cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
232
Views
10
Helpful
7
Replies
Highlighted
Beginner

Very High level explanation of this WLC/ISE security setup?

I'm not sure how to even ask the right question here but if anyone has some pointers on how I can understand the configuration below or any simple concepts or explanations I would really appreciate it, many thanks.

 

As a novice, the settings below just say to me our system uses WPA2 security, 802.1x, PEAP MSCHAPV2 security, EAP-FAST, but how do all the various methods fit together? I doubt there is an simple explanation but anything would help.

 

WLC:

WLC.JPG

 

ISE:

ISE.JPG

7 REPLIES 7
Highlighted
Hall of Fame Master

So on the wireless controller, the configuration is just to say, “use 802.1x”.
One the radius server, you are basically saying what types of 802.1x variations you want to accept. One the ISE rules, you can specify exact EAP method to allow.
On the client device is really how you define what type of 802.1x method to use.
-Scott
*** Please rate helpful posts ***
Highlighted

Many thanks for getting back to me. What is WPA2 there for if 802.1x is being used? This is probably a really stupid question but I am brand new to all this so apologies.

Highlighted

https://en.wikipedia.org/wiki/Wi-Fi_Protected_Access#WPA_terminology

WPA2 with pre-shared key known as WPA-Personal and WPA2 with 802.1x known as WPA-Enterprise.

The encryption layer is WPA2.  The encryption keys are derived from PSK or 802.1x protocol.

Highlighted

Thanks for that. I have a lot of reading up to do!

Highlighted
Hall of Fame Master

I would suggest you look at some blogs out there on setting up WPA2 PSK along with 802.1x EAP-TLS and EAP-PEAP. That should give you an idea of what is configured when and why. These three are the most popular types, WPA-TKIP is no longer used or a good idea, WAP2-AES is the encryption you should use with PSK or 802.1x. WPA3 is new and not every device supports that. At the end, devices that will be connecting to the wireless need to support what you define.
-Scott
*** Please rate helpful posts ***
Highlighted

WPA2 is a standard that can be used for PSK or dot1x, this is why we select it on the WLC. If your environment uses EAP-TLS as an example, on ISE side you don't need to enable any allowed protocols but EAP-TLS. However, if you use EAP-PEAP, then you only need EAP-PEAP to be enabled, and depending on what inner protocol you will be using with EAP-PEAP, whether MSCHAPv2 or EAP-TLS, you enable that accordingly. In other words, it all depends on your deployment, if you want to be very specific, which is good practice, then you just enable what you need along the whole authentication patch.

Highlighted
Frequent Contributor
Frequent Contributor

As Aref mentioned, keep in mind that inner protocol because that defines how your deployment would be since that EAP-TLS is certificate based and MSCHAPV2 uses Active Directory Credentials. The EAP-TLS Certificate can be signed by a public certificate authority or using your own PKI Infrastructure. 

Content for Community-Ad