9120 EWC EAP-TLS support

Engineer101
Level 1

Hi all, 

We have 9120 running EWC 17.6 firmware version. We are trying to implement EAP-TLS on client laptops. Below is the customer setup

1) Windows server running AD and CS services

2) Windows 11 laptops / Windows 10 laptops

3) Aruba ClearPass

4) Cisco 9120 APs running EWC (no physical controller)

Now we have already tested ClearPass with a Cisco C1000 switch and it's working perfectly OK with EAP-TLS. But for some reason, the AP doesn't support EAP-TLS. When we try to attempt EAP-PEAP from the laptop, we are able to connect successfully, but when we set the authentication mode to EAP-TLS (smart card option) on the laptop, the hit that we get on ClearPass doesn't even show the EAP type. Without changing any setup, when we deploy an Aruba AP (505) and broadcast the same SSID, the client is able to connect on the first attempt using EAP-TLS. But for some reason it's not able to connect via the Cisco 9120 EWC. 

I just want to confirm whether there is any limitation that it's not supporting, or anything special we need to do to enable EAP-TLS? If there is any guide available that shows EAP-TLS with any NAC (ISE, FortiNAC etc.), we can use that to see if we have configured EWC correctly. For reference purposes I have followed the video below and, like I said, I am able to connect via EAP-PEAP but not EAP-TLS. 


https://www.youtube.com/watch?v=-RQANru0l_k


marce1000
Hall of Fame

 - @Engineer101 > ....But for some reason it's not able to connect via cisco 9120 EWC. 

Track the client when it tries to connect using: https://logadvisor.cisco.com/logadvisor/wireless/9800/9800ClientConnectivity
These so-called RadioActive Traces can be analyzed with: Wireless Debug Analyzer

   M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
   When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

Scott Fella
Hall of Fame

What you need to know is that on Cisco wireless, EWC or controller, you just configure 802.1X, that is it.  It's defined on the RADIUS server to allow EAP-TLS and/or PEAP.  As far as Windows is concerned, if configured for EAP-TLS and that fails, then users get prompted to enter credentials.  I would look at the ClearPass RADIUS logs and see if it's hitting the right policy and why it's failing when using EAP-TLS.  There might be additional configuration on the ClearPass side to authenticate the Cisco wireless.  You would need to hit up the Aruba forum for help on that.

This is similar to the video you were using: https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/217935-configure-9800-wlc-integration-with-arub.pdf

-Scott
*** Please rate helpful posts ***

Rich R
VIP

You don't say what actual version of software you are using.  17.6 could mean anything from 17.6.1 to 17.6.8!
Either way, 17.6 is almost end of life - it has already passed the End of SW Maintenance and End of Vulnerability/Security Support dates!  So you really should be looking at updating.  Refer to the TAC recommended code link below.

Check your config using the Config Analyzer (link below) using the output from "show tech wireless".  This will highlight many common mistakes and best practices.  Also refer to the Best Practices link below.

The radioactive trace will show what response you get back from the RADIUS server (if any).  If you're getting back a reject then that confirms it's the server rejecting the client and you need to check the server and client logs for the reason.  If you're not getting a reply then it's your connection to the RADIUS server that's the problem - either network connectivity (routing, firewalls, ACLs) or an incorrect RADIUS secret.  Be careful about using special characters in the key - try to stick to standard ASCII characters to be safe - or if the key is very long then try shortening it.
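The distinction Rich draws above (an explicit reject versus no reply at all) follows directly from how RADIUS authenticates its packets. As an added illustration that is not part of this thread or of any Cisco or Aruba code, the Python below simulates one Access-Request/response exchange between a NAS (the EWC) and a RADIUS server: the request carries EAP-Message, so per RFC 3579 it must carry a Message-Authenticator (HMAC-MD5 under the shared secret), and a server that cannot validate it must silently discard the packet. That discard is what the NAS records as a timeout. All identities, secrets and the allow-list are constructed for the demo; the functions and names are my own and not a real RADIUS library's API.

```python
"""Added example: why a wrong RADIUS shared secret looks like "no reply"
while a policy failure comes back as an explicit Access-Reject.
Constructed demo; not from the thread and not a Cisco/Aruba implementation."""
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and attribute types (RFC 2865 / RFC 2869 / RFC 3579)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 1, 79, 80
HEADER = struct.Struct("!BBH16s")  # Code, Identifier, Length, Authenticator


def _attr(attr_type, value):
    """Encode one Type-Length-Value attribute."""
    return bytes([attr_type, 2 + len(value)]) + value


def _attrs(pkt):
    """Yield (offset, type, value) for each attribute in a packet."""
    off = HEADER.size
    length = struct.unpack_from("!H", pkt, 2)[0]
    while off + 2 <= length:
        attr_type, attr_len = pkt[off], pkt[off + 1]
        if attr_len < 2:
            break  # malformed length; stop parsing
        yield off, attr_type, pkt[off + 2:off + attr_len]
        off += attr_len


def build_access_request(secret, identity, request_authenticator, ident=1):
    """NAS side: Access-Request carrying an EAP Response/Identity.
    RFC 3579 requires Message-Authenticator whenever EAP-Message is present:
    HMAC-MD5(secret, packet with the 16-byte Message-Authenticator zeroed)."""
    ident_bytes = identity.encode()
    eap_identity = struct.pack("!BBH", 2, 1, 5 + len(ident_bytes)) + b"\x01" + ident_bytes
    attrs = (_attr(ATTR_USER_NAME, ident_bytes)
             + _attr(ATTR_EAP_MESSAGE, eap_identity)
             + _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))
    pkt = HEADER.pack(ACCESS_REQUEST, ident, HEADER.size + len(attrs), request_authenticator) + attrs
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac  # Message-Authenticator is the last attribute


def verify_message_authenticator(secret, pkt):
    """Server side: recompute the HMAC with the attribute value zeroed."""
    for off, attr_type, value in _attrs(pkt):
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            zeroed = pkt[:off + 2] + bytes(16) + pkt[off + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(value, expected)
    return False  # EAP-Message without Message-Authenticator: discard (RFC 3579 3.2)


def build_response(secret, code, ident, request_authenticator, attrs=b""):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    length = HEADER.size + len(attrs)
    digest = hashlib.md5(struct.pack("!BBH", code, ident, length)
                         + request_authenticator + attrs + secret).digest()
    return HEADER.pack(code, ident, length, digest) + attrs


def server_handle(secret, pkt, allowed_identities):
    """Server side. Returns a response, or None when the request is silently
    discarded: a bad Message-Authenticator MUST be dropped without reply
    (RFC 3579 3.2), which is exactly what the NAS logs as a RADIUS timeout."""
    if not verify_message_authenticator(secret, pkt):
        return None
    _, ident, _, request_authenticator = HEADER.unpack_from(pkt)
    identity = next((v.decode() for _, t, v in _attrs(pkt) if t == ATTR_USER_NAME), "")
    code = ACCESS_ACCEPT if identity in allowed_identities else ACCESS_REJECT
    return build_response(secret, code, ident, request_authenticator)


def verify_response(secret, request_authenticator, resp):
    """NAS side: check the Response Authenticator under the NAS's own secret."""
    code, ident, length, digest = HEADER.unpack_from(resp)
    expected = hashlib.md5(struct.pack("!BBH", code, ident, length)
                           + request_authenticator + resp[HEADER.size:length] + secret).digest()
    return hmac.compare_digest(digest, expected)


def nas_outcome(nas_secret, server_secret, identity, allowed_identities):
    """Run one exchange and report what the NAS (WLC/EWC) observes."""
    request_authenticator = os.urandom(16)
    req = build_access_request(nas_secret, identity, request_authenticator)
    resp = server_handle(server_secret, req, allowed_identities)
    if resp is None:
        return "no-reply"           # timeout: path, ACL or shared-secret mismatch
    if not verify_response(nas_secret, request_authenticator, resp):
        return "bad-authenticator"  # reply arrived but the NAS drops it: secret mismatch
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(resp[0], "other")


if __name__ == "__main__":
    SECRET = b"Constructed-Secret-1"                 # constructed demo value
    ALLOWED = {"host/laptop01.example.test"}          # constructed allow-list
    print(nas_outcome(SECRET, SECRET, "host/laptop01.example.test", ALLOWED))
    print(nas_outcome(SECRET, SECRET, "host/unknown.example.test", ALLOWED))
    # One stray trailing space in the key on the NAS side: the server never answers.
    print(nas_outcome(SECRET + b" ", SECRET, "host/laptop01.example.test", ALLOWED))
```

The third call is the case Rich describes: a secret that differs by one invisible character produces no Access-Reject, only silence, so the trace shows retransmits and a timeout rather than a server decision. For a request without EAP-Message (plain PAP), the server would answer, but the NAS would then fail its own Response Authenticator check and drop the reply, which is the `bad-authenticator` branch above and again looks like "no reply" from the client's point of view.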
