topic Re: Security for Internal WLAN in Wireless

Security for Internal WLAN

snowmizer — Sun, 04 Jul 2021 04:44:42 GMT

I'm trying to figure out the best way to set up authentication on my WLAN for my internal users. I want to use certificates but I'm not exactly sure what layer 2, layer 3 and AAA settings I need to configure for certificates. If I do certificate authentication is that enough or do I also need to use something like RADIUS authentication?

Anyone got any good docs or recommendations on how to configure my WLAN for certificate authentication? Also, I'm curious what methods other people are using to secure their internal WLANs.

Thanks.

Re: Security for Internal WLAN

Scott Fella — Wed, 07 Mar 2012 16:25:29 GMT

In order to do certificate authentication either using EAP-TLS or PEAP, 802.1x requires the use of a radius server. The radius would look at your active directory for user or device authentication. You would also need to have a pki infrastructure if doing EAP-TLS. If you do not have a radius server, then pre shared key is your best bet.

Security for Internal WLAN

Ven Taylor — Wed, 07 Mar 2012 16:27:34 GMT

If you're looking for WLAN authentication, I would recommend PEAP. It requires all users to use their AD credentials and synchronizes with your AD infrastructure via RADIUS. You can use your own RADIUS server or ACS / AD for authentication.

I've used it in the past and it is very good.

The first link gives you some detail on PEAP.

http://www.cisco.com/en/US/prod/collateral/wireless/ps5678/ps430/prod_qas0900aecd801764fa.html

The second link is a configuration guide.

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080665d18.shtml

Ven

Security for Internal WLAN

snowmizer — Wed, 07 Mar 2012 16:28:43 GMT

So basically I need to set up a RADIUS server and configure all of my APs as RADIUS clients, select "WPA+WPA2+802.1x" as the layer 2 security method, configure the AAA server tab to use my RADIUS server and then check "Local-EAP". Then set up a Local EAP profile that uses EAP-TLS. Am I correct that I will also need to change the settings on my client's wireless network config to pass EAP-TLS?

Thanks.

Security for Internal WLAN

Scott Fella — Wed, 07 Mar 2012 16:31:29 GMT

If your AP's are autonomous, then yes. If you have a WLC, then only the WLC(S) are entered as your AAA client. No need to select local eap when pointing to a radius server, You do want to select WPA+WPA@, but really only enable WPA2 & AES with 802.1x.

Re: Security for Internal WLAN

snowmizer — Wed, 07 Mar 2012 16:48:32 GMT

I am using WLC.

Thanks guys for the replies. I'm going to check out the two docs that Ven also recommended and I'll see if I have any other questions.

Re: Security for Internal WLAN

snowmizer — Wed, 07 Mar 2012 22:27:59 GMT

Ok I looked at the docs and configured my settings. I set up RADIUS on Windows 2008 R2 NPS. Initially I had the WLC configured as a RADIUS client and I was seeing messages that a RADIUS message was received from the invalid RADIUS client IP address 1.2.3.4. The address 1.2.3.4 corresponds to the IP address on the interface for the WLAN. So I switched the IP address on the RADIUS client on NPS to match the IP address 1.2.3.4 and tried accessing the WLAN. Now I'm getting an EAP error:

Explicit EAP failure received (0x50005)

EAP Error Code: 0x40420110

Network authentication failed due to a problem with the user account

I looked on the NPS server logs and don't see any messages there. Account isn't locked out, certificate is valid.

Any other ideas?

Thanks.

Re: Security for Internal WLAN

snowmizer — Fri, 09 Mar 2012 14:54:28 GMT

Success!!! I was able to get past this message and get connected to my internal WLAN. Thanks for all of the help guys.

I have this problem too

SMirlan79 — Tue, 20 May 2014 11:02:02 GMT

I have this problem too.

Explicit EAP failure received (0x50005)

Can you help me please?