
WLAN 802.1x certificate based client authentication

fuhrersk8
Level 3

Hi Guys,

We want to implement a WLAN with 802.1x certificate based client authentication. I am following the document Understand and Configure EAP-TLS with a WLC and ISE, but is there a way to automatically install the certificate on the client machines without having to go manually to each? Like, for example, the clients downloading the certificate from the ISE.

Thanks for your support.

Regards,

6 Replies

Haydn Andrews
VIP Alumni

What Arshad said. For other options, look at securew2.com if you need a managed PKI environment to do this.

*****Help out others by using the rating system and marking answered questions as "Answered"*****
*** Please rate helpful posts ***

fuhrersk8
Level 3

Ok. Thanks for the suggestion.

With respect to the already installed certificates on the ISE from factory, will these work for 802.1x client authentication?

Thanks again.

Regards,

I think you need to at least have domain services and PKI in your environment to successfully do this. The client along with the RADIUS has to trust the cert chain. You can always try and use whatever cert you are using on ISE for EAP, but you will have to then upload the chain to the device cert store, manually set up the profile etc. Then you will have to figure out the policy to get all that to work.

You didn't provide if you have a domain you are using, is GPO possible, do you have a CA, what is your RADIUS server and are you currently doing PEAP?

-Scott
*** Please rate helpful posts ***

Yes, we do have a domain and a CA. But first we are setting a PoC before implementation.

For your PoC, you should validate that certificates (user or computer) are pushed to each domain-joined machine. Then your ISE should have a certificate installed from your CA (device, intermediates, and root) and make sure that cert is imported and used for EAP. This helps with the two-way trust. Then you would push out a wireless profile via GPO for your test SSID and configure the policies in ISE to authenticate the user/device cert.

Take a look at some guides and blogs on ISE using EAP-TLS and that will help with the steps you need to perform for your PoC.

-Scott
*** Please rate helpful posts ***
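
A client-side check for the first PoC step described above, as an added example that is not part of the original replies: it inspects the certificate store of a domain-joined Windows test client and reports whether each certificate has a private key, is within its validity period, lists the Client Authentication EKU, and chains to a locally trusted root. The function name `Test-EapTlsClientCert`, the default store `Cert:\LocalMachine\My`, and the strict EKU requirement are assumptions of this example; pass `Cert:\CurrentUser\My` for user certificates.

```powershell
# Added example: audit a Windows test client for an EAP-TLS-capable certificate.
# Assumption: computer certificates are enrolled into Cert:\LocalMachine\My.
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth (RFC 5280)

function Test-EapTlsClientCert {
    param([string]$StorePath = 'Cert:\LocalMachine\My')

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $problems = @()

        # Without the private key the client cannot complete the TLS handshake
        if (-not $cert.HasPrivateKey) { $problems += 'no private key' }

        $now = Get-Date
        if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
            $problems += 'outside validity period'
        }

        # Collect EKU OIDs; this example requires Client Authentication explicitly
        $ekuOids = @($cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        } | ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })
        if ($ekuOids -notcontains $ClientAuthOid) {
            $problems += 'EKU lacks Client Authentication'
        }

        # Build the chain against the local trust stores (no revocation fetch,
        # so the check also works on an isolated PoC network)
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        if (-not $chain.Build($cert)) {
            $problems += ($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
        }
        $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

        [pscustomobject]@{
            Subject   = $cert.Subject
            Issuer    = $cert.Issuer
            ChainTop  = $top.Subject   # highest certificate the chain reached
            NotAfter  = $cert.NotAfter
            Usable    = ($problems.Count -eq 0)
            Problems  = ($problems -join '; ')
        }
    }
}

Test-EapTlsClientCert | Format-List
```

Run it on a test client after a Group Policy refresh; `ChainTop` should name your own CA's root, and a `PartialChain` or `UntrustedRoot` entry in `Problems` means the CA chain has not reached that machine's trust stores.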