Wlc local EAP Help

Hi guys,
i need to set ip my wlc as a local eap authenticator.
I create a new Wlan(test1) ad associated yo a dynamic interface.
layer 2 security--->wpa+wpa2+auth(802.1x)
aa server-->local eap
I created a local-eap profile where i checked PEAP
I create a local-database user
My wireless-pc card pc was not able to work.
did i miss any step?
thx..
Ale.

Follow the steps in order to configure the devices for EAP authentication :
1. Configure the WLC for basic operation and register the Lightweight APs to the controller.
2. Configure the WLC for RADIUS authentication through an external RADIUS server.
3. Configure the WLAN parameters.
4. Configure Cisco Secure ACS as the external RADIUS server and create a user database for authenticating clients.
For the further details for configuration follow the URL It will help you :
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080665d18.shtml

Similar Messages

  • WLC Local EAP-TLS auth, certificate ACL feature?

    Hi All,
    I implemented local EAP-TLS authentication according to http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080851b42.shtml. All is working fine, clients - Wi-Fi bar code scanners, WLC -2x4402, SV - 7.0.116.0 Certificates generated by Enterprise CA.
    Afterwards, I discovered that certificates cannot be filtered by cname, or user name on WLC. It means that ANY certificate issued by CA will be authenticated against my WLAN. CA issues a whole lot of certificates (RRAS VPNs, WEB clients, etc. ) I want to filter access for my wireless clients using local EAP solution (WLC are at remote location). Can I accomplish it without external RADIUS server? Something like IOS certificate ACL?
    Thanks in advance.

    Thanks Nicolas, sad but true, I failed to find any possibilites at WLC.
    It seems I need to configure external RADIUS and use local EAP only in case of WAN failure.

  • Authentication eap-tls on ACS or local EAP WLC over Lwapp and 7921

    Hi All,
    I install WLC to provide Wlan architecture and the project was extended for VoWLAN. we have 7921 and E51 running over the wide WLAN architecture.
    Computer using Data over wirless are working over PEAP done by ACS and CA signed certificate + user secret on PC is link to the domain account and secret stay the login and password. Our problem is that user and password is link via ACS to Active Directory. The policy of password is to change frequently.
    For the Phone we are actually running authentication over Leap but I'm working to define the best security solution for us.
    I confront PEAP and Eap-TLS for now:
    1) PEAP check the authentication of ACS via certificate trust and authenticate via MS-Chapv2 and the secret password known by user. My problem here is the phone can only be static what is potentially not acceptable
    2) Eap-tls which is the best secured security due to the double side certificate authentication + (login / password) on the phone
    so I need to manage here Certificate Management ? I mean I can use either the MIC CA certificate on the phone or User CA defined one which I can put on ACS or Local EAP WLC and the put the ACS CA trust on the Phone.
    If I understood well I have to put User.cer and ACS_CA.cer on each phone and pout the User_CA on the ACS ?
    I have already Certificate on the ACS signed by CA (like veri-signed) so I must create CSR for any phones to be able to use the same CA ?
    I'm thinking to use also the local Eap certificate of Controller to manage all of that to avoid every potential money to pay to the trust CA of ACS
    can you help me to know if I understood everything good ? I would be please to exchange experience on that
    thanks ;)
    bye

    I am currently using EAP-TLS authentication on my wireless users using ACS 3.2. I have had that problem before. This is what I did...
    Setup a Microsoft Certificate server as my
    CA. You can use same machine wih your ACS and CA.
    Then, generate certificate signing request from ACS then request a server certificate from CA then copy and install a certificate to ACS. On the ACS, go to global authentication setup check the EAP-TLS cetificate. If it failed to respond means that the server certificate is not properly setup.
    On the windows xp clients, connect your machine using wired LAN, then request a certificate from CA(the same CA that you have use to your ACS) using IE (ex. http://CAip/certsrv), but this time request a client certificate. The name you should put when requesting the cert must be you local windows user, use 1024, choose microsoft base cryptographic provider 1.0. then installl the certificate on the client. Verify you client certificate it i was installed properly.
    At that poit you should be able to connect you r wireless client using EAP-TLS.

