03-13-2023 02:52 AM
Dear All,
In a test environment, I'm setting up EAP-TLS client authentication and authorization using DACL.
Authentication works, although I haven't configured DTLS yet to secure the RADIUS protocol communication between the WLC and ISE. My first question is:
Does WLC 8.2 version support ECC encrypted certificates?
During the authorization phase, the DACL is not downloaded on the WLC, and ISE, while successfully authenticating the client, does not increment the counter of active clients.
Second question:
Could this be caused by the fact that on the WLC I haven't yet configured the RADIUS attributes like 6, 8 and 25? If yes, how can I do it?
Bye,
JF.
03-13-2023 09:24 AM
- Check this info : https://community.cisco.com/t5/wireless/wireless-authentication-and-dacls/m-p/3851304#M18913
M.
03-13-2023 04:46 AM
>...Does WLC 8.2 version support ECC encrypted certificates?
For starters, for testing and/or all use cases, consider that both the 5508 and 8.2.x are old; use
https://software.cisco.com/download/home/282600534/type/280926587/release/8.5.182.0 (https://www.cisco.com/c/en/us/support/docs/wireless/wireless-lan-controller-software/200046-tac-recommended-aireos.html)
Depending on outcome and business requirements you may want to migrate to the new 9800 controller platform(s)
You may for instance deploy virtual 9800 for testing
M.
03-13-2023 06:39 AM
Hi Marce,
Thank you for your reply.
Yes, I know I am working on an old WLC and release. We had planned to change it two years ago.
But the pandemic events have changed our plans. Anyway, I have already ordered two new WLC 9840; in the meantime I need to try to work with the old stuff.
I have implemented a double head 2 tier CA, one head works with the ECC certificates and the other with the RSA, if the 5508 doesn't support the ECC I can try to use the RSA.
Now the authentication is working, but the authorization is not: the DACL is not downloaded on the WLC. Do you have any idea about this issue?
Bye,
JF.
03-13-2023 05:06 PM
1. Do NOT use 8.5.182.0 if you decide to upgrade - it will leave your IOS APs in an endless boot loop as per field notice below. If you decide to upgrade then use 8.5.182.7 (link below too)
2. As ECC certs are quite new I doubt that 8.2 will support them. I see no mention in the docs.
3. See https://www.cisco.com/c/en/us/td/docs/security/ise/3-0/compatibility_doc/b_ise_sdt_30.html#ciscowlcs
> Note: Cisco Wireless LAN Controllers (WLCs) and Wireless Service Modules (WiSMs) do not support downloadable ACLs (dACLs), but support named ACLs.
So you can configure the named ACL on the WLC and then send the ACL name from ISE but you can't send the ACL.
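The distinction in the answer above (a named ACL referenced from ISE versus a dACL pushed from ISE) is visible on the wire in the RADIUS Access-Accept. The script below is an added example, not code from this thread or from Cisco: it decodes the Vendor-Specific attributes of an Access-Accept and reports whether the authorization carries an Airespace-ACL-Name (vendor 14179, attribute 6, the form an AireOS WLC can act on) or a Cisco-AVPair `ACS:CiscoSecure-Defined-ACL=` reference (vendor 9, attribute 1, the dACL form the WLC ignores). The two packets it inspects are constructed inline with a zeroed authenticator; the ACL names in them are made-up sample values.

```python
import struct

RADIUS_ACCESS_ACCEPT = 2
ATTR_VENDOR_SPECIFIC = 26
VENDOR_CISCO = 9          # IANA enterprise number for Cisco (Cisco-AVPair lives here)
VENDOR_AIRESPACE = 14179  # IANA enterprise number for Airespace (WLC VSAs)
CISCO_AVPAIR = 1          # Cisco-AVPair vendor attribute type
AIRESPACE_ACL_NAME = 6    # Airespace-ACL-Name vendor attribute type
DACL_PREFIX = "ACS:CiscoSecure-Defined-ACL="


def build_vsa(vendor_id, vendor_type, value):
    """Encode one RFC 2865 Vendor-Specific attribute (type 26)."""
    inner = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return struct.pack("!BBI", ATTR_VENDOR_SPECIFIC, 6 + len(inner), vendor_id) + inner


def build_access_accept(attrs, ident=0x42):
    """Wrap encoded attributes in a RADIUS header; authenticator is zeroed (constructed sample)."""
    body = b"".join(attrs)
    return struct.pack("!BBH", RADIUS_ACCESS_ACCEPT, ident, 20 + len(body)) + b"\x00" * 16 + body


def parse_attributes(packet):
    """Yield (type, value) pairs from a RADIUS packet, rejecting inconsistent lengths."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("RADIUS length field does not match packet size")
    pos = 20  # skip code, id, length and the 16-byte authenticator
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        yield atype, packet[pos + 2:pos + alen]
        pos += alen


def classify_acl_authorization(packet):
    """Report which ACL authorization form an Access-Accept carries.

    Returns {"named_acl": <name or None>, "dacl": <name or None>}. On an AireOS
    WLC only named_acl is honoured; a dacl entry means ISE sent something the
    controller cannot download.
    """
    result = {"named_acl": None, "dacl": None}
    for atype, value in parse_attributes(packet):
        if atype != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        vendor_id = struct.unpack("!I", value[:4])[0]
        vtype, vlen = value[4], value[5]
        data = value[6:4 + vlen]
        if vendor_id == VENDOR_AIRESPACE and vtype == AIRESPACE_ACL_NAME:
            result["named_acl"] = data.decode()
        elif vendor_id == VENDOR_CISCO and vtype == CISCO_AVPAIR:
            text = data.decode()
            if text.startswith(DACL_PREFIX):
                result["dacl"] = text[len(DACL_PREFIX):]
    return result


# Constructed samples: one Access-Accept per authorization style.
SAMPLE_NAMED = build_access_accept(
    [build_vsa(VENDOR_AIRESPACE, AIRESPACE_ACL_NAME, b"GUEST-ACL")])
SAMPLE_DACL = build_access_accept(
    [build_vsa(VENDOR_CISCO, CISCO_AVPAIR, (DACL_PREFIX + "#ACSACL#-IP-GUEST-sample").encode())])

if __name__ == "__main__":
    for label, pkt in (("named ACL", SAMPLE_NAMED), ("dACL", SAMPLE_DACL)):
        verdict = classify_acl_authorization(pkt)
        usable = "WLC applies it" if verdict["named_acl"] else "WLC cannot download it"
        print(label, verdict, "->", usable)
```

Running a capture of the real Access-Accept through the same classifier tells you immediately whether the ISE authorization profile is sending the ACL name the controller expects or a dACL the controller will silently drop.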