{"id":1021,"date":"2016-03-06T20:45:00","date_gmt":"2016-03-06T20:45:00","guid":{"rendered":"https:\/\/jay-miah.co.uk\/?p=1021"},"modified":"2024-11-17T20:54:16","modified_gmt":"2024-11-17T20:54:16","slug":"cisco-wireless-central-authentication-using-eap-tls-with-vwlc-as-the-aaa-server","status":"publish","type":"post","link":"https:\/\/jay-miah.co.uk\/index.php\/cisco-wireless-central-authentication-using-eap-tls-with-vwlc-as-the-aaa-server\/","title":{"rendered":"Cisco Wireless \u2013 Central Authentication using EAP-TLS with vWLC as the AAA Server"},"content":{"rendered":"

EAP-TLS can be deployed a number of ways in\u00a0\u00a0\u201cDeploying EAP-TLS Wireless Solution in an Enterprise Environment\u201d<\/a>\u00a0we demonstrated RADIUS authentication using a Microsoft Server 2012 R2 as a AAA server. In this example we will use the WLC to perform the authentication centrally\u00a0instead of forwarding the requests. Although it is better and more secure to use a AAA server like NPS in terms of being able to define policies and configure additional security options, the WLC is more than capable of performing the authentication itself and in no way does it reduce\u00a0the security from the EAP-TLS side of things as certificates are still used on both the client and server side. In this example we will use the following:<\/p>\n

Windows Server 2012 R2:<\/strong>\u00a0This will act as the Domain Controller as well as the Certification Authority to issue and manage our certificates. We will be using user certificates, the users will be able to request a certificate directly from the CA. We will create AD users to control access to the network but we will not\u00a0deploy Group Policy settings from our DC to push out auto enrollment for our user certificates, and our SSID profiles, we will configure these steps manually to demonstrate the difference.<\/p>\n

Cisco vWLC:\u00a0<\/strong>The WLC will act as the AAA Radius Server as well as the Controller to manage the WLAN.\u00a0<\/strong>We will create a CSR to sign, create and install the EAP Vendor certificate, we will also download the CA certificate to the controller. \u00a0From the security settings we will\u00a0create the local EAP profile and set-up central authentication, then finally set-up the WLAN profiles to\u00a0manage the SSID.<\/p>\n

Windows 7 client:\u00a0<\/strong>This client\u00a0<\/strong>machine will be domain bound, primarily we will use this device to request a user certificate and create the network profile locally. Then we will connect to the wireless infrastructure and validate our configuration.<\/p>\n

Please note: In order to carry out this lab you must have a functioning domain with ADDS, DNS, DHCP and networking, you will also need the additional roles installed mentioned above on the relevant servers.<\/p>\n

Anchor\u00a0links<\/p>\n

Prepare the CA and Vendor Certificates required by the WLC<\/strong><\/a><\/p>\n

Download the Vendor and CA certificate to the WLC<\/strong><\/a><\/p>\n

Create the WLAN and Specify EAP-TLS Parameters<\/strong><\/a><\/p>\n

Create an AD user<\/strong><\/a><\/p>\n

Client configuration, Certificate request and SSID Set-up<\/strong><\/a><\/p>\n

Testing and Validation<\/strong><\/a><\/p>\n

 <\/p>\n

Lets get started!<\/p>\n

Prepare the CA and Vendor Certificates required by the WLC<\/strong><\/p>\n

For EAP-TLS local authentication to take place on the WLC, we need to create the vendor certificate and then download both the vendor and CA certificate to the WLC. The vendor certificate will serve as the public key to be used by the WLC to present and identify itself to the clients during association, this certificate will be used by the clients to encrypt data back to the WLC. The CA certificate will remain on the WLC for it to compare the client certificate against the trusted CA. Unfortunately Cisco WLC\u2019s does not support .cert files and the certificate signing request (CSR) therefore we will need to use a third party tool to generate the CSR and then use a windows CA to sign and issue a\u00a0certificate. We will merge the private key with the issued certificate then convert the .cert to a .pem file to download to\u00a0the Controller.<\/p>\n

 <\/p>\n

1.<\/strong>\u00a0Download OpenSSL for Windows<\/p>\n

\"1\"<\/p>\n

 <\/p>\n

\"2\"<\/p>\n

2.<\/strong>\u00a0Launch the Installation, by double clicking the .exe file. Click\u00a0\u201cNext\u201d<\/p>\n