  • Wlc 2100 with local eap auth

    Hello
    I have set up an wlc 2125 with local eap auth which I think is working fine for now.
    But I dont want it come up a certificate warning when user log in.
    Can I stop this from happening without bying a certificate?
    Can I turn of https all together?
    Trond

    Thank you Trond,
    So here we are talking about web authentication, which does not use local EAP, so not sure whether the local EAP profile is really being triggered for that.
    Clients are being prompted with a WLC's self-signed certificate, more or less in the same way as they would be if they tried to login to the WLC via HTTPS.
    Similarly, the fastest way would be to install this certificate on the user's machine, so that it can trust it from that moment on.
    Or you can generate a certificate signing request for the WLC, submit it to a root CA/buy a root CA signed server certificate (with the root CA trusted by the clients) and then install this certificate on the WLC:
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00806e367a.shtml
    For web authentication, there is no way to switch to HTTP for the WLC's certificate validation.
    Regards,
    Fede
    If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

  • WLC 526 - 5.2.157.0 local eap

    hi all,
    For customer solution, I tried use WLC 526 with 5.2.157.0 (in release notes, local eap mentioned as new funkcionality, but when I configured it by WLC release 5.0 configuration guide - it doesnt work.
    from sh wlan <ID> command i always see that,
    Local EAP Authentication......................... Disabled
    and CLI command (config wlan local-auth enable profile_name wlan_id) cannot be used and on GUI for that WLAN, enabling local eap is missing...
    I also tried fw: 5.2.178.0 with same result
    Any advice ??? Maybe BUG (not find)???
    Thanks
    LUKAS

    Ensure you have created the correct profile. Use this document to Configure Local EAP on the WLC.
    http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a008093f1b9.shtml#wlc

  • Local EAP with PEAP

    Hi my name is Ivan
    I have a question:
    How can i configuring local eap in cisco wireless lan controller  with active directory and using PEAP MSCHAPv2 to authenticate the users in the wlan? Do you have any documents to do it?.
    thanks for your answers
    Regards.
    Ivan.

    Hi,
    You cannot directly integrate AD into the WLC< we need the RADIUS in between.. so we need Either IAS or the ACS server in the middle.
    The only other way is to use WLC + LDAP and here is the link..
    http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a008093f1b9.shtml
    Or PEAP using Microsoft IAS..
    http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080921f67.shtml
    Lemme know if this helps and please dont for get to rate the usefull posts!!
    Regards
    Surendra

  • Local eap-tls drawbacks

    Planning on implementing EAP-TLS for wireless security and tryingto wrap my brain around what will be lost if I use local eap-tls vs an external radius server for authentication of the certificates. I thought I saw in some older posts (3+ years) that there is no CRL available when using the controller as built-in radius. I am running on a 3650 as the integrated wlc. If I can tidy up the wireless solution so I dont have to utilize an external radius server (this would be the first necessity to have an external radius server for this org) than it would be nice to keep it simple. I am planning on doing "computer only" auth for some clients and the ability to invalidate their cert would likely push me to the external radius server - I just don't know if there are any other trade-offs by using the built-in radius.
        I also saw that you cant specify a radius server for anything else on the switch or the local built-in radius wont work, but then saw copnflictying info " You can disable RADIUS authentication for a given WLAN by using “config wlan radius_server auth disable wlan_id” CLI command." at this great page http://mrncciew.com/2013/04/21/configuring-local-eap-on-wlc/
    but dont know if this is true or not either. I would like to know if I am locking myself into never having an external  radius server If i go down the local eap-tls path.
    Thanks,
    Brian

    Thanks Nicolas, sad but true, I failed to find any possibilites at WLC.
    It seems I need to configure external RADIUS and use local EAP only in case of WAN failure.

