Skip to content
EAP-PEAP

Groups & self-service

EAP-PEAP is organised around groups, one per audience. Each group carries the network policy its members receive and can be handed to that audience’s own lead to run, so day-to-day account management does not fall on central IT.

A PEAP group represents one audience — employees, a contractor firm, a vendor team, an event cohort. Each group has:

  • An Attribute Profile that defines the network policy returned on a successful authentication, such as a VLAN (tunnel attributes) or a Cisco security group tag.
  • A roster of members, managed centrally or delegated to the group’s administrator.
  • A group name and lifecycle controls, so a group can be renamed or retired when the audience changes.

Attribute Profiles are defined once and reused across groups; they present the attribute as a standard value or a vendor-specific pair (for example a Cisco security group tag) and are covered in the administration model.

A PEAP group can issue each member an individual set of credentials — a personal account — rather than sharing one set. Members manage their own password through the Self-Service Portal, which keeps credentials individual and revocable without disturbing the rest of the group.

Two mechanisms reduce the central administration load:

  • Self-service enrollment can be enabled so that a new user is assigned into the group automatically on first sign-in to the Self-Service Portal, rather than being added by hand. Users can also be added and assigned manually where tighter control is wanted.
  • Delegated administration lets the audience’s lead act as a group administrator in the Self-Service Portal, managing their own members while the organization administrator retains overall control of the context. The roles are described in Roles and Administration Levels.

Through the Self-Service Portal, a member can set up the connection using the group’s SSID and their credentials, monitor their connected devices in real time (status, IP and MAC address, last seen), and manage their password. The portal provides the connection guidance so members can get on the network without an IT ticket.

Group creation and configuration changes are recorded in the configuration audit log with the actor, the action, and before-and-after values, and every authentication attempt is recorded in the authentication log.

Next