Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
314
Views
1
Helpful
4
Replies

Authenticating SSID with Certificates

Bledian
Level 1
Level 1

‎09-28-2024 02:21 AM

Hello community,

Devices:

Virtual WLC 9800

Windows Internal CA

Active Directory

I want to Integrate virtual WLC 9800 with Windows Internal CA and AD, so I can authenticate SSID using Certificates from Internal CA, using the users from AD with LDAP.

So the idea is to generate CSR from virtual WLC 9800, get signed by the internal windows CA, and get it back to virtual WLC, and than users have to download the certificate from internal CA so they can connect to SSID.

P.s I dont want to use ISE or any other Radius Server.

Is there any guide for this configuration, especially from internal windows CA perspective.

Thanks.

Labels:
0 Helpful
4 Replies 4

Flavio Miranda
VIP
VIP

‎09-28-2024 04:44 AM

@Bledian 

 I dont believe this is possible. EAP-TLS requires a radius server  as far as I know. What you can do is use the windows as CA and as Radius.

 You can follow this guide

https://howiwifi.com/2020/04/08/cisco-9800-802-1x-eap-tls-using-windows-server-ca-and-nps/

 

0 Helpful

Bledian
Level 1
Level 1
In response to Flavio Miranda

‎09-28-2024 09:15 AM

@Flavio Miranda thank you for the response.

So this means using LDAP won't do the job?

0 Helpful

Flavio Miranda
VIP
VIP
In response to Bledian

‎09-29-2024 04:31 AM

802.1x plus EAP-TLS have a specific structure and one piece of it is the Radius server.

 

FlavioMiranda_0-1727609359562.png

The server figure on the picture above must speak 802.1x (Radius protocol) and LDAP is not meant for that. LDAP is a good resouce to validade a user/pass against a data base but not for radius authentication.

You need a radius server for it.

0 Helpful

ammahend
VIP
VIP

‎09-28-2024 08:40 PM - edited ‎09-29-2024 03:38 PM

your requirement is to have a certificate based authentication, where the endpoint certificate common name can be validated against AD user database, I don't think you can do this without Radius server (Preferably ISE)

If you just want to do username/Password based authentication using LDAP integration with Controller without involving Radius server, then you can do that.

here is the guide  : https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/216744-configuring-catalyst-9800-wlc-with-ldap.html

if you want to get creative with authorization then Radius server is recommended, any particular reason you don't want to use ISE ?

-hope this helps-
Customers Also Viewed These Support Documents