  • Is local EAP + Web Authentication possible in Auto Anchor Configuration

    Hi,
    I have a wireless network setup in an auto-anchor configuration with the foreign and anchor controllers. Due to the foreign controller being owned and managed by another company, I have an interesting authentication scenerio I would like to acheive. We can't implement full EAP-TLS as we would have to allow authentications from the foreign controller which is owned and managed by another company.
    Currently Web Authentication is working correctly for the Wireless Network. As another layer of security, I want to know if its possible for the wireless clients to trust a certificate installed on the foreign controller?  If so, are you able to point me in the direction of a user guide to implement.
    I found the following document which describes local EAP configuration . Would this work with Web Authentication?
    Thanks

    so, kinda but no.  EAP is a layer 2 authentication that uses encryption as well.
    WebAuth is a layer3 authentication only.
    Now the kinda....you can create guest/network users on the WLC local database, and if someone logins to the webauth portal with those credentials they will be able to get on.
    I'm not really sure what you are looking to do based on your post.
    Personally, if I had users that were going to roam to this controller, I'd work with that companies IT and get it linked to my AAA server and keep the EAP-TLS that I had working already going. Just because that WLC would be able to communicate to your AAA doesn't mean their users would be able to get on, as they wouldn't have the machine or client certificate nor the Root CA cert on their machines.
    HTH,
    Steve

  • Local EAP + stand-alone HREAP ?

    What version of WLC software supports local EAP in stand-alone HREAP mode? Does 4.2M support it? I can't seem to find anything om 5.x/6.x release notes, and can't currently upgrade to test.

    nevermind, I found my answer, I need 5.0 to support that
    Controller software release 5.0.148.0 contains two new hybrid-REAP group features:
    Backup RADIUS server-You can configure the controller to allow a hybrid-REAP access point in standalone mode to perform full 802.1X authentication to a backup RADIUS server. You can configure a primary RADIUS server or both a primary and secondary RADIUS server.
    Local authentication-You can configure the controller to allow a hybrid-REAP access point in standalone mode to perform LEAP or EAP-FAST authentication for up to 20 statically configured users. The controller sends the static list of usernames and passwords to each hybrid-REAP access point when it joins the controller. Each access point in the group authenticates only its own associated clients. This feature is ideal for customers who migrate from an autonomous access point network to an LWAPP hybrid-REAP access point network and do not need to maintain a large user database nor add another hardware device to replace the RADIUS server functionality available in the autonomous access point.

