{"id":2136,"date":"2015-12-22T13:04:00","date_gmt":"2015-12-22T13:04:00","guid":{"rendered":"https:\/\/jay-miah.co.uk\/?p=2136"},"modified":"2024-11-18T13:09:09","modified_gmt":"2024-11-18T13:09:09","slug":"cisco-wireless-setting-up-central-authentication-using-leap-with-the-vwlc-as-the-aaa-server","status":"publish","type":"post","link":"https:\/\/jay-miah.co.uk\/index.php\/cisco-wireless-setting-up-central-authentication-using-leap-with-the-vwlc-as-the-aaa-server\/","title":{"rendered":"Cisco Wireless- Setting up Central Authentication using LEAP with the vWLC as the AAA server"},"content":{"rendered":"

EAP is the Extensible Authentication Protocol which can be setup on the Cisco WLC for authenticating users centrally. in 802.1x when a user connects to an AP, the AP doesnt move any data traffic for the user until it can prove who the user is, the user normally supplies a set of credentials to validate who they are.<\/p>\n

The user also known as the \u201csupplicant\u201d (supplier of the credentials) sends the login details to the AP \u201cthe Authenticator\u201d who then sends the information back to an authentication server for approval, the authentication server is a AAA server which does the Authentication, Authorization and Accounting. The protocol used when the Authenticator (AP)and Authentication server (AAA Server) talk is called \u201cRADIUS\u201d<\/p>\n

There are four types of EAP supported by the Cisco WLC, these are:<\/p>\n

LEAP<\/strong>\u00a0\u2013 Lightweight Extensible Authentication Protocol
\nEasy to set-up \u2013 no certificates, set-up at the user and the server. User and server has mutual authentication \u2013 they authenticate each other, this can avoid users being sucked into a rogue AP as it has direct communication with a AAA server.<\/p>\n

FAST\u00a0<\/strong>\u2013 Flexible Authentication via Secure Tunnelling
\nUses mathematical algorithms, creates a tunnel between the user and AAA server. Uses PAC \u2013 Protected Access Credentials as part of the algorithm, clients must support this in order to be compatible. FAST does not require certificates<\/p>\n

PEAP<\/strong>\u00a0\u2013 Protected EAP
\nUses a certificate on the server side, which we validate \u2013 this must be from a valid CA on our PKI, Uses a username and pw for the AAA to validate the user. Also uses mutual authentication<\/p>\n

EAP-TLS<\/strong>\u00a0\u2013 Transport Layer Security
\nRequires certificates on both the users side and server side, this has to be issued by a trusted CA to authenticate and validate each other.<\/p>\n

In this Step-by-Step guide we will set-up central authentication on the vWLC using LEAP, the WLC will act as the AAA Server, we will create a local EAP profile to authenticate a local user. Lets get started!<\/p>\n

Configure the networking<\/strong><\/p>\n

Make sure all the networking in the background is working, the vWLC management interface and the AP must be connected to a trunk port on the switch, this is to support VLANs. Also a DHCP Server must be available to service clients with IP addresses from the relevant VLANs.<\/p>\n

Create a Local EAP profile for LEAP<\/strong><\/p>\n

1.<\/strong>\u00a0Login to the Wireless LAN Controller, and click\u00a0\u201cSecurity\u201d\u00a0\u2013\u00a0\u201cLocal EAP\u201d\u00a0\u2013\u00a0\u201cProfiles\u201d\u00a0\u2013\u00a0\u201cNew\u201d<\/p>\n

\"1\"<\/p>\n

2.<\/strong>\u00a0 Give the new profile a name and click\u00a0\u201cApply\u201d, in this example we have used \u201cLocal-LEAP\u201d<\/p>\n

\"2\"<\/p>\n

3.<\/strong>\u00a0Tick the\u00a0\u201cLEAP\u201d\u00a0box to allow the profile to use LEAP as its authentication method, and click\u00a0\u201cApply\u201d<\/p>\n

\"3\"<\/p>\n

4.<\/strong>\u00a0From the left hand menu select\u00a0\u201cAuthentication Priority\u201d\u00a0and verify\u00a0\u201cLOCAL\u201d\u00a0is selected in the\u00a0\u201cOrder used for Authentication\u201d\u00a0box.<\/p>\n

