Guest

Wireless, LAN (WLAN)

Unified Wireless Network Local EAP Server Configuration Example

Document ID: 91628

Updated: May 31, 2007

   Print

Introduction

This document describes the configuration of a local Extensible Authentication Protocol (EAP) server in a Cisco Wireless LAN Controller (WLC) for the authentication of wireless users.

Local EAP is an authentication method that allows users and wireless clients to be authenticated locally. It is designed for use in remote offices that want to maintain connectivity to wireless clients when the back-end system becomes disrupted or the external authentication server goes down. When you enable local EAP, the controller serves as the authentication server and the local user database, thereby removing dependence on an external authentication server. Local EAP retrieves user credentials from the local user database or the Lightweight Directory Access Protocol (LDAP) back-end database to authenticate users. Local EAP supports Lightweight EAP (LEAP), EAP-Flexible Authentication via Secure Tunneling (EAP-FAST), and EAP-Transport Layer Security (EAP-TLS) authentication between the controller and wireless clients.

Note that the local EAP server is not available if there is a global external RADIUS server configuration in the WLC. All authentication requests are forwarded to the global external RADIUS until the Local EAP Server is available. If the WLC looses connectivity to the external RADIUS server, then the local EAP server becomes active. If there is no global RADIUS server configuration, the local EAP server becomes immediately active. The local EAP server cannot be used to authenticate clients, which are connected to other WLCs. In other words, one WLC cannot forward its EAP request to another WLC for authentication. Every WLC should have its own local EAP server and individual database.

Note: Use these commands in order to stop WLC from sending requests to an external radius server .

config wlan disable
        config wlan radius_server auth disable 
        config wlan enable

The local EAP server supports these protocols in 4.1.171.0 software release and later:

  • LEAP

  • EAP-FAST (both username/password, and certificates)

  • EAP-TLS

Prerequisites

Requirements

Cisco recommends that you have knowledge of these topics:

  • Knowledge of how to configure WLCs and lightweight access points (LAPs) for basic operation

  • Knowledge of Lightweight Access Point Protocol (LWAPP) and wireless security methods

  • Basic knowledge of local EAP authentication.

Components Used

The information in this document is based on these software and hardware versions:

  • Windows XP with CB21AG Adapter Card and Cisco Secure Services Client Version 4.05

  • Cisco 4400 Wireless LAN Controller 4.1.171.0

  • Microsoft Certification Authority on Windows 2000 server

Conventions

Refer to Cisco Technical Tips Conventions for more information on document conventions.

Configure Local EAP on the Cisco Wireless LAN Controller

This document assumes that the basic configuration of the WLC is already completed.

Local EAP Configuration

Complete these steps in order to configure Local EAP:

  1. Add a local net user:

    From the GUI. choose Security > Local Net Users > New, enter the User Name, Password, Guest User, WLAN ID, and Description and click Apply.

    uwn-loc-eap-svr-config-1a.gif

    From the CLI you can use the config netuser add <username> <password> <WLAN id> <description> command:

    Note: This command has been brought down to a second line due to spatial reasons.

    (Cisco Controller) >config netuser add eapuser2 cisco123 1 Employee 
    user local database
    
    
  2. Specify the user credential retrieval order.

    From the GUI, choose Security > Local EAP > Authentication Priority. Then select LDAP, click the "<" button and click Apply. This puts the user credentials in the local database first.

    uwn-loc-eap-svr-config-2.gif

    From the CLI:

    (Cisco Controller) >config local-auth user-credentials local
    
  3. Add an EAP profile:

    In order to do this from the GUI, choose Security > Local EAP > Profiles and click New. When the new window appears, type the Profile Name and click Apply.

    uwn-loc-eap-svr-config-3.gif

    You can also do this using the CLI command config local-auth eap-profile add <profile-name>. In our example, the profile name is EAP-test.

