https://community.cisco.com/t5/wireless/wlc-and-client-certificate-authentication/m-p/2893351#M5884 <P>Certificates are another way to provide the identity of a machine or user instead of a "password". The world of certificates and network authentication (dot1x) can be overwhelming, so I will try to explain the important concepts in this reply.<BR /><BR />There are two common authentication methods being used in today's wireless deployments:<BR /><STRONG>1.</STRONG> PEAPv0 which is based on username and password<BR /><STRONG>2.</STRONG> EAP-TLS which is based on a machine or user certificate but requires a PKI<BR /><BR />The process of getting the client connected and authenticated are similar for both methods:<BR /><STRONG>1.</STRONG> Client associates to the wireless network;<BR /><STRONG>2</STRONG>. Client builds a protected tunnel with the authentication server. Based on the certificate used on the (RADIUS) <STRONG>server side</STRONG> the client verifies that it is talking to the correct server so it knows that it is safe to continue;<BR /><STRONG>3.</STRONG> Client sends its credentials to the server (username/password with PEAPv0, certificate with EAP-TLS);<BR /><STRONG>3a.</STRONG> In case of EAP-TLS the certificate will be validated and read by the server. Usually the CN or SAN attribute found in the certificate will be used for the Active Directory lookup;<BR /><STRONG>4. </STRONG>Server validates the provided credentials by consulting Active Directory;<BR /><STRONG>5. </STRONG>Active Directory gives feedback and provided current status and all the memberships the related object has within Active Directory. This object can be a user account or computer in case of a machine certificate. <BR /><STRONG>6. </STRONG>Based on the policies within the authentication server certain information can be provided to the WLC (Examples are: deny, allow and a specified VLAN which should be used etc).<BR /><BR />If you want to deploy EAP-TLS the following things should be in place:<BR /><STRONG>1. </STRONG>A PKI<STRONG>, </STRONG>preferable Microsoft's implementation which integrates within Active Directory<STRONG>;<BR />2. </STRONG>A authentication server for example Cisco ISE or Microsoft's NPS which uses a server certificate which can be actually verified by the clients <EM>(so signed by public CA or own PKI if all of the clients do have to CA cert of the PKI installed)</EM><STRONG>;<BR />3.</STRONG> Active Directory infrastructure with two GPOs deployed:<BR /><STRONG>3a.</STRONG> GPO to auto enroll certificates so clients will request a user/machine certificate;<BR /><STRONG>3b. </STRONG>GPO to configure the client with wireless settings;<BR /><STRONG>4. </STRONG>A RADIUS based connection between the WLC and the authentication server<STRONG>;<BR />5. </STRONG>Policies on the authentication server based on certain Active Directory groups so clients can be authenticated.<BR /><BR />Hopefully this helps to give some clarity, however if you have never have done any implementation I strongly advice to get some external help. Building a robust and secure PKI requires proper planning and a good design, so goes for the authentication services.<BR /><BR /><EM>Please rate useful posts... <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></EM></P> Sat, 12 Nov 2016 23:44:24 GMT Freerk Terpstra 2016-11-12T23:44:24Z https://community.cisco.com/t5/wireless/wlc-and-client-certificate-authentication/m-p/2893349#M5882 <P>We are trying to implement certs for clients to use when connecting to the Enterprise Wireless Infrastructure with the WLC.&nbsp; We use a MS Domain and use ACS.&nbsp; What is the best way to implement this to a gain security posture and avoid evil twin issues, and ensure trusted clients are connected and authenticated.&nbsp; Management wants to implement certificates for the clients connecting to the Wireless Controllers and AP's.</P> <P></P> <P>There is a request to use real certificates and not self-signed certs, for PEAP Auth.</P> <P></P> <P>Thank you</P> <P></P> <P>Tim</P> Mon, 05 Jul 2021 12:01:16 GMT https://community.cisco.com/t5/wireless/wlc-and-client-certificate-authentication/m-p/2893349#M5882 Timothy Ventry 2021-07-05T12:01:16Z https://community.cisco.com/t5/wireless/wlc-and-client-certificate-authentication/m-p/2893350#M5883 <P>Hi Tim did you find any documentation around this? I'm trying to do the same thing.