cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
356
Views
0
Helpful
1
Replies

Anchored EAP-TLS: foreign terminates TLS

tjoliveira
Level 1
Level 1

Hi all,

 

In one of our clients there is a wlan service for corporate devices with EAP-TLS and anchored since they require Internet access only.

 

As stated on Cisco’s Enterprise Mobility 7.3 Design Guide, the wlan’s security parameters are configured exactly the same on both the foreign and the anchors, including the authentication and accounting servers (acct+auth are active on both foreign and anchors, with the same radius servers - the ISE PSNs).

 

The issue is that the TLS termination and user authentication is done on the foreign and, for security proposes, it would be best to have these intelligent functions on the anchor (being the intranet foreign just a bridge).

 

One possible solution might be to disable authentication on the foreign but: first, I don't know if this will break the anchoring at some point; second, because I don't want to diverge from the design guides on a productive environment.

 

WLCs running 7.6.130.

 

Any thoughts on this one?

 

Thanks in advance.

1 Reply 1

tjoliveira
Level 1
Level 1

Update: tested disabling acct+auth on the foreign and this doesn't work

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Review Cisco Networking products for a $25 gift card