    (Cisco Controller) >config local-auth eap-profile add EAP-test
    
    
  4. Add a method to the EAP profile.

    From the GUI choose Security > Local EAP > Profiles and click on the profile name for which you want to add the authentication methods. This example uses LEAP, EAP-FAST, and EAP-TLS. Click Apply in order to set the methods.

    uwn-loc-eap-svr-config-4.gif

    You can also use the CLI command config local-auth eap-profile method add <method-name> <profile-name> . In our example configuration we add three methods to the profile EAP-test. The methods are LEAP, EAP-FAST, and EAP-TLS whose method names are leap, fast, and tls respectively. This output shows the CLI configuration commands:

    (Cisco Controller) >config local-auth eap-profile method add leap EAP-test
    (Cisco Controller) >config local-auth eap-profile method add fast EAP-test
    (Cisco Controller) >config local-auth eap-profile method add tls EAP-test
    
  5. Configure the parameters of the EAP method. This is only used for EAP-FAST. The parameters to be configured are:

    • Server Key (server-key)—Server key to encrypt/decrypt Protected Access Credentials (PACs) (in hexadecimal).

    • Time to Live for PAC (pac-ttl)—Sets the Time to Live for the PAC.

    • Authority ID (authority-id) —Sets the authority identifier.

    • Annonymous Provision (anon-provn)—Configures whether anonymous provision is allowed. This is enabled by default.

    For configuration through the GUI, choose Security > Local EAP > EAP-FAST Parameters and enter the Server key, Time to live for the PAC, authority ID (in hex), and Authority ID Information values.

    uwn-loc-eap-svr-config-5.gif

    These are the CLI configuration commands to use in order to set these parameters for EAP-FAST:

    (Cisco Controller) >config local-auth method fast server-key 12345678
    (Cisco Controller) >config local-auth method fast authority-id 43697369f1 CiscoA-ID
    (Cisco Controller) >config local-auth method fast pac-ttl 10
    
  6. Enable local authentication per WLAN:

    From the GUI choose WLANs on the top menu and select the WLAN for which you want to configure local authentication. A new window appears. Click the Security > AAA tabs. Check Local EAP authentication and select the right EAP Profile Name from the pull-down menu as this example shows:

    uwn-loc-eap-svr-config-6.gif

    You can also issue the CLI config wlan local-auth enable <profile-name> <wlan-id> configuration command as shown here:

    (Cisco Controller) >config wlan local-auth enable EAP-test 1 
  7. Set the Layer 2 Security parameters.

    From the GUI interface, in the WLAN Edit window go to the Security > Layer 2 tabs and chose WPA+WPA2 from the Layer 2 Security pull-down menu. Under the WPA+WPA2 Parameters section, set the WPA Encryption to TKIP and WPA2 Encryption AES. Then click Apply.

    uwn-loc-eap-svr-config-7a.gif

    From the CLI, use these commands:

    (Cisco Controller) >config wlan security wpa enable 1 
    (Cisco Controller) >config wlan security wpa wpa1 ciphers tkip enable 1
    (Cisco Controller) >config wlan security wpa wpa2 ciphers aes enable 1 
  8. Verify the configuration:

    (Cisco Controller) >show local-auth config 
    
    User credentials database search order:
        Primary ..................................... Local DB
    
    Timer:
        Active timeout .............................. Undefined
    
    Configured EAP profiles:
        Name ........................................ EAP-test
          Certificate issuer ........................ cisco
          Peer verification options:
            Check against CA certificates ........... Enabled
            Verify certificate CN identity .......... Disabled
            Check certificate date validity ......... Enabled
          EAP-FAST configuration:
            Local certificate required .............. No
            Client certificate required ............. No
          Enabled methods ........................... leap fast tls 
          Configured on WLANs ....................... 1 
    
    EAP Method configuration:
        EAP-FAST:
    --More-- or (q)uit
          Server key ................................ <hidden>
          TTL for the PAC ........................... 10
          Anonymous provision allowed ............... Yes
          Authority ID .............................. 43697369f10000000000000000000
          Authority Information ..................... CiscoA-ID

