02-05-2014 06:16 PM - edited 07-05-2021 12:06 AM
Hi,
I am stuck with a situation where I need to get the autonomous AP to just authenticate with ISE EAP-TLS. Is it possible?
So far I am not able to get it working, and the ISE authentication logs say that the EAP method is not allowed in allowed-protocol; at the same time, the WLC has no issues getting users authenticated with EAP-TLS.
Any suggestions would be appreciated.
Thanks
02-05-2014 06:46 PM
Have you tried to test using PEAP? Just trying to eliminate variables. The setting on the AP would be the same for all EAP types.
Here is a guide that shows what is needed on the AP.
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00801df0ea.shtml#config-ap
Make sure the client is set up properly also, which can show the same error.
Sent from Cisco Technical Support iPhone App
02-17-2015 01:50 AM
It works with ACS and I think it works also with ISE, it's the same principle.
Just for information, you can import a certificate with these commands:
crypto pki trustpoint MY-TRUSTPOINT
 revocation-check none
 enrollment terminal
 exit
crypto pki import MY-TRUSTPOINT pem terminal PASSPHRASE
Then copy / paste the CA certificate, the private key with the PASSPHRASE and the certificate.
Nota bene: all these certificates must be hashed with sha1 (sha256 is not supported).
02-03-2015 08:40 AM
There is little documentation about EAP-TLS on EAP-TLS.
I'm looking for that.
Filipe
02-16-2015 07:11 PM
The EAP-TLS authentication protocol is not supported for an autonomous AP to authenticate with ISE. You can try with PEAP.
02-17-2015 01:52 AM
It works with ACS and I think it works also with ISE, it's the same principle.
Just for information, you can import a certificate with these commands:
crypto pki trustpoint MY-TRUSTPOINT
 revocation-check none
 enrollment terminal
 exit
crypto pki import MY-TRUSTPOINT pem terminal PASSPHRASE
Then copy / paste the CA certificate, the private key with the PASSPHRASE and the certificate.
Nota bene: all these certificates must be hashed with sha1 (sha256 is not supported).
03-02-2015 12:29 AM
For me it's the same thing but I don't test with ISE. Has anyone tested this use case?
02-27-2015 10:31 AM
As mentioned earlier.
EAP-TLS is not supported in Autonomous; you can use PEAP or use ACS as an alternative.
10-23-2017 12:41 AM
Just for anyone who still has this question,
I've tested EAP-TLS authentication with a 1700 series autonomous AP and ISE version 2.2 successfully. In addition, features like dynamic VLAN and ACLs also worked.
It seems that all the features the ACS supported for autonomous APs are supported in ISE.