Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
12399
Views
71
Helpful
3
Replies

WLC and Client Certificate Authentication

Timothy Ventry
Level 1
Level 1

‎05-09-2016 10:29 AM - edited ‎07-05-2021 05:01 AM

We are trying to implement certs for clients to use when connecting to the Enterprise Wireless Infrastructure with the WLC.  We use a MS Domain and use ACS.  What is the best way to implement this to a gain security posture and avoid evil twin issues, and ensure trusted clients are connected and authenticated.  Management wants to implement certificates for the clients connecting to the Wireless Controllers and AP's.

There is a request to use real certificates and not self-signed certs, for PEAP Auth.

Thank you

Tim

Labels:
0 Helpful
3 Replies 3

mickyq
Level 1
Level 1

‎11-11-2016 07:05 AM

Hi Tim did you find any documentation around this? I'm trying to do the same thing.

user machine authenticate with a certificate onto wireless then then the user authenticates with AD.

Thanks

0 Helpful

Freerk Terpstra
Level 7
Level 7
In response to mickyq

‎11-12-2016 03:44 PM

Certificates are another way to provide the identity of a machine or user instead of a "password". The world of certificates and network authentication (dot1x) can be overwhelming, so I will try to explain the important concepts in this reply.

There are two common authentication methods being used in today's wireless deployments:
1. PEAPv0 which is based on username and password
2. EAP-TLS which is based on a machine or user certificate but requires a PKI

The process of getting the client connected and authenticated are similar for both methods:
1. Client associates to the wireless network;
2. Client builds a protected tunnel with the authentication server. Based on the certificate used on the (RADIUS) server side the client verifies that it is talking to the correct server so it knows that it is safe to continue;
3. Client sends its credentials to the server (username/password with PEAPv0, certificate with EAP-TLS);
3a. In case of EAP-TLS the certificate will be validated and read by the server. Usually the CN or SAN attribute found in the certificate will be used for the Active Directory lookup;
4. Server validates the provided credentials by consulting Active Directory;
5. Active Directory gives feedback and provided current status and all the memberships the related object has within Active Directory. This object can be a user account or computer in case of a machine certificate.
6. Based on the policies within the authentication server certain information can be provided to the WLC (Examples are: deny, allow and a specified VLAN which should be used etc).

If you want to deploy EAP-TLS the following things should be in place:
1. A PKI, preferable Microsoft's implementation which integrates within Active Directory;
2. A authentication server for example Cisco ISE or Microsoft's NPS which uses a server certificate which can be actually verified by the clients (so signed by public CA or own PKI if all of the clients do have to CA cert of the PKI installed);
3. Active Directory infrastructure with two GPOs deployed:
3a. GPO to auto enroll certificates so clients will request a user/machine certificate;
3b. GPO to configure the client with wireless settings;
4. A RADIUS based connection between the WLC and the authentication server;
5. Policies on the authentication server based on certain Active Directory groups so clients can be authenticated.

Hopefully this helps to give some clarity, however if you have never have done any implementation I strongly advice to get some external help. Building a robust and secure PKI requires proper planning and a good design, so goes for the authentication services.

Please rate useful posts... :-)

Rahul Pawar
Level 1
Level 1
In response to Freerk Terpstra

‎04-24-2023 12:33 AM

Hi,

Wanted your guidance on the below. 

One of my customer is trying to achieve Certificate based auth when the users are connecting on the wireless network. But he is trying to achieve that with having a NAC/RADIUS solution in place. But he does have a AD server in place. Is this achievable. And if yes then how is that. Do we require any additional component to add to the solution along with the AD server

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card