  • WLC 5508 - EAP-TLS - Windows 8.1 Third Party PKI

    Hello,
    Does anybody know what could prevent a Windows 8/8.1 system to connect to a WLC via EAP-TLS? Windows 7/XP do not have any problems here.The radius server accepts the request, but WIndows 8 still tries to authenticate.
    Software is updated to 7.6.120.0, I tried to setup timeout values, but no success at all.
    Did anyone have similar problems with Windows 8/81?
    *Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17 Starting key exchange to mobile 0c:8b:fd:eb:16:17, data packets will be dropped
    *Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17 Sending EAPOL-Key Message to mobile 0c:8b:fd:eb:16:17
       state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00
    *Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17 Sending EAPOL-Key Message to mobile 0c:8b:fd:eb:16:17
       state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00
    *Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17 Reusing allocated memory for  EAP Pkt for retransmission to mobile 0c:8b:fd:eb:16:17
    *Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17 mscb->apfMsLwappLradNhMac = 00:24:97:52:87:d6 mscb->apfMsLradSlotId = 0 mscb->apfMsLradJumbo = 0 mscb->apfMsintIfNum = 13
    *Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17  mscb->apfMsBssid = 00:24:97:70:9a:00 mscb->apfMsAddress = 0c:8b:fd:eb:16:17 mscb->apfMsApVapId = 1
    *Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17  dot1xcb->snapOrg = 00 00 00 dot1xcb->eapolWepBit = 0 mscb->apfMsLwappLradVlanId =
    0 mscb->apfMsLwappMwarInet.ipv4.addr = -1407817979
    *Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17  mscb->apfMsLwappMwarPort = 5246 mscb->apfMsLwappLradInet.ipv4.addr = -1407817773 mscb->apfMsLwappLradPort = 10367
    *Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17 Entering Backend Auth Success state (id=6) for mobile 0c:8b:fd:eb:16:17
    *Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17 Received Auth Success while in Authenticating state for mobile 0c:8b:fd:eb:16:17
    *Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17 dot1x - moving mobile 0c:8b:fd:eb:16:17 into Authenticated state
    *osapiBsnTimer: Jun 24 12:43:13.801: 0c:8b:fd:eb:16:17 802.1x 'timeoutEvt' Timer expired for station 0c:8b:fd:eb:16:17 and for message = M2
    *dot1xMsgTask: Jun 24 12:43:13.801: 0c:8b:fd:eb:16:17 Retransmit 1 of EAPOL-Key M1 (length 121) for mobile 0c:8b:fd:eb:16:17
    *dot1xMsgTask: Jun 24 12:43:13.802: 0c:8b:fd:eb:16:17 mscb->apfMsLwappLradNhMac = 00:24:97:52:87:d6 mscb->apfMsLradSlotId = 0 mscb->apfMsLradJumbo = 0 mscb->apfMsintIfNum = 13
    *dot1xMsgTask: Jun 24 12:43:13.802: 0c:8b:fd:eb:16:17  mscb->apfMsBssid = 00:24:97:70:9a:00 mscb->apfMsAddress = 0c:8b:fd:eb:16:17 mscb->apfMsApVapId = 1
    *dot1xMsgTask: Jun 24 12:43:13.802: 0c:8b:fd:eb:16:17  dot1xcb->snapOrg = 00 00 00 dot1xcb->eapolWepBit = 0 mscb->apfMsLwappLradVlanId = 0 mscb->apfMsLwappMwarInet.ipv4.addr = -1407817979
    *dot1xMsgTask: Jun 24 12:43:13.802: 0c:8b:fd:eb:16:17  mscb->apfMsLwappMwarPort = 5246 mscb->apfMsLwappLradInet.ipv4.addr = -1407817773 mscb->apfMsLwappLradPort = 10367
    *osapiBsnTimer: Jun 24 12:43:16.801: 0c:8b:fd:eb:16:17 802.1x 'timeoutEvt' Timer expired for station 0c:8b:fd:eb:16:17 and for message = M2
    *dot1xMsgTask: Jun 24 12:43:16.802: 0c:8b:fd:eb:16:17 Retransmit 2 of EAPOL-Key M1 (length 121) for mobile 0c:8b:fd:eb:16:17
    *dot1xMsgTask: Jun 24 12:43:16.802: 0c:8b:fd:eb:16:17 mscb->apfMsLwappLradNhMac = 00:24:97:52:87:d6 mscb->apfMsLradSlotId = 0 mscb->apfMsLradJumbo = 0 mscb->apfMsintIfNum = 13
    *dot1xMsgTask: Jun 24 12:43:16.802: 0c:8b:fd:eb:16:17  mscb->apfMsBssid = 00:24:97:70:9a:00 mscb->apfMsAddress = 0c:8b:fd:eb:16:17 mscb->apfMsApVapId = 1
    *dot1xMsgTask: Jun 24 12:43:16.802: 0c:8b:fd:eb:16:17  dot1xcb->snapOrg = 00 00 00 dot1xcb->eapolWepBit = 0 mscb->apfMsLwappLradVlanId = 0 mscb->apfMsLwappMwarInet.ipv4.addr = -1407817979
    *dot1xMsgTask: Jun 24 12:43:16.802: 0c:8b:fd:eb:16:17  mscb->apfMsLwappMwarPort = 5246 mscb->apfMsLwappLradInet.ipv4.addr = -1407817773 mscb->apfMsLwappLradPort = 10367
    *osapiBsnTimer: Jun 24 12:43:19.801: 0c:8b:fd:eb:16:17 802.1x 'timeoutEvt' Timer expired for station 0c:8b:fd:eb:16:17 and for message = M2
    *dot1xMsgTask: Jun 24 12:43:19.801: 0c:8b:fd:eb:16:17 Retransmit failure for EAPOL-Key M1 to mobile 0c:8b:fd:eb:16:17, retransmit count 3, mscb deauth count 0
    Any hint would be great .... Thank you...

