I know the difference between the need for certificates/PKI vs. username/password, but if you have the PKI in place and need to entertain one vs. the other, what other reasons would you choose one over the other?
This is for Microsoft managed domain PCs with Active Directory and Microsoft PKI. We also have non-managed devices connecting as well, but I am just trying to decide on the Microsoft managed PCs and how we should move forward for those devices.
Does it really matter if we move them over to EAP-TLS or just keep doing EAP-PEAP?
Are there any performance gains in wireless authentication with one over the other?
Let me know your thoughts.
In my opinion it boils down to what is easier. If you are authenticating users, then usernames and passwords are easier for humans to use. If you are authenticating devices, certificates are easier to maintain. (It all depends on the definition of "easy", of course.)
Performance-wise it doesn't matter. The authentication process is only used at the beginning of the session. During use the encryption is the same.
The choice of EAP method is going to depend on your requirements. If you feel that MS-CHAPv2 is an inferior method, you can use a certificate for the inner authentication in conjunction with PEAP. Like people have mentioned before me, PEAP is going to work great right out of the box on Windows 7 or 8 boxes.
EAP-TLS is the only EAP methodology that requires a server certificate in addition to client certificates.
For DoD and Intel networks, EAP-TLS is mandated.
@Seeker: I am afraid it is the other way round:
EAP-TLS is the only EAP methodology that requires client certificates in addition to a server certificate.
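An added example, not posted by anyone in this thread: a small Python script that reads a Windows WLAN profile (the XML that `netsh wlan export profile` writes), reports whether it uses PEAP (EAP type 25) or EAP-TLS (EAP type 13), whether a client certificate is therefore required, and whether server-certificate validation is pinned to a trusted root CA. The two profiles are constructed and trimmed; the element names follow Microsoft's EapHostConfig schema as understood here and are an assumption, and the CA thumbprint is a placeholder.

```python
import xml.etree.ElementTree as ET

# IANA EAP method type numbers as they appear in Windows EapHostConfig profiles.
EAP_TYPE_NAMES = {13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}

# Constructed, trimmed profiles modelled on `netsh wlan export profile` output.
# Element names follow the EapHostConfig schema as understood here (assumption).
PEAP_PROFILE = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CorpWiFi-PEAP</name>
  <MSM><security><OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><EAPConfig>
    <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
      <EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type></EapMethod>
      <Config><Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
        <Type>25</Type>
        <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
          <ServerValidation>
            <DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>
            <ServerNames>radius.corp.example</ServerNames>
            <TrustedRootCA>PLACEHOLDER-ROOT-CA-THUMBPRINT</TrustedRootCA>
          </ServerValidation>
          <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
            <Type>26</Type>
          </Eap>
        </EapType>
      </Eap></Config>
    </EapHostConfig>
  </EAPConfig></OneX></security></MSM>
</WLANProfile>"""

EAP_TLS_PROFILE = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CorpWiFi-TLS</name>
  <MSM><security><OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><EAPConfig>
    <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
      <EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">13</Type></EapMethod>
      <Config><Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
        <Type>13</Type>
        <EapType xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1">
          <CredentialsSource><CertificateStore><SimpleCertSelection>true</SimpleCertSelection></CertificateStore></CredentialsSource>
          <ServerValidation>
            <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
            <ServerNames></ServerNames>
          </ServerValidation>
        </EapType>
      </Eap></Config>
    </EapHostConfig>
  </EAPConfig></OneX></security></MSM>
</WLANProfile>"""


def _local(tag):
    """Strip the XML namespace so lookups ignore the many Microsoft namespaces."""
    return tag.rsplit("}", 1)[-1]


def _first(node, name):
    """First element (node itself or a descendant) whose local tag name matches."""
    if node is None:
        return None
    for el in node.iter():
        if _local(el.tag) == name:
            return el
    return None


def _text(node, name, default=""):
    el = _first(node, name)
    return (el.text or "").strip() if el is not None else default


def classify_profile(xml_text):
    """Summarise the EAP method and server-validation settings of one profile."""
    root = ET.fromstring(xml_text)
    outer = int(_text(_first(root, "EapMethod"), "Type") or 0)
    method = EAP_TYPE_NAMES.get(outer, "other(%d)" % outer)
    inner = None
    if method == "PEAP":
        # The inner method sits in a nested <Eap><Type> under the PEAP <EapType>.
        inner_num = int(_text(_first(_first(root, "EapType"), "Eap"), "Type") or 0)
        inner = EAP_TYPE_NAMES.get(inner_num, "other(%d)" % inner_num)
    sv = _first(root, "ServerValidation")
    return {
        "name": _text(root, "name"),
        "method": method,
        "inner_method": inner,
        # EAP-TLS, whether outer or as PEAP's inner method, needs a client certificate.
        "client_certificate_required": method == "EAP-TLS" or inner == "EAP-TLS",
        "server_cert_pinned_to_root_ca": bool(_text(sv, "TrustedRootCA")),
        "user_prompt_disabled": _text(sv, "DisableUserPromptForServerValidation").lower() == "true",
    }


def findings(report):
    """Defender-side observations derived from a classify_profile() report."""
    notes = []
    if not report["server_cert_pinned_to_root_ca"]:
        notes.append("server certificate is not pinned to a trusted root CA")
    if report["inner_method"] == "EAP-MSCHAPv2" and not report["user_prompt_disabled"]:
        notes.append("PEAP/MS-CHAPv2 leaves server trust to a user prompt")
    if report["client_certificate_required"]:
        notes.append("each device needs an enrolled client certificate (cost/MDM factor)")
    return notes


if __name__ == "__main__":
    for profile in (PEAP_PROFILE, EAP_TLS_PROFILE):
        report = classify_profile(profile)
        print(report["name"], report, findings(report))
```

The point of running this over real exported profiles is that the PEAP-vs-EAP-TLS choice is only half the picture: a PEAP/MS-CHAPv2 profile with no trusted root CA configured accepts whatever RADIUS server answers, so the password-based deployment is only as good as its server validation settings, while an EAP-TLS profile turns the question into certificate enrolment and lifecycle cost, as the thread notes.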
Thanks Petri; I am brain dead after 15+ hours.
Really the only other factor would be cost. I assume if one has MS AD that the staff is familiar with setting up and maintaining any EAP methodology.
Cost comes into play since each device requires a client certificate. Also, if a client certificate must be installed onto a BYOD that is not part of the organization (e.g., a partner's), an MDM server integrated with GPO would be a better solution for this type of implementation.