Cisco Community
English
Register
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
1418
Views
6
Helpful
4
Replies
raymng
Beginner
Beginner
‎03-05-2012 05:49 PM
‎03-05-2012 05:49 PM

WLAN using EAP-TLS

Currently we have WLC 4402 and wide range of AP. We use WAP2 with EAP-PEAP-MSCHAP for the WLAN security setup.  We use MS IAS as radius server.

Recently, we want to find a way to control what type of wireless devices that can join to our WLAN.  One idea is deploying client certificate and use EAP-TLS for authentication.  Does this sound a reasonable approach?  Or there is a better way to achieve the objective than using EAP-TLS?  I have not done EAP-TLS before and I am not sure if I am opening up a big "can of worm" in this direction.

Furthermore, does EAP-TLS only works with WEP encryption?  Is TKIP or AES not supported?

Thanks.

p.s.

if there are any good documents around EAP-TLS with wireless deployment, please let me know. thx.

Labels:
0 Helpful
1 ACCEPTED SOLUTION

Accepted Solutions
Scott Fella
Hall of Fame Master Hall of Fame Master
Hall of Fame Master
‎03-05-2012 05:52 PM
‎03-05-2012 05:52 PM

Well the WLC configuration is the same... No change. It's on the IAS you would specify EAP-TLS. It is a good option as long as all your devices support EAP-TLS.

Thanks,

Scott Fella

Sent from my iPhone

-Scott
*** Please rate helpful posts ***

View solution in original post

0 Helpful
4 REPLIES 4
Scott Fella
Hall of Fame Master Hall of Fame Master
Hall of Fame Master
‎03-05-2012 05:52 PM
‎03-05-2012 05:52 PM

Well the WLC configuration is the same... No change. It's on the IAS you would specify EAP-TLS. It is a good option as long as all your devices support EAP-TLS.

Thanks,

Scott Fella

Sent from my iPhone

-Scott
*** Please rate helpful posts ***

View solution in original post

0 Helpful
raymng
Beginner
Beginner
In response to Scott Fella
‎03-06-2012 04:14 PM
‎03-06-2012 04:14 PM

Under EAP-TLS, does the wireless login process involved user authentication beside client certificate?  One of the primary trigger for us to look into this option is to get a two-factor authentication setup for the wireless network.

Thanks.

0 Helpful
8jwilliams
Beginner
Beginner
In response to raymng
‎03-09-2012 04:25 PM
‎03-09-2012 04:25 PM

No, there is no password transmitted during EAP-TLS authentication.  EAP-TLS relies upon the authenticating client having a valid certificate with a name that matches an account on the authentication server. 

If you require two-factor authentication you will need to use a RADIUS server that supports it or can proxy to something that does.

George Stefanick
Advisor
Advisor
‎03-11-2012 10:10 AM
‎03-11-2012 10:10 AM

A PKI is a large undertaking for larger enterprises. Not something you just throw up over night. I would read up and test before committing to EAP-TLS.

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________
Latest Contents
Cisco IOS-XE 17.5.1 for the Catalyst 9800 Wireless Controlle...
Created by anandg on 04-02-2021 11:02 AM
5
15
5
15
  It’s been about two and half years, since the launch of next generation Cisco Catalyst 9800 Wireless LAN Controllers that has the most deployment flexibility and runs the modular, scalable, highly reliable, open and programmable operating system, I... view more
Wi-Fi 6 and Embeded Wireless Controller (EWC) Demo
Created by eugenelee28 on 03-21-2021 01:48 AM
3
5
3
5
Hi All, I have made this video for Cisco Pitch the Future Contest in Malaysia which talks about Wi-Fi 6 and EWC Demo. Please feel free to view the video below and please support me for this contest by giving the video a like as the Contest will end o... view more
Cisco Wants your Feedback on the Cat9800-80!
Created by caiharve on 03-09-2021 03:43 PM
0
5
0
5
Review the Cisco Catalyst 9800-80 Wireless Controller on TrustRadius and receive a $25 gift card!   
EEM Scripts to Enable/Disable the RLAN Ports on APs Connecte...
Created by justloo on 03-07-2021 10:43 AM
0
10
0
10
Overview On the Cisco Catalyst 9800 Series WLC, enabling/disabling the remote LAN (RLAN) ports on APs requires going into the configuration for each AP and manually enabling/disabling the ports. However, as the number of APs that need to have their RLAN... view more
An End of an Era for Cisco AireOS Controllers
Created by byronm19 on 03-05-2021 12:30 PM
2
5
2
5
It’s been a long road for our AireOS wireless controllers. In fact these products have been around Cisco in some form since 2005. As you may have heard, Cisco made the decision to End-of-Sale (EOS) these products last month. That means that these AireOS ... view more
Content for Community-Ad