\"3\"<\/p>\n

3.<\/strong>\u00a0Select\u00a0\u201cI accept the agreement\u201d\u00a0and click\u00a0\u201cNext\u201d<\/p>\n

\"4\"<\/p>\n

4.<\/strong>\u00a0Change the destination\u00a0folder location to\u00a0\u201cC:\\openssl\u201d\u00a0and click\u00a0\u201cNext\u201d<\/p>\n

\"5\"<\/p>\n

5.<\/strong>\u00a0Click\u00a0\u201cNext\u201d<\/p>\n

\"6\"<\/p>\n

6.<\/strong>\u00a0Click\u00a0\u201cNext\u201d<\/p>\n

\"7\"<\/p>\n

7.<\/strong>\u00a0Click\u00a0\u201cNext\u201d<\/p>\n

\"8\"<\/p>\n

8.<\/strong>\u00a0Click\u00a0\u201cInstall\u201d<\/p>\n

\"9\"<\/p>\n

\"10\"<\/p>\n

9.<\/strong>\u00a0Click\u00a0\u201cFinish\u201d<\/p>\n

\"11\"<\/p>\n

10.<\/strong>\u00a0Click\u00a0\u201cStart\u201d\u00a0and launch\u00a0\u201cCMD\u201d. type\u00a0\u201ccd c:\\openssl\\bin\u201d\u00a0and press enter. This will change the directory of where we want to run our commands from for the program. type\u00a0\u201copenssl\u201d\u00a0and hit enter. the\u00a0\u201cOpenSSL>\u201d\u00a0prompt indicates the program is ready to accept commands.<\/p>\n

\"1\"<\/p>\n

11.<\/strong>\u00a0Generate pair and request signing key, type \u201creq -config \u201cC:\\openssl\\share\\openssl.cnf\u201d -new -newkey rsa:1024 -nodes -keyout mykey.pem -out myreq.pem\u201d\u00a0here we are telling openssl that we want to generate a new private key with a certificate signing request for the public key at the length of 1024.\u00a0\u201cmykey.pem\u201d\u00a0is the private key,\u00a0\u201cmyreq.pem\u201d\u00a0is the CSR. The results below indicate that the command was successful, we are now prompted to enter a set of commands for the program to create the signing request.<\/p>\n

\"2\"<\/p>\n

12.<\/strong>\u00a0Enter the following information requested by the program and hit enter after each,<\/p>\n

Country Name (2 letter code) [AU]:GB
\nState or Province Name (full name) [Some-State]:England
\nLocality Name (eg, city) []:London
\nOrganization Name (eg, company) [Internet Widgits Pty Ltd]:LNS
\nOrganizational Unit Name (eg, section) []:IT
\nCommon Name (eg, YOUR name) []:Jay
\nEmail Address []:admin@jay-miah.co.uk<\/p>\n

Please enter the following \u2018extra\u2019 attributes
\nto be sent with your certificate request
\nA challenge password []:
\nAn optional company name []:<\/p>\n

At the\u00a0\u201cextra\u00a0attributes\u201d\u00a0for a challenge password, I didn\u2019t enter anything and simply left it blank, the software version \u201c09.8h-l\u201d has a bug which causes the set of commands to fail. its not essential to enter something here.<\/p>\n

\"3\"<\/p>\n

13.<\/strong>\u00a0Navigate to the newly generated private key and CSR in the following location\u00a0\u201cC:\\openssl\\bin\u201d<\/p>\n

\"4\"<\/p>\n

14.<\/strong>\u00a0Right click\u00a0\u201cmyreq.pem\u201d\u00a0and select\u00a0\u201cOpen with\u201d\u00a0select\u00a0\u201cNotepad\u201d<\/p>\n

\"5\"<\/p>\n

\"6\"<\/p>\n

15.<\/strong>\u00a0Select all the text, right click and select\u00a0\u201cCopy\u201d<\/p>\n

\"12\"<\/p>\n

16.<\/strong>\u00a0Launch a web browser and navigate the CA servers certificate request URL. If on the local machine \u2013\u00a0\u201chttps:\/\/localhost\/certsrv\u201d\u00a0or\u00a0\u201chttps:\/\/192.168.10.23\/Certsrv\u201d<\/p>\n