\"5\"<\/p>\n

 <\/p>\n

Create a local user<\/strong><\/p>\n

1.\u00a0<\/strong>Under\u00a0\u201cSecurity\u201d\u00a0\u2013\u00a0\u201cAAA\u201d\u00a0select\u00a0\u201cLocal Net Users\u201d\u00a0and click\u00a0\u201cNew\u201d. Create a new user for authentication and click\u00a0\u201cApply\u201d.<\/p>\n

\"5\"<\/p>\n

 <\/p>\n

\"4.5\"<\/p>\n

 <\/p>\n

Create the WLAN<\/strong><\/p>\n

1.<\/strong>\u00a0Navigate to\u00a0\u201cWLANs\u201d\u00a0select\u00a0\u201cCreate New\u201d\u00a0and hit\u00a0\u201cGo\u201d. Give the profile and SSID a name. in this example we have used \u201cLocal-LEAP\u201d the profile name & SSID can be anything you like. Click\u00a0\u201cApply\u201d<\/p>\n

\"6\"<\/p>\n

2.<\/strong>\u00a0From the\u00a0\u201cGeneral\u201d\u00a0tab enable the WLAN and select an interface to map to the SSID, this can be any available VLAN on the network which we want users to be connected to upon successful authentication, DHCP will also issue an IP address from this range so the interface must be correctly configured.<\/p>\n

<\/p>\n

3.<\/strong>\u00a0Click the\u00a0\u201cSecurity\u201d\u00a0tab and verify that under layer 2 we have the following selected\u00a0\u201cWPA+WPA2\u201d,\u00a0\u201cWPA2 Policy\u201d\u00a0and\u00a0\u201c802.1X\u201d<\/p>\n

<\/p>\n

4.<\/strong>\u00a0Click the\u00a0\u201cAAA Servers\u201d\u00a0tab, scroll down and tick the\u00a0\u201cLocal EAP Authentication\u201d\u00a0enabled tick box. From the drop down menu select the profile we created earlier\u00a0\u201cLocal LEAP\u201d\u00a0and make sure that\u00a0\u201cLOCAL\u201d\u00a0is set at the top in the\u00a0\u201cOrder used for Authentication\u201d, finally click\u00a0\u201cApply\u201d<\/p>\n

\"9\"<\/p>\n

 <\/p>\n

Client Testing\u00a0<\/strong><\/p>\n

Using the client device perform the following tests:<\/p>\n

1.<\/strong>\u00a0Check to make sure the SSID is being broadcast<\/p>\n

\"13\"<\/p>\n

2.<\/strong>\u00a0Select the SSID and connect to it providing the credentials of the user created earlier.<\/p>\n

\"14\"<\/p>\n

3.<\/strong>\u00a0Verify the connection is successful<\/p>\n

\"15\"<\/p>\n

4.<\/strong>\u00a0Verify the \u00a0correct IP address is being obtained by the client when connected to the relevant VLAN, in this case we used VLAN 10.<\/p>\n

\"16\"<\/p>\n

5.<\/strong>\u00a0On the WLC, verify the connected client is visible and that central authentication is being performed, navigate to\u00a0\u201cMonitor\u201d\u00a0\u2013\u00a0\u201cClients\u201d<\/p>\n

\"10\"<\/p>\n

Click on the\u00a0\u201cClient MAC Addr\u201d\u00a0and view the details of the client. from the details we can see that the client is connected to the \u201cLocal-LEAP\u201d SSID using the local user account \u201cJay\u201d and the authentication is being handled centrally at the WLC.<\/p>\n

\"11\"<\/p>\n

If we scroll down to the\u00a0\u201cSecurity Information\u201d\u00a0we can see that we are using \u201c802.1x\u201d along with \u201cLEAP\u201d as our authentication method.<\/p>\n

\"12\"<\/p>\n","protected":false},"excerpt":{"rendered":"

EAP is the Extensible Authentication Protocol which can be setup on the Cisco WLC for authenticating users centrally. in 802.1x when a user connects to<\/p>\n","protected":false},"author":1,"featured_media":2154,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5,6,17],"tags":[104,126,130],"class_list":["post-2136","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-network","category-security","category-wireless","tag-authentication","tag-eap","tag-leap"],"_links":{"self":[{"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/2136","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/comments?post=2136"}],"version-history":[{"count":1,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/2136\/revisions"}],"predecessor-version":[{"id":2155,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/2136\/revisions\/2155"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/media\/2154"}],"wp:attachment":[{"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/media?parent=2136"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/categories?post=2136"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/tags?post=2136"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}