topic Re: 9120 EWC EAP-TLS support in Wireless

9120 EWC EAP-TLS support

Engineer101 — Thu, 08 May 2025 16:46:59 GMT

Hi all,

We have 9120 running EWC 17.6 firmware version. We are trying to implement EAP-TLS on client laptops. Below is the customer setup

1) Windows server running AD and CS services

2) Windows 11 laptops / Windows 10 laptops

3) Aruba ClearPass

4) Cisco 9120 APs running EWC (no physical controller)

Now we have already testing clearpass with cisco C1000 switch and its working perfectly ok with EAP-TLS. But for some reason, the AP doesnt support EAP-TLS. When we try to attempt the EAP-PEAP from the laptop, we are able to connect successfully, but when we set the authentication mode to EAP-TLS (smart card option) in laptop, the hit that we get on the clearpass doesnt even show EAP type. Without changing any setup, when we deploy Aruba AP (505) and broadcast the same SSID, the client is able to connect on first attempt using EAP-TLS. But for some reason its not able to connect via cisco 9120 EWC.

I just want to confirm that is there any limitation that its not supporting, anything special we need to do to enable EAP-TLS? if there any guide available that shows EAP-TLS with any NAC (ISE, FortiNAC etc), we can use that to see if we have configured EWC correctly. For reference purpose i have followed below video and like i said i am able to connect via EAP-PEAP but not EAP-TLS.

https://www.youtube.com/watch?v=-RQANru0l_k

Re: 9120 EWC EAP-TLS support

Mark Elsen — Thu, 08 May 2025 16:57:18 GMT

- @Engineer101 >....But for some reason its not able to connect via cisco 9120 EWC.
Track the client when it tries to connect using : https://logadvisor.cisco.com/logadvisor/wireless/9800/9800ClientConnectivity
These so called RadioActive Traces can be analyzed with : Wireless Debug Analyzer

Re: 9120 EWC EAP-TLS support

Scott Fella — Thu, 08 May 2025 19:22:17 GMT

What you need to know is that on a Cisco wireless, EWC or Controller, you just configure 802.1x, that is it. It's defined on the radius to allow EAP-TLS and or PEAP. As far as Windows is concerned, if configured for EAP-TLS and that fails, then users get prompt to enter credentials. I would look at the ClearPass radius logs and see if its hitting the right policy and why its failing when using EAP-TLS. There might be additional configuration on the ClearPass side to authenticate the Cisco Wireless. You would need to hit up the Aruba forum for help on that.

Re: 9120 EWC EAP-TLS support

Rich R — Fri, 09 May 2025 07:32:46 GMT

You don't say what actual version of software you are using? 17.6 could mean anything from 17.6.1 to 17.6.8!
Either way, 17.6 is almost end of life - it has already passed the End of SW Maintenance and End of Vulnerability/Security Support dates! So you really should be looking at updating. Refer to the TAC recommended code link below.

Check your config using the Config Analyzer (link below) using the output from "show tech wireless". This will highlight many common mistakes and best practices. Also refer to the Best Practices link below.

The radioactive trace will show what response you get back from the radius server (if any). If you're getting back a reject then that confirms it's the server rejecting the client and you need to check the server and client logs for the reason. If you're not getting a reply then it's your connection to the radius that's the problem - either network connectivity (routing, firewalls, ACLs) or incorrect radius secret. Be careful about using special characters in the key - try to stick to standard ASCII characters to be safe - or if the key is very long then try shortening it.