Click\u00a0\u201cRequest a certificate\u201d<\/p>\n

\"8\"<\/p>\n

17.<\/strong>\u00a0Click\u00a0\u201cadvanced certificate request\u201d<\/p>\n

\"9\"<\/p>\n

18.<\/strong>\u00a0Click\u00a0\u201cSubmit a certificate by using a base-64-encoded CMC or PKCS#10 file, or submit a renewal request by using a base-64-encoded PKCS#7 file\u201d<\/p>\n

\"10\"<\/p>\n

19.<\/strong>\u00a0If prompted with a warning that the website is attempting digital certificate operation click\u00a0\u201cYes\u201d<\/p>\n

\"11\"<\/p>\n

20.<\/strong>\u00a0inside the\u00a0\u201cSaved Request\u201d\u00a0field paste the copied text from the\u00a0\u201cmyreq\u201d\u00a0CSR. select\u00a0\u201cWeb Server\u201d\u00a0as the certificate template and click\u00a0\u201cSubmit\u201d<\/p>\n

\"13\"<\/p>\n

21.<\/strong>\u00a0Select\u00a0\u201cBase 64 encoded\u201d\u00a0and click\u00a0\u201cDownload certificate\u201d<\/p>\n

\"14\"<\/p>\n

22.<\/strong>\u00a0Click\u00a0\u201cSave\u201d\u00a0Navigate to the installation folder of\u00a0\u201cOpenSSL\u201d \u2013\u00a0\u201cC:\\openssl\\bin\u201d\u00a0give the file a name and click\u00a0\u201cSave\u201d<\/p>\n

\"15\"<\/p>\n

23.<\/strong>\u00a0\u00a0Enter the following command \u2013\u00a0\u201cpkcs12 -export -in WLC.cer -inkey mykey.pem -out finalWLCcert.p12 -clcerts -passin pass:cisco -passout pass:cisco\u201d\u00a0\u2013 Here we are telling openssl to merge the new signed certificate \u201cWLC.cer\u201d with the private key \u201cmykey.pem\u201d and generate one file \u201cfinalWLCcert.p12\u201d, and use the password of \u201ccisco\u201d to protect the certificate keys.<\/p>\n

\"16\"<\/p>\n

24.<\/strong>\u00a0Now that we have the keys merged we need to convert the\u00a0\u201cfinalWLCcert.p12\u201d\u00a0to a\u00a0\u201c.pem\u201d\u00a0file as the WLC will not recognise the format. Enter\u00a0\u201cpkcs12 -in finalWLCcert.p12 -out mywlc.pem -passin pass:cisco -passout pass:cisco\u201d<\/p>\n

\"17\"<\/p>\n

If we navigate to\u00a0\u201cC:\\openssl\\bin\u201d\u00a0we can see the new certificate file has been merged with the .PEM extension<\/p>\n

\"18\"<\/p>\n

25.<\/strong>\u00a0We have the vendor certificate, now we need to download and convert the CA certificate to a .PEM file. there is a neat trick that can be used to achieve this very easily using the \u201cFirefox\u201d browser. Launch\u00a0\u201cFirefox\u201d, this can be done from any machine. navigate to the URL of the CA server \u2013\u00a0\u201chttps:\/\/192.168.10.23\/certsrv\u201d\u00a0and login as the administrator or any valid domain user.<\/p>\n

\"19\"<\/p>\n

26<\/strong>. Click\u00a0\u201cDownload a CA certificate, certificate chain, or CRL\u201d<\/p>\n

\"21\"<\/p>\n

27.<\/strong>\u00a0Click\u00a0\u201cInstall CA certificate\u201d<\/p>\n

\"22\"<\/p>\n

28.<\/strong>\u00a0Tick all three tick boxes and click\u00a0\u201cOK\u201d\u00a0to install the CA certificate on the local machine.<\/p>\n

\"24\"<\/p>\n

29.<\/strong>\u00a0From the menu select\u00a0\u201cOptions\u201d<\/p>\n

\"25\"<\/p>\n

30.<\/strong>\u00a0Select\u00a0\u201cAdvanced\u201d\u00a0and\u00a0\u201cView Certificates\u201d<\/p>\n

