9120 EWC EAP-TLS support

Engineer101
Frequent Visitor

Hi all, 

We have a 9120 running EWC firmware version 17.6. We are trying to implement EAP-TLS on client laptops. Below is the customer setup:

1) Windows server running AD and CS services

2) Windows 11 laptops / Windows 10 laptops

3) Aruba ClearPass

4) Cisco 9120 APs running EWC (no physical controller)

Now, we have already tested ClearPass with a Cisco C1000 switch and it's working perfectly OK with EAP-TLS. But for some reason, the AP doesn't support EAP-TLS. When we try to attempt EAP-PEAP from the laptop, we are able to connect successfully, but when we set the authentication mode to EAP-TLS (smart card option) on the laptop, the hit that we get on ClearPass doesn't even show the EAP type. Without changing any setup, when we deploy an Aruba AP (505) and broadcast the same SSID, the client is able to connect on the first attempt using EAP-TLS. But for some reason it's not able to connect via the Cisco 9120 EWC.

I just want to confirm whether there is any limitation that it's not supporting, or anything special we need to do to enable EAP-TLS? If there is any guide available that shows EAP-TLS with any NAC (ISE, FortiNAC etc.), we can use that to see if we have configured the EWC correctly. For reference purposes I have followed the video below and, like I said, I am able to connect via EAP-PEAP but not EAP-TLS.


https://www.youtube.com/watch?v=-RQANru0l_k


Mark Elsen
Hall of Fame


@Engineer101 > ...But for some reason its not able to connect via cisco 9120 EWC.

Track the client when it tries to connect using: https://logadvisor.cisco.com/logadvisor/wireless/9800/9800ClientConnectivity
These so-called RadioActive Traces can be analyzed with: Wireless Debug Analyzer

M.

-- Let everything happen to you
Beauty and terror
Just keep going
No feeling is final
Rainer Maria Rilke (1899)

Scott Fella
Hall of Fame

What you need to know is that on Cisco wireless, EWC or controller, you just configure 802.1X, that is it.  It's defined on the RADIUS server whether to allow EAP-TLS and/or PEAP.  As far as Windows is concerned, if it is configured for EAP-TLS and that fails, then users get prompted to enter credentials.  I would look at the ClearPass RADIUS logs and see if it's hitting the right policy and why it's failing when using EAP-TLS.  There might be additional configuration on the ClearPass side to authenticate the Cisco wireless.  You would need to hit up the Aruba forum for help on that.

This is similar to the video you were using: https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/217935-configure-9800-wlc-integration-with-arub.pdf

-Scott
*** Please rate helpful posts ***

Rich R
VIP

You don't say what actual version of software you are using.  17.6 could mean anything from 17.6.1 to 17.6.8!
Either way, 17.6 is almost end of life - it has already passed the End of SW Maintenance and End of Vulnerability/Security Support dates!  So you really should be looking at updating.  Refer to the TAC recommended code link below.

Check your config using the Config Analyzer (link below) using the output from "show tech wireless".  This will highlight many common mistakes and best practices.  Also refer to the Best Practices link below.

The radioactive trace will show what response you get back from the radius server (if any).  If you're getting back a reject then that confirms it's the server rejecting the client and you need to check the server and client logs for the reason.  If you're not getting a reply then it's your connection to the radius that's the problem - either network connectivity (routing, firewalls, ACLs) or incorrect radius secret.  Be careful about using special characters in the key - try to stick to standard ASCII characters to be safe - or if the key is very long then try shortening it.

------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
Field Notice: FN74383 APs Running 17.12.4/5/6/6a May Run Out of Flash Space Preventing Upgrades
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390
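Rich R's triage rule (an Access-Reject back from the RADIUS server versus no reply at all) and the original poster's observation that the ClearPass hit shows no EAP type can both be checked directly against the RADIUS traffic between the EWC and ClearPass. The following is an added example, not code from this thread or from Cisco or Aruba: a small Python parser that reads RADIUS packets, names the EAP method inside the EAP-Message attribute (IANA type 13 = EAP-TLS, 25 = PEAP) and classifies the outcome per the thread's rule. The packets are constructed inline with a zeroed Authenticator, and the shared secret and Message-Authenticator are not validated.

```python
import struct

# RADIUS packet codes (RFC 2865); the EAP payload rides in attribute 79 (RFC 3579)
RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
ATTR_EAP_MESSAGE = 79
# IANA EAP method types relevant to this thread: 13 = EAP-TLS, 25 = PEAP
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}

def parse_radius(pkt):
    """Split a RADIUS packet into its code, identifier and (type, value) attribute list."""
    code, ident, length = struct.unpack("!BBH", pkt[:4].ljust(4, b"\0"))
    if length < 20 or length > len(pkt):  # header (4) + Authenticator (16) is the minimum
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20  # attributes start right after the 16-byte Authenticator
    while pos < length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((atype, pkt[pos + 2:pos + alen]))
        pos += alen
    return {"code": RADIUS_CODES.get(code, "code-%d" % code), "id": ident, "attrs": attrs}

def eap_method(attrs):
    """Name the EAP method carried in the (possibly fragmented) EAP-Message attributes, or None."""
    eap = b"".join(v for t, v in attrs if t == ATTR_EAP_MESSAGE)
    if len(eap) < 5 or eap[0] not in (1, 2):  # only EAP Request/Response carry a Type byte
        return None
    return EAP_TYPES.get(eap[4], "eap-type-%d" % eap[4])

def triage(request, reply=None):
    """Thread's rule: a Reject points at server/client config, no reply at reachability or secret."""
    req = parse_radius(request)
    method = eap_method(req["attrs"]) or "unknown"
    if reply is None:
        return method, "no-reply"
    rep = parse_radius(reply)
    if rep["id"] != req["id"]:  # a reply is only valid for the request whose Identifier it echoes
        return method, "id-mismatch"
    return method, rep["code"]

def build_radius(code, ident, attrs):
    """Assemble a RADIUS packet with a zeroed Authenticator (constructed test input, not real traffic)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body

# Constructed samples: EAP-TLS client response (EAP code 2, type 13, flags 0), a PEAP one, and a Reject
TLS_REQUEST = build_radius(1, 7, [(1, b"user1"), (ATTR_EAP_MESSAGE, bytes([2, 1, 0, 6, 13, 0]))])
PEAP_REQUEST = build_radius(1, 8, [(1, b"user1"), (ATTR_EAP_MESSAGE, bytes([2, 1, 0, 6, 25, 0]))])
REJECT_FOR_TLS = build_radius(3, 7, [])
```

On real traffic, feed it the UDP payloads from a capture on the EWC's RADIUS path; a request that never yields a matching-Identifier reply is the "no reply" case Rich R describes, and a request whose EAP-Message never carries type 13 means the client is not actually offering EAP-TLS to the server.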