WLC EAP-TLS

nibinrodrigues
Level 1

Hi,

My wireless network consists of 8 WLCs and 2 Cisco ACS 1113s running 4.2. I need to implement certificate authentication for the Cisco Wireless Phone SSID. I tried PEAP along with a certificate generated by Microsoft Cert Server, but the issue is that the client can ignore the certificate, and I believe the only way to force it is via Active Directory group policy.

So, as my Cisco IP Phones are not joined to Active Directory, I think the only option is to use EAP-TLS. For this I have the following queries.

1. What will be the SSID security setting? (I tried Layer 2 802.1X with WEP 104-bit encryption.)
2. Do I need to install any certificate on the WLC? If yes, which certificate (e.g. root, client)?
3. What certificate should be installed on the client?
4. What should be the client PC security setting for EAP-TLS?

I had gone through the following Docs for reference.

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a008068d45a.shtml

https://supportforums.cisco.com/docs/DOC-24723

Thanks

Nibin

4 Replies

1. Layer 2: WPA+WPA2, WPA2 Policy checked, WPA2 Encryption checked, Authentication Key Management: 802.1X.

2. You only need intermediate CA cert and device cert for WLC. You probably don't need root cert since your clients will have this, but it won't hurt to have it.

3. A device/machine certificate and the root cert.

4. Make a WLAN profile with the setting to use a certificate.

Regards,

Philip

Dear Philip,

Thanks for your reply. Actually the setting is working for laptops; the only issue is with wireless IP phones.

Please find the logs from Cisco ACS. I followed the deployment guide for the IP Phone.

AUTH 02/10/2013  13:29:58 I 0000 1756 0xb CryptoLib.SSLConnection.pvServerInfoCB - Process TLS  data: SSL state=SSLv3 read  client certificate A

AUTH 02/10/2013  13:29:58 I 2009 1756 0xb EAP: EAP-TLS:  Handshake failed

AUTH 02/10/2013  13:29:58 E 2255 1756 0xb EAP: EAP-TLS:  ProcessResponse: SSL recv alert fatal:bad certificate

AUTH 02/10/2013  13:29:58 E 2258 1756 0xb EAP: EAP-TLS:  ProcessResponse: SSL ext error reason: 412 (Ext error code =  0)

AUTH 02/10/2013  13:29:58 E 2297 1756 0xb EAP: EAP-TLS: ProcessResponse(1519):  mapped SSL error code (3) to -2198

AUTH 02/10/2013  13:29:58 I 0526 1756 0xb EAP: EAP-TLS: Unknown EAP code  Unknown EAP code

AUTH 02/10/2013  13:29:58 I 0366 1756 0xb EAP: EAP state: action = send

AUTH 02/10/2013  13:29:58 I 1151 1756 0xb [AuthenProcessResponse]:[eapAuthenticate] returned  -2198

AUTH 02/10/2013  13:29:58 I 1198 1756 0xb EAP: <-- EAP Failure/EAP-Type=EAP-TLS (identifier=7,  seq_id=7)

AUTH 02/10/2013  13:29:58 I 5501 1756 0xb Done  UDB_SEND_RESPONSE, client 50, status  UDB_EAP_TLS_INVALID_CERTIFICATE

Thanks

Nibin Rodrigues
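A small parser for the ACS 4.2 AUTH log format shown in the post above, added here as an example for this thread; it is not part of the original posts or of any Cisco tool. The sample lines are copied from the post (blank lines dropped), and the one-line diagnosis it produces is my own reading of the SSL state, alert and final status fields.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample: the ACS AUTH log excerpt from the post, one line per entry.
SAMPLE_LOG = """\
AUTH 02/10/2013  13:29:58 I 0000 1756 0xb CryptoLib.SSLConnection.pvServerInfoCB - Process TLS  data: SSL state=SSLv3 read  client certificate A
AUTH 02/10/2013  13:29:58 I 2009 1756 0xb EAP: EAP-TLS:  Handshake failed
AUTH 02/10/2013  13:29:58 E 2255 1756 0xb EAP: EAP-TLS:  ProcessResponse: SSL recv alert fatal:bad certificate
AUTH 02/10/2013  13:29:58 E 2258 1756 0xb EAP: EAP-TLS:  ProcessResponse: SSL ext error reason: 412 (Ext error code =  0)
AUTH 02/10/2013  13:29:58 E 2297 1756 0xb EAP: EAP-TLS: ProcessResponse(1519):  mapped SSL error code (3) to -2198
AUTH 02/10/2013  13:29:58 I 1198 1756 0xb EAP: <-- EAP Failure/EAP-Type=EAP-TLS (identifier=7,  seq_id=7)
AUTH 02/10/2013  13:29:58 I 5501 1756 0xb Done  UDB_SEND_RESPONSE, client 50, status  UDB_EAP_TLS_INVALID_CERTIFICATE
"""

# Layout assumed from the excerpt: AUTH <date> <time> <severity> <code> <pid> <thread> <message>
LINE_RE = re.compile(
    r"^AUTH (?P<date>\S+)\s+(?P<time>\S+) (?P<sev>[IEW]) (?P<code>\d{4}) "
    r"(?P<pid>\d+) (?P<thread>0x[0-9a-f]+) (?P<msg>.*)$"
)

@dataclass
class TlsAttempt:
    thread: str
    last_ssl_state: Optional[str] = None   # where in the handshake ACS was
    alert: Optional[str] = None            # TLS alert logged, e.g. fatal:bad certificate
    ext_reason: Optional[str] = None       # ACS "SSL ext error reason" number
    final_status: Optional[str] = None     # UDB_* status from the Done line
    failed: bool = False

def _grab(pattern: str, msg: str) -> Optional[str]:
    m = re.search(pattern, msg)
    return m.group(1) if m else None

def parse_attempts(text: str) -> Dict[str, TlsAttempt]:
    """Group AUTH lines by thread id and collect the EAP-TLS failure fields."""
    attempts: Dict[str, TlsAttempt] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        a = attempts.setdefault(m["thread"], TlsAttempt(m["thread"]))
        msg = " ".join(m["msg"].split())  # collapse the doubled spaces ACS emits
        a.last_ssl_state = _grab(r"SSL state=(.+)$", msg) or a.last_ssl_state
        a.alert = _grab(r"SSL recv alert (\S+:.+)$", msg) or a.alert
        a.ext_reason = _grab(r"SSL ext error reason: (\d+)", msg) or a.ext_reason
        a.final_status = _grab(r"status (\S+)$", msg) or a.final_status
        a.failed = a.failed or "Handshake failed" in msg
    return attempts

def diagnose(a: TlsAttempt) -> str:
    """One-line triage; the wording is this example's interpretation of the fields."""
    if not a.failed:
        return "no EAP-TLS handshake failure seen"
    if a.final_status == "UDB_EAP_TLS_INVALID_CERTIFICATE":
        return (f"client certificate rejected during '{a.last_ssl_state}' "
                f"(alert {a.alert}, ext reason {a.ext_reason}): check that the phone's "
                f"certificate chains to a CA trusted by ACS and is within its validity period")
    return f"EAP-TLS failed: {a.alert or a.final_status}"
```

Run it over an exported ACS AUTH log to get one diagnosis per handshake thread instead of reading the interleaved lines by hand.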

Scott Fella
Hall of Fame

Have you gone through the 7925 configuration doc?

http://www.cisco.com/en/US/docs/voice_ip_comm/cuipph/7925g/7_0/english/administration/guide/7925cfgu.html#wp1376129

-Scott

Hi,

EAP-TLS worked, but the IP Phone is disconnecting while roaming. Any advice?

Thanks

Nibin
