
Can we use only certificate based authentication for user authentication using Cisco WLC with external Radius server

I have a Cisco WLC 3504 and an Ubuntu RADIUS server which works as the external RADIUS server.

I want the wireless clients to be authenticated using certificates. What will be the SSID security settings for this? Is there any documentation link for this?

Accepted Solutions

Re: Can we use only certificate based authentication for user authentication using Cisco WLC with external Radius server

Effectively, you need to do the following:

Add the RADIUS server to the WLC

Configure the WLAN for WPA2 Enterprise 802.1x authentication as per the WLC parts of this document:

https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/213543-configure-eap-tls-flow-with-ise.html

Where it goes through ISE configurations, you need to configure your RADIUS server for EAP-TLS

Here is how FreeRADIUS does it:

https://documentation.meraki.com/MR/Encryption_and_Authentication/Freeradius%3A_Configure_freeradius_to_work_with_EAP-TLS_authentication

*****Help out other by using the rating system and marking answered questions as "Answered"*****
*** Please rate helpful posts ***
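
A check to go with the EAP-TLS step in the answer above, as an added example that is not part of the original thread or the linked documents: the WLC only relays EAP, so "certificate only" has to be enforced on the RADIUS server, and this Python audit reads a FreeRADIUS 3 `eap { }` module section and reports which EAP methods are enabled. The embedded configuration is constructed sample input and the function names are hypothetical.

```python
import re

# Constructed sample of an `eap { }` module section (FreeRADIUS 3 syntax).
SAMPLE_EAP_CONF = """
eap {
    default_eap_type = peap    # not what a certificate-only SSID wants
    tls-config tls-common {
        ca_file = ${cadir}/ca.pem
    }
    tls {
        tls = tls-common
    }
    peap {
        tls = tls-common
        default_eap_type = mschapv2
    }
    # md5 { }   commented out, so not loaded
    mschapv2 {
    }
}
"""

def audit_eap(conf_text):
    """Return (default_eap_type, enabled_methods) for the eap { } section."""
    depth, default, methods = 0, None, []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        opened = re.match(r"^([\w-]+)(?:\s+[\w-]+)?\s*\{$", line)
        if opened:
            # Sub-sections directly inside eap { } are methods, except tls-config.
            if depth == 1 and opened.group(1) != "tls-config":
                methods.append(opened.group(1))
            depth += 1
        elif line == "}":
            depth -= 1
        elif depth == 1:
            m = re.match(r"^default_eap_type\s*=\s*(\S+)$", line)
            if m:
                default = m.group(1)
    return default, methods

def certificate_only(conf_text):
    """True only if EAP-TLS is the default and the sole enabled method."""
    default, methods = audit_eap(conf_text)
    return default == "tls" and methods == ["tls"]

print(audit_eap(SAMPLE_EAP_CONF), certificate_only(SAMPLE_EAP_CONF))
```
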

Re: Can we use only certificate based authentication for user authentication using Cisco WLC with external Radius server

Hi Afroza,

Please refer to this: Configure-802-1x-PEAP-with-FreeRadius

Regards,
Sathiyanarayanan Ravindran

Please rate the post and accept as solution, if my response satisfied your question:)

Re: Can we use only certificate based authentication for user authentication using Cisco WLC with external Radius server

Hello Haydn,

The solution has worked, thanks for your help.

I have another query: the RADIUS server expert says that they need 60s to verify the certificate and asked me whether there is any option in the WLC where I have to set a timer for this 60s certificate validation.


Re: Can we use only certificate based authentication for user authentication using Cisco WLC with external Radius server

Glad I could help; make sure you help others out by marking solutions as accepted solutions.

Around timeouts, 60 seconds is a very long time; from a client perspective, if it takes 60 seconds to authenticate, I'm giving up or logging a ticket. Normally, if the RADIUS server is in the same network segment as the WLC, then for TLS I have never seen a requirement to go past 5 seconds.

https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-0/configuration-guide/b_cg80/b_cg80_chapter_01010.html

There are also some best practices for EAP style authentications here:

https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/118703-technote-wlc-00.html
