Murinos
Beginner

CAPWAP AP 802.1x supplicant with EAP-TLS

Hello Community!

 

We have a highly secure environment with NAC on switchports. We need APs to use pre-provisioned (during staging) LSC certificates (the same ones used for DTLS encryption and AP auth on the WLC) during 802.1x EAP-TLS authentication on the NAC switchports. We had already chained the WLC with the root CA and provisioned LSC certs to all APs as "802.1x + CAPWAP-DTLS". APs are using LSC certs for both CAPWAP Data and Control DTLS encryption. NAC is not yet enabled on the switch ports to which the APs are connected.

 

The issue is that when we try to enable "802.1x Authentication" as EAP-TLS under "802.1x Supplicant Credentials" in the Access Points global configuration in the GUI, the WLC asks for a username and password. (The picture is from the configuration guide.)

 

That's confusing, since we intend to use EAP-TLS, which requires a certificate instead of credentials. Configuration guides referring to this feature say: "Also configure user name and password."

What will those username/password be?

 

Thanks!

5 REPLIES
Haydn Andrews
Rising star

Depending on what WLC version you are running, the only 802.1x auth for the AP to the network is EAP-FAST.

 

From

https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-7/b_802_1x_eap_supplicant_on_cos_ap.html

Prior to rel 8.7, AP port 802.1x only supported EAP-FAST; in rel 8.7 the AP supplicant will also support EAP-TLS / EAP-PEAP.

*****Help out other by using the rating system and marking answered questions as "Answered"*****
*** Please rate helpful posts ***

Thanks for your reply!

 

It's 8.10.105, so this feature is supported, and we have an option to choose EAP-TLS as the authentication method. We are just still being asked for a username and password when we choose it.

 

Murinos
Beginner

 

Any ideas?

When I try to enable 802.1x Authentication:

 

[screenshot: 2.png]

 

I get this error:

[screenshot: 1.png]

 

What's Global 802.1x Username? I want to use EAP-TLS...

Thanks!

Hello Murinos,

 

Did you figure out how to solve this? If you configure EAP-TLS without any username/password set, is it working?

 

AL

Hello aleopoldie,

 

No, we bumped into another problem. The ISE we use as the AAA server for NAC can't trust the root CA we use for SCEP on the WLC. So, it will not accept the certificates we issue to APs for EAP-TLS.

We are bound to EAP-FAST (login/pass) and MAC check.
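The trust problem in the last reply can be reproduced and checked offline before touching ISE: an EAP-TLS server only accepts the AP's LSC certificate if its trust store can build a chain to the CA that signed it. The script below is an added example (not from this thread, Cisco, or ISE); it builds a constructed "WLC SCEP root" and a constructed AP LSC with openssl, then runs the same chain check against a trust store with and without that root. All subject names are placeholders.

```shell
#!/bin/sh
# Added example: emulate the AAA server's chain check on an AP EAP-TLS cert.
# Every certificate here is constructed locally; CNs are placeholders.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Constructed root CA standing in for the WLC's SCEP/LSC issuing root.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
  -subj "/CN=WLC-SCEP-Root-CA-placeholder" \
  -keyout root.key -out root.pem >/dev/null 2>&1

# Constructed AP LSC: the supplicant certificate issued by that root.
openssl req -newkey rsa:2048 -nodes -subj "/CN=AP-LSC-placeholder" \
  -keyout ap.key -out ap.csr >/dev/null 2>&1
openssl x509 -req -in ap.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 30 -out ap.pem >/dev/null 2>&1

# Constructed unrelated root: what the AAA server trusts before the fix.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
  -subj "/CN=Unrelated-Root-placeholder" \
  -keyout other.key -out other.pem >/dev/null 2>&1

# verify_chain <trust-store.pem> <client-cert.pem>
# Prints "trusted" when the store chains to the client cert, else "untrusted".
verify_chain() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

# Trust store without the WLC root: EAP-TLS client auth would be rejected.
before_fix() { verify_chain other.pem ap.pem; }
# Trust store that includes the WLC root: the chain builds and auth can proceed.
after_fix() { verify_chain root.pem ap.pem; }

echo "AAA store lacking WLC SCEP root:  $(before_fix)"
echo "AAA store holding WLC SCEP root:  $(after_fix)"
```

Run the real check by exporting an AP's LSC and pointing `-CAfile` at the CA bundle the AAA server actually holds; "untrusted" there means the issuing root still has to be imported into the server's trusted certificates.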

 