</P> <P>user machine authenticate with a certificate onto wireless then then the user authenticates with AD.</P> <P></P> <P>Thanks</P> <P></P> Fri, 11 Nov 2016 15:05:36 GMT https://community.cisco.com/t5/wireless/wlc-and-client-certificate-authentication/m-p/2893350#M5883 mickyq 2016-11-11T15:05:36Z https://community.cisco.com/t5/wireless/wlc-and-client-certificate-authentication/m-p/2893351#M5884 <P>Certificates are another way to provide the identity of a machine or user instead of a "password". The world of certificates and network authentication (dot1x) can be overwhelming, so I will try to explain the important concepts in this reply.<BR /><BR />There are two common authentication methods being used in today's wireless deployments:<BR /><STRONG>1.</STRONG> PEAPv0 which is based on username and password<BR /><STRONG>2.</STRONG> EAP-TLS which is based on a machine or user certificate but requires a PKI<BR /><BR />The process of getting the client connected and authenticated are similar for both methods:<BR /><STRONG>1.</STRONG> Client associates to the wireless network;<BR /><STRONG>2</STRONG>. Client builds a protected tunnel with the authentication server. Based on the certificate used on the (RADIUS) <STRONG>server side</STRONG> the client verifies that it is talking to the correct server so it knows that it is safe to continue;<BR /><STRONG>3.</STRONG> Client sends its credentials to the server (username/password with PEAPv0, certificate with EAP-TLS);<BR /><STRONG>3a.</STRONG> In case of EAP-TLS the certificate will be validated and read by the server. Usually the CN or SAN attribute found in the certificate will be used for the Active Directory lookup;<BR /><STRONG>4. </STRONG>Server validates the provided credentials by consulting Active Directory;<BR /><STRONG>5. </STRONG>Active Directory gives feedback and provided current status and all the memberships the related object has within Active Directory. This object can be a user account or computer in case of a machine certificate. <BR /><STRONG>6. </STRONG>Based on the policies within the authentication server certain information can be provided to the WLC (Examples are: deny, allow and a specified VLAN which should be used etc).<BR /><BR />If you want to deploy EAP-TLS the following things should be in place:<BR /><STRONG>1. </STRONG>A PKI<STRONG>, </STRONG>preferable Microsoft's implementation which integrates within Active Directory<STRONG>;<BR />2. </STRONG>A authentication server for example Cisco ISE or Microsoft's NPS which uses a server certificate which can be actually verified by the clients <EM>(so signed by public CA or own PKI if all of the clients do have to CA cert of the PKI installed)</EM><STRONG>;<BR />3.</STRONG> Active Directory infrastructure with two GPOs deployed:<BR /><STRONG>3a.</STRONG> GPO to auto enroll certificates so clients will request a user/machine certificate;<BR /><STRONG>3b. </STRONG>GPO to configure the client with wireless settings;<BR /><STRONG>4. </STRONG>A RADIUS based connection between the WLC and the authentication server<STRONG>;<BR />5. </STRONG>Policies on the authentication server based on certain Active Directory groups so clients can be authenticated.<BR /><BR />Hopefully this helps to give some clarity, however if you have never have done any implementation I strongly advice to get some external help. Building a robust and secure PKI requires proper planning and a good design, so goes for the authentication services.<BR /><BR /><EM>Please rate useful posts... <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></EM></P> Sat, 12 Nov 2016 23:44:24 GMT https://community.cisco.com/t5/wireless/wlc-and-client-certificate-authentication/m-p/2893351#M5884 Freerk Terpstra 2016-11-12T23:44:24Z https://community.cisco.com/t5/wireless/wlc-and-client-certificate-authentication/m-p/4820059#M254915 <P>Hi,</P> <P>Wanted your guidance on the below.&nbsp;</P> <P>One of my customer is trying to achieve Certificate based auth when the users are connecting on the wireless network. But he is trying to achieve that with having a NAC/RADIUS solution in place. But he does have a AD server in place. Is this achievable. And if yes then how is that. Do we require any additional component to add to the solution along with the AD server</P> Mon, 24 Apr 2023 07:33:49 GMT https://community.cisco.com/t5/wireless/wlc-and-client-certificate-authentication/m-p/4820059#M254915 Rahul Pawar 2023-04-24T07:33:49Z