{"id":2081,"date":"2015-12-23T12:23:00","date_gmt":"2015-12-23T12:23:00","guid":{"rendered":"https:\/\/jay-miah.co.uk\/?p=2081"},"modified":"2024-11-18T12:47:55","modified_gmt":"2024-11-18T12:47:55","slug":"cisco-wireless-central-authentication-using-eap-fast-with-vwlc-as-the-aaa-server","status":"publish","type":"post","link":"https:\/\/jay-miah.co.uk\/index.php\/cisco-wireless-central-authentication-using-eap-fast-with-vwlc-as-the-aaa-server\/","title":{"rendered":"Cisco Wireless \u2013 Central Authentication using EAP-FAST with vWLC as the AAA Server"},"content":{"rendered":"\n

<\/p>\n\n\n

EAP-FAST \u2013 Flexible Authentication via Secure Tunnelling\u00a0is a proprietary 802.11X authentication method from Cisco. FAST does not require certificates, the protocol creates a tunnel between the user and AAA server and uses PAC \u2013 Protected Access Credentials as part of the algorithm, clients must support this in order to be compatible. Not all clients will be able to use FAST by default, in apple devices you can use the \u201cApple Configurator\u201d to setup FAST and deploy to clients. In Windows the you will need to update the network driver and download the necessary Cisco module\/plugin to use FAST, these can be downloaded from the manufactures website of the network adapter. Intel provide support for most of their \u201cPROSet\u201d adapters<\/p>\n

In this Step-by-Step guide we will set-up central authentication on the vWLC using EAP-FAST, the WLC will act as the AAA Server, we will create a local EAP profile, and finally use a windows 10 client device to connect and centrally authenticate the local user.<\/p>\n

Configure the networking<\/strong><\/p>\n

Make sure all the networking in the background is working, the vWLC management interface and the AP must be connected to a trunk port on the switch, this is to support VLANs. Also a DHCP Server must be available to service clients with IP addresses from the relevant VLANs.<\/p>\n

Create a Local EAP profile for\u00a0EAP-FAST<\/strong><\/p>\n

1.<\/strong>\u00a0Login to the Wireless LAN Controller, and click\u00a0\u201cSecurity\u201d \u2013 \u201cLocal EAP\u201d \u2013 \u201cProfiles\u201d\u00a0\u2013\u00a0\u201cNew\u201d<\/p>\n

<\/p>\n

2.<\/strong>\u00a0 Give the new profile a name and click\u00a0\u201cApply\u201d, in this example we have used \u201cLocal-FAST\u201d<\/p>\n

<\/p>\n

3.<\/strong>\u00a0Tick the\u00a0\u201cEAP-FAST\u201d\u00a0box to allow the profile to use FAST\u00a0as its authentication method, and click\u00a0\u201cApply\u201d<\/p>\n

<\/p>\n

4.<\/strong>\u00a0From the left hand menu select\u00a0\u201cAuthentication Priority\u201d\u00a0and verify\u00a0\u201cLOCAL\u201d\u00a0is selected in the\u00a0\u201cOrder used for Authentication\u201d\u00a0box.<\/p>\n

<\/p>\n

 <\/p>\n

Create a local user<\/strong><\/p>\n

1.\u00a0<\/strong>Under\u00a0\u201cSecurity\u201d\u00a0\u2013\u00a0\u201cAAA\u201d\u00a0select\u00a0\u201cLocal Net Users\u201d\u00a0and click\u00a0\u201cNew\u201d. Create a new user for authentication and click\u00a0\u201cApply\u201d.<\/p>\n

<\/p>\n

 <\/p>\n

\"4.5\"<\/p>\n

 <\/p>\n

Create the WLAN<\/strong><\/p>\n

1.<\/strong>\u00a0Navigate to\u00a0\u201cWLANs\u201d\u00a0select\u00a0\u201cCreate New\u201d\u00a0and hit\u00a0\u201cGo\u201d. Give the profile and SSID a name. in this example we have used \u201cLocal-FAST\u201d the profile name & SSID can be anything you like. Click\u00a0\u201cApply\u201d<\/p>\n

<\/p>\n

2.<\/strong>\u00a0From the\u00a0\u201cGeneral\u201d\u00a0tab enable the WLAN and select an interface to map to the SSID, this can be any available VLAN on the network which we want users to be connected to upon successful authentication, DHCP will also issue an IP address from this range so the interface must be correctly configured.<\/p>\n

<\/p>\n

3.<\/strong>\u00a0Click the\u00a0\u201cSecurity\u201d\u00a0tab and verify that under layer 2 we have the following selected\u00a0\u201cWPA+WPA2\u201d,\u00a0\u201cWPA2 Policy\u201d\u00a0and\u00a0\u201c802.1X\u201d<\/p>\n

