Autonomous AP to authenticate with ISE EAP-TLS

mohmmad.imran
Level 1

Hi,

I am stuck in a situation where I need to get the autonomous AP to just authenticate with ISE EAP-TLS. Is it possible?

So far I am not able to get it working, and the ISE authentication logs say that the EAP method is not allowed in allowed-protocol. At the same time, the WLC has no issues getting users authenticated with EAP-TLS.

Any suggestions would be appreciated.

Thanks

8 Replies

Scott Fella
Hall of Fame

Have you tried to test using PEAP? Just trying to eliminate variables. The setting on the AP would be the same for all EAP types.

Here is a guide that shows what is needed on the AP.

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00801df0ea.shtml#config-ap

Make sure the client is set up properly also, which can show the same error.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

filipe.gaspar
Level 1

There is little documentation about EAP-TLS on EAP-TLS.

I'm looking for that.

Filipe

Abhishek Abhishek
Cisco Employee

EAP-TLS authentication protocol is not supported for autonomous AP to authenticate with ISE. You can try with PEAP.

It works with ACS and I think it works also with ISE, it's the same principle.

Just for information, you can import a certificate with these commands:

! define the trustpoint; the certificates are pasted in at the terminal
crypto pki trustpoint MY-TRUSTPOINT
 revocation-check none
 enrollment terminal
 exit
! import the PEM-encoded CA certificate, private key and certificate
crypto pki import MY-TRUSTPOINT pem terminal PASSPHRASE

Then copy / paste the CA certificate, the private key with the PASSPHRASE and the certificate.

NOTA BENE: all these certificates must be hashed with sha1 (sha256 is not supported).

For me it's the same thing, but I haven't tested with ISE. Has anyone tested this use case?

gohussai
Level 4

As mentioned earlier.

EAP-TLS is not supported in Autonomous; you can use PEAP or use ACS as an alternative.

Jurgens L
Level 3

Just for anyone who still has this question,

I've tested EAP-TLS authentication with a 1700 series autonomous AP and ISE version 2.2 successfully. In addition, features like dynamic VLAN and ACLs also worked.

It seems that all the features the ACS supported for autonomous APs are supported in ISE.
