EAP-TLS is an EAP method that authenticates the client with a certificate instead of a username and password.
The example below uses EAP-TLS with local EAP on the controller (WLC).
EAP-TLS requires a digitally signed certificate to authenticate clients.
Certificates required on the controller:
1. Device certificate issued to the WLC.
To generate the device certificate (CSR and chained certificate), follow:
http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/109597-csr-chained-certificates-wlc-00.html
Then download it to the controller as the vendor device certificate, using the command line or the GUI. In the GUI, select the download vendor device certificate option.
(TACLAB) >transfer download mode tftp
(TACLAB) >transfer download datatype eapdevcert
(TACLAB) >transfer download path .
(TACLAB) >transfer download filename final.pem
(TACLAB) >transfer download certpassword check123
(TACLAB) >transfer download serverip 192.168.178.52
(TACLAB) >transfer download start
2. Root certificate of the CA.
If you have the root CA certificate on a device, you can export it using Firefox.
Path: browser > Advanced > Encryption > View Certificates > Export > save it as an X.509 certificate file.
E.g. test.crt
Then download it to the controller; it is the CA certificate. Note that the datatype is eapcacert for the CA certificate (eapdevcert is only for the device certificate). In the GUI, select the
(TACLAB) >transfer download mode tftp
(TACLAB) >transfer download datatype eapcacert
(TACLAB) >transfer download path .
(TACLAB) >transfer download filename test.crt
(TACLAB) >transfer download certpassword check123
(TACLAB) >transfer download serverip 192.168.178.52
(TACLAB) >transfer download start
The root CA certificate must be installed on the controller as well as on the clients.
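Before running the transfer download commands, it is worth checking that final.pem and test.crt actually contain what the WLC expects. The script below is an added example (not from this page or from Cisco): the file names, function names and the certpassword argument are its own assumptions, and the openssl chain check runs only if openssl is installed.

```shell
#!/bin/sh
# Added example: sanity-check the two files before downloading them to the WLC.
# final.pem is the chained device certificate bundle (device cert, chain, private key);
# test.crt is the root CA certificate exported from the browser as X.509.
# File and function names here are this example's own assumptions.

# Count PEM blocks of one kind in a file: "CERTIFICATE" or "PRIVATE KEY"
# (the latter also matches "RSA PRIVATE KEY" and "ENCRYPTED PRIVATE KEY").
pem_count() {
  n=$(grep -c -e "-----BEGIN .*$2-----" "$1" 2>/dev/null) || true
  echo "${n:-0}"
}

# Device bundle: at least one certificate (device cert plus chain) and exactly one key.
check_device_bundle() {
  [ "$(pem_count "$1" CERTIFICATE)" -ge 1 ] && [ "$(pem_count "$1" 'PRIVATE KEY')" -eq 1 ]
}

# CA file: exactly one certificate and no private key. The CA's private key must
# never be uploaded to the controller; only its public certificate is needed.
check_ca_file() {
  [ "$(pem_count "$1" CERTIFICATE)" -eq 1 ] && [ "$(pem_count "$1" 'PRIVATE KEY')" -eq 0 ]
}

# With openssl installed: the device certificate (first cert in the bundle) must
# chain to the root CA, and the bundled private key must belong to that certificate.
# $3 is the key passphrase (the page's certpassword) if the key is encrypted.
verify_chain() {
  openssl verify -CAfile "$2" -untrusted "$1" "$1" >/dev/null || return 1
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$1" -passin "pass:${3:-}" -pubout | openssl sha256)
  [ "$cert_pub" = "$key_pub" ]
}

# Usage: sh check-wlc-certs.sh final.pem test.crt [certpassword]
if [ "$#" -ge 2 ]; then
  check_device_bundle "$1" || { echo "$1: expected certificate(s) plus one private key" >&2; exit 1; }
  check_ca_file "$2" || { echo "$2: expected exactly one certificate and no private key" >&2; exit 1; }
  if command -v openssl >/dev/null 2>&1; then
    verify_chain "$1" "$2" "$3" || { echo "$1 does not chain to $2, or key does not match" >&2; exit 1; }
  fi
  echo "ok: $1 and $2 are ready to download to the WLC"
fi
```

A bundle that fails these checks is usually a missing private key or a CA export that was saved with its key; either one makes the WLC reject the download or the EAP-TLS handshake fail later.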
Now configure a local EAP profile with EAP-TLS on the controller and attach it to the WLAN (SSID) under the Advanced tab.
To configure the local EAP profile, see:
https://mrncciew.com/2013/04/21/configuring-local-eap-on-wlc/