

     

    [Image: services-eap-peap.PNG]

    [Image: eap-tls-service.PNG]
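
    A pre-upload check for the RADIUS server certificate mentioned in the answer above, as an added example that is not part of the original thread or of ClearPass: it confirms the certificate chains to the internal root the laptops already trust, that the private key belongs to it, and that it carries the Server Authentication EKU. The function names, file names and throwaway demo PKI are constructed for illustration, and a single-tier CA with no intermediate is assumed.

```bash
# Added example: sanity-check a PEAP/RADIUS server certificate before upload.
# Usage: check_radius_cert SERVER_CERT.pem PRIVATE_KEY.pem ROOT_CA.pem
# Prints OK, or the first failing check with a distinct return code.
check_radius_cert() {
  cert=$1; key=$2; ca=$3
  # 1. Must chain to the internal root CA that clients already trust.
  #    (Assumption: no intermediate CA; otherwise pass it with -untrusted.)
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
    || { echo "FAIL: does not chain to root"; return 1; }
  # 2. The private key must match the certificate: compare public keys.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
  [ "$cert_pub" = "$key_pub" ] \
    || { echo "FAIL: key does not match certificate"; return 2; }
  # 3. The certificate must be usable as a TLS server identity.
  openssl x509 -in "$cert" -noout -text \
    | grep -q "TLS Web Server Authentication" \
    || { echo "FAIL: Server Authentication EKU missing"; return 3; }
  echo "OK"
}

# Constructed sample data: a throwaway root CA, a server certificate signed
# by it, and an unrelated key, all written into directory $1.
make_demo_pki() {
  d=$1
  printf '%s\n' '[req]' 'distinguished_name=dn' 'prompt=no' \
    'x509_extensions=ca' '[dn]' 'CN=Demo Internal Root' \
    '[ca]' 'basicConstraints=critical,CA:TRUE' \
    '[srv]' 'extendedKeyUsage=serverAuth' > "$d/demo.cnf"
  openssl req -x509 -config "$d/demo.cnf" -newkey rsa:2048 -nodes -days 2 \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  openssl req -new -config "$d/demo.cnf" -subj "/CN=radius.example.test" \
    -newkey rsa:2048 -nodes -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null
  openssl x509 -req -in "$d/srv.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 2 -extfile "$d/demo.cnf" -extensions srv \
    -out "$d/srv.pem" 2>/dev/null
  openssl genrsa -out "$d/other.key" 2048 2>/dev/null
}

# Demo run on the constructed PKI.
demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir"
check_radius_cert "$demo_dir/srv.pem" "$demo_dir/srv.key" "$demo_dir/ca.pem"
```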



  • 5.  RE: Clearpass certificates

    Posted May 16, 2014 08:40 AM

    Perfect, thanks



  • 6.  RE: Clearpass certificates

    Posted Jun 29, 2014 05:21 PM
    Yes, this is possible. Just make sure to load the appropriate server certs on ClearPass and you are good to go.

    You can configure separate RADIUS and web certs, which should also make things easier for your use case.