{"id":2114,"date":"2015-12-22T12:55:00","date_gmt":"2015-12-22T12:55:00","guid":{"rendered":"https:\/\/jay-miah.co.uk\/?p=2114"},"modified":"2024-11-18T13:02:17","modified_gmt":"2024-11-18T13:02:17","slug":"cisco-wireless-central-authentication-using-peap-with-the-vwlc-as-the-aaa-server","status":"publish","type":"post","link":"https:\/\/jay-miah.co.uk\/index.php\/cisco-wireless-central-authentication-using-peap-with-the-vwlc-as-the-aaa-server\/","title":{"rendered":"Cisco Wireless - Central Authentication using PEAP with the vWLC as the AAA server"},"content":{"rendered":"<p>In this step-by-step guide we will set up central authentication on the vWLC using PEAP (Protected Extensible Authentication Protocol). This type of authentication uses a certificate on the server side, which we validate; this certificate must come from a valid CA in our PKI, however in this example we will use a self-signed certificate issued by the vWLC. The supplicant then presents a username and password for the AAA server to validate the user, so both sides are authenticated (mutual authentication).<\/p>\n<p>The WLC will act as the AAA server, and we will create a local EAP profile to authenticate a local user. Check out \u201c<a href=\"http:\/\/presspi\/?p=668\">Setting up Central Authentication using PEAP with the vWLC as the AAA server<\/a>\u201d for more information on the EAP types.<\/p>\n<p><strong>Configure the networking<\/strong><\/p>\n<p>Make sure all the networking in the background is working: the vWLC management interface and the AP must be connected to a trunk port on the switch in order to support VLANs, and a DHCP server must be available to issue clients IP addresses from the relevant VLANs.<\/p>\n<p><strong>Create a Local EAP profile for PEAP<\/strong><\/p>\n<p><strong>1.<\/strong> Log in to the Wireless LAN Controller and click \u201cSecurity\u201d \u2013 \u201cLocal EAP\u201d \u2013 \u201cProfiles\u201d \u2013 \u201cNew\u201d.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"936\" height=\"436\" class=\"wp-image-2115\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-2114-1.jpeg\" \/><\/p>\n<p><strong>2.<\/strong> Give the new profile a name and click \u201cApply\u201d; in this example we have used \u201cLocal-PEAP\u201d.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1011\" height=\"94\" class=\"wp-image-2116\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-2114-2.jpeg\" \/><\/p>\n<p><strong>3.<\/strong> Tick the \u201cPEAP\u201d box to allow the profile to use PEAP as its authentication method, and click \u201cApply\u201d.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"651\" height=\"108\" class=\"wp-image-2117\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-2114-3.jpeg\" \/><\/p>\n<p><strong>4.<\/strong> From the left-hand menu select \u201cAuthentication Priority\u201d and verify that \u201cLOCAL\u201d is selected in the \u201cOrder used for Authentication\u201d box.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"494\" height=\"199\" class=\"wp-image-2118\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/5-16.jpeg\" alt=\"5\" \/><\/p>\n<p><strong>Create a local user<\/strong><\/p>\n<p><strong>1.<\/strong> Under \u201cSecurity\u201d \u2013 \u201cAAA\u201d select \u201cLocal Net Users\u201d and click \u201cNew\u201d. 
Create a new user for authentication and click \u201cApply\u201d.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"591\" height=\"202\" class=\"wp-image-2119\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/5-17.jpeg\" alt=\"5\" \/><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1082\" height=\"59\" class=\"wp-image-2120\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/4-5-5.jpeg\" alt=\"4.5\" \/><\/p>\n<p><strong>Create the WLAN<\/strong><\/p>\n<p><strong>1.<\/strong> Navigate to \u201cWLANs\u201d, select \u201cCreate New\u201d and hit \u201cGo\u201d. Give the profile and SSID a name; in this example we have used \u201cLocal-PEAP\u201d, but the profile name &amp; SSID can be anything you like. Click \u201cApply\u201d.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"550\" height=\"151\" class=\"wp-image-2121\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-2114-7.jpeg\" \/><\/p>\n<p><strong>2.<\/strong> From the \u201cGeneral\u201d tab enable the WLAN and select an interface to map to the SSID. This can be any available VLAN on the network that we want users to be placed in upon successful authentication; DHCP will also issue an IP address from this range, so the interface must be correctly configured.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"683\" height=\"403\" class=\"wp-image-2122\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-2114-8.jpeg\" \/><\/p>\n<p><strong>3.<\/strong> Click the \u201cSecurity\u201d tab and verify that under Layer 2 we have the following selected: \u201cWPA+WPA2\u201d, \u201cWPA2 Policy\u201d and \u201c802.1X\u201d.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"518\" height=\"587\" class=\"wp-image-2123\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-2114-9.jpeg\" \/><\/p>\n<p><strong>4.<\/strong> Click the \u201cAAA Servers\u201d tab, scroll down and tick the \u201cLocal EAP Authentication\u201d enabled box. From the drop-down menu select the profile we created earlier, \u201cLocal-PEAP\u201d, and make sure that \u201cLOCAL\u201d is at the top of the \u201cOrder used for Authentication\u201d list; finally click \u201cApply\u201d.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"726\" height=\"358\" class=\"wp-image-2124\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-2114-10.jpeg\" \/><\/p>\n<p><strong>Client Testing<\/strong><\/p>\n<p>Using the client device perform the following tests:<\/p>\n<p><strong>1.<\/strong> Check to make sure the SSID is being broadcast.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"434\" height=\"336\" class=\"wp-image-2125\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-2114-11.jpeg\" \/><\/p>\n<p><strong>2.<\/strong> Select the SSID and connect to it, providing the credentials of the user created earlier.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"537\" height=\"218\" class=\"wp-image-2126\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-2114-12.jpeg\" \/><\/p>\n<p>The user will be prompted with a certificate warning. If a trusted certificate issued by a valid CA is used, the certificate will be shown as trusted; in this example we have used a self-signed certificate issued by the vWLC, so it appears as not verified. 
Click \u201cMore Details\u201d to view the certificate properties.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"538\" height=\"271\" class=\"wp-image-2127\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/16-18.jpeg\" alt=\"16\" \/><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"536\" height=\"374\" class=\"wp-image-2128\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/17-13.jpeg\" alt=\"17\" \/><\/p>\n<p>Once we are happy the certificate is from a trusted source (the details shown should match the certificate installed on the vWLC) click \u201cAccept\u201d to continue and connect.<\/p>\n<p><strong>3.<\/strong> Verify the connection is successful.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"434\" height=\"336\" class=\"wp-image-2129\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-2114-15.jpeg\" \/><\/p>\n<p><strong>4.<\/strong> Verify that the client obtains the correct IP address for the relevant VLAN once connected; in this case we used VLAN 20.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"460\" height=\"506\" class=\"wp-image-2130\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-2114-16.jpeg\" \/><\/p>\n<p><strong>5.<\/strong> On the WLC, verify that the connected client is visible and that central authentication is being performed: navigate to \u201cMonitor\u201d \u2013 \u201cClients\u201d.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1377\" height=\"146\" class=\"wp-image-2131\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-2114-17.jpeg\" \/><\/p>\n<p>Click on the \u201cClient MAC Addr\u201d and view the details of the client. From the details we can see that the client is connected to the \u201cLocal-PEAP\u201d SSID using the local user account \u201cJay\u201d and that authentication is being handled centrally at the WLC.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1061\" height=\"724\" class=\"wp-image-2132\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-2114-18.jpeg\" \/><\/p>\n<p>If we scroll down to the \u201cSecurity Information\u201d section we can see that we are using \u201c802.1x\u201d along with \u201cPEAP\u201d as our authentication method.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"518\" height=\"183\" class=\"wp-image-2133\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-2114-19.jpeg\" \/><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this Step-by-Step guide we will set-up central authentication on the vWLC using PEAP \u2013 Protected Extensible Authentication Protocol, this type of authentication uses 
a<\/p>\n","protected":false},"author":1,"featured_media":2134,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5,6,17],"tags":[104,126,129],"class_list":["post-2114","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-network","category-security","category-wireless","tag-authentication","tag-eap","tag-peap"],"_links":{"self":[{"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/2114","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/comments?post=2114"}],"version-history":[{"count":1,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/2114\/revisions"}],"predecessor-version":[{"id":2135,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/2114\/revisions\/2135"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/media\/2134"}],"wp:attachment":[{"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/media?parent=2114"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/categories?post=2114"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/tags?post=2114"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}