    You can see specific parameters of wlan 1 with the show wlan <wlan id> command:

    (Cisco Controller) >show wlan 1
    
    
    WLAN Identifier.................................. 1
    Profile Name..................................... austinlab
    Network Name (SSID).............................. austinlab
    Status........................................... Disabled
    MAC Filtering.................................... Disabled
    Broadcast SSID................................... Enabled
    AAA Policy Override.............................. Disabled
    Number of Active Clients......................... 0
    Exclusionlist Timeout............................ 60 seconds
    Session Timeout.................................. 1800 seconds
    Interface........................................ management
    WLAN ACL......................................... unconfigured
    DHCP Server...................................... Default
    DHCP Address Assignment Required................. Disabled
    Quality of Service............................... Silver (best effort)
    WMM.............................................. Disabled
    CCX - AironetIe Support.......................... Enabled
    CCX - Gratuitous ProbeResponse (GPR)............. Disabled
    Dot11-Phone Mode (7920).......................... Disabled
    Wired Protocol................................... None
    --More-- or (q)uit
    IPv6 Support..................................... Disabled
    Radio Policy..................................... All
    Local EAP Authentication......................... Enabled (Profile 'EAP-test')
    Security
    
       802.11 Authentication:........................ Open System
       Static WEP Keys............................... Disabled
       802.1X........................................ Disabled
       Wi-Fi Protected Access (WPA/WPA2)............. Enabled
          WPA (SSN IE)............................... Enabled
             TKIP Cipher............................. Enabled
             AES Cipher.............................. Disabled
          WPA2 (RSN IE).............................. Enabled
             TKIP Cipher............................. Disabled
             AES Cipher.............................. Enabled
                                                                Auth Key Management
             802.1x.................................. Enabled
             PSK..................................... Disabled
             CCKM.................................... Disabled
       CKIP ......................................... Disabled
       IP Security................................... Disabled
       IP Security Passthru.......................... Disabled
       Web Based Authentication...................... Disabled
    --More-- or (q)uit
       Web-Passthrough............................... Disabled
       Conditional Web Redirect...................... Disabled
       Auto Anchor................................... Disabled
       Cranite Passthru.............................. Disabled
       Fortress Passthru............................. Disabled
       H-REAP Local Switching........................ Disabled
       Infrastructure MFP protection................. Enabled 
                                              (Global Infrastructure MFP Disabled)
       Client MFP.................................... Optional
       Tkip MIC Countermeasure Hold-down Timer....... 60
    
     Mobility Anchor List
     WLAN ID     IP Address       Status

    There are other local authentication parameters that can be configured, in particular the active timeout timer. This timer configures the period during which local EAP is used after all RADIUS servers have failed.

    From the GUI, choose Security > Local EAP > General and set the time value. Then click Apply.

    uwn-loc-eap-svr-config-7b.gif

    From the CLI, issue these commands:

    (Cisco Controller) >config local-auth active-timeout ?
    <1 to 3600> Enter the timeout period for the Local EAP to remain active, 
    in seconds.
    (Cisco Controller) >config local-auth active-timeout 60
    

    You can verify the value to which this timer is set up when you issue the show local-auth config command.

    (Cisco Controller) >show local-auth config 
    
    User credentials database search order:
        Primary ..................................... Local DB
    
    Timer:
        Active timeout .............................. 60
    
    Configured EAP profiles:
        Name ........................................ EAP-test
    ... Skip
  9. If you need to generate and load the manual PAC, you can use either the GUI or the CLI.

