topic Re: WPA2 Enterprise EAP-TLS authentication in Network Security

WPA2 Enterprise EAP-TLS authentication

170232D14065 — Sun, 25 Oct 2020 17:43:16 GMT

I need to connect my IoT embedded devices to a CISCO-ISE managed enterprise wireless network using WPA2E and EAP-TLS protocol for authentication. When I go through the cisco compatibility documentation for client devices there was nothing about the embedded devices. So my question is, what are the compatibility concerns when it comes to connecting an embedded device which simply consists of an MCU and some peripherals through certificate-based authentication? There were documents only regarding connection of mainstream devices like Pc, laptop, smartphone but none about MCU.

thank you

Re: WPA2 Enterprise EAP-TLS authentication

Aref Alsouqi — Sun, 25 Oct 2020 16:05:20 GMT

If the IoT device uses standard RADIUS protocol attributes then I think you can just add it as a normal network device to ISE, that should work. However, if it uses customized RADIUS attributes, then you need to create a network device profile with those customized attributes, and then when you add it as a network device, you need to associate the profile you created to that device from the Device Profile menu.

Re: WPA2 Enterprise EAP-TLS authentication

170232D14065 — Sun, 25 Oct 2020 17:47:41 GMT

Thank you for reaching out.

How can I connect an MCU to ISE? In the official documentation, there were only windows, macOS, android, and ios. but how do I connect an embedded device?

Re: WPA2 Enterprise EAP-TLS authentication

Aref Alsouqi — Sun, 25 Oct 2020 18:09:15 GMT

Is the MCU connected to the network and can reach ISE through the network?

Re: WPA2 Enterprise EAP-TLS authentication

170232D14065 — Mon, 26 Oct 2020 03:25:42 GMT

it's in the wifi authentication phase. I think the ISE acts as the radius server for the access point. so it's about authenticating the device (wifi chip) to the network.

Re: WPA2 Enterprise EAP-TLS authentication

Aref Alsouqi — Mon, 26 Oct 2020 03:52:52 GMT

If the MCU connects to the access point, then the access point should be added to ISE as a network device, since the access point will be the RADIUS authenticator and the MCU will be the supplicant. The SSID on the access point should be configured for dot1x as well.

Re: WPA2 Enterprise EAP-TLS authentication

170232D14065 — Mon, 26 Oct 2020 05:05:25 GMT

So it seems it is all good if the device supports standard RADIUS protocol attributes.

Can you direct me to some resources describing the implementation of EAP-TLS on a microcontroller?

So far I didn't find any guidance docs. The only thing having is a secure connection to a web server through certificate-based authentication, but nothing about WiFi authentication using ca.

Thank you so much for clarifying things.

Re: WPA2 Enterprise EAP-TLS authentication

Aref Alsouqi — Mon, 26 Oct 2020 18:28:01 GMT

I am really sorry, but did not come across those MCU in practice.