topic WLC EAP-TLS in Wireless

WLC EAP-TLS

nibinrodrigues — Sun, 04 Jul 2021 06:23:12 GMT

Hi,

My Wireless network consists of 8 WLC and 2 Cisco ACS 1113 with 4.2. I need to implement certificate authentication for Cisco Wireless Phone SSID. I tried PEAP along with certificate generated by Microsoft Cert Server, but the issue is the client can ignore the certificate and I believe only way to force is via Active Directory group policy.

So as my Cisco IP Phones are not joined to Active Directory I think the only option is to use EAP-TLS. For this I have the following Queries.

•1. What will be the SSID security setting. ( I tried Layer 2 802.X with WEP 104bit encryption)
•2. Do I need to install any certificate on WLC if yes which Certificate (Ex root, Client)
•3. What Certificate should be installed on Client.
•4. What should be the client PC security setting for EAP-TLS

I had gone through the following Docs for reference.

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a008068d45a.shtml

https://supportforums.cisco.com/docs/DOC-24723

Thanks

Nibin

WLC EAP-TLS

Philip Vilhelmsson — Tue, 12 Feb 2013 15:20:00 GMT

1. Layer 2: WPA+WPA2, WPA2 Policy check, WPA2 Encryption checked, Authenticatin Key management: 802.1X.

2. You only need intermediate CA cert and device cert for WLC. You probably don't need root cert since your clients will have this, but it won't hurt to have it.

3. A device/machine certificate and the root cert.

4. Make a wlan-profile that with the setting to use certificate.

Regards,

Philip

WLC EAP-TLS

nibinrodrigues — Wed, 13 Feb 2013 06:16:22 GMT

Dear Philip,

Thanks for your reply. Actually the setting is working for Laptops only issue with Wireless IP Phones.

Please find the logs from Cisco ACS. I followed the deployment guide for IP Phone.

AUTH 02/10/2013 13:29:58 I 0000 1756 0xb CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 read client certificate A

AUTH 02/10/2013 13:29:58 I 2009 1756 0xb EAP: EAP-TLS: Handshake failed

AUTH 02/10/2013 13:29:58 E 2255 1756 0xb EAP: EAP-TLS: ProcessResponse: SSL recv alert fatal:bad certificate

AUTH 02/10/2013 13:29:58 E 2258 1756 0xb EAP: EAP-TLS: ProcessResponse: SSL ext error reason: 412 (Ext error code = 0)

AUTH 02/10/2013 13:29:58 E 2297 1756 0xb EAP: EAP-TLS: ProcessResponse(1519): mapped SSL error code (3) to -2198

AUTH 02/10/2013 13:29:58 I 0526 1756 0xb EAP: EAP-TLS: Unknown EAP code Unknown EAP code

AUTH 02/10/2013 13:29:58 I 0366 1756 0xb EAP: EAP state: action = send

AUTH 02/10/2013 13:29:58 I 1151 1756 0xb [AuthenProcessResponse]:[eapAuthenticate] returned -2198

AUTH 02/10/2013 13:29:58 I 1198 1756 0xb EAP: <-- EAP Failure/EAP-Type=EAP-TLS (identifier=7, seq_id=7)

AUTH 02/10/2013 13:29:58 I 5501 1756 0xb Done UDB_SEND_RESPONSE, client 50, status UDB_EAP_TLS_INVALID_CERTIFICATE

Thanks

Nibin Rodrigues

Re: WLC EAP-TLS

Scott Fella — Wed, 13 Feb 2013 08:18:23 GMT

Have you gone through the 7925 configuration doc?

http://www.cisco.com/en/US/docs/voice_ip_comm/cuipph/7925g/7_0/english/administration/guide/7925cfgu.html#wp1376129

Sent from Cisco Technical Support iPhone App

WLC EAP-TLS

nibinrodrigues — Mon, 04 Mar 2013 11:46:25 GMT

Hi,

EAP-TLS worked but IP Phone disconnecting while roaming. Any advicesss

Thanks

Nibin