
Configure certificate based access, via radius? 802.1x

Alex Willoughby
Level 1

Hi all,

I'm new to wireless security and have been tasked with researching and testing getting users authenticated against our wireless APs (1130AGs I'm testing on) using certificates (802.1x).

So I'm basically looking at where do I start and how do I do it. I haven't found many useful guides nor a definitive config or steps yet. My initial starts are below:

I've looked into ACS but I don't think it's needed, is it?

Do I need to get the root CA on the AP? If yes, how do I do it?

Do I need a device certificate installing on it too? How do I create a CSR for it?

I've seen some configs/guides on using RADIUS and I created a RADIUS connection from the AP to my Server 2008 NPS server.

I've created a network policy for the AP's IP to use Microsoft smart card or other certificate or Microsoft protected EAP (PEAP). Will this policy work?

I had the wifi access configured authentication to open eap and network-eap as I've read about that somewhere too.

My first effort when connected/ing to the AP I got some dot11-7 messages authentication failed for my wireless MAC address (I didn't think it would work though).

How do I get this configured and in what order do I need to do these things?

Thanks guys

4 Replies

Scott Fella
Hall of Fame

I'll try to answer these as best as I can.

I've looked into ACS but I don't think it's needed, is it?

-You need some sort of RADIUS server.  If it's not ACS you can also use Microsoft IAS or NPS.  There are other free RADIUS servers out there also, but I'm not familiar with those.

Do I need to get the root CA on the AP? If yes, how do I do it?

-No... the certificate you will use for 802.1x PEAP is installed on the RADIUS server.

Do I need a device certificate installing on it too? How do I create a CSR for it?

-I don't know what you mean by this... you need a certificate on the RADIUS server.  Depending on what RADIUS server you use, there are docs that explain how to install a certificate.

I've seen some configs/guides on using RADIUS and I created a RADIUS connection from the AP to my Server 2008 NPS server.

I've created a network policy for the AP's IP to use Microsoft smart card or other certificate or Microsoft protected EAP (PEAP). Will this policy work?

-Yes... those are good guides... you just have to decide if you're using EAP-TLS or PEAP.  EAP-TLS requires certificates also on the client devices, PEAP does not.

I had the wifi access configured authentication to open eap and network-eap as I've read about that somewhere too.

My first effort when connected/ing to the AP I got some dot11-7 messages authentication failed for my wireless MAC address (I didn't think it would work though).

-No it didn't work... you need to set up your environment first before you can test.

Thanks,

Scott

Help out others by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***
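
Added example, not part of the original posts and not Cisco's or the posters' own configuration: a minimal autonomous-AP sketch of the arrangement described in the reply above, where the AP only relays EAP to the RADIUS server (NPS here) and holds no certificate itself. The server address 192.0.2.10, the SSID name, the group and method-list names and the shared secret are placeholders assumed for illustration.

```cisco
! Constructed example: 192.0.2.10, CORP-DOT1X, rad_eap, eap_methods and
! <shared-secret> are placeholders, not values from the thread.
aaa new-model
!
! RADIUS server group pointing at the NPS server
aaa group server radius rad_eap
 server 192.0.2.10 auth-port 1812 acct-port 1813
!
! Method list the SSID uses to hand the EAP exchange off to RADIUS
aaa authentication login eap_methods group rad_eap
!
! Accept standard 802.1X supplicants (open eap) and Network-EAP clients,
! and require WPA2 key management so keys come from the EAP exchange
dot11 ssid CORP-DOT1X
 authentication open eap eap_methods
 authentication network-eap eap_methods
 authentication key-management wpa version 2
!
! AES-CCMP on the radio, then bind the SSID to it
interface Dot11Radio0
 encryption mode ciphers aes-ccm
 ssid CORP-DOT1X
 no shutdown
!
! The key must match the shared secret set for this AP as a RADIUS client in NPS
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key <shared-secret>
```

The choice between PEAP and EAP-TLS is made in the NPS network policy and on the clients; nothing in the AP configuration changes between the two.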

Thank you for the swift and informative response!

I meant did I need a device certificate installing on the AP like you do in a firewall setup, but you've answered my question by mentioning I only need to configure RADIUS.

From what you have said I want to aim for an EAP-TLS setup, so all the clients need certificates.

Do you know of any good guides / references on how to configure the RADIUS and/or the AP I can start from?

Thanks again

Scott Fella
Hall of Fame

Alex,

Is EAP-TLS what you want to do? The reason I ask is because you would need to have a PKI infrastructure (CA Server). If your devices are all Windows and joined to the domain, you can push a GPO. There are a lot of docs and YouTube videos that can help but not an all in one doc. You would have to research each part. For example:

How to setup a Microsoft PKI CA Server
Microsoft EAP-TLS for Windows 7
Microsoft NPS EAP-TLS configuration example
Cisco autonomous AP EAP-TLS configuration
Cisco autonomous AP radius configuration example

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Yeah, we have a Server 2008 CA in place here that we run cert-based RAVPN off (I set that up), so hopefully I'll be able to transfer some knowledge there.

I'll get searching for those configs now and see how I go!

Thanks for your help!
