WLC and Client Certificate Authentication

Timothy Ventry

We are trying to implement certs for clients to use when connecting to the Enterprise Wireless Infrastructure with the WLC.  We use a MS Domain and use ACS.  What is the best way to implement this to gain a security posture and avoid evil twin issues, and ensure trusted clients are connected and authenticated?  Management wants to implement certificates for the clients connecting to the Wireless Controllers and APs.

There is a request to use real certificates and not self-signed certs, for PEAP Auth.

Thank you




Hi Tim, did you find any documentation around this? I'm trying to do the same thing.

The user machine authenticates with a certificate onto wireless, then the user authenticates with AD.


Certificates are another way to provide the identity of a machine or user instead of a "password". The world of certificates and network authentication (dot1x) can be overwhelming, so I will try to explain the important concepts in this reply.

There are two common authentication methods being used in today's wireless deployments:
1. PEAPv0 which is based on username and password
2. EAP-TLS which is based on a machine or user certificate but requires a PKI

The process of getting the client connected and authenticated is similar for both methods:
1. Client associates to the wireless network;
2. Client builds a protected tunnel with the authentication server. Based on the certificate used on the (RADIUS) server side the client verifies that it is talking to the correct server so it knows that it is safe to continue;
3. Client sends its credentials to the server (username/password with PEAPv0, certificate with EAP-TLS);
3a. In case of EAP-TLS the certificate will be validated and read by the server. Usually the CN or SAN attribute found in the certificate will be used for the Active Directory lookup;
4. Server validates the provided credentials by consulting Active Directory;
5. Active Directory gives feedback and provides the current status and all the memberships the related object has within Active Directory. This object can be a user account or a computer in the case of a machine certificate.
6. Based on the policies within the authentication server certain information can be provided to the WLC (Examples are: deny, allow and a specified VLAN which should be used etc).

If you want to deploy EAP-TLS the following things should be in place:
1. A PKI, preferably Microsoft's implementation, which integrates with Active Directory;
2. An authentication server, for example Cisco ISE or Microsoft's NPS, which uses a server certificate that can actually be verified by the clients (so signed by a public CA, or by your own PKI if all of the clients have the CA cert of the PKI installed);
3. An Active Directory infrastructure with two GPOs deployed:
3a. GPO to auto-enroll certificates so clients will request a user/machine certificate;
3b. GPO to configure the client with wireless settings;
4. A RADIUS based connection between the WLC and the authentication server;
5. Policies on the authentication server based on certain Active Directory groups so clients can be authenticated.

Hopefully this helps to give some clarity; however, if you have never done any implementation I strongly advise getting some external help. Building a robust and secure PKI requires proper planning and a good design, and the same goes for the authentication services.

Please rate useful posts... :-)
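The two certificate checks in the flow above (step 2 on the client, step 3a on the server), as an added Go example that is not part of this thread and not code from any Cisco or Microsoft product. It builds a throwaway PKI with Go's crypto/x509 (every name in it, "Corp Enterprise Root CA", "radius.corp.example", "Jane Doe" and "jdoe@corp.example", is made up), then shows the supplicant rejecting an evil-twin RADIUS server whose certificate comes from a rogue CA that merely copied the enterprise CA's name, and the authentication server rejecting an expired client certificate or a server certificate presented as a client credential. The identity for the AD lookup is taken from the SAN rfc822Name or the CN here; AD auto-enrolled certificates carry the UPN in a SAN otherName instead, which crypto/x509 does not decode.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Demo is the constructed sample PKI; every name in it is made up for this example.
type Demo struct {
	Roots                     *x509.CertPool // what the GPO installs on clients: the enterprise CA only
	Server, RogueServer, User *x509.Certificate
	Now                       time.Time
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issue signs tmpl with parent/parentKey, or self-signs it when parent is nil.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// BuildDemo issues a RADIUS server certificate and a user certificate from the enterprise CA,
// plus the same server certificate from a rogue CA that copied only the CA's name, which is
// all an evil-twin operator can copy: the private key never leaves the real CA.
func BuildDemo() Demo {
	now := time.Date(2024, 6, 1, 0, 0, 0, 0, time.UTC)
	tmpl := func(serial int64, cn string, ku x509.KeyUsage, eku ...x509.ExtKeyUsage) *x509.Certificate {
		ca := ku&x509.KeyUsageCertSign != 0
		return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(1, 0, 0), IsCA: ca,
			BasicConstraintsValid: ca, KeyUsage: ku, ExtKeyUsage: eku}
	}
	ca, caKey := issue(tmpl(1, "Corp Enterprise Root CA", x509.KeyUsageCertSign), nil, nil)
	rogue, rogueKey := issue(tmpl(1, "Corp Enterprise Root CA", x509.KeyUsageCertSign), nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	srv := tmpl(2, "radius.corp.example", x509.KeyUsageDigitalSignature, x509.ExtKeyUsageServerAuth)
	srv.DNSNames = []string{"radius.corp.example"}
	usr := tmpl(3, "Jane Doe", x509.KeyUsageDigitalSignature, x509.ExtKeyUsageClientAuth)
	usr.EmailAddresses = []string{"jdoe@corp.example"} // SAN rfc822Name; AD auto-enrollment uses a UPN otherName instead
	server, _ := issue(srv, ca, caKey)
	rogueServer, _ := issue(srv, rogue, rogueKey)
	user, _ := issue(usr, ca, caKey)
	return Demo{roots, server, rogueServer, user, now}
}

// CheckServer is step 2 on the client: before any credential is sent, chain the RADIUS
// server's certificate to the trusted CA and match the expected name. The evil twin's
// certificate fails here even though its issuer name reads "Corp Enterprise Root CA".
func CheckServer(srv *x509.Certificate, roots *x509.CertPool, name string, now time.Time) error {
	_, err := srv.Verify(x509.VerifyOptions{Roots: roots, DNSName: name, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}

// VerifyClient is step 3a on the server: chain, validity period and clientAuth EKU (a
// server certificate presented as a client is refused), then the identity used for the
// Active Directory lookup, SAN first and CN as the fallback.
func VerifyClient(c *x509.Certificate, roots *x509.CertPool, now time.Time) (string, error) {
	_, err := c.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	if err != nil {
		return "", err
	}
	if len(c.EmailAddresses) > 0 {
		return c.EmailAddresses[0], nil
	}
	if cn := c.Subject.CommonName; cn != "" {
		return cn, nil
	}
	return "", fmt.Errorf("certificate carries no SAN or CN to look up in AD")
}

func main() {
	d := BuildDemo()
	fmt.Println("real RADIUS server accepted:", CheckServer(d.Server, d.Roots, "radius.corp.example", d.Now) == nil)
	fmt.Println("evil twin rejected:", CheckServer(d.RogueServer, d.Roots, "radius.corp.example", d.Now))
	fmt.Println(VerifyClient(d.User, d.Roots, d.Now))
	fmt.Println(VerifyClient(d.User, d.Roots, d.Now.AddDate(2, 0, 0))) // expired
	fmt.Println(VerifyClient(d.Server, d.Roots, d.Now))                // wrong EKU
}
```

The CheckServer step only protects anyone if the supplicant is actually configured to validate the server certificate and to trust only the enterprise CA for this SSID, which is what the wireless-settings GPO (3b above) pushes; a client that skips that check hands its credentials to an evil twin whether it uses EAP-TLS or PEAP.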
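Step 3a says the CN or SAN attribute is used for the Active Directory lookup. With Microsoft's PKI the SAN of an auto-enrolled user certificate carries the UPN as an otherName of type 1.3.6.1.4.1.311.20.2.3, a form that Go's crypto/x509 parser and a number of other libraries silently skip, so a server that reads only the CN or the rfc822Name can end up looking up the wrong object. The encoder and decoder below are an added Go example, not code from this thread or from any product; the email and UPN values are constructed, and they are deliberately different so the test proves the decoder picks the UPN and not the mail address.

```go
package main

import (
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
)

// OIDs: the SAN extension and Microsoft's UPN otherName type (szOID_NT_PRINCIPAL_NAME),
// which AD Certificate Services puts in auto-enrolled user certificates.
var (
	oidSAN = asn1.ObjectIdentifier{2, 5, 29, 17}
	oidUPN = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 20, 2, 3}
)

// otherName is the GeneralName variant carrying the UPN:
// [0] IMPLICIT SEQUENCE { type-id OBJECT IDENTIFIER, value [0] EXPLICIT UTF8String }.
type otherName struct {
	TypeID asn1.ObjectIdentifier
	Value  string `asn1:"tag:0,explicit,utf8"`
}

// BuildSAN encodes SubjectAltName ::= SEQUENCE OF GeneralName with an rfc822Name
// ([1] IA5String) and, when upn is non-empty, the UPN otherName. This is a constructed
// stand-in for what an AD "User" template issues.
func BuildSAN(email, upn string) (pkix.Extension, error) {
	names, err := asn1.MarshalWithParams(email, "tag:1,ia5")
	if err != nil {
		return pkix.Extension{}, err
	}
	if upn != "" {
		on, err := asn1.MarshalWithParams(otherName{oidUPN, upn}, "tag:0")
		if err != nil {
			return pkix.Extension{}, err
		}
		names = append(names, on...)
	}
	san, err := asn1.Marshal(asn1.RawValue{Tag: asn1.TagSequence, IsCompound: true, Bytes: names})
	if err != nil {
		return pkix.Extension{}, err
	}
	return pkix.Extension{Id: oidSAN, Value: san}, nil
}

// UPNFromExtensions walks the SAN's GeneralNames and returns the UPN otherName value,
// skipping the other name forms (dNSName, rfc822Name, ...) and otherNames of other types.
// On a parsed certificate, pass cert.Extensions.
func UPNFromExtensions(exts []pkix.Extension) (string, error) {
	for _, ext := range exts {
		if !ext.Id.Equal(oidSAN) {
			continue
		}
		var seq asn1.RawValue
		if _, err := asn1.Unmarshal(ext.Value, &seq); err != nil {
			return "", err
		}
		if seq.Class != asn1.ClassUniversal || seq.Tag != asn1.TagSequence || !seq.IsCompound {
			return "", fmt.Errorf("SAN extension is not a SEQUENCE")
		}
		for rest := seq.Bytes; len(rest) > 0; { // one GeneralName per iteration
			var gn asn1.RawValue
			var err error
			if rest, err = asn1.Unmarshal(rest, &gn); err != nil {
				return "", err
			}
			if gn.Class != asn1.ClassContextSpecific || gn.Tag != 0 {
				continue // not an otherName
			}
			var on otherName
			if _, err := asn1.UnmarshalWithParams(gn.FullBytes, &on, "tag:0"); err == nil && on.TypeID.Equal(oidUPN) {
				return on.Value, nil
			}
		}
		return "", fmt.Errorf("SAN carries no UPN otherName")
	}
	return "", fmt.Errorf("no SAN extension present")
}

func main() {
	ext, err := BuildSAN("jane.doe@corp.example", "jdoe@corp.example")
	if err != nil {
		panic(err)
	}
	fmt.Println(UPNFromExtensions([]pkix.Extension{ext}))
}
```

Whatever attribute the authentication server is configured to read, it must be the one the certificate template actually populates, and the AD lookup must then be done on that attribute (userPrincipalName for a UPN), or accounts will fail to match despite a perfectly valid chain.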
