WLC 526 - 5.2.157.0 local eap

hi all,
For a customer solution, I tried to use a WLC 526 with 5.2.157.0 (in the release notes, local EAP is mentioned as new functionality), but when I configured it following the WLC release 5.0 configuration guide, it doesn't work.
From the sh wlan <ID> command I always see this:
Local EAP Authentication......................... Disabled
and the CLI command (config wlan local-auth enable profile_name wlan_id) cannot be used, and on the GUI for that WLAN the option to enable local EAP is missing...
I also tried firmware 5.2.178.0 with the same result.
Any advice??? Maybe a BUG (not found)???
Thanks
LUKAS

Ensure you have created the correct profile. Use this document to configure Local EAP on the WLC.
http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a008093f1b9.shtml#wlc

Similar Messages

  • Authentication eap-tls on ACS or local EAP WLC over Lwapp and 7921

    Hi All,
    I installed a WLC to provide the WLAN architecture, and the project was extended for VoWLAN. We have 7921 and E51 phones running over the wide WLAN architecture.
    Computers using data over wireless are working over PEAP done by ACS and a CA-signed certificate + user secret; on the PC it is linked to the domain account, and the secret stays the login and password. Our problem is that the user and password are linked via ACS to Active Directory. The policy for passwords is to change them frequently.
    For the phones we are actually running authentication over LEAP, but I'm working to define the best security solution for us.
    I compare PEAP and EAP-TLS for now:
    1) PEAP checks the authentication of the ACS via certificate trust and authenticates via MS-CHAPv2 and the secret password known by the user. My problem here is that the phone can only be static, which is potentially not acceptable.
    2) EAP-TLS, which is the best secured due to the double-sided certificate authentication + (login / password) on the phone.
    So I need to manage certificate management here? I mean I can use either the MIC CA certificate on the phone or a user CA-defined one, which I can put on the ACS or local EAP WLC, and then put the ACS CA trust on the phone.
    If I understood well, I have to put User.cer and ACS_CA.cer on each phone and put the User_CA on the ACS?
    I already have a certificate on the ACS signed by a CA (like VeriSign), so I must create a CSR for every phone to be able to use the same CA?
    I'm thinking to also use the local EAP certificate of the controller to manage all of that, to avoid every potential payment to the trusted CA of the ACS.
    Can you help me to know if I understood everything right? I would be pleased to exchange experience on that.
    thanks ;)
    bye

    I am currently using EAP-TLS authentication for my wireless users using ACS 3.2. I have had that problem before. This is what I did...
    Set up a Microsoft Certificate server as my CA. You can use the same machine for your ACS and CA.
    Then, generate a certificate signing request from the ACS, then request a server certificate from the CA, then copy and install the certificate on the ACS. On the ACS, go to global authentication setup and check the EAP-TLS certificate. If it fails to respond, it means that the server certificate is not properly set up.
    On the Windows XP clients, connect your machine using wired LAN, then request a certificate from the CA (the same CA that you have used for your ACS) using IE (ex. http://CAip/certsrv), but this time request a client certificate. The name you put when requesting the cert must be your local Windows user; use 1024, choose Microsoft Base Cryptographic Provider 1.0, then install the certificate on the client. Verify that your client certificate was installed properly.
    At that point you should be able to connect your wireless client using EAP-TLS.

  • WLC Local EAP-TLS auth, certificate ACL feature?

    Hi All,
    I implemented local EAP-TLS authentication according to http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080851b42.shtml. All is working fine: clients - Wi-Fi bar code scanners, WLC - 2x4402, SV - 7.0.116.0, certificates generated by an Enterprise CA.
    Afterwards, I discovered that certificates cannot be filtered by CN or user name on the WLC. It means that ANY certificate issued by the CA will be authenticated against my WLAN. The CA issues a whole lot of certificates (RRAS VPNs, web clients, etc.). I want to filter access for my wireless clients using the local EAP solution (the WLCs are at a remote location). Can I accomplish it without an external RADIUS server? Something like an IOS certificate ACL?
    Thanks in advance.

    Thanks Nicolas, sad but true, I failed to find any possibilities on the WLC.
    It seems I need to configure an external RADIUS and use local EAP only in case of WAN failure.

  • Wlc local EAP Help

    Hi guys,
    I need to set up my WLC as a local EAP authenticator.
    I created a new WLAN (test1) and associated it to a dynamic interface.
    layer 2 security--->wpa+wpa2+auth(802.1x)
    aaa server-->local eap
    I created a local-eap profile where I checked PEAP.
    I created a local-database user.
    My wireless PC card was not able to work.
    Did I miss any step?
    thx..
    Ale.

    Follow these steps in order to configure the devices for EAP authentication:
    1. Configure the WLC for basic operation and register the Lightweight APs to the controller.
    2. Configure the WLC for RADIUS authentication through an external RADIUS server.
    3. Configure the WLAN parameters.
    4. Configure Cisco Secure ACS as the external RADIUS server and create a user database for authenticating clients.
    For further details on the configuration, follow this URL; it will help you:
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080665d18.shtml

  • Wlc 2100 with local eap auth

    Hello
    I have set up a WLC 2125 with local EAP auth, which I think is working fine for now.
    But I don't want a certificate warning to come up when users log in.
    Can I stop this from happening without buying a certificate?
    Can I turn off HTTPS altogether?
    Trond

    Thank you Trond,
    So here we are talking about web authentication, which does not use local EAP, so I am not sure whether the local EAP profile is really being triggered for that.
    Clients are being prompted with the WLC's self-signed certificate, more or less in the same way as they would be if they tried to log in to the WLC via HTTPS.
    Similarly, the fastest way would be to install this certificate on the user's machine, so that it can trust it from that moment on.
    Or you can generate a certificate signing request for the WLC, submit it to a root CA / buy a root-CA-signed server certificate (with the root CA trusted by the clients) and then install this certificate on the WLC:
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00806e367a.shtml
    For web authentication, there is no way to switch to HTTP for the WLC's certificate validation.
    Regards,
    Fede
    If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

  • Local eap-tls drawbacks

    Planning on implementing EAP-TLS for wireless security and trying to wrap my brain around what will be lost if I use local EAP-TLS vs. an external RADIUS server for authentication of the certificates. I thought I saw in some older posts (3+ years) that there is no CRL available when using the controller as the built-in RADIUS. I am running on a 3650 as the integrated WLC. If I can tidy up the wireless solution so I don't have to utilize an external RADIUS server (this would be the first necessity to have an external RADIUS server for this org), then it would be nice to keep it simple. I am planning on doing "computer only" auth for some clients, and the ability to invalidate their cert would likely push me to the external RADIUS server - I just don't know if there are any other trade-offs by using the built-in RADIUS.
    I also saw that you can't specify a RADIUS server for anything else on the switch or the local built-in RADIUS won't work, but then saw conflicting info: "You can disable RADIUS authentication for a given WLAN by using “config wlan radius_server auth disable wlan_id” CLI command." at this great page http://mrncciew.com/2013/04/21/configuring-local-eap-on-wlc/
    but don't know if this is true or not either. I would like to know if I am locking myself into never having an external RADIUS server if I go down the local EAP-TLS path.
    Thanks,
    Brian

  • Local EAP with PEAP

    Hi, my name is Ivan.
    I have a question:
    How can I configure local EAP in a Cisco Wireless LAN Controller with Active Directory, using PEAP MSCHAPv2 to authenticate the users in the WLAN? Do you have any documents on how to do it?
    thanks for your answers
    Regards.
    Ivan.

    Hi,
    You cannot directly integrate AD into the WLC; we need the RADIUS in between.. so we need either IAS or the ACS server in the middle.
    The only other way is to use WLC + LDAP, and here is the link..
    http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a008093f1b9.shtml
    Or PEAP using Microsoft IAS..
    http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080921f67.shtml
    Lemme know if this helps and please don't forget to rate the useful posts!!
    Regards
    Surendra

  • Is local EAP + Web Authentication possible in Auto Anchor Configuration

    Hi,
    I have a wireless network set up in an auto-anchor configuration with foreign and anchor controllers. Due to the foreign controller being owned and managed by another company, I have an interesting authentication scenario I would like to achieve. We can't implement full EAP-TLS as we would have to allow authentications from the foreign controller, which is owned and managed by another company.
    Currently Web Authentication is working correctly for the wireless network. As another layer of security, I want to know if it's possible for the wireless clients to trust a certificate installed on the foreign controller? If so, are you able to point me in the direction of a user guide to implement it?
    I found the following document which describes local EAP configuration. Would this work with Web Authentication?
    Thanks

    So, kinda but no. EAP is a layer 2 authentication that uses encryption as well.
    WebAuth is a layer 3 authentication only.
    Now the kinda....you can create guest/network users in the WLC local database, and if someone logs in to the webauth portal with those credentials they will be able to get on.
    I'm not really sure what you are looking to do based on your post.
    Personally, if I had users that were going to roam to this controller, I'd work with that company's IT and get it linked to my AAA server and keep the EAP-TLS that I already had working going. Just because that WLC would be able to communicate with your AAA doesn't mean their users would be able to get on, as they wouldn't have the machine or client certificate nor the Root CA cert on their machines.
    HTH,
    Steve

  • Local EAP + stand-alone HREAP ?

    What version of WLC software supports local EAP in stand-alone HREAP mode? Does 4.2M support it? I can't seem to find anything in the 5.x/6.x release notes, and can't currently upgrade to test.

    Never mind, I found my answer: I need 5.0 to support that.
    Controller software release 5.0.148.0 contains two new hybrid-REAP group features:
    Backup RADIUS server-You can configure the controller to allow a hybrid-REAP access point in standalone mode to perform full 802.1X authentication to a backup RADIUS server. You can configure a primary RADIUS server or both a primary and secondary RADIUS server.
    Local authentication-You can configure the controller to allow a hybrid-REAP access point in standalone mode to perform LEAP or EAP-FAST authentication for up to 20 statically configured users. The controller sends the static list of usernames and passwords to each hybrid-REAP access point when it joins the controller. Each access point in the group authenticates only its own associated clients. This feature is ideal for customers who migrate from an autonomous access point network to an LWAPP hybrid-REAP access point network and do not need to maintain a large user database nor add another hardware device to replace the RADIUS server functionality available in the autonomous access point.

  • WLC 526 Corrupted image

    Hi;
    I searched the portal but could not find the solution to my problem, which is the WLC 526's corrupted image. Available commands:
    grub> help
    blocklist FILE boot
    bootp [--with-configfile] cat FILE
    chainloader [--force] FILE color NORMAL [HIGHLIGHT]
    configfile FILE dhcp
    displayapm displaymem
    find FILENAME geometry DRIVE [CYLINDER HEAD SECTOR [
    halt [--no-apm] help [--all] [PATTERN ...]
    hide PARTITION ifconfig [--address=IP] [--gateway=IP]
    initrd FILE [ARG ...] kernel [--no-mem-option] [--type=TYPE]
    makeactive map TO_DRIVE FROM_DRIVE
    md5crypt module FILE [ARG ...]
    modulenounzip FILE [ARG ...] pager [FLAG]
    partnew PART TYPE START LEN parttype PART TYPE
    rarp reboot
    root [DEVICE [HDBIAS]] rootnoverify [DEVICE [HDBIAS]]
    serial [--unit=UNIT] [--port=PORT] [-- setkey [TO_KEY FROM_KEY]
    setup [--prefix=DIR] [--stage2=STAGE2_ terminal [--dumb] [--no-echo] [--no-ed
    terminfo [--name=NAME --cursor-address testvbe MODE
    tftpserver IPADDR unhide PARTITION
    uppermem KBYTES vbeprobe [MODE]
    grub> initrd FILE
    Error 19: Linux kernel must be loaded before initrd
    grub>
    How can I recover the WLC's image?
    Thanks

    Thanks for the response. It seems you cannot boot from the backup image on a WLC 526:
    http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a00809bcf7e.shtml
    I sent my product to Cisco.
    Thanks

  • Local EAP - Using PEAP

    I have a question with regards to Local EAP. After you have created your Local EAP profile and applied it to an SSID, a client with the appropriate certificate and local net user ID is authenticated. Once the user is authenticated, does the client re-authenticate as he roams? Are his credentials cached on the controller?

    If the client roams across access points on the same controller, I don't think the client will have to re-authenticate as long as your client supports CCXv2 which supports CCKM (Cisco Centralized Key Management) for LEAP authentication.
    http://www.cisco.com/web/partners/pr46/pr147/program_additional_information_new_release_features.html
    You can use this command on the controller to see the pairwise-master key cache.
    show pmk-cache all

  • 5508 WLC - 7.0.98.218 - Local users password reset

    We are required to change passwords every so often at my job. I am trying to change the password for one of the local user accounts on a 5508 WLC running 7.0.98.218 - How can I accomplish this task? The only option I get is to remove the users. Any help would be much appreciated.
    Thanks,
    marramix01

    Hi,
    I think you're speaking about the LOCAL NET USERS list on the WLC..
    I am able to change that on my WLC..
    It's .. WLC GUI >> SECURITY >> LOCAL NET USERS >> Click on the local user >> Edit it >> Apply.
    Click on the name which is under USERNAME and you will be able to edit it!!
    Lemme know if this helps and please don't forget to rate the useful posts!!
    Regards
    Surendra

  • WLC 2100 guest access with local web authentification

    Hello, I tried to create guest access with local web authentication.
    My laptop is connected to the WLAN, but my browser doesn't ask for my login and password.

    Please refer to the following links:
    http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/69340-web-auth-config.html
    http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/115951-web-auth-wlc-guide-00.html

  • PEAP with Local EAP - Possible to export Controller certificate to client?

    Hi
    Looking at deploying 7925Gs using 802.1x PEAP authentication. The phones will be authenticated by the wireless LAN controllers.
    I'd like to enable the "Validate Server Certificate" option on the phones; that requires me to download the certificate from the authentication server (the WLC). I just want to use the built-in cert in the controller.
    Is it possible to export the cert from the controller to the phone? If so - how?
    TIA

    AFAIK it isn't possible to export the server certificate from the controller.

  • WLC 5508 Local Authentication- need guidance

    Hi forumers,
    I have the combo of WLC 5508 (ver 7.0) and AP1041n; I just want to ask how I can do local authentication.
    The environment doesn't have ACS and no directory services (AD or LDAP).
    Requirement:
    Say I have one WLAN named "admin". Wherever a user wants to connect to this SSID, they need to be prompted for username/password,
    and the user's entry is stored on the WLC.
    I create the user under local net users and map it to the appropriate WLAN.
    On the WLAN, I enable local EAP and select the profile that I created.
    PROBLEM STATEMENT:
    The moment I test, it always prompts to input EAP-TTLS domain\username, password (token).
    Question
    a. Is anything wrong with my settings? How does local authentication really work with no ACS and directory services running at the back?
    b. Can you please post any useful document URL or any supportive info? It will be very helpful.
    Thanks
    Noel

    Surendra's document may refer to local authentication with an LDAP database, but you could follow it without doing the LDAP part, and the users will be stored in the local net users of the WLC.
    You could also follow the WLC config guide in the "Local EAP" chapter.
    The concerning part in your description is that your laptop prompts for EAP-TTLS. That means that you configured your laptop for that method. The WLC only does PEAP/EAP-FAST.
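
As an added illustration of the mismatch described in that answer (example code written for this page, not Cisco's and not from the thread): a simulated EAP method negotiation per RFC 3748 between an authenticator that, like the WLC local EAP profile, offers only PEAP and EAP-FAST, and a supplicant configured for EAP-TTLS. The method type numbers are the IANA-registered values; the identity string is a constructed placeholder.

```python
import struct

# EAP codes and method type numbers (RFC 3748 and the IANA EAP method registry)
EAP_REQUEST, EAP_RESPONSE = 1, 2
TYPE_IDENTITY, TYPE_NAK = 1, 3
METHODS = {13: "EAP-TLS", 17: "LEAP", 21: "EAP-TTLS", 25: "PEAP", 43: "EAP-FAST"}

# What the two sides in the thread support: the WLC local EAP profile offers
# PEAP and EAP-FAST; the laptop was configured for EAP-TTLS only.
WLC_LOCAL_EAP_PROFILE = [25, 43]
LAPTOP_SUPPLICANT = [21]


def build_eap(code, ident, eap_type, data=b""):
    """Encode one EAP packet: Code(1) Identifier(1) Length(2) Type(1) Type-Data."""
    body = bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_eap(pkt):
    """Decode an EAP Request/Response; the Length field must cover the whole packet."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 5:
        raise ValueError("malformed EAP packet")
    return code, ident, pkt[4], pkt[5:]


def supplicant_reply(request, supported):
    """Supplicant side: answer Identity, accept a supported method, otherwise send
    a Nak listing the methods it is willing to use (RFC 3748 section 5.3)."""
    _, ident, etype, _ = parse_eap(request)
    if etype == TYPE_IDENTITY:
        return build_eap(EAP_RESPONSE, ident, TYPE_IDENTITY, b"user@example.lab")  # constructed identity
    if etype in supported:
        return build_eap(EAP_RESPONSE, ident, etype)  # the method itself would continue from here
    return build_eap(EAP_RESPONSE, ident, TYPE_NAK, bytes(supported))


def negotiate(authenticator_methods, supplicant_methods):
    """Authenticator side: returns (agreed method name or 'EAP-Failure', transcript)."""
    transcript = ["Request/Identity -> Response/Identity"]
    supplicant_reply(build_eap(EAP_REQUEST, 1, TYPE_IDENTITY), supplicant_methods)
    ident, method = 2, authenticator_methods[0]
    while True:
        resp = supplicant_reply(build_eap(EAP_REQUEST, ident, method), supplicant_methods)
        _, _, rtype, rdata = parse_eap(resp)
        if rtype == method:
            transcript.append(f"Request/{METHODS[method]} -> Response/{METHODS[method]}")
            return METHODS[method], transcript
        wanted = [m for m in rdata if m in authenticator_methods]  # Nak list vs. what we can offer
        transcript.append(f"Request/{METHODS[method]} -> Response/Nak {[METHODS.get(m, m) for m in rdata]}")
        if not wanted:  # nothing in the Nak list is configured on this side: EAP-Failure
            transcript.append("EAP-Failure")
            return "EAP-Failure", transcript
        ident, method = ident + 1, wanted[0]


if __name__ == "__main__":
    for line in negotiate(WLC_LOCAL_EAP_PROFILE, LAPTOP_SUPPLICANT)[1]:
        print(line)
```

Running it with the thread's combination ends in EAP-Failure after a single Nak, which is what the laptop's EAP-TTLS prompt against a PEAP/EAP-FAST-only profile comes down to; adding EAP-FAST on the supplicant side lets the same exchange settle on EAP-FAST.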