\"26\"<\/p>\n

31.<\/strong>\u00a0Scroll down and find the CA certificate that was just installed, in this case its the\u00a0\u201cLNS-LNS-DC-01-CA-1\u201d\u00a0Click the certificate and select\u00a0\u201cExport\u201d<\/p>\n

\"27\"<\/p>\n

32.<\/strong>\u00a0From the\u00a0\u201cSave as type\u201d\u00a0dropdown box, select\u00a0\u201cX.509 Certificate (PEM)(*crt,*pem)\u201d\u00a0click\u00a0\u201cSave\u201d<\/p>\n

\"28\"<\/p>\n

 <\/p>\n

Download the Vendor and CA certificate to the WLC<\/strong><\/p>\n

Using a TFTP server application, we will download both the Vendor and CA certificates to the controller and then verify the certificates have installed correctly. We will then reboot the controller for it to start using the new certificates.<\/p>\n

1.<\/strong>\u00a0Copy both .pem files into the root TFTP location of the TFTP server.<\/p>\n

\"29\"<\/p>\n

2.<\/strong>\u00a0Launch the TFTP Server, in this example I am using Solarwinds TFTP Server.<\/p>\n

\"30\"<\/p>\n

3.<\/strong>\u00a0login to the WLC and navigate to\u00a0\u201cSecurity\u201d\u00a0\u2013\u00a0\u201cVendor Certs\u201d\u00a0\u2013\u00a0\u201cCA Certificate\u201d\u00a0from the output below we can see that the WLC does not have a CA certificate installed for EAP.<\/p>\n

\"31\"<\/p>\n

4.\u00a0<\/strong>Click on\u00a0\u201cID Certificate\u201d\u00a0we can see that there is no vendor certificate installed for EAP devices.<\/p>\n

\"32\"<\/p>\n

5.<\/strong>\u00a0Click\u00a0\u201cCommands\u201d\u00a0\u2013\u00a0\u201cDownload File\u201d\u00a0from the dropdown box select\u00a0\u201cVendor CA Certificate\u201d\u00a0select\u00a0\u201cTFTP\u201d\u00a0as the transfer mode, input the IP address of the TFTP server and provide the filename of the certificate including the extension name. in this case its the CA certificate so we need to specify\u00a0\u201cLNS-LNS-DC-01-CA-1.pem\u201d\u00a0Click\u00a0\u201cDownload\u201d<\/p>\n

\"33\"<\/p>\n

From the TFTP server we can see the transfer has began and completed.<\/p>\n

\"34\"<\/p>\n

The message on the controller informs us that the Certificate was installed and that the controller needs to be rebooted, in order to start using the new certificate. We wont reboot just yet as we have the vendor certificate to install.<\/p>\n

\"35\"<\/p>\n

6.<\/strong>\u00a0From the drop down box select\u00a0\u201cVendor Device Certificate\u201d\u00a0specify the certificate password of\u00a0\u201ccisco\u201dselect\u00a0\u201cTFTP\u201d\u00a0as the transfer mode, input the IP address of the TFTP server and provide the filename of the certificate including the extension name. in this case its the device\u00a0certificate so we need to specify\u00a0\u201cmywlc.pem\u201d\u00a0Click\u00a0\u201cDownload\u201d.\u00a0Again we should see the confirmation message that the certificate was installed and the WLC needs to be rebooted.<\/p>\n

\"36\"<\/p>\n

7.<\/strong>\u00a0Still on the\u00a0\u201cCommands\u201d\u00a0menu from the left hand pane select\u00a0\u201cReboot\u201d\u00a0click\u00a0\u201cSave and Reboot\u201d. The device will save the configuration and reboot this can take a few mins to complete.<\/p>\n

\"37\"<\/p>\n

Click\u00a0\u201cOK\u201d\u00a0at the warning prompt<\/p>\n

\"38\"<\/p>\n

8.<\/strong>\u00a0Once the device has rebooted, login and navigate back to\u00a0\u201cSecurity\u201d\u00a0\u2013\u00a0\u201cVendor Certs\u201d\u00a0\u2013\u00a0\u201cCA Certificate\u201d\u00a0verify the new downloaded CA certificate is now in use.<\/p>\n

\"39\"<\/p>\n

9.<\/strong>\u00a0Click on ID Certificate and verify the device certificate is in use<\/p>\n

\"40\"<\/p>\n

 <\/p>\n

Create the WLAN and Specify EAP-TLS Parameters<\/strong><\/p>\n

In this step we will create a local EAP profile to define the requirements of the connection including security, then we will create the WLAN and SSID.<\/p>\n

