Mobility Express Local EAP Certificate

jmprats
Enthusiast

I want to use PEAP with ME with Local Authentication. It works, but it shows users the internal certificate issued by the Cisco Manufacturing CA. I have a public certificate on the controller that I am using with the captive portal. How can I use my certificate with Local EAP?

Thanks


Sandeep Choudhary
VIP Mentor

Follow this guide to install the device certificate, either signed by your company CA or by a public certificate authority (e.g. GlobalSign):

https://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/100590-ldap-eapfast-config.html

Regards

Don't forget to rate helpful posts

Thank you. I will try later in a maintenance window. I don't want to take any risk of side effects changing the controller certificate.

I finally installed the EAP public certificate (third-party certificate) with the "transfer download datatype eapdevcert" command and rebooted the controller.

After the reboot, the command "show certificate eap" shows the newly installed certificate, but when I connect to the WLAN with PEAP with local users the AP shows me the Cisco preconfigured certificate.

How can I use my third party certificate?

Do I have to select the certificate in the WLC configuration?

Thank you

Hi,

If you have already installed it, you can use the vendor certificate instead of Cisco's; check this:

---------------------------

Configure certificate parameters per profile by entering these commands:

  • config local-auth eap-profile method fast local-cert {enable | disable} profile_name — Specifies whether the device certificate on the controller is required for authentication.
    Note: This command applies only to EAP-FAST because device certificates are not used with LEAP and are mandatory for EAP-TLS and PEAP.

  • config local-auth eap-profile method fast client-cert {enable | disable} profile_name — Specifies whether wireless clients are required to send their device certificates to the controller in order to authenticate.
    Note: This command applies only to EAP-FAST because client certificates are not used with LEAP or PEAP and are mandatory for EAP-TLS.

  • config local-auth eap-profile cert-issuer {cisco | vendor} profile_name — If you specified EAP-FAST with certificates, EAP-TLS, or PEAP, specifies whether the certificates that will be sent to the client are from Cisco or another vendor.

  • config local-auth eap-profile cert-verify ca-issuer {enable | disable} profile_name — If you chose EAP-FAST with certificates or EAP-TLS, specifies whether the incoming certificate from the client is to be validated against the CA certificates on the controller.

  • config local-auth eap-profile cert-verify cn-verify {enable | disable} profile_name — If you chose EAP-FAST with certificates or EAP-TLS, specifies whether the common name (CN) in the incoming certificate is to be validated against the CA certificates' CN on the controller.

  • config local-auth eap-profile cert-verify date-valid {enable | disable} profile_name — If you chose EAP-FAST with certificates or EAP-TLS, specifies whether the controller is to verify that the incoming device certificate is still valid and has not expired.

---------------------------

Regards

Don't forget to rate helpful posts

Thank you very much, very helpful information. But it is still not working.

With a Windows client, it doesn't show me a server certificate to accept and it doesn't connect.

With an Android client, it only connects if I choose not to validate the server certificate.

It seems there is a problem with the certificate or the CA certificate.

Which EAP CA certificate do I have to upload to the controller? Root CA or intermediate CA?
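The symptoms above (Windows never offers a server certificate to accept, Android only connects with server validation off) are what a client shows when it cannot build a path from the server certificate to a trusted root, typically because the intermediate CA is missing from the bundle or the file is in the wrong order. As an added check that is not part of this thread and not Cisco's code, the stdlib-only Python below walks a leaf-first PEM bundle and reports every broken issuer-to-subject link and whether the bundle ends at a self-issued root; `fake_cert` only builds constructed, unsigned certificate skeletons so the check can run offline, and names such as `wlc.example.com` and `Example Issuing CA` are constructed placeholders.

```python
import base64
import re

def _tlv(buf, pos):
    """Read one DER TLV header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def names(der):
    """Return (issuer, subject) as the raw DER Name bytes of one certificate."""
    _, tbs_pos, _ = _tlv(der, 0)                    # Certificate ::= SEQUENCE { tbsCertificate, ... }
    _, pos, end = _tlv(der, tbs_pos)                # tbsCertificate ::= SEQUENCE { ... }
    fields = []
    while pos < end:                                # collect the top-level tbsCertificate fields
        tag, _, ve = _tlv(der, pos)
        fields.append((tag, pos, ve))
        pos = ve
    if fields[0][0] == 0xA0:                        # skip the optional explicit [0] version
        fields.pop(0)
    # field order: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    issuer, subject = fields[2], fields[4]
    return der[issuer[1]:issuer[2]], der[subject[1]:subject[2]]

def check_chain(pem):
    """Leaf-first PEM bundle -> (indexes i where cert i's issuer != cert i+1's subject, last cert is self-issued)."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    certs = [names(base64.b64decode("".join(b.split()))) for b in blocks]
    broken = [i for i in range(len(certs) - 1) if certs[i][0] != certs[i + 1][1]]
    return broken, certs[-1][0] == certs[-1][1]

def _der(tag, payload):
    """Encode one DER TLV; used only to build the constructed test data below."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def fake_cert(subject_cn, issuer_cn):
    """CONSTRUCTED test data: an unsigned certificate skeleton with the real tbsCertificate field order."""
    def name(cn):  # Name ::= SEQUENCE { SET { SEQUENCE { OID 2.5.4.3 commonName, UTF8String cn } } }
        return _der(0x30, _der(0x31, _der(0x30, _der(0x06, bytes.fromhex("550403")) + _der(0x0C, cn.encode()))))
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")   # version, serial, sigAlg
           + name(issuer_cn) + _der(0x30, b"") + name(subject_cn))                   # issuer, validity, subject
    der = _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))      # tbs, sigAlg, signature
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"
```

The link check compares the raw DER Name encodings byte for byte, which is stricter than the RFC 5280 name-matching rules, so a mismatch it reports on a real bundle is worth confirming with `openssl x509 -noout -subject -issuer` on each certificate; it also verifies no signatures, so it only tells you the file is ordered and complete, not that the chain is valid.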
