Anchored EAP-TLS: foreign terminates TLS

Level 1

Hi all,


At one of our clients there is a WLAN service for corporate devices with EAP-TLS, and it is anchored since they require Internet access only.


As stated on Cisco’s Enterprise Mobility 7.3 Design Guide, the wlan’s security parameters are configured exactly the same on both the foreign and the anchors, including the authentication and accounting servers (acct+auth are active on both foreign and anchors, with the same radius servers - the ISE PSNs).


The issue is that the TLS termination and user authentication are done on the foreign and, for security purposes, it would be best to have these intelligent functions on the anchor (the intranet foreign being just a bridge).


One possible solution might be to disable authentication on the foreign but: first, I don't know if this will break the anchoring at some point; second, because I don't want to diverge from the design guides in a production environment.


WLCs running 7.6.130.


Any thoughts on this one?


Thanks in advance.

1 Reply

Level 1

Update: tested disabling acct+auth on the foreign and this doesn't work