1.<\/strong>\u00a0Navigate to\u00a0\u201cSecurity\u201d\u00a0Click\u00a0\u201cLocal EAP\u201d\u00a0\u2013\u00a0\u201cProfiles\u201d\u00a0\u2013\u00a0\u201cNew\u201d<\/p>\n

<\/p>\n

2.<\/strong>\u00a0Give the profile a name<\/p>\n

\"42\"<\/p>\n

3.\u00a0<\/strong>Tick\u00a0\u201cEAP-TLS\u201d,\u00a0\u201cLocal Certificate Required\u201d,\u00a0\u201cClient Certificate Required\u201d, Change Certificate Issuer from Cisco to\u00a0\u201cVendor\u201d\u00a0and tick\u00a0\u201cCheck\u00a0against\u00a0CA certificates,\u00a0\u201cCheck\u00a0Certificate Date Validity\u201d<\/p>\n

\"43\"<\/p>\n

4.<\/strong>\u00a0Navigate to\u00a0\u201cWLANs\u201d\u00a0\u2013\u00a0\u201cCreate New\u201d\u00a0click\u00a0\u201cGo\u201d<\/p>\n

\"44\"<\/p>\n

5.<\/strong>\u00a0Give the profile and SSID a name, these do not have to match. Click\u00a0\u201cApply\u201d<\/p>\n

\"45\"<\/p>\n

6.<\/strong>\u00a0Under the\u00a0\u201cGeneral\u201d\u00a0tab tick\u00a0\u201cEnabled\u201d, select the radio policy and the interface group to use with the WLAN.<\/p>\n

\"46\"<\/p>\n

7.<\/strong>\u00a0Click the\u00a0\u201cSecurity\u201d\u00a0tab,\u00a0\u201cLayer 2\u201d\u00a0and select\u00a0\u201c802.1x\u201d\u00a0from the drop down list.<\/p>\n

\"47\"<\/p>\n

8.<\/strong>\u00a0Click\u00a0\u201cAAA Servers\u201d\u00a0make sure all the boxes are un-ticked under\u00a0\u201cRADIUS Servers\u201d<\/p>\n

\"48\"<\/p>\n

Scroll down and tick\u00a0\u201cEnabled\u201d\u00a0in the\u00a0\u201cLocal EAP Authentication\u201d\u00a0tick box<\/p>\n

\"49\"<\/p>\n

 <\/p>\n

Create an AD user<\/strong><\/p>\n

We have all the background configuration ready now we need to create our users that will be requesting certificates and connecting to the WLAN. In this example we will create a single user \u201cTLSSuser\u201d<\/p>\n

1.<\/strong>\u00a0On the DC login, Click\u00a0\u201cStart\u201d\u00a0and type\u00a0\u201cActive Directory Users and Computers\u201d<\/p>\n

\"50\"<\/p>\n

2.<\/strong>\u00a0Click the\u00a0\u201cUsers\u201d\u00a0container and from the\u00a0\u201cActions\u201d menu select\u00a0\u201cNew\u201d\u00a0\u2013\u00a0\u201cUser\u201d<\/p>\n

\"51\"<\/p>\n

3. \u00a0<\/strong>Give the user a name, click\u00a0\u201cNext\u201d<\/p>\n

\"52\"<\/p>\n

4.<\/strong>\u00a0Create a password and tick\u00a0\u201cPassword never expires\u201d, click\u00a0\u201cNext\u201d<\/p>\n

\"53\"<\/p>\n

5.<\/strong>\u00a0Click\u00a0\u201cFinish\u201d<\/p>\n

\"54\"<\/p>\n

 <\/p>\n

Client configuration, Certificate request and SSID Set-up<\/strong><\/p>\n

In this client configuration, we will manually login and request a user certificate then we will set-up the SSID on the local machine. Although all this can be achieved via group policy which has been demonstrated in\u00a0\u201cDeploying EAP-TLS Wireless Solution in an Enterprise Environment\u201d<\/a>\u00a0In this example we will see\u00a0how these tasks can also be done manually.<\/p>\n

