Skip to main content

Where are all the AAA and PKI solutions gone for Dot1x

More Question than answers

(This series will be based on an enterprise with >20,000 dot1x devices)

I have been looking into dot1x authentication for Wired and Wireless devices based on device identity using x.509 Certificates. While I understand PKI, AAA, PEAP and sorts I had never really had the opertunity to bring these technologies together. I quickly found out that despite this stuff being around for years,  it was difficult to answer the following questions:

  • Which PKI solution should I use?

  • Which AAA solution should I use?

  • How to setup the PKI solution?

  • Does the PKI server need to be part of AD?

  • What if the clients are not in AD e.g. Wireless Tablets?

  • How do I issue certificates for devices?

  • How to configure the devices (wired and wireless)?

  • What AAA server do I use?

  • How do configure the rules and policies and identify clients?


What are the answers?

I am going to kick off a series here at that tries to address the question above; I have limited time but hopefully I can invest some over the coming weekends and share my thoughts with you.

  • Which PKI solution should I use?

  • Which AAA solution should I use?

These two question were pretty frustrating and I cannot say I am fully satisfied with the answer I have at the moment. Here are some brief thoughts:

For PKI solution I found it really difficult to identify any enterprise type products. Realistically I could only find Microsoft Certificate Authority. There are a few popular opensource solutions which personally I find quite interesting but it would be a hard sell for many enterprise customers. The other option is to use a external managed solution but again a very hard sell into the enterprise.

For AAA (RADIUS) there are a few:

  • Cisco ACS,

  • Cisco ISE (new kid on the block)

  • Juniper Steel Belted RADIUS

  • Microsoft IAS (lol)

  • FreeRADIUS

IAS and Free RADIUS are out off the bat, IAS because it is appalling, FreeRADIUS as its opensource and the mangeability is going to be tough for some of the less skill support desk staff that would inevatibilty have to support it.

Juniper Steel Belted - what I can tell from Juniper, it runs on Windows 2003 32bit, Sun Solaris or Redhat 4, all of these seem pretty long in the tooth and many enterprises are already running programmes to update these legacy systems so not really interesting in deploying legacy computing.


Cisco Alternatives - Cisco run on a Linux variant but it is fully hidden from the customer and is not a concern as any update will be within the maintenance cycle of the Cisco product and not with the OS vendor. This leave Cisco ACS or Cisco ISE. ISE appear to be is a coming together of various product based on ACS and NAC Profiler, one signification point is that there is no TACACS in the version 1 is the ISE product. I would expect at some future release to see TACACS be introduced into ISE and for ACS to grow old gracefully as there is total over lap on the RADIUS ability of both product.


ISE and Microsoft

So with that said putting cost aside ISE and Microsoft PKI is where I am going to take this series.


If you need a subnet calculator for you android devices then give this a try




  1. Having read this I believed it was rather informative. I appreciate you taking the time and effort to put this information together. I once again find myself spending a lot of time both reading and commenting. But so what, it was still worth it! hotmail email sign in

  2. I am very thankful to you for sharing this excellent knowledge. This information is helpful for everyone. So please always share this kind of information. Thanks. Alert Logic Charlotte


Post a comment

Popular posts from this blog

Break the Network Emulators out of the Cloud

Cisco IOU and JunoSphere Recently both Cisco and Juniper have announced the availability of online resources to provide hands on training over the internet. They have built software emulators in the cloud that can be accessed remotely for a cost. These solutions are based purely around the certification programs and therefore are pretty rigid in the topology that are provided, not to mention the re-occurring cost. Rack Rentals There are training providers such as Internetwork Expert ( and IPexpert ( who provide rack rentals based on their training materials. These guy cannot possibly compete going forward. To keep these sustainable they will need to reduce the overhead of building physical racks, providing power and space for the racks. Using e

Dell Latitude D830 SSD Upgrade

Slow Laptop Syndrome I have a LATITUDE D830 : INTEL CORE 2 DUO T7500 4GB Ram from 2008, I did get a fairly high specification at the time, so it has always had pretty decent performance. However I haven't been using it for a while and when I did it seemed slow compared to my Core 5i desktop computer. (I use Windows 7 ultimate with the latest updates) Laptop for Work Now I might be doing a fair bit of travelling to customer sites in the near future and the last thing I want is a poorly performing Laptop, so I decide to ditch all the crap I had on it like iTunes, movies, miscellaneous software and cut back to a basic "work" PC. After all I do have iPhone, iPad and new kindle (soon) for all my multi media needs. I purchased a "Corsair 120GB Force 3 SSD 2.5" SATA-III 6Gb/s Read = 550MB/s, Write = 510MB/s" from Now I am guessing that SATA-II rather that SATA-III on the system board, but the price difference between SATA-II and SATA-III wa

ASR1006 Dual Route Processors Password Recovery - Tip

I recently ran into an issue when trying to perform dual route processors password recovery on a Cisco  ASR1006 Problem After breaking into rommon mode and using confreg to ignore the startup configuration, during the rest the ASR1006 loaded the startup configuration!!!!!!!! Solution So quick and simple, I pulled one of the RP and preformed password recovery running on a single RP. All went according to the Cisco documentation   After the system running on a single RP was recovered and fully booted I waiting for 5 minutes just to be sure; then I inserted the second RP and allowed everything to sync up.   All was well again :) phew   Note: The system was previously fully functioning with dual RPs; a configuration error was made during Tacacs+ configuration which resulted in lockout.   Summary I hit an issue recovering and ASR with dual RPs, so rather that spending hour researching, I decided ve