
WLC config for eap-tls wifi

jesse.garcia11
Level 1

Hi all, we are deploying a wireless EAP-TLS machine-authenticated network. We have a PKI using Windows CA services with one offline root CA and one intermediate issuing CA. For our RADIUS server, I started with a Windows NPS server and then changed it to ISE, and keep going back and forth as I am troubleshooting. I know our ISE RADIUS server is configured in the WLC properly, as we have a guest network that is functional and it uses ISE. The issuing CA has properly sent out the certificate based on the "Radius Server Client Template" and the "Computer" certificate. This is from my client "Personal" certificates snap-in:

jessegarcia11_3-1710782192960.png

jessegarcia11_4-1710782252183.png

I followed the Cisco white paper for configuring but am having no luck. I just keep getting

EAP Root cause String: Network authentication failed due to a problem with the user account

EAP Error: 0x40420110

on the client. I am getting no logs on our RADIUS server, which has been ISE as well as a Windows NPS server (not both at the same time, only one will be used, but I tried both thinking maybe it was the RADIUS server). So that tells me it is not even hitting the RADIUS servers. When using ISE, I did import the CA and Intermediate CA as trusted CAs, as well as signed the EAP cert with the Issuing CA. I have a ticket open with ISE TAC and they confirmed that the cert was OK.

So I have decided to break it up for troubleshooting and will start with the WLAN and AP settings for the network. I have configured the WLAN to have the following:

jessegarcia11_0-1710781740949.png

and the RADIUS server:

jessegarcia11_1-1710781769548.png

I have tried with the following setting both unchecked and checked in the Policy that the Policy tag maps the WLAN profile to, because in the white paper I did see this setting needed to be checked.

jessegarcia11_2-1710781865529.png

I have researched this issue on Microsoft and some have given examples, but they still do not work. So to start, I would just like to make sure my WLC configurations are correct. Any guidance or input is greatly appreciated. Thanks.


2 Replies

marce1000
VIP


  - FYI : https://community.cisco.com/t5/network-access-control/definitive-answer-on-eap-cert-versus-windows-ad-pki-machine/m-p/4946903#M584820

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

Thank you. I did see that and commented asking a question on there as well. I am only using an AD Root CA cert. When using ISE, I did import that CA and Intermediate CA as trusted CAs, as well as signed the EAP cert with the Issuing CA. Is this saying there cannot be a hierarchy?