    Hello Dino,
      thanks very much for your reply.
      The client uses a machine-certificate, the PKI is not a microsoft one, but a third party PKI.   The certificate is fresh and valid, the root-cert is installed and checked to be validated against it for the login.
    Clock is correct too. The same setup works flawlessly in Windows 7 and XP.
    EKU is set on the certificate (1.3.6.1.5.5.7.3.2)
    I suspect the cert-setup itself, but don't get a clue where this might stuck...
    Björn

  • Local EAP - Using PEAP

    I have a question with regards to Local EAP. After you have created your Local EAP profile and applied it to an SSID a client with the appropriate certificate and local net user ID is authenticated. Once the user is authenticated does the client re-authenticate as he roams ? Are his credentials cached on the controller ?

    If the client roams across access points on the same controller, I don't think the client will have to re-authenticate as long as your client supports CCXv2 which supports CCKM (Cisco Centralized Key Management) for LEAP authentication.
    http://www.cisco.com/web/partners/pr46/pr147/program_additional_information_new_release_features.html
    You can use this command on the controller to see the pairwise-master key cache.
    show pmk-cache all

  • ISE 1.2 / WLC 5508 EAP-TLS expired certificate error, but wireless still working

    Hi I have a customer that we've deployed ISE 1.2 and WLC 5508s at.  Customer is using EAP-TLS with and everything appears to setup properly.  Users are able to login to the network and authenticate, however, frequently, I'm getting the following error in ISE authentication logs:
    12516 EAP-TLS failed SSL/TLS handshake because of an expired certificate in the client certificates chain
    OpenSSL messages are:
    SSL alert: code=Ox22D=557 : source=local ; type=fatal : message="X509
    certificate ex pi red"'
    4 727850450.3616:error.140890B2: SS L
    rOYbne s: SSL 3_  G ET _CL IE NT  _CE RT IF ICAT E:no ce rtific ate
    relurned: s3_ srvr.c: 272 0
    I'm not sure if this is cosmetic or if this is something that I should be tracking down.  System isn't in full production yet, but every client seems to be working and there is no expired cert in the chain.  Any ideas what to check?

    Hello Dino,
      thanks very much for your reply.
      The client uses a machine-certificate, the PKI is not a microsoft one, but a third party PKI.   The certificate is fresh and valid, the root-cert is installed and checked to be validated against it for the login.
    Clock is correct too. The same setup works flawlessly in Windows 7 and XP.
    EKU is set on the certificate (1.3.6.1.5.5.7.3.2)
    I suspect the cert-setup itself, but don't get a clue where this might stuck...
    Björn

  • Cisco WLC Local Net user Authentication

    Hi,
    I have a Controller configured with local net users. Web policy with authentication has been configured for Layer 3 security. When the user tries to access the Wireless, they will be redirected to a web authentication screen, where they need to enter the pre-configured credentials to gain access.
    Now, the requirement is: users shall have to provide login credentials only upon initial access (one time) and shall not have to accept an Acceptable Use Agreement when their systems connect to the wireless network. The next time user tries, they should be provided access automatically.
    We have configured the following setting on Windows 7 client:
    1. Connect automatically when the network is in range is selected
    2. Please refer the attached screenshots for further configuration for Windows 7 Clients.
    On WLC: SSID --> Advanced Options --> We have disabled the “Enable Session Timeout” setting, but we still have "Client Exclusion" Enabled.
    When a computer is shutdown and brought back up within a few minutes the wireless credentials seem to stick, however, when the computer is shutdown for a period of overnight, the credentials are no longer cached and we have to re-authenticate to the wireless.
    Is this issue because of  "Client Exclusion" Enabled on the SSID/WLAN ?
    If not, can someone share the complete procedure to make sure that users local net user credentials will be cache.
    Thanks,
    Jagan