    From the GUI, select COMMANDS from the top menu and chose Upload File from the list in the right-hand side. Select PAC (Protected Access Credential) from the File Type pull-down menu. Enter all the parameters and click on Upload.

    uwn-loc-eap-svr-config-7c.gif

    From the CLI, enter these commands:

    (Cisco Controller) >transfer upload datatype pac 
    (Cisco Controller) >transfer upload pac ?
                   
    username     Enter the user (identity) of the PAC 
                   
     (Cisco Controller) >transfer upload pac test1 ?
                   
    <validity>     Enter the PAC validity period (days)
                   
    (Cisco Controller) >transfer upload pac test1 60 ?
                   
    <password>     Enter a password to protect the PAC
                   
     (Cisco Controller) >transfer upload pac test1 60 cisco123
    
    (Cisco Controller) >transfer upload serverip 10.1.1.1
    
    (Cisco Controller) >transfer upload filename manual.pac
    
    (Cisco Controller) >transfer upload start 
    
    Mode............................................. TFTP  
    TFTP Server IP................................... 10.1.1.1
    TFTP Path........................................ /
    TFTP Filename.................................... manual.pac
    Data Type........................................ PAC         
    PAC User......................................... test1
    PAC Validity..................................... 60 days
    PAC Password..................................... cisco123
    
    Are you sure you want to start? (y/N) y
    PAC transfer starting.
    File transfer operation completed successfully.

Microsoft Certification Authority

In order to use EAP-FAST version 2 and EAP-TLS authentication, the WLC and all the client devices must have a valid certificate and must also know the public certificate of the Certification Authority.

Installation

If the Windows 2000 Server does not already have Certification Authority services installed, you need to install it.

Complete these steps in order to activate the Microsoft Certification Authority on a Windows 2000 Server:

  1. From the Control Panel, choose Add/Remove Programs. :

    uwn-loc-eap-svr-config-8.gif

  2. Select Add/Remove Windows Components on the left side.

    uwn-loc-eap-svr-config-9.gif

  3. Check Certificate Services.

    uwn-loc-eap-svr-config-10.gif

    Review this warning before you proceed:

    uwn-loc-eap-svr-config-11.gif

  4. Select which type of Certification Authority you want to install. In order to create a simple stand-alone authority, select Stand-alone root CA.

    uwn-loc-eap-svr-config-12.gif

  5. Enter the necessary information about the Certification Authority. This information creates a self-signed certificate for your Certification Authority. Remember the CA name that you use.

    The Certification Authority stores the certificates in a database. This example uses the default setup proposed by Microsoft:

    uwn-loc-eap-svr-config-13.gif

  6. Microsoft Certification Authority services use the IIS Microsoft Web Server in order to create and manage client and server certificates. It needs to restart the IIS service for this:

    uwn-loc-eap-svr-config-14.gif

    The Microsoft Windows 2000 Server now installs the new service. You need to have your Windows 2000 Server installation CD in order to install new Windows Components.

    The Certification Authority is now installed.

Install the Certificate in the Cisco Wireless LAN Controller

In order to use EAP-FAST version 2 and EAP-TLS on the local EAP server of a Cisco Wireless LAN Controller, follow these three steps:

  1. Install the device certificate on the Wireless LAN Controller.

  2. Download a Vendor CA Certificate to the Wireless LAN Controller.

  3. Configure the Wireless LAN Controller to use EAP-TLS.

Note that in the example shown in this document, the Access Control Server (ACS) is installed on the same host as the Microsoft Active Directory and Microsoft Certification Authority, but the configuration should be the same if the ACS server is on a different server.