1.<\/strong>\u00a0Logon to the client machine using the user account created earlier, in this case its \u201cTLSUser\u201d. As the client will not have a valid wireless connection to the domain we will need to plug directly on to the network so that: \u00a01. we can login and 2. we are able to request a user certificate. Launch a browser and navigate to the URL of the CA, i.e\u00a0\u201chttps:\/\/192.168.10.23\/certsrv\u201d\u00a0At the Logon prompt Login as the\u00a0\u201cDomain User\u201d<\/strong><\/p>\n

\"1.2\"<\/p>\n

2.<\/strong>\u00a0Click\u00a0\u201cRequest a certificate\u201d<\/p>\n

\"1.3\"<\/p>\n

3.<\/strong>\u00a0Click\u00a0\u201cadvanced certificate request\u201d<\/p>\n

<\/p>\n

4.<\/strong>\u00a0Select\u00a0\u201cCreate and submit a request to this CA\u201d<\/p>\n

\"1.5\"<\/p>\n

5.<\/strong>\u00a0From the request options, select\u00a0\u201cUser\u201d,\u00a0\u201c1024\u201d\u00a0as the key size and\u00a0\u201cCMC\u201d\u00a0as the request format. Click\u00a0\u201cSubmit\u201d<\/p>\n

\"1.6\"<\/p>\n

6.<\/strong>\u00a0Click\u00a0\u201cInstall this Certificate\u201d<\/p>\n

\"1.8\"<\/p>\n

The confirmation message will display that the user certificate has now been installed.<\/p>\n

\"1.9\"<\/p>\n

As this is a domain machine, the CA certificate has already been installed as part of the domain join process. however for any reason if you dont have the CA certificate installed on the local machine. you will get a prompt at the install \u201cThis CA is not trusted\u201d click \u201cInstall this CA certificate\u201d this CA certificate can also be installed by Clicking \u201cHome\u201d and select \u201cDownload CA certificate, certificate chain or CRL\u201d<\/p>\n

<\/p>\n

 <\/p>\n

7.<\/strong>\u00a0Still on the client machine click\u00a0\u201cStart\u201d\u00a0and launch\u00a0\u201cMMC\u201d<\/p>\n

\"1.10.1\"<\/p>\n

8.<\/strong>\u00a0Click\u00a0\u201cFile\u201d\u00a0\u2013\u00a0\u201cAdd\/Remove Snap-in\u201d<\/p>\n

\"1.10.2\"<\/p>\n

9.<\/strong>\u00a0Click\u00a0\u201cCertificates\u201d, click\u00a0\u201cAdd\u201d\u00a0and click\u00a0\u201cOK\u201d<\/p>\n

\"1.10.3\"<\/p>\n

10.<\/strong>\u00a0Expand\u00a0\u201cCertificates\u201d\u00a0\u2013\u00a0\u201cPersonal\u201d\u00a0\u2013\u00a0\u201cCertificates\u201d\u00a0and verify the user certificate is installed, click and open the issued certificate to view the properties.<\/p>\n

\"1.11\"<\/p>\n

11.<\/strong>\u00a0Now that our certificates is installed we can configure the SSID locally.\u00a0Navigate to\u00a0\u201cControl Panel\u201d\u00a0\u2013\u00a0\u201cNetwork and Internet\u201d\u00a0\u2013\u00a0\u201cNetwork and Sharing Center\u201d\u00a0click\u00a0\u201cSetup a new connection or network\u201d<\/p>\n

\"1.12\"<\/p>\n

12.<\/strong>\u00a0Click\u00a0\u201cManually connect to a wireless network\u201d\u00a0click\u00a0\u201cNext\u201d<\/p>\n

\"1.13\"<\/p>\n

13.\u00a0<\/strong>Specify the network name that we will be connecting to, this SSID was setup on the WLC earlier. In this case it\u00a0\u201cLoacl-EAP-TLS\u201d\u00a0Specify\u00a0\u201c802.1x\u201d\u00a0as the security type as we are using\u00a0\u201cRADIUS\u201d. Click\u00a0\u201cNext\u201d<\/p>\n

\"1.14\"<\/p>\n

14.<\/strong>\u00a0Click\u00a0\u201cChange connection settings\u201d<\/p>\n

\"1.15\"<\/p>\n

15.<\/strong>\u00a0Select the\u00a0\u201cSecurity tab\u201d\u00a0and select\u00a0\u201cMicrosoft: Smart Card or other Certificate\u201d\u00a0and click\u00a0\u201cSettings\u201d<\/p>\n