    Well you only can keep it connected for an x number of minutes. You will not be able to set it longer than a day. This means, I can't configure the WLC/Client to cache the credentials permanently? And everyday, they have to enter the credentials to access SSID?You can extend it up to 30 days, but you have to run v7.5.  After that, they will have to login again.Change the idle timer to about 2-4 hours and that should keep the client on the WLC DB. This will allow the client to go away for the number set and come back without having to login again. As you said, if I configure the WLC Idle Time for 2-4 hours, do the client have to provide credentials the next day when they access Wireless?Yes.  See my previous answerIs there any other way via which this can be achieved? (The limitation is : client should be authenticated only with the WLC.)If you are looking for clients to login once and then never again, the answer is no.  You have two choices, you can use the new v7.5 and use the sleeping client feature which gives you max of 720 hours (30 days), or you use th eidle timer and after the idle timer expires, the user will have to login.Thanks,Jagan
    Thanks,
    Scott
    Help out other by using the rating system and marking answered questions as "Answered"

  • Cisco WLC local net user - guest account

    Hello,
    We have a 2504 Cisco WLC.  I am creating Local Net Users for one of the WLANs that uses Web Auth and the Local Database.
    My one question is, what does a "guest account" do differently than a non guest account besides the ability to create the lifetime of the account?  I mean, it seems both give access to the WLAN so I am failing to see the difference between the two.
    Any help is greatly appreciated.

    A guest acct can only login to a webauth WLAN. A normal netuser can login to any WLAN that you allow or all. Including 802.1x if that WLAN is allowed to chek the local db
    Steve
    Sent from Cisco Technical Support iPhone App

  • Problem installing oracle 8.1.5 as local database, Help me!

    Hello, my friends!
    I've been having problems with the connection to oracle 8.1.5 via ODBC. Does Exist any way to install a protocol that no requieres a net like TCP, SPX. I have a pc in my house and I'm not in a networking, so when i configure a tnsnames it requieres a protocol, and it shows: TCP, SPX, IPC, named pipes, which of them are for a Local PC, because i configured a tnsnames with TCP protocol and the connection via ODBC shows the message: 'Server rejected the connection'. My application and the database are in the same PC, so i'm accesing via ODBC to the database locally.
    so, i'd appreciate any help, please, any comments send me an email to : [email protected]
    Aldemar cuartas
    Colombia

    hi,
    Please confirm that your media(oracle 8.1) is for Intel Solaris or for Sun Sparc (RISC).
    bye
    [email protected]

Maybe you are looking for

  • Ipod classic does not show in itunes or my computer. Can anyone help?

    I'm hoping someone can help me out. I've had my Ipod classic 80GB for about 5 years. Yesterday for the first time, I encountered a major problem. My Ipod does not appear in either Itunes or My computer when connected by USB to my laptop. The I pod ju

  • Twitter has been hacked

    Hi, my twitter account has been hacked. Hacker changed my email and password, so i can't restore it. But i still have an access to my account from Twitter app for Mac and Tweetbot for iPhone. What i have to do to delete my account? And i know an emai

  • Checkboxes not displaying in webaccess of maximizer (program)

    When I open the webaccess of the program maximizer in IE it works perfectly but when I use any version of Firefox newer than version 3.0 the checkboxes will not display. How can I make checkboxes available in Firefox 5. Is there a plugin? I'm running

  • Materials of requisition 14009209 item 00010 alr. ordered in full

    Dear SAP Experts, We have created one Services PR has one line item 10, for line item 10 we have 5 services. Against this services PR we created one Services PO for half quantity of services. For rest of quantity of services , we are creating 2nd ser

  • Item import interface

    Dear All, I need Item Import open interface code, can any body help me? Regards, Hanimi.