Q: What is the difference between Transparent 802.1X and Internal 802.1X authentication on the BSC?
A: Transparent 802.1X
-Supports the following EAP types:
  -EAP-TLS
  -TTLS
  -PEAP
  -Cisco-LEAP
  -MD5
-Supports machine authentication.
  -Required to apply group policy, run login scripts, and allow logins by non-cached domain users.
-Access points send RADIUS requests to the RADIUS server.
-Requires a certificate installed on the RADIUS server.

Internal 802.1X
-Supports the following EAP types:
  -TTLS
  -PEAP
  -FAST
-Does NOT support machine authentication.
  -Cannot apply group policy or run login scripts, and non-cached domain users will not be able to log in.
-Access points send RADIUS requests to the BSC. The BSC is the RADIUS server and terminates EAP.
-BSC can authenticate the user against the local user database.
-BSC can proxy the inner method (i.e. PAP, CHAP, MSCHAP, MSCHAPv2) to an external RADIUS server.
-*BSC can authenticate the user directly against an LDAP server if the LDAP server has a readable attribute containing the MD4 hash of the user's password.
*Microsoft Active Directory does NOT have a readable attribute containing the MD4 hash of the user's password, and therefore authenticating directly against MS AD is NOT supported. Use IAS or NPS with MS AD.
-Leverages the certificate already installed on the BSC.
-Allows you to support 802.1X authentication without deploying a RADIUS server (Local User DB/LDAP) or with a RADIUS server that doesn't support EAP.