<\/p>\n

4.<\/strong>\u00a0Click the\u00a0\u201cAAA\u00a0Servers\u201d\u00a0tab, scroll down and tick the\u00a0\u201cLocal EAP Authentication\u201d\u00a0enabled tick box. From the drop down menu select the profile we created earlier\u00a0\u201cLocal-FAST\u201d\u00a0and make sure that\u00a0\u201cLOCAL\u201d\u00a0is set at the top in the\u00a0\u201cOrder used for Authentication\u201d, finally click\u00a0\u201cApply\u201d<\/p>\n

<\/p>\n

 <\/p>\n

Client Connection and Testing\u00a0<\/strong><\/p>\n

Using the client device perform the following steps:<\/p>\n

1.<\/strong>\u00a0Navigate to\u00a0\u201cNetwork and Sharing Center\u201d, and select\u00a0\u201cSet up a new connection or network\u201d\u00a0<\/p>\n

<\/p>\n

 <\/p>\n

2.<\/strong>\u00a0Click\u00a0\u201cManually connect to a wireless network\u201d\u00a0and hit\u00a0\u201cNext\u201d<\/p>\n

<\/p>\n

3.<\/strong>\u00a0Type in the name of the SSID name created earlier, in this case we used\u00a0\u201cLocal-FAST\u201d, select\u00a0\u201cWPA2-Enterprise\u201d\u00a0as the Security type and click\u00a0\u201cNext\u201d<\/p>\n

<\/p>\n

4.<\/strong>\u00a0Select\u00a0\u201cChange connection settings\u201d<\/p>\n

<\/p>\n

5.<\/strong>\u00a0From the network properties window select the\u00a0\u201cSecurity\u201d\u00a0tab. select\u00a0\u201cWPA2-Enterprise\u201d\u00a0as the security type and leave\u00a0\u201cAES\u201d\u00a0as the encryption type. from the drop down list select the\u00a0\u201cCisco EAP-FAST\u201d\u00a0authentication method (This option will only be visible if the adapter supports FAST) and click \u201cSettings\u201d<\/p>\n

<\/p>\n

6.<\/strong>\u00a0Verify\u00a0\u201cProtected Access Credentials\u201d\u00a0is ticked and select the\u00a0\u201cUser Credentials\u201d tab<\/p>\n

<\/p>\n

7.<\/strong>\u00a0Under the\u00a0\u201cUser Credentials\u201d\u00a0tab select\u00a0\u201cPrompt automatically for username and password\u201d\u00a0Finally click\u00a0\u201cOK\u201d\u00a0and\u00a0\u201cOK\u201d\u00a0to save the settings and exit the window.<\/p>\n

\"18\"<\/p>\n

8.<\/strong>\u00a0From the windows client check to see the SSID is being broadcast, and click\u00a0\u201cConnect\u201d.<\/p>\n

\"19\"<\/p>\n

9.<\/strong>\u00a0At the prompt for \u201cEAP-FAST credentials\u201d, enter the user account details created earlier and click\u00a0\u201cOK\u201d<\/p>\n

\"20\"<\/p>\n

Once the user is authenticated the connection should appear as\u00a0\u201cConnected\u201d<\/p>\n

\"21.2\"<\/p>\n

The adapter icon also verifies the connection<\/p>\n

\"22\"<\/p>\n

10.<\/strong>\u00a0Launch CMD and issue a \u201cipconfig\u201d to verify DHCP is issuing an IP from the correct subnet. in this case we used VLAN30 so the IP 192.168.30.3 validates a correct IP has been obtained.<\/p>\n

\"23\"<\/p>\n

11.<\/strong>\u00a0Verify we can ping the Default Gateway.<\/p>\n

\"24\"<\/p>\n

12.<\/strong>\u00a0On the WLC, verify the connected client is visible, navigate to\u00a0\u201cMonitor\u201d \u2013 \u201cClients\u201d<\/p>\n

<\/p>\n

Click on the\u00a0\u201cClient MAC Addr\u201d\u00a0and view the details of the client. from the details we can see that the client is connected to the \u201cLocal-FAST\u201d SSID using the local user account \u201cJay\u201d.<\/p>\n

<\/p>\n

If we scroll down to the\u00a0\u201cSecurity Information\u201d\u00a0we can see that we are using \u201c802.1x\u201d along with \u201cEAP-FAST\u201d as our authentication method.<\/p>\n

<\/p>","protected":false},"excerpt":{"rendered":"

EAP-FAST \u2013 Flexible Authentication via Secure Tunnelling\u00a0is a proprietary 802.11X authentication method from Cisco. FAST does not require certificates, the protocol creates a tunnel between<\/p>\n","protected":false},"author":1,"featured_media":2111,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5,6,17],"tags":[106,104,126,128],"class_list":["post-2081","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-network","category-security","category-wireless","tag-aaa","tag-authentication","tag-eap","tag-eap-fast"],"_links":{"self":[{"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/2081","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/comments?post=2081"}],"version-history":[{"count":2,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/2081\/revisions"}],"predecessor-version":[{"id":2113,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/2081\/revisions\/2113"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/media\/2111"}],"wp:attachment":[{"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/media?parent=2081"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/categories?post=2081"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/tags?post=2081"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}