WLC5520 - Radius login without Certificate acceptance

Edward B
Level 1

Hello, thank you for reading.

I want to have my users log into WiFi using AD credentials, WITHOUT having to download or accept a certificate manually.

-Cisco WLC 5520

Details:

1. Radius PEAP-EAP-MSCHAP V2 Setup

2. When connecting to the WLAN it prompts users to trust a GoDaddy cert manually.

     (I don't want users to have to do this; it's more complicated on Android because they have to enter the domain.)

3. If I try to set the WLAN up for authentication through webauth, I have no option to use radius.

 

Extra details:

1. I have set up a GoDaddy cert on my RADIUS server with a trusted chain.

2. I have uploaded this cert to my WLC under webauth.

 

Did I mess up the cert installation somehow, or is there a way to do this without making them accept the cert?

Thank you for taking the time to read this and to anyone who replies.


Accepted Solution

@Edward B 

You need to read this:

https://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/115988-nps-wlc-config-000.html

 

"PEAP Phase One: TLS-Encrypted Channel

The wireless client associates with the AP. An IEEE 802.11-based association provides an open system or shared key authentication before a secure association is created between the client and the access point. After the IEEE 802.11-based association is successfully established between the client and the access point, the TLS session is negotiated with the AP. After authentication is successfully completed between the wireless client and NPS, the TLS session is negotiated between the client and NPS. The key that is derived within this negotiation is used to encrypt all subsequent communication."

You need to provision the client with the certificate in order for phase 1 to be completed.

Webauth is totally different from PEAP.


2 Replies

The users need a root certificate that has signed the certificate being used for the auth on the RADIUS server, even though it's EAP-PEAP.

*****Help out others by using the rating system and marking answered questions as "Answered"*****
*** Please rate helpful posts ***
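As an added illustration of what both replies mean by "provisioning the client" (this is not from the thread or from Cisco's document), here are two wpa_supplicant network blocks for PEAP-MSCHAPv2; Android's Wi-Fi stack is built on the same supplicant, which is why it asks for a CA and a domain. The first block never validates the RADIUS server, which is the machine equivalent of the user clicking "trust"; the second pins the issuing root and the server name so phase 1 completes silently. The SSID, identity, root-CA file path and RADIUS hostname are constructed placeholders.

```ini
# --- WEAK: no trust anchor configured -------------------------------
# With ca_cert omitted, wpa_supplicant logs a warning and accepts ANY
# server certificate in PEAP phase 1. Any RADIUS server with any cert
# can then collect the MSCHAPv2 exchange from this client.
network={
    ssid="Corp-WiFi"                  # constructed example SSID
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe@corp.example"      # constructed AD UPN
    password="REPLACE-WITH-USER-PASSWORD"
    phase2="auth=MSCHAPV2"
}

# --- HARDENED: trust anchor + server name pinned --------------------
# ca_cert points at ONLY the root that issued the RADIUS server cert
# (here the GoDaddy root mentioned in the thread; path is an assumption).
# domain_match requires the server cert's dNSName/CN to equal the
# RADIUS server's FQDN, so a different cert from the same public CA
# is still rejected. Because both values are pushed in the profile,
# the user is never prompted to accept anything.
network={
    ssid="Corp-WiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    anonymous_identity="anonymous@corp.example"   # hides the real user in the clear outer identity
    identity="jdoe@corp.example"
    password="REPLACE-WITH-USER-PASSWORD"
    ca_cert="/etc/ssl/certs/godaddy-root-g2.pem"  # assumed path to the issuing root only
    domain_match="radius.corp.example"            # constructed RADIUS server FQDN
    phase1="peapver=0"
    phase2="auth=MSCHAPV2"
}
```

The Windows equivalent is the same two settings in the WLAN profile (trusted root CA plus expected server name) pushed by GPO or MDM; the prompt the original poster sees is Windows asking the user to supply them by hand.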