03-16-2011 02:04 PM - edited 07-03-2021 07:57 PM
Good day!
I tried to set up the EAP-TLS according to
- http://cciew.wordpress.com/2010/06/10/eap-tls-on-the-wlc/
- http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080a77592.shtml
- Jeremy video about EAP-TLS
The main question is about certificates.
Tell me if I am wrong - There are two types of certificates that we need to upload to the WLC:
1) Device certificate - this is quite clear, OpenSSL, Certificate Request, etc.
2) CA Root certificate - if there is only one CA Root then it is clear, but if we have the following chain
Root CA -> Intermediate CA -> WLC
a) Do we need to upload the whole chain "Root CA -> Intermediate CA" to the WLC ?
b) If yes, what format is it going to be? Maybe something like this
------BEGIN CERTIFICATE------
*Intermediate CA cert *
------END CERTIFICATE--------
------BEGIN CERTIFICATE------
*Root CA cert *
------END CERTIFICATE------
11-10-2011 03:05 AM
Hello!
I'd like to return to the question about root certificates.
For example:
- we have one ROOT CA and two intermediate CA: ca1, ca2
- we have two groups of users with certificates signed by these intermediate CAs.
Purpose - we want users from both groups to pass the authentication process.
As we can't upload two root CA to the wlc, can we upload only ROOT CA for that purpose?
11-10-2011 03:13 AM
If you're doing EAP-TLS, you will have a certificate installed in your RADIUS server and your clients would also have a certificate obtained from one of the two intermediate CAs. You still have one root CA. So with any of your intermediate CAs, the root CA is the same.
Your client devices will trust the root CA (if set up right) so you can validate the server certificate.
Sent from my iPhone
11-15-2011 02:57 AM
In software version 7.0.220.0 there is the OCSP feature.
It can get the revocation status of the management user's certificate while the user accesses the GUI by HTTPS.
Can we use OCSP during the wireless client auth process to check the user's certificate validity?
11-15-2011 04:19 AM
Not for 802.1X. You would need to configure the CRL on the RADIUS server.
Sent from my iPhone
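The following is an added lab script, not code from any of the posts above and not Cisco's or the WLC's own tooling. It builds, with the openssl CLI, the exact shape discussed in this thread (one root, two intermediates ca1 and ca2, one user certificate under each), writes the concatenated PEM bundle the first post asks about (intermediate block followed by root block; note that real PEM armor is exactly five hyphens, `-----BEGIN CERTIFICATE-----`), shows that validation succeeds when only the root is trusted and the intermediate is supplied untrusted (the point of the 11-10-2011 answer), and finishes with the CRL step the last answer refers to, revoking a user certificate on ca1 and checking it against ca1's CRL. All CA/user names, file names and lifetimes are constructed for the demo; it assumes `openssl` (1.1.1 or 3.x) and `mktemp` are on the PATH.

```shell
#!/bin/sh
# Added example: throw-away lab PKI mirroring the thread's scenario
# (Root CA -> ca1/ca2 -> user certs), built with the openssl CLI.
# All names, file names and lifetimes are constructed for this demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory (assumes mktemp exists)
cd "$WORK"

# Issue a CA certificate. $1 = CA name, $2 = parent CA name ("" = self-signed root).
# CAs get keyCertSign+cRLSign so an intermediate can sign user certs and its own CRL.
mk_ca() {
  name=$1; parent=${2:-}
  openssl genrsa -out "$name.key" 2048 2>/dev/null
  openssl req -new -key "$name.key" -subj "/CN=$name" -out "$name.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$name.ext"
  if [ -z "$parent" ]; then
    openssl x509 -req -in "$name.csr" -signkey "$name.key" -days 30 -sha256 \
      -extfile "$name.ext" -out "$name.pem" 2>/dev/null
  else
    openssl x509 -req -in "$name.csr" -CA "$parent.pem" -CAkey "$parent.key" \
      -CAcreateserial -days 30 -sha256 -extfile "$name.ext" -out "$name.pem" 2>/dev/null
  fi
}

# Issue an EAP-TLS client (user) certificate. $1 = user name, $2 = issuing intermediate.
mk_user() {
  name=$1; issuer=$2
  openssl genrsa -out "$name.key" 2048 2>/dev/null
  openssl req -new -key "$name.key" -subj "/CN=$name" -out "$name.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$name.ext"
  openssl x509 -req -in "$name.csr" -CA "$issuer.pem" -CAkey "$issuer.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$name.ext" -out "$name.pem" 2>/dev/null
}

# The bundle format from the first post: PEM blocks back to back,
# intermediate ($1) first, root ($2) last, written to $3.
build_bundle() {
  cat "$1.pem" "$2.pem" > "$3"
}

# Number of certificates in a PEM bundle (real armor uses exactly five hyphens).
count_pem_blocks() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Validate user cert $1 trusting ONLY the root; the issuing intermediate $2 is
# passed as untrusted, i.e. as it would arrive in the EAP-TLS handshake.
verify_user() {
  openssl verify -CAfile root.pem -untrusted "$2.pem" "$1.pem" >/dev/null 2>&1
}

# Minimal 'openssl ca' database for intermediate $1: just enough to revoke
# certificates and publish a CRL (what a RADIUS server would consume).
init_crl_db() {
  printf '[ca]\ndefault_ca=%s\n[%s]\ndatabase=%s.idx\ncrlnumber=%s.crlnum\ndefault_md=sha256\n' \
    "$1" "$1" "$1" "$1" > "$1.cnf"
  : > "$1.idx"
  echo 01 > "$1.crlnum"
}

revoke_cert() {   # $1 = CA, $2 = user
  openssl ca -config "$1.cnf" -cert "$1.pem" -keyfile "$1.key" -revoke "$2.pem" 2>/dev/null
}

gen_crl() {       # $1 = CA; writes $1.crl (PEM)
  openssl ca -config "$1.cnf" -cert "$1.pem" -keyfile "$1.key" -gencrl -crldays 7 -out "$1.crl" 2>/dev/null
}

# Same as verify_user, but with CRL checking of the leaf enabled.
verify_user_crl() {  # $1 = user, $2 = issuing CA (its CRL is $2.crl)
  openssl verify -crl_check -CRLfile "$2.crl" -CAfile root.pem -untrusted "$2.pem" "$1.pem" >/dev/null 2>&1
}

# One root, two intermediates, one user per intermediate, plus the WLC-style bundle.
build_demo_pki() {
  mk_ca root ""; mk_ca ca1 root; mk_ca ca2 root
  mk_user user1 ca1; mk_user user2 ca2
  build_bundle ca1 root chain_for_wlc.pem
  init_crl_db ca1
}

if [ "${1:-}" = "demo" ]; then
  build_demo_pki
  echo "bundle chain_for_wlc.pem has $(count_pem_blocks chain_for_wlc.pem) PEM blocks"
  verify_user user1 ca1 && echo "user1 (signed by ca1) validates with root-only trust"
  verify_user user2 ca2 && echo "user2 (signed by ca2) validates with root-only trust"
  verify_user user2 ca1 || echo "user2 cannot be chained through ca1 (wrong intermediate)"
  gen_crl ca1; revoke_cert ca1 user1; gen_crl ca1
  verify_user_crl user1 ca1 || echo "user1 rejected once ca1's CRL lists it"
fi
```

Run it as `sh eap_tls_lab.sh demo`. Only `root.pem` is ever passed as a trust anchor; ca1 and ca2 are accepted solely because they chain to it, which is why one root CA covers both user groups. The CRL half shows the other side of the thread: revocation is enforced by whoever validates the client certificate (here `openssl verify`, in production the RADIUS server), so the WLC's bundle upload alone never revokes anything.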