\"1.16\"<\/p>\n

16.<\/strong>\u00a0Under \u201cWhen connecting\u201d select\u00a0\u201cUse a certificate on this computer\u201d\u00a0tick\u00a0\u201cUse a simple certificate selection (Recommended)\u201d\u00a0and tick\u00a0\u201cVerify the servers identity by validating the certificate\u201d<\/p>\n

From the\u00a0\u201cTrusted Root Certification Authorities\u201d\u00a0select the root certificate of your root CA, this is the certificate that is issued to the CA server by the CA.<\/p>\n

Finally tick\u00a0\u201cuse a different username for the connection\u201d\u00a0and click\u00a0\u201cOK\u201d\u00a0and close all the windows<\/p>\n

 <\/p>\n

\"1.17\"<\/p>\n

17.<\/strong>\u00a0Click the wireless icon on the desktop and verify the SSID is visible, click\u00a0\u201cConnect\u201d<\/p>\n

\"1.18\"<\/p>\n

18.<\/strong>\u00a0A window will pop up displaying the username which is on the user certificate, the connection username will also\u00a0be the\u00a0same. This prompt is asking the user to select the certificate in which they would like to use to connect. In a domain environment the logged on user will only be able to see their own certificate. Click\u00a0\u201cView Certificate\u201d\u00a0to see the details of the cert, then\u00a0click\u00a0\u201cOK\u201d\u00a0to connect. \u00a0The prompt only appears the first and only time the user connects, subsequent connections take place automatically in the background.<\/p>\n

\"1.19\"<\/p>\n

\"1.20\"<\/p>\n

\"1.21\"<\/p>\n

 <\/p>\n

Testing and Validation<\/strong><\/p>\n

Lets validate the configuration and test our deployment.<\/p>\n

1.<\/strong>\u00a0Once the network is connected, Launch\u00a0\u201cCMD\u201d\u00a0type\u00a0\u201cIPconfig\u201dand verify DHCP has issued a correct IP address within the VLAN specified in the WLC. In this case we have an IP from VLAN20 which is on the 192.168.20.0 network.<\/p>\n

\"1.22\"<\/p>\n

2.\u00a0<\/strong>Ping the default gateway and verify connectivity<\/p>\n

\"1.23\"<\/p>\n

3.<\/strong>\u00a0On the WLC click\u00a0\u201cMonitor\u201d\u00a0\u2013\u00a0\u201cClients\u201d\u00a0Verify the client is visible on the list as a connected client. Click the MAC address of the client for more detail.<\/p>\n

\"1\"<\/p>\n

4.<\/strong>\u00a0\u00a0From the client properties we can see that the WLAN profile and SSID the client is using is\u00a0\u201cLocal-EAP-TLS\u201d\u00a0the authentication is \u201cCentral\u201d which is our Cisco WLC. The username is\u00a0\u201ctlsuser@LNS.Internal\u201d\u00a0and the VLAN id is\u00a0\u201c20\u201d<\/p>\n

\"2\"<\/p>\n

5.\u00a0<\/strong>\u00a0If we scroll down to the\u00a0\u201cSecurity Information\u201d\u00a0We can verify that we are using\u00a0\u201c802.1X\u201d\u00a0and the EAP Type is\u00a0\u201cEAP-TLS\u201d<\/p>\n

\"3\"<\/p>\n","protected":false},"excerpt":{"rendered":"

EAP-TLS can be deployed a number of ways in\u00a0\u00a0\u201cDeploying EAP-TLS Wireless Solution in an Enterprise Environment\u201d\u00a0we demonstrated RADIUS authentication using a Microsoft Server 2012 R2<\/p>\n","protected":false},"author":1,"featured_media":1048,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6,17],"tags":[106,104,107,109,105,108],"class_list":["post-1021","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","category-wireless","tag-aaa","tag-authentication","tag-central-authentication","tag-certificates","tag-eap-tls-local","tag-wlc"],"_links":{"self":[{"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/1021","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/comments?post=1021"}],"version-history":[{"count":1,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/1021\/revisions"}],"predecessor-version":[{"id":1112,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/1021\/revisions\/1112"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/media\/1048"}],"wp:attachment":[{"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/media?parent=1021"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/categories?post=1021"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/tags?post=1021"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}