Configuring AAA Certificates on WLSE
Revised: March 27, 2006, OL-9069-01
This chapter provides instructions for installing and configuring certificates and private keys onto the WLSE AAA Server. The examples assume that three files in PEM format (required by the WLSE) reside in a folder on your computer:
• The CA root certificate root-cert.pem
• The server certificate server-cert.pem
• The server private key server-key.pem
The certificate and private key files can be created and exported to your computer using the procedures described in the sections Generating Certificates with OpenSSL or Certificate Generation with Windows CA.
Using the GUI for Certificate Configuration
The following example shows how to configure the settings for Cisco-PEAP. The steps for MS-PEAP and EAP-TLS are essentially the same.
Note
An anomaly exists in the WLSE Express 2.12 software that prevents you from uploading the CA root certificate for EAP-TLS. (The GUI text box is missing.)
Step 1
Using the WLSE Express GUI, navigate to the Cisco-PEAP Settings page by selecting Admin > AAA Administration > Cisco-PEAP Settings.
Step 2
Enter the password used to protect the private key file into the Private Key Password and Confirm Private Key Password fields.
Step 3
Enter the full paths to the server certificate, server private key, and CA root certificate files respectively into the next three fields. The easiest way to do that is to click the Browse buttons and navigate to the files.
Step 4
Select the appropriate Inner Service from the choices shown.
Inner Service is the service used by PEAP to perform authentication. Select Local to fetch the username and password from a local database. Select LDAP to fetch the username and password from a remote LDAP directory. Select Windows Domain-Auth to use the Windows username and password.
Step 5
After all fields on the form have been completed, click Submit.
This uploads the certificates and private key and makes the appropriate configuration changes to the AAA Server. Figure 3-1 shows an example of a completed form.
Figure 3-1 Configuring PEAP Settings
Note
The fields where you enter the pathnames to the certificate files are cleared after the upload, so there is no visual confirmation that the certificate upload has succeeded.
Using the CLI for Certificate Configuration
You can use the WLSE CLI to generate default certificates and private keys for PEAP and EAP-TLS with the mkcert command option. The mkcert command generates a new RSA key pair and a self-signed certificate. You can specify parts of the name included in the certificate, or simply rely on the default values provided. Because the certificate is self-signed, the same name is used for both the Subject and the Issuer.
Use the mkcert command to return the AAA server to a known valid state, so that the server can be restarted if it fails to start because of an invalid certificate.
An example for Cisco-PEAP follows. The lines you type are the mkcert command itself and the y response to the overwrite prompt; everything else is printed by the WLSE.
aaa-server cisco-peap mkcert
file /cisco-ar/certs/cisco-peap/server-cert.pem already exists, do you want to overwrite?
[y/n]:
y
We will now generate an RSA key-pair and self-signed certificate that
may be used for test purposes
Generating a 1536 bit RSA private key
............................++++
writing new private key to '/cisco-ar/certs/cisco-peap/server-key.pem'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [US]:
Organization Name (eg, company) [WLSE]:
Organizational Unit Name (eg, section) [AAA]:
Common Name (eg, server or installation name) [wlse.cisco.com]:
Server self-signed certificate now resides in /cisco-ar/certs/cisco-peap/server-cert.pem
Server private RSA key now resides in /cisco-ar/certs/cisco-peap/server-key.pem
Remember to install additional CA certificates for client verification
admin@wlse:
Generating default certificates and private keys for MS-PEAP and EAP-TLS is essentially the same. Use a command like the following to generate a certificate for MS-PEAP:
aaa-server ms-peap mkcert
Use a command like the following to generate a certificate for EAP-TLS:
aaa-server eap-tls mkcert
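The following script is an added example and is not part of this Cisco chapter or the WLSE software. It shows the checks worth running on the three PEM files described at the start of the chapter (root-cert.pem, server-cert.pem, server-key.pem) before they are uploaded through the PEAP or EAP-TLS settings form, since the GUI gives no visual confirmation of a successful upload: that the server certificate chains to the CA root, that the private key decrypts with the password entered in the Private Key Password field, and that the key belongs to the certificate. It also shows why a mkcert-style self-signed server certificate (Subject equal to Issuer) fails the chain check and is only suitable for testing. The file names, the Demo Root CA name, the host name wlse.example.com and the password demo-key-password are constructed test values that the script generates itself in a temporary directory with OpenSSL; it assumes the openssl command is installed.

```shell
#!/bin/sh
# Added example (not WLSE code): pre-upload checks for a WLSE AAA PEM bundle.
set -eu

# check_pem_bundle ROOT_CERT SERVER_CERT SERVER_KEY KEY_PASSWORD
# Succeeds (returns 0) only when all three conditions hold:
#   1. the server certificate is signed by the CA root certificate,
#   2. the private key decrypts with KEY_PASSWORD,
#   3. the private key and the certificate share the same RSA modulus.
check_pem_bundle() {
    root="$1"; cert="$2"; key="$3"; pass="$4"

    # 1. Chain check: what an EAP client does against root-cert.pem.
    openssl verify -CAfile "$root" "$cert" >/dev/null 2>&1 || {
        echo "chain check failed: $cert is not issued by $root" >&2
        return 1
    }

    # 2. Password check: this is the value typed into Private Key Password.
    key_mod=$(openssl rsa -in "$key" -passin "pass:$pass" -noout -modulus 2>/dev/null) || {
        echo "key check failed: wrong password or unreadable key $key" >&2
        return 1
    }

    # 3. Key/certificate match: compare the RSA modulus on both sides.
    cert_mod=$(openssl x509 -in "$cert" -noout -modulus)
    [ "$key_mod" = "$cert_mod" ] || {
        echo "mismatch: $key does not belong to $cert" >&2
        return 1
    }
    return 0
}

# is_self_signed CERT: succeeds when Subject equals Issuer, as mkcert produces.
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject)
    iss=$(openssl x509 -in "$1" -noout -issuer)
    [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# --- Constructed test material (demo only; assumed names and password) ------
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASS="demo-key-password"

# CA root certificate, standing in for the Windows CA or OpenSSL CA output.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/C=US/O=WLSE/OU=AAA/CN=Demo Root CA" \
    -keyout "$WORK/root-key.pem" -out "$WORK/root-cert.pem" 2>/dev/null

# Password-protected server key, a CSR, and a CA-issued server certificate.
openssl genrsa -aes256 -passout "pass:$PASS" -out "$WORK/server-key.pem" 2048 2>/dev/null
openssl req -new -key "$WORK/server-key.pem" -passin "pass:$PASS" \
    -subj "/C=US/O=WLSE/OU=AAA/CN=wlse.example.com" -out "$WORK/server.csr" 2>/dev/null
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/root-cert.pem" \
    -CAkey "$WORK/root-key.pem" -CAcreateserial -days 30 \
    -out "$WORK/server-cert.pem" 2>/dev/null

# A mkcert-style self-signed server certificate: Subject and Issuer are the
# same name, so it cannot chain to root-cert.pem.
openssl req -x509 -newkey rsa:2048 -passout "pass:$PASS" -days 30 \
    -subj "/C=US/O=WLSE/OU=AAA/CN=wlse.example.com" \
    -keyout "$WORK/self-key.pem" -out "$WORK/self-cert.pem" 2>/dev/null

# --- Demo run --------------------------------------------------------------
if check_pem_bundle "$WORK/root-cert.pem" "$WORK/server-cert.pem" "$WORK/server-key.pem" "$PASS"; then
    echo "CA-issued bundle: OK, ready to upload to the WLSE"
fi
if is_self_signed "$WORK/self-cert.pem"; then
    echo "self-cert.pem is self-signed (mkcert style): usable for tests, no CA chain for clients"
fi
```

The chain check uses the same root-cert.pem the WLSE hands to clients, so a failure here is the same failure an EAP supplicant would report after the upload; the password check catches the most common silent error, a key file whose passphrase differs from the one typed into the form.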