This document describes how to configure Locally Significant Certificates (LSC) with a Wireless LAN Controller (WLC) and a newly-installed Microsoft Windows Server 2012 R2.
Note: Real deployments differ in many points, and you must have full control of, and knowledge of, the settings on your Microsoft Windows Server 2012. This configuration example is provided only as a reference template for Cisco customers to adapt to their own Microsoft Windows Server configuration in order to make LSC work.
You should understand every change made in Microsoft Windows Server and check the relevant Microsoft documentation if needed.
Note: LSC on the WLC is not supported with an intermediate CA. The WLC only obtains the certificate of the CA it enrolls against (the intermediate), so the root CA certificate is missing from the WLC and the chain cannot be validated.
The information in this document is based on these software and hardware versions:
WLC Version 7.6
Microsoft Windows Server 2012 R2
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Microsoft Windows Server Configuration
This configuration is shown as performed on a newly-installed Microsoft Windows Server 2012. You must adapt the steps to your domain and your configuration.
Install Active Directory Domain Services with the Add Roles and Features wizard.
After installation, you must promote the server to domain controller.
Since this is a new setup, you configure a new forest; in existing deployments, you typically configure these points on an existing domain controller. Here, you choose the LSC2012.com domain. This activates the Domain Name System (DNS) feature as well.
After the reboot, install the Active Directory Certificate Services role with the Certification Authority and Certification Authority Web Enrollment role services.
Choose Enterprise CA and leave everything else at the default.
Click the Microsoft Windows/Start menu.
Click Administrative tools.
Click Active Directory Users and Computers.
Expand the domain, right-click the Users folder, and choose New Object > User.
In this example, it is named APUSER. Once created, edit the user, click the Member Of tab, and make it a member of the IIS_IUSRS group.
The required User Rights Assignments are:
- Allow log on locally
- Log on as a service
Install the Network Device Enrollment Service (NDES).
Choose the account that is a member of the IIS_IUSRS group, APUSER in this example, as the service account for NDES.
Navigate to Administrative Tools.
Click Internet Information Services (IIS).
Expand Server > Sites > Default Web Site > CertSrv.
For both the mscep and mscep_admin applications, click Authentication. Make sure that Anonymous Authentication is enabled.
Right-click Windows Authentication and choose Providers. Make sure that NT LAN Manager (NTLM) is first in the list.
Disable the enrollment challenge password in the registry. Otherwise NDES, the Simple Certificate Enrollment Protocol (SCEP) server, expects a challenge password in every request, which the WLC does not send. Be aware that with the challenge disabled, any host that can reach the mscep URL can request a certificate from the template NDES uses, so restrict network access to this URL to the WLC and disable AP provisioning once the access points have their LSCs.
Open the regedit application.
Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP\EnforcePassword.
Set the EnforcePassword DWORD value to 0.
Click the Microsoft Windows/Start menu.
Open the Microsoft Management Console (mmc). On the File menu, choose Add/Remove Snap-in and add Certification Authority.
Right-click the Certificate Templates folder and click Manage.
Right-click an existing template, such as User, and choose Duplicate Template.
On the Compatibility tab, set the Certification Authority to Windows Server 2012 R2.
On the General tab, add a display name such as WLC and a validity period.
In the Subject Name tab, confirm that Supply in the request is selected.
Click the Issuance Requirements tab. Cisco recommends that you leave the issuance policies blank in a typical hierarchical CA environment.
Click the Extensions tab, Application Policies, and then Edit. Click Add, and ensure that Client Authentication is added as an application policy. Click OK.
Click the Security tab, and then Add.... Ensure that the SCEP service account defined in the NDES service installation has full control of the template, and then click OK.
Return to the Certification Authority console. Right-click the Certificate Templates folder and choose New > Certificate Template to Issue. Select the WLC template configured previously and click OK.
Change the default SCEP templates in the registry under Computer > HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > Cryptography > MSCEP. Change the EncryptionTemplate, GeneralPurposeTemplate, and SignatureTemplate values from IPSECIntermediateOffline (the IPsec (Offline Request) template) to the WLC template created previously. Use the template name (the Template name field, without spaces), not the display name.
Reboot the system so that NDES reads the new registry values.
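The server-side steps above (service account, IIS authentication, the two registry changes, and the template publication) as they would be typed into an elevated PowerShell session on the CA/NDES host. This is an added example, not part of the original Cisco document, and it assumes what the walkthrough assumes: the server is the domain controller for LSC2012.com, the AD DS and AD CS roles (Enterprise CA, web enrollment, NDES) are already installed, the service account is APUSER, and the duplicated template's Template name is WLC. The final GetCACert request is the same SCEP operation the WLC performs when you add the CA certificate, so it is a useful check before touching the controller.

```powershell
# Added example (not from the original Cisco document). Assumes an elevated
# session on the Windows Server 2012 R2 DC/CA/NDES host, with AD DS and AD CS
# (Enterprise CA, web enrollment, NDES) already installed, the NDES service
# account APUSER and a template whose Template name is "WLC".
Import-Module ActiveDirectory
Import-Module WebAdministration

$user     = 'APUSER'            # assumption: NDES service account
$template = 'WLC'               # assumption: Template name, not display name
$site     = 'Default Web Site'
$mscep    = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'

# 1. Service account, member of IIS_IUSRS (a Builtin domain-local group on a DC).
if (-not (Get-ADUser -Filter "SamAccountName -eq '$user'")) {
    New-ADUser -Name $user -SamAccountName $user -Enabled $true `
        -AccountPassword (Read-Host -Prompt "Password for $user" -AsSecureString) `
        -PasswordNeverExpires $true
}
Add-ADGroupMember -Identity 'IIS_IUSRS' -Members $user

# 2. IIS: anonymous authentication on, and NTLM before Negotiate, for both the
#    mscep and mscep_admin applications. Writing with -Location against IIS:\
#    puts the settings in applicationHost.config, which is required because
#    the authentication sections are locked at server level.
$prov = 'system.webServer/security/authentication/windowsAuthentication/providers'
foreach ($app in 'CertSrv/mscep', 'CertSrv/mscep_admin') {
    $loc = "$site/$app"
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $loc `
        -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
        -Name enabled -Value $true
    Clear-WebConfiguration -PSPath 'IIS:\' -Location $loc -Filter $prov
    foreach ($p in 'NTLM', 'Negotiate') {
        Add-WebConfigurationProperty -PSPath 'IIS:\' -Location $loc -Filter $prov `
            -Name '.' -Value @{ value = $p }
    }
}

# 3. Registry: no SCEP challenge password (the WLC never sends one), and the
#    WLC template in place of the default IPSECIntermediateOffline.
New-Item -Path "$mscep\EnforcePassword" -Force | Out-Null
Set-ItemProperty -Path "$mscep\EnforcePassword" -Name EnforcePassword -Value 0 -Type DWord
foreach ($name in 'EncryptionTemplate', 'GeneralPurposeTemplate', 'SignatureTemplate') {
    Set-ItemProperty -Path $mscep -Name $name -Value $template -Type String
}

# 4. The template must be published on the CA ("Certificate Template to Issue"),
#    otherwise NDES cannot enroll against it.
if (-not (certutil -CATemplates | Select-String "^${template}:")) {
    certutil -SetCATemplates "+$template"
}

# 5. Restart IIS so NDES re-reads the registry, then do what the WLC does first:
#    fetch the CA certificate over SCEP without any authentication.
iisreset | Out-Null
Get-ItemProperty -Path $mscep | Select-Object EncryptionTemplate, GeneralPurposeTemplate, SignatureTemplate
$url = "http://$env:COMPUTERNAME/certsrv/mscep/mscep.dll?operation=GetCACert&message=ca"
$r = Invoke-WebRequest -Uri $url -UseBasicParsing
"GetCACert: HTTP $($r.StatusCode), $($r.Headers['Content-Type']), $($r.RawContentLength) bytes"
```

A 200 response with content type application/x-x509-ca-ra-cert means the anonymous SCEP path is open and the CA certificate is retrievable, which is what the WLC needs when you click Add on the CA line. If the request is challenged for credentials or returns an error page, recheck step 2 and the EnforcePassword value before troubleshooting the controller.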
On the WLC, navigate to the Security menu. Click Certificates > LSC.
Check the Enable LSC on Controller checkbox.
Enter the URL of the Microsoft Windows Server 2012 CA. By default, the WLC appends /certsrv/mscep/mscep.dll to it.
Enter your details in the Params section.
Apply the change.
Click the blue arrow on the CA Certificate line and choose Add. The status changes from Not Present to Present.
Click the AP provisioning tab.
Check the Enable checkbox under AP Provisioning and click Update.
Reboot your access points if they have not rebooted themselves.
The access point, after reboot, joins back and displays with LSC as the certificate type in the Wireless menu.
Note: From release 8.3.112, access points that only have a Manufacturer Installed Certificate (MIC) cannot join at all once LSC is enabled. Therefore the "number of attempts to LSC" fallback feature is of limited use.
There is currently no specific troubleshooting information available for this configuration.