topic Re: CAPWAP AP 802.1x supplicant with EAP-TLS in Wireless

CAPWAP AP 802.1x supplicant with EAP-TLS

Murinos — Mon, 05 Jul 2021 18:36:47 GMT

Hello Community!

We have a highly secure environment with NAC on switchports. We need APs to use pre-provisioned(during staging) LSC certificates (same for DTLS encryption and AP Auth on the WLC) during 802.1x EAP-TLS authentication on the NAC switchports. We had already chained WLC with root CA and provisioned LSC certs to all APs as "802.1x + CAPWAP-DTLS". APs are using LSC certs for both CAPWAP Data and Control DTLS encryption. NAC is not enabled on the switch ports to which APs are connected yet.

The issue is when we try enable "802.1x Authentication" in "802.1x Supplicant Credentials" as EAP-TLS in Access Points Global configuration in GUI, the WLC asking for username and password. (The picture is from the configuration guide).

That's confusing, since we intend to use EAP-TLS which require certificate instead of credentials. Configuration guides referred to this feature says: "Also configure user name and password."

What will those username/password be?

Thanks!

Re: CAPWAP AP 802.1x supplicant with EAP-TLS

Haydn Andrews — Tue, 28 Jan 2020 21:59:24 GMT

Depending on what WLC version you are running the only 802.1x auth for the AP to the network is EAP-FAST.

From

https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-7/b_802_1x_eap_supplicant_on_cos_ap.html

Prior to rel 8.7, AP port 802.1x only supported EAP-FAST, in rel 8.7 the AP supplicant will also support EAP-TLS / EAP-PEAP

Re: CAPWAP AP 802.1x supplicant with EAP-TLS

Murinos — Wed, 29 Jan 2020 08:48:14 GMT

Thanks for you reply!

It's 8.10.105, so this feature is supported, and we have an option to choose EAP-TLS as authentication method. We just still being asked for a username and password when we choose it.

Re: CAPWAP AP 802.1x supplicant with EAP-TLS

Murinos — Mon, 03 Feb 2020 17:34:36 GMT

Any ideas?

When I try to enable 802.1x Authentication:

I get this error:

What's Global 802.1x Username? I want to use EAP-TLS...

Thanks!

Re: CAPWAP AP 802.1x supplicant with EAP-TLS

aleopoldie — Fri, 06 Nov 2020 22:51:38 GMT

Hello Murinos,

Did you figure out how to solve this ? If you configure EAP-TLS without any username/password set, is it working ?

Re: CAPWAP AP 802.1x supplicant with EAP-TLS

Murinos — Sun, 08 Nov 2020 10:23:43 GMT

Hello aleopoldie,

No, we bumped to another problem. The ISE we use as AAA server for NAC can't trust the Root CA we use for SCEP on WLC. So, it will not accept certificates we issue for APs for EAP-TLS.

We are bound with EAP-FAST (login/pass) and mac check.

Re: CAPWAP AP 802.1x supplicant with EAP-TLS

Thomas Obbekaer Thomsen — Fri, 14 Jan 2022 10:39:48 GMT

Bump ? - Any news on this , we are all holding our collective breaths in anticipation 🙂🙂

/Thomas

Re: CAPWAP AP 802.1x supplicant with EAP-TLS

Murinos — Thu, 10 Feb 2022 12:39:02 GMT

Unfortunately, no.

We were not allowed to power on 'main' root CA which is used for all production networking infrastructure. The 'additional' root CA which is used for SCEP on WLC and APs cant' be made trusted on ISE. ISE can trust only single root CA (2 years ago). So it could not auntheticate AP's certificates issued by 'additional' root CA on NAC port.

The task is done and we left the site, so it's final.

If only ISE could support several root CA's that time, then it could be possible to meke everything right.

Re: CAPWAP AP 802.1x supplicant with EAP-TLS

Arne Bier — Tue, 22 Nov 2022 23:46:15 GMT

Hello @Murinos

I am looking at deploying EAP-TLS to a bunch of AireOS WAPs and I came across this thread. What do you mean by "ISE can only trust single root CA" ?

ISE can have many different Trusted CA certs installed, for the purpose of checking the CLIENT certificate.

What you are alluding to, is the fact that ISE only supports one EAP System certificate. This is still a limitation. But it's not a problem for clients who don't check the Authenticating Server's (RADIUS server's) certificate. e.g. In Windows supplicants you can turn that validation off.

Anyway. Back to Cisco WAPs and EAP-TLS. Your ISE PSN's should have their EAP System cert issued by the corporate PKI. But as far as the clients is concerned, they can have their certs issued by multiple different CA - as long as ISE has those CA certs installed under Trusted Certs, and the usage is ticked for "Client authentication".

Are you 100% sure that the Cisco WAP expects to always see the ISE EAP cert signed by the same cert that signed the WAP cert? That would be weird.

I am still trying to figure out how to get PKI certs onto a Cisco AireOS WAP without using SCEP. I just want to install the cert manually.