WLC 5520 and 802.1x authentication with certificate

tanner.zaitt
Level 3

Hello all.

Could you tell me more details about troubleshooting 802.1x authentication with a certificate?

My topology is:
Microsoft Windows Server with Radius Server <------> WLC 5520 Controller  <------> AP access point <------>Client laptop.

The goal is to be able to authenticate the Client laptop with a certificate using 802.1x standard

But the problem is with the GPO on the Microsoft server that is meant to force 802.1X authentication with a certificate for only one client laptop machine.
Something is wrong.

From where I can start to troubleshoot?

I suspect WPA2 Enterprise with a domain username and password works for 802.1X authentication, but how can I be sure that the certificate is used too?

The behavior now is that all machines in the domain are accepted with a domain username and password.

Someone with experience with this?

I will be happy to receive your comments and advice.

Thanks.

Best regards!



4 Replies

Grendizer
Cisco Employee

You don’t check that from the WLC, instead, check the NPS logs.

It seems you need to do dual auth (machine cert + username/password). This is not supported by NPS; it is supported by using Cisco ISE as the RADIUS server and AnyConnect NAM as the client (NAM is supported only on Windows PCs). If you have that, you can use EAP chaining and ISE will authenticate the clients based on those two factors.

 

Arne Bier
VIP

How is your Windows supplicant configured? Do you have User Auth, Machine Auth, or User/Machine Auth?

 

I am pretty sure you can get EAP-TLS working in NPS - the approach would be to first do it manually (not using GPO) and when you have the client device (supplicant) configuration correct, then translate that logic into GPO and push out.

Do you want to perform any additional lookups in AD on the NPS server (e.g. check if the user is a member of an AD Group), or just use the cert for authentication?

I am not an NPS guy (more of an ISE/Clearpass guy). You don't need EAP chaining to make this work - standard Windows supplicant is enough.

NPS is quite hard to troubleshoot - in my experience I had to go to the CLI, run some debug command to enable logging and then find some obscure log file with the output. The Windows Server Event Viewer only shows limited information.

Hi Arne, is there a working scenario to check both the machine cert and any other check from AD without using ISE EAP chaining or MAR? I really doubt it. If I'm wrong, please let me know...

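Grendizer's advice is to check the NPS logs rather than the WLC, and Arne notes that the Event Viewer view of NPS is thin. The following is an added example, not code posted by anyone in this thread, showing how to pull the answer to the original question ("was the certificate actually used?") out of the Security log on the NPS server. NPS writes event 6272 for every granted and 6273 for every denied authentication; the EventData field names used below (AuthenticationType, EAPType, FullyQualifiedSubjectUserName, CallingStationID, NetworkPolicyName, ReasonCode, Reason) are those of these two events. The 24-hour window and the server name are parameters you would adjust.

```powershell
# Added example (not from the thread). Run on the NPS server, or point -ComputerName at it
# from a management host. Event 6272 = access granted, 6273 = access denied.

function Get-NpsAuthEvent {
    param(
        [int]$Hours = 24,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $filter = @{
        LogName   = 'Security'
        Id        = 6272, 6273
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop |
        ForEach-Object {
            # Flatten <EventData><Data Name="...">value</Data>...</EventData> into a hashtable
            $data = @{}
            foreach ($node in ([xml]$_.ToXml()).Event.EventData.Data) {
                $data[$node.Name] = $node.'#text'
            }
            $result = if ($_.Id -eq 6272) { 'Granted' } else { 'Denied' }
            [pscustomobject]@{
                Time       = $_.TimeCreated
                Result     = $result
                # Machine authentication shows the account as host/<computer FQDN>;
                # user authentication shows DOMAIN\user or user@domain.
                Account    = $data['FullyQualifiedSubjectUserName']
                ClientMac  = $data['CallingStationID']
                # AuthenticationType 'EAP' + EAPType 'Microsoft: Smart Card or other certificate' = EAP-TLS
                # AuthenticationType 'PEAP' + EAPType 'Microsoft: Secured password (EAP-MSCHAP v2)' = PEAP-MSCHAPv2
                AuthType   = $data['AuthenticationType']
                EapType    = $data['EAPType']
                Policy     = $data['NetworkPolicyName']
                ReasonCode = $data['ReasonCode']
                Reason     = $data['Reason']
            }
        }
}

# Anything that is not EAP-TLS was a password authentication, whatever the supplicant
# GPO was supposed to enforce. Tag each event so the non-certificate sessions stand out.
function Test-NpsCertificateAuth {
    param([Parameter(ValueFromPipeline)] $Event)
    process {
        $Event | Add-Member -PassThru -NotePropertyName UsedCertificate `
            -NotePropertyValue ($Event.EapType -like '*Smart Card or other certificate*')
    }
}

# Usage: one line per authentication in the last 24 hours, then a count per EAP method.
$events = Get-NpsAuthEvent -Hours 24 | Test-NpsCertificateAuth
$events | Format-Table Time, Result, Account, ClientMac, AuthType, EapType, UsedCertificate -AutoSize
$events | Group-Object AuthType, EapType | Select-Object Count, Name

# Denied attempts with the NPS reason text (certificate chain, revocation and
# policy-match failures are spelled out here, which the WLC never sees).
$events | Where-Object Result -eq 'Denied' | Select-Object Time, Account, ReasonCode, Reason
```

If the EAP method column shows PEAP for the laptop that should be on EAP-TLS, the supplicant profile on the client is what is wrong, not NPS. The low-level tracing Arne alludes to is `netsh ras set tracing * enabled` on the NPS server, which writes IASSAM.LOG and IASNAP.LOG under %windir%\tracing; turn it off again with `netsh ras set tracing * disabled` once you have what you need.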
tanner.zaitt
Level 3

Hello all, thank you for joining in the discussion.
I found this guide for Microsoft Server 2008:
https://networklessons.com/uncategorized/peap-and-eap-tls-on-server-2008-and-cisco-wlc/
Could you confirm that the logic is the same on the new WLC controllers and new MS servers as on the old WLC controllers and MS servers?
In the guide, EAP-TLS is implemented manually.
I don't know how to automate the certificate enrolment on the client side.
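Two things on the client decide whether EAP-TLS is used: the Wi-Fi profile's EAP method and authentication mode (the "User Auth, Machine Auth, or User/Machine Auth" question Arne asks), and whether a certificate with the Client Authentication EKU is actually present in the store the supplicant reads. The following is an added example, not code from the thread or the linked guide, that checks both on a Windows client; 'Corp-WLAN' is a placeholder profile name. The EAP method numbers (13 = EAP-TLS, 25 = PEAP) are the IANA EAP type values that `netsh wlan export profile` writes into the profile XML.

```powershell
# Added example (not from the thread). Run on the Windows client in an elevated PowerShell.

function Get-WlanEapConfig {
    param([Parameter(Mandatory)] [string]$ProfileName)

    # netsh can only export to a folder, so use a scratch directory and read the XML back
    $folder = Join-Path $env:TEMP 'wlan-export'
    New-Item -ItemType Directory -Path $folder -Force | Out-Null
    Remove-Item -Path (Join-Path $folder '*.xml') -Force -ErrorAction SilentlyContinue
    netsh wlan export profile name="$ProfileName" folder="$folder" | Out-Null
    $file = Get-ChildItem -Path $folder -Filter '*.xml' | Select-Object -First 1
    if (-not $file) { throw "Profile '$ProfileName' not found; see 'netsh wlan show profiles'" }

    # PowerShell's XML adapter ignores namespaces, so the OneX/EapHostConfig elements can be
    # walked by name even though each carries its own xmlns.
    $xml      = [xml](Get-Content -Path $file.FullName -Raw)
    $security = $xml.WLANProfile.MSM.security
    $onex     = $security.OneX
    $eapType  = [int]$onex.EAPConfig.EapHostConfig.EapMethod.Type
    $method   = switch ($eapType) { 13 { 'EAP-TLS' } 25 { 'PEAP' } default { "other ($eapType)" } }
    # authMode is optional in the profile; when absent the supplicant behaves as machineOrUser
    $authMode = if ($onex.authMode) { $onex.authMode } else { 'machineOrUser (default)' }

    [pscustomobject]@{
        Profile        = $ProfileName
        Authentication = $security.authEncryption.authentication   # WPA2 for WPA2-Enterprise
        UseOneX        = $security.authEncryption.useOneX
        EapType        = $eapType
        EapMethod      = $method
        AuthMode       = $authMode
    }
}

# A certificate is usable for EAP-TLS only if it has a private key, is not expired and
# carries the Client Authentication EKU. Machine auth reads LocalMachine\My, user auth
# reads CurrentUser\My.
function Get-EapTlsClientCertificate {
    param([switch]$User)
    $store = if ($User) { 'Cert:\CurrentUser\My' } else { 'Cert:\LocalMachine\My' }
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'
    Get-ChildItem -Path $store |
        Where-Object {
            $_.HasPrivateKey -and
            $_.NotAfter -gt (Get-Date) -and
            ($_.EnhancedKeyUsageList | Where-Object ObjectId -eq $clientAuthOid)
        } |
        Select-Object Subject, Issuer, NotAfter, Thumbprint
}

# Usage
Get-WlanEapConfig -ProfileName 'Corp-WLAN'      # expect EapMethod EAP-TLS for certificate auth
Get-EapTlsClientCertificate                      # machine certificate for machine auth
Get-EapTlsClientCertificate -User                # user certificate for user auth

# No certificate yet? Trigger Group Policy autoenrollment immediately instead of waiting
# for the next policy refresh (run elevated for the machine context).
if (-not (Get-EapTlsClientCertificate)) { certutil -pulse }
```

On the enrollment question: once an enterprise CA template with the Client Authentication EKU is published and autoenrollment is enabled in Group Policy (Computer Configuration for machine certificates, User Configuration for user certificates), the client obtains and renews the certificate on its own; `certutil -pulse` or `gpupdate /force` only shortens the wait. If the first function reports PEAP while the second returns a valid certificate, the GPO is pushing the wrong EAP method to the profile, which matches the symptom described in the original post.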
