1745 Views, 25 Helpful, 4 Replies

How to configure WLC 2500 with authentication 802.1x EAP TTLS

Tarjeet Singh (Level 1)

Please help.

My client wants to test their new product with wireless authentication 802.1X EAP-TTLS. They have a Cisco WLC 2504. Can you please confirm whether the Cisco WLC 2500 supports EAP-TTLS, and if so, how to configure it?

So far I have added the RADIUS TTLS server to my WLC. Under RADIUS on the WLC I added the RADIUS server IP and key and created a new SSID with 802.1X WPA+WPA2 (WPA2 policy and WPA encryption AES); after that, under the SSID's AAA Servers tab, I selected the same server IP from the drop-down.

But the user tried and it didn't work; also, we didn't see any hit on the RADIUS server. Yes, the policy has been added on the RADIUS server.

My client wants to use TTLS instead of TLS because with TLS you have to use a client certificate on the client side, but with TTLS you can use a certificate on the client side, though it is optional. So they want to stick with TTLS. But I am not seeing any documentation on TTLS with the Cisco WLC.

My Android phone (Galaxy II) has a TTLS option under EAP 802.1X, so Android devices support TTLS.

4 Replies

Amjad Abdullah (VIP Alumni)

It should work if both the supplicant (user device) and the AAA server support EAP-TTLS. The WLC should work with whatever EAP method is supported by both the supplicant and the AAA server.

You may use debug client on the WLC to troubleshoot further if you still have no hits on the AAA server.

HTH

Amjad

Rating useful replies is more useful than saying "Thank you"
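A way to check the point Amjad makes above in practice: the WLC only relays the EAP conversation between supplicant and AAA server inside RADIUS, so "no hits on the RADIUS server" is almost always a RADIUS-layer problem (NAS not defined on the server, shared-secret mismatch, UDP/1812 blocked) rather than anything to do with EAP-TTLS. The script below is an added example and is not part of this thread or of any Cisco or RADIUS-server code: it builds the same first packet a WLC sends (an Access-Request carrying EAP-Response/Identity plus the Message-Authenticator that RFC 3579 requires on every RADIUS packet that carries EAP) using only the Python standard library, verifies the server's reply, and includes the server-side checks so the two halves can be exercised offline. The server address 192.0.2.10, shared secret, NAS IP 192.0.2.2 and identity are assumed placeholders.

```python
"""RADIUS Access-Request carrying EAP (RFC 2865 + RFC 3579), standard library only.
Server address, shared secret, NAS IP and identity used below are assumed values."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_CHALLENGE = 1, 11
USER_NAME, NAS_IP_ADDRESS, NAS_PORT_TYPE, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 4, 61, 79, 80
WIRELESS_80211 = 19  # NAS-Port-Type value a WLC reports for Wi-Fi clients
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1

def avp(attr_type, value):
    """One RADIUS attribute: type, length (header included), value."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def eap_identity_response(identity, eap_id=1):
    """EAP-Response/Identity: the supplicant's first frame, relayed unchanged by the WLC."""
    payload = struct.pack("!B", EAP_TYPE_IDENTITY) + identity
    return struct.pack("!BBH", EAP_RESPONSE, eap_id, 4 + len(payload)) + payload

def build_access_request(secret, identity, nas_ip, req_id=0, authenticator=None):
    """Access-Request as the NAS (the WLC) sends it.  RFC 3579 requires a
    Message-Authenticator (HMAC-MD5 over the packet, attribute value zeroed) on
    every RADIUS packet carrying EAP; servers silently drop it otherwise."""
    authenticator = authenticator or os.urandom(16)
    attrs = avp(USER_NAME, identity)
    attrs += avp(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
    attrs += avp(NAS_PORT_TYPE, struct.pack("!I", WIRELESS_80211))
    attrs += avp(EAP_MESSAGE, eap_identity_response(identity))
    attrs += avp(MESSAGE_AUTHENTICATOR, bytes(16))  # zero placeholder, kept last
    packet = struct.pack("!BBH", ACCESS_REQUEST, req_id, 20 + len(attrs)) + authenticator + attrs
    return packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()

def parse_attributes(payload):
    """(type, value) pairs from the attribute region; rejects bad lengths."""
    attrs, i = [], 0
    while i < len(payload):
        length = payload[i + 1] if i + 1 < len(payload) else 0
        if length < 2 or i + length > len(payload):
            raise ValueError("bad attribute length")
        attrs.append((payload[i], payload[i + 2:i + length]))
        i += length
    return attrs

def verify_message_authenticator(secret, packet):
    """Server-side check: recompute the HMAC with the attribute value zeroed."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    try:
        attrs = parse_attributes(packet[20:])
    except ValueError:
        return False
    offset = 20
    for attr_type, value in attrs:
        if attr_type == MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:offset + 2] + bytes(16) + packet[offset + 18:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), value)
        offset += 2 + len(value)
    return False  # EAP packet without Message-Authenticator: discard (RFC 3579)

def build_response(secret, request_authenticator, code, req_id, attrs):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, req_id, 20 + len(attrs))
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs

def verify_response(secret, request_authenticator, response):
    """Client side: did a holder of the secret produce this reply for our request?"""
    code, _, length = struct.unpack("!BBH", response[:4])
    attrs = response[20:]
    expected = hashlib.md5(response[:4] + request_authenticator + attrs + secret).digest()
    if length != len(response) or not hmac.compare_digest(expected, response[4:20]):
        return False, code, []
    return True, code, parse_attributes(attrs)

def probe_radius(server, secret, identity, nas_ip, port=1812, timeout=3.0):
    """Send one Access-Request and wait (network I/O; not run by the offline checks).
    (None, []) is the 'no hit on the RADIUS server' symptom: wrong shared secret, NAS
    not defined on the server and blocked UDP/1812 all look the same from here."""
    authenticator = os.urandom(16)
    request = build_access_request(secret, identity, nas_ip, 7, authenticator)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (server, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None, []
    ok, code, attrs = verify_response(secret, authenticator, reply)
    return (code if ok else "bad Response Authenticator"), attrs

if __name__ == "__main__":
    print(probe_radius("192.0.2.10", b"assumed-shared-secret", b"alice@example.com", "192.0.2.2"))
```

Run it from a host the RADIUS server knows as a NAS (or temporarily add that host with the same shared secret the WLC uses). An Access-Challenge (code 11) back proves the RADIUS side accepts the client and has started EAP; if the WLC still produces no hit after that, the problem is on the WLC side and `debug client` is the next step. One caveat: RADIUS servers drop packets with a wrong secret or an unknown NAS silently, so a timeout from this probe is indistinguishable from an unreachable server; the server's own log is what tells the two apart.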

Hoggins (Level 1)

I believe that's because WLC simply doesn't support EAP-TTLS. I'm looking for this too instead of EAP-TLS, and it doesn't seem to offer this feature:

[Screenshot attached: Capture d’écran de 2022-03-06 15-33-00.png]

Should I get a more recent version of WLC software? Mine is 8.2.100.0.

I must correct my answer/question above: the WLC doesn't seem to support EAP-TTLS for local EAP. As @Amjad Abdullah stated, EAP-TTLS will work if you're not involving the WLC directly, i.e. directly between RADIUS and a WPA supplicant.

ammahend (VIP Alumni)

Agree. If you don't want to worry about client certificates then use PEAP/MSCHAPv2; with any method you will still, for the most part, have to provision the client devices (supplicants) and your RADIUS server.
Moreover, there are client restrictions:
iOS clients won't support TTLS with PAP unless you manually (via a computer) install a profile.

Windows clients won't support TTLS out of the box for the most part.
Android supports almost all combinations of EAP.


-hope this helps-