5/2/2014
In this post we will see how to configure EAP-TLS on a wireless controller. It is assumed that you have a PC on which the certificates (user certificate and root CA certificate) are already installed. You can learn how to do this by following the YouTube videos from Jerome (part of a 7-part series covering EAP-TLS on clients, WLC and ACS; you should not miss these).
http://mrncciew.com/2013/04/22/configuring-eap-tls-on-wlc/
Once the installation is complete, open a command prompt (Run as Administrator) and run the OpenSSL application. Cisco document (Doc ID#75584) describes the process below for generating a CSR used to authenticate a WLC.
I have given my WLC name as the Common Name. If you are doing this for web authentication, you have to give the DNS name of the WLC virtual IP instead. This will create two files in the OpenSSL bin folder named wlc1key.pem and wlc1req.pem. Open wlc1req.pem in Notepad and use its contents to submit the CSR to your Certificate Authority.
I have used Microsoft PKI as my CA, installed on a Windows 2008 server. You have to use the Administrator account of that server to do this, and the URL for accessing it is 192.168.200.1/certsrv, where 192.168.200.1 is the server IP. You will see a page like this.
Then click "Submit an advanced certificate request" as shown below.
Then paste the Notepad output of wlc1req.pem, select the template type Web Server and hit the Submit button as shown below.
Then you can download the file. Ensure you selected the Base 64 encoded option. I have named it wlc1ca.cer and put it in the same bin folder where wlc1key.pem is.
Now, using the following OpenSSL commands, you can merge the wlc1key file and the wlc1ca file. The final file has to be in .pem format before it is uploaded to the WLC. Note that we have given the password mrncciew; you need to enter this password on the WLC when downloading the file onto the WLC.
OpenSSL> pkcs12 -export -in wlc1ca.cer -inkey wlc1key.pem -out wlc1ca.p12 -clcerts -passin pass:mrncciew -passout pass:mrncciew
Loading 'screen' into random state - done
OpenSSL> pkcs12 -in wlc1ca.p12 -out wlc1ca.pem -passin pass:mrncciew -passout pass:mrncciew
MAC verified OK
OpenSSL>
Then you can download this wlc1ca.pem file onto the WLC.
Now you need to install the Root CA certificate on the WLC. Since the Root CA is already installed on your client, you can export it using Firefox into your TFTP folder and then download it to the WLC. See the Firefox screen captures below for how to do this.
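The CSR, CA-signing and PKCS#12-to-PEM steps above, as an added shell example that is not from the original post or from Cisco: it stands up a throwaway OpenSSL root CA in place of the Microsoft PKI server, issues the controller certificate, builds the PEM bundle the same way the post does, and then runs the checks worth doing before anything is uploaded (the bundle carries both a key and a certificate, the key matches the certificate, and the certificate chains to the root CA). The names lab-ca, WLC1, wlc1key.pem/wlc1req.pem/wlc1ca.* and the KEY_PASS value are placeholders chosen for this example, not values from the post.

```shell
#!/bin/sh
# Added example (not from the original post): CSR -> CA signing -> PKCS#12 ->
# PEM bundle flow with a throwaway local CA, plus pre-upload checks.
# File names, the CA name and KEY_PASS are constructed placeholders.
set -eu

KEY_PASS="${KEY_PASS:-example-password}"   # placeholder; use your own

# 1. A throwaway root CA standing in for the Microsoft PKI server in the post.
#    lab-ca.pem is the equivalent of the Root CA exported from Firefox.
make_lab_ca() {
  dir="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=lab-root-ca" \
    -keyout "$dir/lab-ca.key" -out "$dir/lab-ca.pem" 2>/dev/null
}

# 2. Key + CSR for the controller. CN is the WLC name for EAP; for web auth
#    it would be the DNS name of the virtual IP instead.
make_wlc_csr() {
  dir="$1"; cn="$2"
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=$cn" \
    -keyout "$dir/wlc1key.pem" -out "$dir/wlc1req.pem" 2>/dev/null
}

# 3. The CA signs the CSR (the "Web Server template" step), PEM/Base64 out.
sign_wlc_csr() {
  dir="$1"
  openssl x509 -req -days 365 -in "$dir/wlc1req.pem" \
    -CA "$dir/lab-ca.pem" -CAkey "$dir/lab-ca.key" -CAcreateserial \
    -out "$dir/wlc1ca.cer" 2>/dev/null
}

# 4. Merge key + signed cert into PKCS#12, then back into one PEM file.
#    The passout password is the one entered on the WLC at download time.
bundle_for_wlc() {
  dir="$1"
  openssl pkcs12 -export -in "$dir/wlc1ca.cer" -inkey "$dir/wlc1key.pem" \
    -out "$dir/wlc1ca.p12" -clcerts -passout "pass:$KEY_PASS"
  openssl pkcs12 -in "$dir/wlc1ca.p12" -out "$dir/wlc1ca.pem" \
    -passin "pass:$KEY_PASS" -passout "pass:$KEY_PASS"
}

# 5. Checks to run before uploading: both objects present, key matches cert,
#    cert chains to the root CA that will also be installed on the WLC.
verify_bundle() {
  dir="$1"
  grep -q "BEGIN CERTIFICATE" "$dir/wlc1ca.pem" || return 1
  grep -q "PRIVATE KEY" "$dir/wlc1ca.pem" || return 1
  cert_pub=$(openssl x509 -in "$dir/wlc1ca.pem" -noout -pubkey)
  key_pub=$(openssl pkey -in "$dir/wlc1ca.pem" -passin "pass:$KEY_PASS" -pubout)
  [ "$cert_pub" = "$key_pub" ] || return 1
  # extract the certificate alone so verify never touches the encrypted key
  openssl x509 -in "$dir/wlc1ca.pem" -out "$dir/wlc1-cert-only.pem"
  openssl verify -CAfile "$dir/lab-ca.pem" "$dir/wlc1-cert-only.pem" >/dev/null 2>&1
}

WORK=$(mktemp -d)
make_lab_ca "$WORK"
make_wlc_csr "$WORK" "WLC1"
sign_wlc_csr "$WORK"
bundle_for_wlc "$WORK"
verify_bundle "$WORK" && echo "bundle OK: $WORK/wlc1ca.pem"
```

In a real deployment step 3 is done by the CA's web enrolment page rather than by openssl x509, and the file uploaded as the EAP CA certificate is the CA's own root certificate (lab-ca.pem here). Newer OpenSSL releases (3.0 and later) encrypt the PKCS#12 with AES and PBKDF2 by default, which is stronger than the older 3DES/RC2 defaults; since the controller receives the converted PEM rather than the .p12, that difference does not affect the upload.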
Now you can download this Root CA to your controller as follows. You can use the WLC GUI as well.
(WLC1) >transfer download mode tftp
(WLC1) >transfer download filename mrn-W2K8-CA.pem
(WLC1) >transfer download datatype eapcacert
(WLC1) >transfer download path .
(WLC1) >transfer download serverip 192.168.178.52
(WLC1) >transfer download start
Mode............................................. TFTP
Data Type........................................ Vendor CA Cert
TFTP Server IP................................... 192.168.178.52
TFTP Packet Timeout.............................. 6
TFTP Max Retries................................. 10
TFTP Path........................................ ./
TFTP Filename.................................... mrn-W2K8-CA.pem
This may take some time.
Are you sure you want to start? (y/N) y
TFTP EAP CA cert transfer starting.
Certificate installed.
Reboot the switch to use new certificate.
(WLC1) >reset system
We will configure an SSID authenticated via the WLC's Local EAP. Here are the Local EAP Profile settings. Note that the Certificate Issuer is set to Vendor, so the WLC uses the certificates installed above rather than its Cisco manufacturing certificate.
Now it is ready to test with a client. Here is a successful user authentication using the Local EAP profile configured for EAP-TLS.
These two videos from Jerome explain how to configure this, and I referred to them to make this post.
1. EAP-TLS on a WLC Part 1
2. EAP-TLS on a WLC Part 2
In a future post we will see how to configure this on ACS 5.2.
Rasika Nayanajith
Maksym said:
Your blog is really fantastic, Rasika! Thank you for sharing your study!
In the lab equipment there are no OpenSSL soft. How are we supposed to configure certificates there?
nayarasi said: