We have a highly secure environment with NAC on switchports. We need APs to use pre-provisioned (during staging) LSC certificates (the same ones used for DTLS encryption and AP auth on the WLC) during 802.1x EAP-TLS authentication on the NAC switchports. We have already chained the WLC with the root CA and provisioned LSC certs to all APs as "802.1x + CAPWAP-DTLS". APs are using LSC certs for both CAPWAP Data and Control DTLS encryption. NAC is not yet enabled on the switch ports to which the APs are connected.
The issue is that when we try to enable "802.1x Authentication" in "802.1x Supplicant Credentials" as EAP-TLS in the Access Points Global configuration in the GUI, the WLC asks for a username and password. (The picture is from the configuration guide.)
That's confusing, since we intend to use EAP-TLS, which requires a certificate instead of credentials. The configuration guides referring to this feature say: "Also configure user name and password."
What will those username/password be?
Depending on what WLC version you are running, the only 802.1x auth for the AP to the network is EAP-FAST.
Prior to release 8.7, AP port 802.1x only supported EAP-FAST; in release 8.7 the AP supplicant will also support EAP-TLS / EAP-PEAP.
We were not allowed to power on the 'main' root CA which is used for all production networking infrastructure. The 'additional' root CA which is used for SCEP on the WLC and APs can't be made trusted on ISE. ISE could trust only a single root CA (2 years ago). So it could not authenticate the APs' certificates issued by the 'additional' root CA on the NAC port.
The task is done and we left the site, so it's final.
If only ISE could have supported several root CAs at that time, then it would have been possible to make everything right.