03-07-2012 08:22 AM - edited 07-03-2021 09:44 PM
I'm trying to figure out the best way to set up authentication on my WLAN for my internal users. I want to use certificates but I'm not exactly sure what layer 2, layer 3 and AAA settings I need to configure for certificates. If I do certificate authentication is that enough or do I also need to use something like RADIUS authentication?
Anyone got any good docs or recommendations on how to configure my WLAN for certificate authentication? Also, I'm curious what methods other people are using to secure their internal WLANs.
Thanks.
03-07-2012 08:27 AM
If you're looking for WLAN authentication, I would recommend PEAP. It requires all users to use their AD credentials and synchronizes with your AD infrastructure via RADIUS. You can use your own RADIUS server or ACS / AD for authentication.
I've used it in the past and it is very good.
The first link gives you some detail on PEAP.
http://www.cisco.com/en/US/prod/collateral/wireless/ps5678/ps430/prod_qas0900aecd801764fa.html
The second link is a configuration guide.
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080665d18.shtml
Ven
03-07-2012 08:25 AM
In order to do certificate authentication using either EAP-TLS or PEAP, 802.1x requires the use of a RADIUS server. The RADIUS server would look at your Active Directory for user or device authentication. You would also need to have a PKI infrastructure if doing EAP-TLS. If you do not have a RADIUS server, then a pre-shared key is your best bet.
03-07-2012 08:28 AM
So basically I need to set up a RADIUS server and configure all of my APs as RADIUS clients, select "WPA+WPA2+802.1x" as the layer 2 security method, configure the AAA server tab to use my RADIUS server and then check "Local-EAP". Then set up a Local EAP profile that uses EAP-TLS. Am I correct that I will also need to change the settings on my client's wireless network config to pass EAP-TLS?
Thanks.
03-07-2012 08:31 AM
If your APs are autonomous, then yes. If you have a WLC, then only the WLC(s) are entered as your AAA client. No need to select Local EAP when pointing to a RADIUS server. You do want to select WPA+WPA2, but really only enable WPA2 & AES with 802.1x.
03-07-2012 08:48 AM
I am using WLC.
Thanks guys for the replies. I'm going to check out the two docs that Ven also recommended and I'll see if I have any other questions.
03-07-2012 02:27 PM
Ok I looked at the docs and configured my settings. I set up RADIUS on Windows 2008 R2 NPS. Initially I had the WLC configured as a RADIUS client and I was seeing messages that a RADIUS message was received from the invalid RADIUS client IP address 1.2.3.4. The address 1.2.3.4 corresponds to the IP address on the interface for the WLAN. So I switched the IP address on the RADIUS client on NPS to match the IP address 1.2.3.4 and tried accessing the WLAN. Now I'm getting an EAP error:
Explicit EAP failure received (0x50005)
EAP Error Code: 0x40420110
Network authentication failed due to a problem with the user account
I looked on the NPS server logs and don't see any messages there. Account isn't locked out, certificate is valid.
Any other ideas?
Thanks.
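The "invalid RADIUS client IP address" message in the post above comes from the first check a RADIUS server makes: the shared secret is looked up by the packet's source IP, before any EAP data is examined. The sketch below is an added example, not code from the thread or from NPS; it models that lookup plus the Message-Authenticator check from RFC 3579, and the secret, the 192.0.2.10 address and all function names are assumptions made for illustration.

```python
import hashlib, hmac, struct

# Constructed sample data: the address from the post and a made-up secret.
RADIUS_CLIENTS = {"1.2.3.4": b"constructed-shared-secret"}
ACCESS_REQUEST, USER_NAME, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 1, 79, 80

def build_access_request(secret, ident, req_auth, attrs):
    """Sender side: append a Message-Authenticator and fill in its HMAC-MD5."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    body += struct.pack("!BB", MESSAGE_AUTHENTICATOR, 18) + bytes(16)
    pkt = bytearray(struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body)
    pkt[-16:] = hmac.new(secret, bytes(pkt), hashlib.md5).digest()
    return bytes(pkt)

def check_request(src_ip, pkt):
    """Server side: decide whether the request is processed at all."""
    secret = RADIUS_CLIENTS.get(src_ip)  # the secret is chosen by source IP
    if secret is None:
        return "drop: unknown RADIUS client"
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return "drop: malformed packet"
    zeroed, received, pos = bytearray(pkt), None, 20
    while pos + 2 <= len(pkt):
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > len(pkt):
            return "drop: malformed attribute"
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            received = pkt[pos + 2:pos + 18]
            zeroed[pos + 2:pos + 18] = bytes(16)  # field is zeroed before hashing
        pos += alen
    if received is None:
        return "drop: missing Message-Authenticator"
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    if not hmac.compare_digest(received, expected):
        return "drop: shared secret mismatch"
    return "process"

def demo():
    eap_identity = struct.pack("!BBHB", 2, 1, 9, 1) + b"user"  # constructed EAP-Response/Identity
    attrs = [(USER_NAME, b"user"), (EAP_MESSAGE, eap_identity)]
    good = build_access_request(RADIUS_CLIENTS["1.2.3.4"], 7, bytes(range(16)), attrs)
    bad = build_access_request(b"typo-in-secret", 7, bytes(range(16)), attrs)
    return {
        "registered address": check_request("1.2.3.4", good),
        "unregistered address": check_request("192.0.2.10", good),
        "wrong secret": check_request("1.2.3.4", bad),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Both drop cases happen before the EAP conversation starts, so they are worth ruling out first when the client reports an EAP failure and the server log shows no authentication attempt.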
03-09-2012 06:54 AM
Success!!! I was able to get past this message and get connected to my internal WLAN. Thanks for all of the help guys.
05-20-2014 04:02 AM
I have this problem too.
Explicit EAP failure received (0x50005)
Can you help me please?