WLC 5508 Web Auth and EAP / PEAP

Morning all, I'm looking for some clarification.
Current setup:
I work in a school; a few years ago I installed a 4400 WLC and several APs as a proof of concept exercise to see whether wireless technology would be of benefit to teaching and learning. It was deemed to be so.
This summer I installed 2 x 5508 WLCs and increased AP coverage to 50 - copied over the configs from the old controller - all works fine.
Currently only the staff can access the WLANs with the exception of a public WLAN in the canteen area.
Because there are a limited number of devices, WPA2 in conjunction with MAC filtering was used. However the school wants to open the wireless network to all of the students - potentially this means up to 1000 devices that will no doubt change on a regular basis so MAC filtering is out.
In line with child protection policies I need an 'auditable' trail when students access wireless resources.
Planned setup:
I have set up a test WLAN that uses Web Auth - the WLC is configured to pass authentication requests (through an ASA) onto a RADIUS server which is tied into AD. I have a CA set up as well as a NAP server.
There is no layer 2 security set on the test WLAN and layer 3 is just web authentication. From any mobile device I can authenticate against AD and gain access to the Internet.
Clarification:
With no layer 2 security the WLAN is exposed so I need to introduce some form of end to end encryption - so I am looking at deploying EAP / PEAP.
Would the introduction of EAP / PEAP keep the network as secure as if I was using WPA2 ?
Many thanks.

If you are using web authentication you cannot use dot1x as L2 security, so EAP is not an option.
But you can use preshared security, like WPA2 AES with web auth, to ensure that the traffic is encrypted.
Or you can define a WLAN profile with dot1x security on L2 and nothing on L3; by doing so you would definitely hit the utmost security possible.
Check the following link, which contains a couple of EAP config examples:
http://www.cisco.com/en/US/partner/tech/tk722/tk809/tech_configuration_examples_list.html
Please make sure to rate correct answers

Similar Messages

  • WLC 5508 Web Auth Splash Page: Is it possible to place a download?

    Hi,
    I know it is possible to create custom web auth splash pages on the WLC 5508. Is it also possible to embed a small document (less than 1MB) that users can download directly from the controller? I need this for providing the terms of use for the Guest WLAN.
    Thanks
    Michael

    It could be done, but you will want to stay within the limits of the WebAuth bundle size (~ <10MB I believe).  This shouldn't be a problem considering a .doc size, but I have to ask the same question.   Why would you want to do this as opposed to just putting your terms of use inline to the page as just text/html?  Maybe there is a good reason, but I can't really think of any scenario.  Feel free to elaborate.

  • WLC2112 with Guest / Web-Auth and vlan

    Hi
    I'm trying to configure my WLC with guest SSID and vlan 10.
    The security is only set to Web-auth, and it is all working if the guest network is set to native VLAN (1). But it seems that the http(s)://1.1.1.1/login.html is not reachable from the guest SSID/VLAN??
    Please help.
    Management IP Address 192.168.14.252
    Software Version 6.0.182.0
    Emergency Image Version
    I have tried with ver. 5.2 also -

    I think that 1.1.1.1 is only reachable from a wireless client during webauth. They should not be able to reach that address once they have passed through the web auth page.
    Don't know if that helps, or not.

  • EAP-TLS with WLC 5508, Microsoft NPS and custom EKU OIDs

    We are trying to implement EAP-TLS with client certificates that have a custom EKU OID to distinguish the WLAN clients. The Microsoft Press book
    Windows Server 2008 PKI and Certificate Security gives an example on how to configure a policy in NPS that matches specific EKU OIDs. At the moment we have two policies that have an allowed-certificate-oid configured that matches the OIDs in our certificates, but our setup is not working as expected. Authentications will only be successful if the client authenticates with the certificate that is matched by the first policy rule.
    For example:
    Policy 1: allowed-certificate-OID --> corporate
    Policy 2: allowed-certificate-OID --> private
    Client authenticates with EKU corporate --> success
    Client authenticates with EKU private --> reject
    My expectation was that if Policy 1 does not match, the NPS goes over to Policy 2 and tries to authenticate the client.
    Has anyone a similar setup or can help to figure out what is going wrong?
    We have a WLC 5508 with Software Version 7.4.100.0 and an NPS on a Windows Server 2008 R2
    regards
    Fabian

    The policy rejects and the NPS goes to the next policy only if the user does not belong to the configured group.
    This means I need to have one AD group per application policy, but that will not solve my problem. A user could belong to more than one group, depending on how many devices he/she has. It will work only with one group for each user, because the first policy that matches an AD group the user belongs to could have an OID that is not in the certificate. This would cause a reject with reason code 73:
    The purposes that are configured in the Application Policies extensions, also called Enhanced Key Usage (EKU) extensions, section of the user or computer certificate are not valid or are missing. The user or computer certificate must be configured with the Client Authentication purpose in Application Policies extensions. The object identifier for Client Authentication is 1.3.6.1.5.5.7.3.2.
    The certificate does include this OID but not the custom EKU.
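    Worked example, added here and not taken from the thread or from Microsoft: a pure-Python decoder for the DER value of an X.509 Extended Key Usage extension (a SEQUENCE OF OBJECT IDENTIFIER), with the two checks the reason-code-73 text above implies applied in order. The Client Authentication OID 1.3.6.1.5.5.7.3.2 comes from the quoted NPS message; the "corporate" and "private" OIDs under 1.3.6.1.4.1.99999 are constructed placeholders, not the poster's real values, and evaluate_policy() is an illustration of the matching order, not NPS code.

```python
"""Decode an X.509 Extended Key Usage (EKU) extension value and check it
against one policy's OID, in the order the NPS reason-code-73 text implies.

Added example, standard library only. The custom OIDs are constructed
placeholders; evaluate_policy() illustrates the check order and is not NPS.
"""

# From the NPS error text quoted above: the Client Authentication purpose.
CLIENT_AUTH_OID = "1.3.6.1.5.5.7.3.2"
# Constructed placeholder OIDs standing in for the poster's custom EKUs.
CORPORATE_OID = "1.3.6.1.4.1.99999.1.1"
PRIVATE_OID = "1.3.6.1.4.1.99999.1.2"


def _base128(n: int) -> bytes:
    """Encode one OID sub-identifier: 7 bits per byte, MSB set on all but the last."""
    out = bytearray([n & 0x7F])
    n >>= 7
    while n:
        out.insert(0, 0x80 | (n & 0x7F))
        n >>= 7
    return bytes(out)


def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def encode_oid(dotted: str) -> bytes:
    """DER TLV (tag 0x06) for a dotted OID; the first two arcs share one sub-id."""
    arcs = [int(a) for a in dotted.split(".")]
    body = _base128(40 * arcs[0] + arcs[1]) + b"".join(_base128(a) for a in arcs[2:])
    return b"\x06" + _der_len(len(body)) + body


def encode_eku(oids) -> bytes:
    """EKU extension value: SEQUENCE (tag 0x30) OF OBJECT IDENTIFIER."""
    inner = b"".join(encode_oid(o) for o in oids)
    return b"\x30" + _der_len(len(inner)) + inner


def _read_len(buf: bytes, pos: int):
    """Parse DER length octets at pos; return (length, position after them)."""
    first = buf[pos]
    pos += 1
    if first < 0x80:
        return first, pos
    n = first & 0x7F
    return int.from_bytes(buf[pos:pos + n], "big"), pos + n


def decode_oid_body(body: bytes) -> str:
    """Inverse of encode_oid's body: split base-128 sub-ids, unpack the first two arcs."""
    subids, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(value)
            value = 0
    first = subids[0]
    if first < 40:
        arcs = [0, first]
    elif first < 80:
        arcs = [1, first - 40]
    else:
        arcs = [2, first - 80]
    return ".".join(str(a) for a in arcs + subids[1:])


def decode_eku(der: bytes) -> list:
    """Return the dotted OIDs inside an EKU extension value."""
    if not der or der[0] != 0x30:
        raise ValueError("EKU value must start with a SEQUENCE tag")
    seq_len, pos = _read_len(der, 1)
    end, oids = pos + seq_len, []
    while pos < end:
        if der[pos] != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER inside EKU SEQUENCE")
        oid_len, pos = _read_len(der, pos + 1)
        oids.append(decode_oid_body(der[pos:pos + oid_len]))
        pos += oid_len
    return oids


def evaluate_policy(eku_der: bytes, policy_oid: str) -> str:
    """Illustrative check order: the generic Client Authentication purpose is
    required first (reason 73 if absent); only then is the policy's own OID
    compared. A certificate carrying a different custom OID is rejected here,
    matching the reject the thread reports when the first matching policy's
    OID is not the one in the certificate."""
    oids = decode_eku(eku_der)
    if CLIENT_AUTH_OID not in oids:
        return "reject: reason 73 (Client Authentication EKU missing)"
    if policy_oid not in oids:
        return "reject: policy OID not present in certificate EKU"
    return "accept"


if __name__ == "__main__":
    corp_cert_eku = encode_eku([CLIENT_AUTH_OID, CORPORATE_OID])
    priv_cert_eku = encode_eku([CLIENT_AUTH_OID, PRIVATE_OID])
    print(corp_cert_eku.hex(), decode_eku(corp_cert_eku))
    print("policy corporate, corporate cert:", evaluate_policy(corp_cert_eku, CORPORATE_OID))
    print("policy corporate, private cert:  ", evaluate_policy(priv_cert_eku, CORPORATE_OID))
```

    Run it to see the raw EKU bytes a certificate viewer would show (06 08 2b 06 01 05 05 07 03 02 is the Client Authentication OID) next to the decoded list, and how a certificate that is fine for its own policy still produces a reject when the wrong policy is evaluated first.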

  • WLC Custom Web Auth Bundle sample .tar file is not on WCS

    The WLC documentation would make it appear (or maybe previously) you should download a sample web auth bundle code from the WCS Templates. I was never able to find a sample .tar file on the WCS 7.0.172.0 templates.
    However I found on Cisco.com under Support > Downloads > Products >Wireless> Wireless LAN Controller Standalone Controllers> Cisco 5500 Series Wireless Controllers > Cisco 5508 Wireless Controller > Wireless Lan Controller Web Authentication Bundle-1.0.2  > webauth_bundle-1.0.2.zip
    It was updated in June 2011, some pretty good sample html code.
    The readme.html in the sample webauth_bundle-1.0.2.zip file has been very helpful, almost as good as the support community web page on custom web auth.
    https://supportforums.cisco.com/docs/DOC-13954

    WCS config guide 7.0.172 is correct
    http://www.cisco.com/en/US/docs/wireless/wcs/7.0MR1/configuration/guide/temp.html#wp1129979
    The bundle in WCS is downloaded through :
    configure->controller
    "select a command"-> download customized webauth bundle.
    Just tested it and it was there.
    The one on cisco.com is better though

  • EAP TLS for machine and EAP PEAP for user

    Hi forum
    I am doing a design to use ISE to enforce dot1x for corporate machines on both wired and wireless.
    Due to the particular environment, we will need to use EAP-TLS for machines auth and on top of that use EAP-PEAP for user auth with windows credential and posture for full access.
    Just wondering if anyone has done this before:
    1. Will this work?
    2. Any gotchas?
    3. what is the user experience like?
    All machines are win7 based.
    Thanks

    You cannot use the native supplicant for this. Cisco AnyConnect NAM will allow you to use this method. It is very simple to configure and deploy.
    Tarik Admani
    *Please rate helpful posts*

  • ISE Profiling for Wireless Devices (WLC 5508) like Laptops and Mobile Devices

    Hi,
    We have integrated the WLC 5508 with Cisco ISE 3315 with ios 1.1.1 and are using the Guest Sponsor portal for wireless guest users.
    We have created an open SSID in the WLC and redirect to the web login portal in the WLC for guest users. We have enabled all respective nodes in policy service for profiling and also configured SNMP in the WLC as well as in ISE.
    When a guest user is connected to the open SSID it gets redirected to the web login page of the ISE portal, and when it logs in we are only able to see the username the guest user logged in with, but not the end device in the monitoring log.
    Wireless end devices are not able to get profiled. Can anyone tell me what configuration I need to do on the ISE or WLC side to profile end guest wireless devices like Android, iPhone and laptops?
    Thanks
    Pranav

    Hi Tarikh,
    I only want to identify the end devices for wireless guest users. I have configured MAB authentication and configured an authorization policy where I mention identity group any, condition as WLC web authentication, and authorization profile only guest, mentioning plain access for the same.
    Can you help me with how I can achieve profiling for wireless guest devices? I have configured all profiling probes and enabled SNMP on the WLC as well as in network devices.
    What else do I need to configure to achieve just identifying devices, nothing but profiling, which should reflect in authentication logs?
    Thanks
    Pranav

  • WLC 4402 web auth Internal login page

    Hi,
    We recently upgraded our code on our wlc and now our internal web auth page has a nice teal colored L shaped bar in the right upper part of the screen.
    Is there a way to edit the internal web auth page other than just uploading a new bundle to the box?
    When I view the source of the preview page I can see the exact coding that is causing the issue.
    Thanks for any ideas.
    Code 4.1.185.0
    Craig

    The only way is to customize the code and then upload it to the WLC as a tar file. Of course, you will have to set the WLC to custom webauth and not internal webauth.

  • WLC Customized Web Auth

    Can I have a customized web auth portal loaded into the WLC? Or do I need to have an external server and load the customized web auth?

    Here is a link
    http://www.cisco.com/cisco/software/release.html?mdfid=282600534&flowid=7012&softwareid=282791507&release=1.0.2&relind=AVAILABLE&rellifecycle=&reltype=latest

  • EAP-TLS and EAP-PEAP Clients

    Hi guys
    I have installed a dot1x solution for a customer using ISE. The IP phones have certificates from the CUCM server. In ISE a wired-dot1x policy with EAP-TLS enabled is configured so that when IP phones or PCs connect to the network they get authenticated using EAP-TLS. I have the required certificates imported on the PCs and the ISE server. That part works absolutely fine.
    Now I have been asked to configure EAP-PEAP for video end points which doesn't support EAP -TLS.
    The endpoints are configured with a username and password. The credentials are created in ISE server.
    I create a second policy for wired dot.1x with EAP - PEAP enabled
    The problem I am hitting is that if the PC and phone policy is on top, the phone and PC get authenticated, but the video endpoint doesn't. I get authentication error messages saying certificate expected but received credentials.
    When I move the video endpoint authentication rule above the PCs and phones, the video endpoints get authenticated successfully, but PC and phone authentication breaks. The error message I receive says username and password expected but received a certificate based authentication.
    Has anyone seen this type of scenario ? Any idea how to make EAP -PEAP and EAP TLS authentication work together ?
    Thanks in advance.
    Sent from Cisco Technical Support iPad App

    Hi,
    There are two ways you can tackle this with ISE, I will start with the easiest one and then the other one to cover your options.
    You need to create an identity store sequence. This allows you to mix both certificate based and password based authentications; keep in mind that you can only map one Certificate Authentication Profile when using identity store sequences. More information about configuring this is provided below:
    http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_man_id_stores.html#wp1117203
    The next option would be to use the authentication policy configuration to map the patterns of the username (if common with your video endpoints), to forward their requests to the internal identity store. You can use regex to make this work and you can check for the radius username attribute.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • WLCs 5508, HA enabled and Internal DHCP

    Hi:
    Designing a new project for a customer in which a pair of WLC-5508 and a bunch of AP-3602I will be deployed.
    Controllers running 7.4 image, and I'd also like to use them as internal DHCP servers for clients in different WLANs
    As for the redundancy mechanism I'd go for activating HA (AP-SSO) but I know HA and internal DHCP server can't coexist.
    So, my question is: does anyone know if Cisco is thinking of implementing both features in any new version to come? The goal would be the Active controller handing over all leases database in case of active to standby switchover.
    Thx!
    Juan.

    As you already know, HA and DHCP cannot coexist on the WLC. So far there is no plan from Cisco to implement this.

  • WLC 4400/Web Authentication and proxy autodiscovery

    We have a guest-SSID where people authenticate via the built-in web authentication and RADIUS.
    We use proxy autodiscovery (WPAD, DHCP option 252) in our network and this works on the guest-SSID, but only after the authenticated user closes and opens Internet Explorer. It seems that restarting Internet Explorer triggers the WPAD discovery process.
    My question is if there is a smarter way to push proxy settings to guest users without user intervention? How did you solve this?
    Regards,
    Rutger

    The reason you need to restart IE is because the WLC will be blocking the initial discovery messages from IE to the proxy because the user won't have authenticated yet. When the user authenticates, closing / opening IE triggers the discovery messages through, which are now allowed to pass to the proxy.
    The most fool-proof way I've come across is to use Transparent URL Redirection. This is something you can set up on a PIX / ASA, but it requires a compatible WebProxy / WebFilter - I've used WebSense, but I believe other products should work too.
    Lots of documentation about how to achieve this via CCO.
    Regards,
    Richard

  • Big problem with Nokia E60 and EAP-PEAP connection

    At our University we have Wlan now.
    The LAN is based on the standard 802.11 b/g with 54 Mbit/s
    The authentication is based on the standard 802.1x (PEAP) with the connection WPA/TKIP.
    My Firmware:
    V3.0633.09.04
    20-11-06
    RM-49
    Nokia E60
    My Configuration:
    Connection Name: FH-Hof
    Data Bearer:Wireless LAN
    WLAN netw.Name: FHHof
    Network status: Hidden
    WLAN netw.mode: Infrastructure
    WLAN security Mode: WPA/WPA2
    WLAN security settings:
    WPA mode: EAP
    TKIP-Security: allowed
    EAP plugin settings:EAP-PEAP
    User Cert: not defined
    CA Cert: CA-FH-Hof
    username in use: User configured
    username: aschmidt
    realm in use: user configured
    realm: FH-Hof
    Allow PEAPv0: yes
    Yes for v1 and v2
    EAP: EAP-mschapv2
    Username: aschmidt
    prompt password: Yes
    password: entered my password
    Extended Settings:
    IPv4-Settings: No Changes
    IPv6-Settings: No Changes
    Proxyserver-Address: proxy.fh-hof.de
    Proxy-Port-Number: 3128
    When I start to try the connection I have to enter my username and my password. After that the phone asks me for my username and password again after a while.
    Then it takes about one minute and the connection fails.
    The error message is: No Connection! WPA authentication failed.
    My account is not blocked.
    Do I have to enter any ciphers?
    Thanks for every help and sorry for my bad English!
    EDIT: Removed non-English link

    also try changing "WLAN security Mode" from WPA to 802.1x
    I think Nokia refers to WPA as WPA-PSK, but when you say TKIP then it also could be 802.1x, as TKIP is the encryption used.
    So in fact your wireless domain might be an 802.1x/EAP-PEAP/MS-CHAPv2 network.

  • Integration between WLC WEb auth and NGS

    I'm trying to integrate WLC and NGS and am getting this error message:
    Preauthentication ACL needs to be configured/selected for external webauth to work.
    Where do I need to configure ACL?
    Thanks

    Hi Surendra,
    Thanks for the links.
    Even though I'm using the 5500 WLC I still need to add the ACL!
    Looking at the attachment, if I permit ANY source and dest, then I can connect to the internet, but it didn't go through the login page and ask for the username and password; I could access the Internet without any authentication. If I set the rules as shown in the attachment, it gets me to the logon page (which is good) but I could not log on. Here's the radius log:
    rad_recv: Status-Server packet from host 127.0.0.1 port 43507, id=90, length=38
            Message-Authenticator = 0xf7233fc3f00a133f273b87e9c2359199
    Sending Access-Accept of id 90 to 127.0.0.1 port 43507
    Finished request 111.
    Cleaning up request 111 ID 90 with timestamp +5120
    Going to the next request
    Ready to process requests.
    rad_recv: Access-Request packet from host x.x.x.164 port 32770, id=65, length=169
            User-Name = ""
            CHAP-Challenge =
            CHAP-Password =
            Service-Type = Login-User
            NAS-IP-Address = x.x.x.164
            NAS-Port = 1
            NAS-Identifier = ""
            NAS-Port-Type = Wireless-802.11
            Airespace-Wlan-Id = 10
            Calling-Station-Id = "x.x.x.x"
            Called-Station-Id = "x.x.x.164"
            Message-Authenticator =
    +- entering group authorize {...}
    [radius-user-auth]      expand: %{User-Name} ->
    [radius-user-auth]      expand: %{User-Password} ->
    [radius-user-auth]      expand: %{NAS-IP-Address} -> x.x.x.164
    [radius-user-auth]      expand: %{Calling-Station-Id} ->
    Exec-Program output:
    Exec-Program: returned: 1
    ++[radius-user-auth] returns reject
    Delaying reject of request 112 for 1 seconds
    Going to the next request
    Waking up in 0.7 seconds.
    Sending delayed reject for request 112
    Sending Access-Reject of id 65 to x.x.x.164 port 32770
    Waking up in 4.9 seconds.
    Cleaning up request 112 ID 65 with timestamp +5144
    Ready to process requests.
    What does this message mean: "++[radius-user-auth] returns reject"?
    Thanks for your time.
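    Added example (not the poster's code and not part of FreeRADIUS): a small parser for FreeRADIUS debug output like the excerpt above, turning each rad_recv block into a record and listing what the reject was visibly based on. The sample log is a constructed excerpt modelled on the lines quoted in the post. In that trace the Access-Request reached the server with an empty User-Name and empty CHAP attributes, the radius-user-auth exec script exited 1, which rlm_exec reports as reject, and the server answered Access-Reject; so the place to look is what the controller's login page forwarded, not the RADIUS user database.

```python
"""Parse FreeRADIUS debug output into per-request records and report what the
server actually received. Added example; SAMPLE_LOG is a constructed excerpt
modelled on the output quoted in the thread (addresses already anonymised
there as x.x.x.164)."""

import re
from dataclasses import dataclass, field
from typing import Optional

SAMPLE_LOG = """\
rad_recv: Status-Server packet from host 127.0.0.1 port 43507, id=90, length=38
        Message-Authenticator = 0xf7233fc3f00a133f273b87e9c2359199
Sending Access-Accept of id 90 to 127.0.0.1 port 43507
Finished request 111.
Ready to process requests.
rad_recv: Access-Request packet from host x.x.x.164 port 32770, id=65, length=169
        User-Name = ""
        CHAP-Challenge =
        CHAP-Password =
        Service-Type = Login-User
        NAS-IP-Address = x.x.x.164
        NAS-Port-Type = Wireless-802.11
        Airespace-Wlan-Id = 10
        Calling-Station-Id = "x.x.x.x"
        Called-Station-Id = "x.x.x.164"
        Message-Authenticator =
+- entering group authorize {...}
[radius-user-auth]      expand: %{User-Name} ->
Exec-Program: returned: 1
++[radius-user-auth] returns reject
Delaying reject of request 112 for 1 seconds
Sending Access-Reject of id 65 to x.x.x.164 port 32770
"""

RECV_RE = re.compile(r"^rad_recv: (\S+) packet from host (\S+) port \d+, id=(\d+), length=\d+")
ATTR_RE = re.compile(r"^\s+([A-Za-z0-9-]+) =\s*(.*)$")
EXEC_RE = re.compile(r"^Exec-Program: returned: (\d+)")
MODULE_RE = re.compile(r"^\+\+\[([^\]]+)\] returns (\w+)")
SEND_RE = re.compile(r"^Sending (Access-\w+) of id (\d+) to")


@dataclass
class RadiusExchange:
    kind: str                       # Access-Request, Status-Server, ...
    client: str                     # address the packet came from (the NAS)
    pkt_id: int                     # RADIUS packet identifier
    attrs: dict = field(default_factory=dict)
    module_results: list = field(default_factory=list)
    exec_rc: Optional[int] = None   # exit status of an rlm_exec script, if any
    reply: Optional[str] = None     # Access-Accept / Access-Reject sent back


def parse_log(text: str) -> list:
    """Group log lines under the rad_recv line that started each request."""
    exchanges, cur = [], None
    for line in text.splitlines():
        m = RECV_RE.match(line)
        if m:
            cur = RadiusExchange(m.group(1), m.group(2), int(m.group(3)))
            exchanges.append(cur)
            continue
        if cur is None:
            continue
        if (m := ATTR_RE.match(line)):
            # indented "Name = value" lines are the packet's attributes
            cur.attrs[m.group(1)] = m.group(2).strip().strip('"')
        elif (m := EXEC_RE.match(line)):
            cur.exec_rc = int(m.group(1))
        elif (m := MODULE_RE.match(line)):
            cur.module_results.append((m.group(1), m.group(2)))
        elif (m := SEND_RE.match(line)) and int(m.group(2)) == cur.pkt_id:
            cur.reply = m.group(1)
    return exchanges


def findings(ex: RadiusExchange) -> list:
    """Explain a reject from what the packet visibly carried."""
    notes = []
    if ex.kind != "Access-Request":
        return notes
    if "User-Name" in ex.attrs and ex.attrs["User-Name"] == "":
        notes.append("User-Name is empty: the NAS forwarded no identity")
    if not any(ex.attrs.get(k) for k in ("User-Password", "CHAP-Password")):
        notes.append("no password attribute carries a value")
    if ex.exec_rc == 1:
        # rlm_exec maps a script exit status of 1 to the 'reject' return code
        notes.append("rlm_exec script exited 1, which the module maps to 'reject'")
    return notes


if __name__ == "__main__":
    for ex in parse_log(SAMPLE_LOG):
        print(f"{ex.kind} id={ex.pkt_id} from {ex.client} -> {ex.reply}")
        for module, result in ex.module_results:
            print(f"  module {module}: {result}")
        for note in findings(ex):
            print(f"  finding: {note}")
```

    The same parser applies to a longer debug run: feed it the full output of radiusd -X and look at the findings for every Access-Request that ended in Access-Reject, rather than reading the trace by hand.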

  • PALM with WLC 4400 (Web Auth Portal)

    We cannot get the Web Portal splash page to display on wireless Palm units....the site simply hangs. Are there any fixes out there for this problem? Thanks for all replies!!

    Has anyone else seen this Palm/WebAuth issue or found a fix? I am seeing this on our Palm devices too. Running 4.x code with internal guest auth, laptops work just fine with the https://1.1.1.1 redirect, but the Palm just hangs. Could it be the certificate is not valid and the Palm has no way to prompt for that message like a laptop. Any ideas?