Install the Device Certificate on the Wireless LAN Controller

Complete these steps:

  1. . Complete these steps in order to generate the certificate to import to the WLC:

    1. Go to http://<serverIpAddr>/certsrv.

    2. Choose Request a Certificate and click Next.

    3. Choose Advanced Request and click Next.

    4. Choose Submit a certificate request to this CA using a form and click Next.

    5. Choose Web server for Certificate Template and enter the relevant information. Then mark the keys as exportable.

    6. You now receive a certificate that you need to install in your machine.

  2. Complete these steps in order to retrieve the certificate from the PC:

    1. Open an Internet Explorer browser and choose Tools > Internet Options > Content.

    2. Click Certificates.

    3. Select the newly installed certificate from the pull-down menu.

    4. Click Export.

    5. Click Next twice and choose Yes export the private key. This format is the PKCS#12 (.PFX format).

    6. Choose Enable strong protection.

    7. Type a password.

    8. Save it in a file <tme2.pfx>.

  3. Copy the certificate in the PKCS#12 format to any computer where you have Openssl installed in order to convert it to PEM format.

    openssl pkcs12 -in tme2.pfx -out tme2.pem  
    
    !--- The command to be given, -in <inputfilename>.
    
    Enter Import Password:              
    
    !--- Enter the password given previously, from step 2g.
    
    MAC verified OK
    Enter PEM pass phrase:      
    
    !--- Enter a phrase.
    
    Verifying - Enter PEM pass phrase:
  4. Download the converted PEM format device certificate onto the WLC.

    (Cisco Controller) >transfer download datatype eapdevcert
    
    (Cisco Controller) >transfer download certpassword password 
    
    !--- From step 3.
    
    Setting password to <cisco123>
    
    (Cisco Controller) >transfer download filename tme2.pem
    
    (Cisco Controller) >transfer download start
    
    Mode............................................. TFTP
    Data Type........................................ Vendor Dev Cert
    TFTP Server IP................................... 10.1.1.12
    TFTP Packet Timeout.............................. 6
    TFTP Max Retries................................. 10
    TFTP Path........................................ /
    TFTP Filename.................................... tme2.pem
    
    This may take some time.
    Are you sure you want to start? (y/N) y
    
    TFTP EAP Dev cert transfer starting.
    
    Certificate installed.
      Reboot the switch to use new certificate.
  5. Once rebooted, check the certificate.

    (Cisco Controller) >show local-auth certificates
    
    Certificates available for Local EAP authentication:
    
    Certificate issuer .............................. vendor
      CA certificate:
        Subject: C=US, ST=ca, L=san jose, O=cisco, OU=wnbu, CN=tme
         Issuer: C=US, ST=ca, L=san jose, O=cisco, OU=wnbu, CN=tme
          Valid: 2007 Feb 28th, 19:35:21 GMT to 2012 Feb 28th, 19:44:44 GMT
      Device certificate:
        Subject: C=US, ST=ca, L=san jose, O=cisco, OU=wnbu, CN=tme2
         Issuer: C=US, ST=ca, L=san jose, O=cisco, OU=wnbu, CN=tme
          Valid: 2007 Mar 28th, 23:08:39 GMT to 2009 Mar 27th, 23:08:39 GMT

Download a Vendor CA Certificate to the Wireless LAN Controller

Complete these steps:

  1. Complete these steps in order to retrieve the Vendor CA Certificate:

    1. Go to http://<serverIpAddr>/certsrv.

    2. Choose Retrieve the CA Certificate and click Next.

    3. Choose the CA Certificate.

    4. Click DER encoded.

    5. Click on Download CA certificate and save the certificate as rootca.cer.

  2. Convert the Vendor CA from DER format into PEM format with the openssl x509 -in rootca.cer -inform DER -out rootca.pem -outform PEM command.

    The output file is rootca.pem in the PEM format.

  3. Download the Vendor CA Certificate:

    (Cisco Controller) >transfer download datatype eapcacert
    
    (Cisco Controller) >transfer download filename ?
                   
    <filename>     Enter filename up to 16 alphanumeric characters.
                   
    (Cisco Controller) >transfer download filename rootca.pem
    
    (Cisco Controller) >transfer download start ?
                   
