
WLAN using EAP-TLS

raymng
Beginner

Currently we have a WLC 4402 and a wide range of APs. We use WPA2 with EAP-PEAP-MSCHAP for the WLAN security setup. We use MS IAS as the RADIUS server.

Recently, we have wanted to find a way to control what types of wireless devices can join our WLAN. One idea is deploying client certificates and using EAP-TLS for authentication. Does this sound like a reasonable approach? Or is there a better way to achieve the objective than using EAP-TLS? I have not done EAP-TLS before and I am not sure if I am opening up a big "can of worms" in this direction.

Furthermore, does EAP-TLS only work with WEP encryption? Is TKIP or AES not supported?

Thanks.

P.S. If there are any good documents around EAP-TLS with wireless deployment, please let me know. Thx.

1 Accepted Solution


Scott Fella
Hall of Fame Guru

Well the WLC configuration is the same... No change. It's on the IAS you would specify EAP-TLS. It is a good option as long as all your devices support EAP-TLS.

Thanks,

Scott Fella

Sent from my iPhone

-Scott
*** Please rate helpful posts ***


Under EAP-TLS, does the wireless login process involve user authentication besides the client certificate? One of the primary triggers for us to look into this option is to get a two-factor authentication setup for the wireless network.

Thanks.

No, there is no password transmitted during EAP-TLS authentication.  EAP-TLS relies upon the authenticating client having a valid certificate with a name that matches an account on the authentication server. 

If you require two-factor authentication you will need to use a RADIUS server that supports it or can proxy to something that does.

A PKI is a large undertaking for larger enterprises. Not something you just throw up overnight. I would read up and test before committing to EAP-TLS.

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
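
Added example, not part of the original thread: a lab script that builds a throwaway CA with the `openssl` CLI and runs the two checks described in the replies above, namely that the client certificate is valid for client authentication and that its name matches an account. It assumes the RADIUS server maps the subject CN to the account (which field is actually used depends on the server), and all names in it are constructed.

```shell
#!/usr/bin/env bash
# Added example; "Example WLAN CA" and alice@corp.example are constructed names.

make_ca() {  # $1 = working directory; writes lab.cnf, ca.key, ca.pem
  cat > "$1/lab.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example WLAN CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$1/lab.cnf" \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

issue_cert() {  # $1 = dir, $2 = file stem, $3 = subject CN, $4 = extended key usage
  openssl req -new -newkey rsa:2048 -nodes -config "$1/lab.cnf" -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null || return 1
  printf 'extendedKeyUsage = %s\n' "$4" > "$1/$2.ext"
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -days 30 -extfile "$1/$2.ext" -out "$1/$2.pem" 2>/dev/null
}

# Prints OK or the reason for refusal. Assumption: the account name is the subject CN.
check_client_cert() {  # $1 = CA file, $2 = client cert, $3 = expected account
  local cn
  if ! openssl verify -CAfile "$1" -purpose sslclient "$2" >/dev/null 2>&1; then
    echo "REJECT: untrusted, expired, or not issued for client authentication"; return 1
  fi
  cn=$(openssl x509 -in "$2" -noout -subject -nameopt RFC2253 |
       sed -n 's/^subject= *CN=\([^,]*\).*/\1/p')
  if [ "$cn" != "$3" ]; then
    echo "REJECT: subject CN '$cn' does not match account '$3'"; return 1
  fi
  echo "OK: $cn"
}

lab=$(mktemp -d)
make_ca "$lab"
issue_cert "$lab" laptop "alice@corp.example" clientAuth
issue_cert "$lab" kiosk  "alice@corp.example" serverAuth   # wrong purpose
check_client_cert "$lab/ca.pem" "$lab/laptop.pem" "alice@corp.example"
check_client_cert "$lab/ca.pem" "$lab/kiosk.pem"  "alice@corp.example" || true
check_client_cert "$lab/ca.pem" "$lab/laptop.pem" "bob@corp.example"   || true
rm -rf "$lab"
```

Running the same check against certificates exported from a pilot device before rollout shows whether the issuing template sets the client-authentication usage and the expected name.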