This document provides a configuration example for “How to configure WLC with ACS 5.1 with EAP-FAST authentication”. EAP-FAST is used for 802.1x authentication with automatic or manual PAC provisioning. The wireless client used in the example is ADU on a Windows machine.
Configuration ACS 5.1
We need to add WLC under Network Devices as a AAA client. Go to Network Resources-->Network Devices and AAA clients-->create.
Note: The settings for Network Device Groups are the defaults, which can be adjusted per the user’s requirements.
2. Configure Access Policies --> Access Services
Note: Select Default Network Access as the Service, with EAP-FAST.
In the example below we have selected the “Internal Users” store. It can be changed to AD or another available external database.
Click on User and Identity Stores-->Internal Identity Stores-->Users. Click the Create button to create a new user account.
Add the Name, Description, Identity Group and password, and select the status (enable/disable). After filling in the required fields, click Submit.
Now the User “Test User” has been created and status is Active.
Configure Service Selection Rules
Go to Access Policies-->Access Services-->Service Selection Rules. In this example we have selected the default Service Selection Rules. The Access Service has to be adjusted as per requirement.
Requirement: Basic configuration is already done on the WLC, so that an SSID with WPA-PSK works, for this example configuration.
Configure AAA server on WLC
Security-->AAA-->Radius-->Authentication-->Add new AAA server-->save configuration.
“TEST” WLAN is created with SSID as TEST. The status check box has been checked in order to enable the WLAN. Security policy and other settings can be selected as per requirement. Click on apply in order to save the configuration.
Select an encryption type that your wireless client supports. In this example we have selected WPA+WPA2 as L2 security. Click on apply to save the settings.
WLAN-->Security-->AAA server-->select the AAA server from the drop-down list. Also verify that Radius is at the top under “Authentication priority order used for authentication”.
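The same WLC steps can be entered from the controller CLI. This is an added example, not part of the original document: `<ACS-IP>` and `<shared-secret>` are placeholders, and the RADIUS server index 1, port 1812, WLAN ID 1 and the TKIP/AES cipher choices are assumptions.

```text
# Added example. Lines starting with '#' are annotations, not commands;
# the other lines are typed at the "(Cisco Controller) >" prompt.
# Placeholders: <ACS-IP>, <shared-secret>.
# Assumed: RADIUS server index 1, UDP port 1812, WLAN ID 1.

# Configure AAA server on WLC (Security-->AAA-->Radius-->Authentication)
config radius auth add 1 <ACS-IP> 1812 ascii <shared-secret>
config radius auth enable 1

# Create the "TEST" WLAN with SSID TEST; keep it disabled while editing security
config wlan create 1 TEST TEST
config wlan disable 1

# L2 security WPA+WPA2 (cipher choice is an assumption; pick what the client supports)
config wlan security wpa enable 1
config wlan security wpa wpa1 enable 1
config wlan security wpa wpa1 ciphers tkip enable 1
config wlan security wpa wpa2 enable 1
config wlan security wpa wpa2 ciphers aes enable 1

# 802.1X key management instead of the pre-shared key, so EAP-FAST goes to ACS
config wlan security wpa akm 802.1x enable 1
config wlan security wpa akm psk disable 1

# WLAN-->Security-->AAA server: bind RADIUS server index 1 to WLAN 1
config wlan radius_server auth add 1 1

# Enable the WLAN and save
config wlan enable 1
save config

# Verify: the server is listed and enabled, and the WLAN shows 802.1X with that server
show radius summary
show wlan 1
```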
Wireless Client Configuration
Under Profile Management --> Security, select the same configuration as on the WLC. The EAP type will be EAP-FAST.
EAP-FAST Authentication Method will be MSCHAPv2. Check the box for Allow Automatic PAC provisioning.
Enter User Name and password in order to connect to the SSID “TEST”.
After the user credentials are entered, the EAP-FAST authentication process will start.
Once authentication passes, the client waits for an IP address.
Configuring Manual PAC provisioning in ACS
System Administration-->Configuration-->Global System Options-->EAP-FAST-->Settings.
In order to generate the PAC for User “Test User”, please select the name, PAC time to live and password of the user. Go to System Administration-->Configuration-->Global System Options-->EAP-FAST-->Generate PAC.
The User will be prompted to save the PAC file on the local machine.
Video - Wireless Client Connectivity with ACS 5.x and Wireless LAN Controller (WLC)
Varun Ajmani is a Wireless Expert in Cisco TAC. In this video, Varun shows how to configure the Wireless LAN Controller (WLC) for Extensible Authentication Protocol (EAP) authentication with the use of an external RADIUS server such as Access Control Server (ACS) 5.2.
The configuration includes the Wireless LAN Controller, Cisco ACS 5.2 and the wireless client. In this video, the EAP type shown is EAP-FAST. The video also covers how to check the debugs when the authentication passes or fails.