    (Cisco Controller) >transfer download start 
    
    Mode............................................. TFTP  
    Data Type........................................ Vendor CA Cert
    TFTP Server IP................................... 10.1.1.12
    TFTP Packet Timeout.............................. 6
    TFTP Max Retries................................. 10
    TFTP Path........................................ /
    TFTP Filename.................................... rootca.pem
    
    This may take some time.
    Are you sure you want to start? (y/N) y
    
    TFTP EAP CA cert transfer starting.
    
    Certificate installed.
      Reboot the switch to use new certificate.

Configure the Wireless LAN Controller to use EAP-TLS

Complete these steps:

From the GUI, choose Security > Local EAP > Profiles, choose the profile and check for these settings:

  • Local Certificate Required is enabled.

  • Client Certificate Required is enabled.

  • Certificate Issuer is Vendor.

  • Check against CA certificates is enabled.

uwn-loc-eap-svr-config-15.gif

Install the Certificate Authority Certificate on the Client Device

Download and Install a Root CA Certificate for the Client

The client must obtain a root CA Certificate from a Certification Authority server. There are several methods you can use to obtain a client certificate and install it on the Windows XP machine. In order to acquire a valid certificate, the Windows XP user has to be logged in using their user ID and must have a network connection.

A web browser on the Windows XP client and a wired connection to the network were used to obtain a client certificate from the private root Certification Authority server. This procedure is used to obtain the client certificate from a Microsoft Certification Authority server:

  1. Use a web browser on the client and point the browser to the Certification Authority server. In order to do this, enter http://IP-address-of-Root-CA/certsrv.

  2. Log in using Domain_Name\user_name. You must log in using the username of the individual who is to use the XP client.

  3. On the Welcome window, choose Retrieve a CA certificate and click Next.

  4. Select Base64 Encoding and Download CA certificate.

  5. On the Certificate Issued window, click Install this certificate and click Next.

  6. Choose Automatically select the certificate store and click Next, for successful Import message.

  7. Connect to the Certification Authority for retrieving the Certificate Authority certificate:

    uwn-loc-eap-svr-config-16.gif

  8. Click Download CA certificate.

    uwn-loc-eap-svr-config-17.gif

    uwn-loc-eap-svr-config-18.gif

    uwn-loc-eap-svr-config-19.gif

    uwn-loc-eap-svr-config-20.gif

  9. In order to check that the Certification Authority certificate is correctly installed, open Internet Explorer and choose Tools > Internet Options > Content > Certificates.

    uwn-loc-eap-svr-config-21.gif

    uwn-loc-eap-svr-config-22.gif

    In Trusted Root Certification Authority, you should see your newly installed Certification Authority:

    uwn-loc-eap-svr-config-23.gif

Generate a Client Certificate for a Client Device

The client must obtain a certificate from a Certification Authority server for the WLC to authenticate a WLAN EAP-TLS client. There are several methods that you can use in order to obtain a client certificate and install it on the Windows XP machine. In order to acquire a valid certificate, the Windows XP user has to be logged in using their user ID and must have a network connection (either a wired connection or a WLAN connection with 802.1x security disabled).

A web browser on the Windows XP client and a wired connection to the network are used to obtain a client certificate from the private root Certification Authority server. This procedure is used to obtain the client certificate from a Microsoft Certification Authority server:

  1. Use a web browser on the client and point the browser to the Certification Authority server. In order to do this, enter http://IP-address-of-Root-CA/certsrv.

  2. Log in using Domain_Name\user_name. You must log in using the username of the individual who uses the XP client. (The username gets embedded into the client certificate.)

  3. On the Welcome window, choose Request a certificate and click Next.

  4. Choose Advanced request and click Next.

  5. Choose Submit a certificate request to this CA using a form and click Next.

  6. On the Advanced Certificate Request form, choose the Certificate Template as User, specify the Key Size as 1024 and click Submit.

  7. On the Certificate Issued window, click Install this certificate. This results in the successful installation of a client certificate on the Windows XP client.

    uwn-loc-eap-svr-config-24.gif

    uwn-loc-eap-svr-config-25.gif

  8. Select Client Authentication Certificate.

    uwn-loc-eap-svr-config-26.gif

    The client certificate is now created.

