Mobility Express Local EAP Certificate

jmprats · ‎09-23-2021

I want to use PEAP with ME with Local Authentication. It works but it shows to the users the internal certificate issued by Cisco Manufacturing CA. I have got in the controller a public certificate that I am using with the captive portal. How can I use my certificate with Local EAP?

Thanks

Sandeep Choudhary · ‎09-23-2021

Follow this guide to install the device certificate either signed by company CA or you can also signed it it with public certificate authority (ex: global sign)

https://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/100590-ldap-eapfast-config.html

Regards

Dont forget to arte helpful posts

jmprats · ‎09-23-2021

Thank you. I will try later in a maintenance window. I don't want to take any risk of side effects changing the controller certificate.

jmprats · ‎09-30-2021

I finally installed the eap public certificate (third party certificate) with "transfer download datatype eapdevcert " command and rebooted the controller.

After the reboot, the command "show certificate eap" shows the new installed certificate but when I connect to the Wlan with PEAP with local users the AP shows me the Cisco preconfigured certificate.

How can I use my third party certificate?

Do I have to select the certificate in the WLC configuration?

Thank you

Sandeep Choudhary · ‎10-01-2021

HI,

If you already installed that you can use the vendor certificate instead of cisco, check this :

---------------------------

Configure certificate parameters per profile by entering these commands:

config local-auth eap-profile method fast local-cert {enable | disable} profile_name — Specifies whether the device certificate on the controller is required for authentication.

Note

This command applies only to EAP-FAST because device certificates are not used with LEAP and are mandatory for EAP-TLS and PEAP.
config local-auth eap-profile method fast client-cert {enable | disable} profile_name — Specifies whether wireless clients are required to send their device certificates to the controller in order to authenticate.

Note

This command applies only to EAP-FAST because client certificates are not used with LEAP or PEAP and are mandatory for EAP-TLS.
config local-auth eap-profile cert-issuer {cisco | vendor} profile_name —If you specified EAP-FAST with certificates, EAP-TLS, or PEAP, specifies whether the certificates that will be sent to the client are from Cisco or another vendor.
config local-auth eap-profile cert-verify ca-issuer {enable | disable} profile_name —If you chose EAP-FAST with certificates or EAP-TLS, specifies whether the incoming certificate from the client is to be validated against the CA certificates on the controller.
config local-auth eap-profile cert-verify cn-verify {enable | disable} profile_name —If you chose EAP-FAST with certificates or EAP-TLS, specifies whether the common name (CN) in the incoming certificate is to be validated against the CA certificates’ CN on the controller.
config local-auth eap-profile cert-verify date-valid {enable | disable} profile_name —If you chose EAP-FAST with certificates or EAP-TLS, specifies whether the controller is to verify that the incoming device certificate is still valid and has not expired.

---------------------------

Regards

Dont forget to rate helpful posts

jmprats · ‎10-01-2021

Thank you very much, very helpful information. But still not working.

With a Windows client, it doesn't show me a server certificate to accept and it doesn't connect

With an android client, it only connects if I choose not validate server certificate.

It seems there is a problem with the certificate or the ca certificate.

Which eap CA certificate do I have to upload to the controller? root CA or Intermediate CA?