  9. In order to check that the certificate is installed, go to Internet Explorer and choose Tools > Internet Options > Content > Certificates. In the Personal tab, you should see the certificate.

    uwn-loc-eap-svr-config-27.gif

EAP-TLS with Cisco Secure Services Client on the Client Device

Complete these steps:

  1. The WLC, by default, broadcasts the SSID, so it is shown in the Create Networks list of scanned SSIDs. In order to create a Network Profile, you can click the SSID in the list (Enterprise) and click Create Network.

    If the WLAN infrastructure is configured with broadcast SSID disabled, you must manually add the SSID. In order to do this, click Add under Access Devices and manually enter the appropriate SSID (for example, Enterprise). Configure active probe behavior for the client. That is, where the client actively probes for its configured SSID. Specify Actively search for this access device after you enter the SSID on the Add Access Device window.

    Note: The port settings do not permit enterprise modes (802.1X) if the EAP authentication settings are not first configured for the profile.

  2. Click Create Network in order to launch the Network Profile window, which permits you to associate the chosen (or configured) SSID with an authentication mechanism. Assign a descriptive name for the profile.

    Note: Multiple WLAN security types and/or SSIDs can be associated under this authentication profile.

    uwn-loc-eap-svr-config-28.gif

  3. Turn on authentication and check the EAP-TLS method. Then click Configure in order to configure EAP-TLS properties.

  4. Under Network Configuration Summary, click Modify in order to configure the EAP / credentials settings.

  5. Specify Turn On Authentication, choose EAP-TLS under Protocol, and choose Username as the Identity.

  6. Specify Use Single Sign on Credentials to use log on credentials for network authentication. Click Configure to set up EAP-TLS parameters.

    uwn-loc-eap-svr-config-29.gif

    uwn-loc-eap-svr-config-30.gif

  7. In order to have a secured EAP-TLS configuration you need to check the RADIUS server certificate. In order to do this, check Validate Server Certificate.

    uwn-loc-eap-svr-config-31.gif

  8. In order to validate the RADIUS server certificate, you need to give Cisco Secure Services Client information in order to accept only the right certificate. Choose Client > Trusted Servers > Manage Current User Trusted Servers.

    uwn-loc-eap-svr-config-32.gif

    uwn-loc-eap-svr-config-33.gif

  9. Give a name for the rule and check the name of the server certificate.

    uwn-loc-eap-svr-config-34.gif

    The EAP-TLS configuration is finished.

  10. Connect to the Wireless network profile. The Cisco Secure Services Client asks for the user login:

    uwn-loc-eap-svr-config-35.gif

    The Cisco Secure Services Client receives the server certificate and checks it (with the rule configured and the Certification Authority installed). It then asks for the certificate to use for the user.

  11. After the client authenticates, choose SSID under the Profile in the Manage Networks tab and click Status to query connection details.

    The Connection Details window provides information on the client device, connection status and statistics, and authentication method. The WiFi Details tab provides details on the 802.11 connection status, which includes the RSSI, 802.11 channel, and authentication/encryption.

    uwn-loc-eap-svr-config-36.gif

    uwn-loc-eap-svr-config-37.gif

    uwn-loc-eap-svr-config-38.gif

Debug Commands

The Output Interpreter Tool (registered customers only) (OIT) supports certain show commands. Use the OIT to view an analysis of show command output.

Note: Refer to Important Information on Debug Commands before you use debug commands.

These debug commands can be employed at the WLC to monitor progress of the authentication exchange:

  • debug aaa events enable

  • debug aaa detail enable

  • debug dot1x events enable

  • debug dot1x states enable

  • debug aaa local-auth eap events enable

    OR

  • debug aaa all enable

Related Information

Updated: May 31, 2007
Document ID: 91628