Step 1
If you are configuring local EAP to use one of the EAP types listed in the note above, make sure that the appropriate certificates and PACs (if you will use manual PAC provisioning) have been imported on the controller.

Step 2
If you want the controller to retrieve user credentials from the local user database, make sure that you have properly configured the local network users on the controller.

Step 3
If you want the controller to retrieve user credentials from an LDAP backend database, make sure that you have properly configured an LDAP server on the controller.

Step 4
Specify the order in which user credentials are retrieved from the backend database servers as follows:
- Choose Security > Local EAP > Authentication Priority to open the Priority Order > Local-Auth page.
- Determine the priority order in which user credentials are to be retrieved from the local and/or LDAP databases. For example, you may want the LDAP database to be given priority over the local user database, or you may not want the LDAP database to be considered at all.
- When you have decided on a priority order, highlight the desired database. Then use the left and right arrows and the Up and Down buttons to move the desired database to the top of the right User Credentials box.
  Note: If both LDAP and LOCAL appear in the right User Credentials box with LDAP on the top and LOCAL on the bottom, local EAP attempts to authenticate clients using the LDAP backend database and fails over to the local user database only if the LDAP servers are not reachable. If the user is not found, the authentication attempt is rejected. If LOCAL is on the top, local EAP attempts to authenticate using only the local user database. It does not fail over to the LDAP backend database.
- Click Apply to commit your changes.
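The failover rule in the Step 4 note is easy to misread: the local database is consulted only when the LDAP servers do not answer, never because LDAP simply did not know the user. The following added example (not Cisco code, and not taken from this guide) models that rule with two small in-memory backends and constructed sample users so the four outcomes can be compared side by side. The class and function names and the sample users are this example's own assumptions.

```python
"""Model the LDAP/LOCAL lookup order and failover rule from the Step 4 note.

Added example, not Cisco code. It models only what the note states: with LDAP
first, the local database is consulted only when the LDAP servers are
unreachable; a user that LDAP does not know is rejected outright. With LOCAL
first, the LDAP database is never consulted.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


class LdapUnreachable(Exception):
    """No configured LDAP server answered (the only condition that triggers failover)."""


@dataclass
class LdapBackend:
    users: Dict[str, str]          # constructed sample users: name -> password
    reachable: bool = True         # False simulates all LDAP servers being down

    def lookup(self, user: str) -> Optional[str]:
        if not self.reachable:
            raise LdapUnreachable()
        return self.users.get(user)


@dataclass
class LocalBackend:
    users: Dict[str, str]          # the controller's Local Net Users (sample data)

    def lookup(self, user: str) -> Optional[str]:
        return self.users.get(user)


def authenticate(order: List[str], ldap: LdapBackend, local: LocalBackend,
                 user: str, password: str) -> Tuple[str, str]:
    """Return (decision, database_consulted_last) for one client login.

    `order` is the right User Credentials box from top to bottom, for example
    ["LDAP", "LOCAL"], ["LOCAL", "LDAP"] or ["LOCAL"].
    """
    if not order:
        return ("reject", "none")
    if order[0] == "LOCAL":
        # LOCAL on top: local user database only, no failover to LDAP.
        stored = local.lookup(user)
        return ("accept" if stored == password else "reject", "LOCAL")
    # LDAP on top.
    try:
        stored = ldap.lookup(user)
    except LdapUnreachable:
        if "LOCAL" not in order:
            return ("reject", "LDAP")          # nothing to fail over to
        stored = local.lookup(user)            # failover only because LDAP is down
        return ("accept" if stored == password else "reject", "LOCAL")
    # LDAP answered: an unknown user is rejected, not retried locally.
    return ("accept" if stored == password else "reject", "LDAP")


LDAP_USERS = {"alice": "ldap-pw"}      # constructed sample data
LOCAL_USERS = {"bob": "local-pw"}      # constructed sample data


def scenarios() -> Dict[str, Tuple[str, str]]:
    """Run the cases a practitioner usually wants to confirm before going live."""
    ldap_up = LdapBackend(LDAP_USERS, reachable=True)
    ldap_down = LdapBackend(LDAP_USERS, reachable=False)
    local = LocalBackend(LOCAL_USERS)
    return {
        "ldap_first_known_user": authenticate(["LDAP", "LOCAL"], ldap_up, local, "alice", "ldap-pw"),
        "ldap_first_local_only_user": authenticate(["LDAP", "LOCAL"], ldap_up, local, "bob", "local-pw"),
        "ldap_down_failover": authenticate(["LDAP", "LOCAL"], ldap_down, local, "bob", "local-pw"),
        "ldap_down_no_fallback": authenticate(["LDAP"], ldap_down, local, "bob", "local-pw"),
        "local_first_ldap_user": authenticate(["LOCAL", "LDAP"], ldap_up, local, "alice", "ldap-pw"),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name}: {outcome}")
```

The second scenario is the one to note: a user that exists only in the local database is rejected while LDAP is reachable, so a local account cannot serve as a silent backdoor around LDAP policy, and equally cannot be relied on as a fallback for users LDAP has removed.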
Step 5
Specify values for the local EAP timers as follows:
- Choose Security > Local EAP > General to open the General page.
- In the Local Auth Active Timeout field, enter the amount of time (in seconds) in which the controller attempts to authenticate wireless clients using local EAP after any pair of configured RADIUS servers fails. The valid range is 1 to 3600 seconds, and the default setting is 300 seconds.

Step 6
Specify values for the Advanced EAP parameters as follows:
- Choose Security > Advanced EAP.
- In the Identity Request Timeout field, enter the amount of time (in seconds) in which the controller attempts to send an EAP identity request to wireless clients using local EAP. The valid range is 1 to 120 seconds, and the default setting is 30 seconds.
- In the Identity Request Max Retries field, enter the maximum number of times that the controller attempts to retransmit the EAP identity request to wireless clients using local EAP. The valid range is 1 to 20 retries, and the default setting is 2 retries.
- In the Dynamic WEP Key Index field, enter the key index used for dynamic wired equivalent privacy (WEP). The default value is 0, which corresponds to a key index of 1; the valid values are 0 to 3 (key index of 1 to 4). This feature is no longer supported.
- In the Request Timeout field, enter the amount of time (in seconds) in which the controller attempts to send an EAP request to wireless clients using local EAP. The valid range is 1 to 120 seconds, and the default setting is 30 seconds.
- In the Request Max Retries field, enter the maximum number of times that the controller attempts to retransmit the EAP request to wireless clients using local EAP. The valid range is 1 to 120 retries, and the default setting is 2 retries.
- From the Max-Login Ignore Identity Response drop-down list, enable the feature if you want to ignore the EAP identity responses when enforcing the net user login limit.
- In the EAPOL-Key Timeout field, enter the amount of time (in milliseconds) in which the controller attempts to send an EAP key over the LAN to wireless clients using local EAP. The valid range is 200 to 5000 milliseconds, and the default setting is 1000 milliseconds.
- In the EAPOL-Key Max Retries field, enter the maximum number of times that the controller attempts to send an EAP key over the LAN to wireless clients using local EAP. The valid range is 0 to 4 retries, and the default setting is 2 retries.
- In the EAP-Broadcast Key Interval field, enter the interval between Group Temporal Key (GTK) rotations for all the stations on a BSSID that is using the WPA protocol. The default interval is 3600 seconds.
- Click Apply to commit your changes.
Step 7
Create a local EAP profile, which specifies the EAP authentication types that are supported on the wireless clients, as follows:
- Choose Security > Local EAP > Profiles to open the Local EAP Profiles page. This page lists any local EAP profiles that have already been configured and specifies their EAP types. You can create up to 16 local EAP profiles.
  Note: If you want to delete an existing profile, hover your cursor over the blue drop-down arrow for that profile and choose Remove.
- Click New to open the Local EAP Profiles > New page.
- In the Profile Name field, enter a name for your new profile and then click Apply.
  Note: You can enter up to 63 alphanumeric characters for the profile name. Make sure not to include spaces.
- When the Local EAP Profiles page is displayed again, click the name of your new profile. The Local EAP Profiles > Edit page is displayed.
- Check the LEAP, EAP-FAST, EAP-TLS, and/or PEAP check boxes to specify the EAP types that can be used for local authentication.
  Note: You can specify more than one EAP type per profile. However, if you choose multiple EAP types that use certificates (such as EAP-FAST with certificates, EAP-TLS, PEAPv0/MSCHAPv2, and PEAPv1/GTC), all the EAP types must use the same certificate (from either Cisco or another vendor).
  Note: If you check the PEAP check box, both PEAPv0/MSCHAPv2 and PEAPv1/GTC are enabled on the controller.
- If you chose EAP-FAST and want the device certificate on the controller to be used for authentication, check the Local Certificate Required check box. If you want to use EAP-FAST with PACs instead of certificates, leave this check box unchecked, which is the default setting.
  Note: This option applies only to EAP-FAST because device certificates are not used with LEAP and are mandatory for EAP-TLS and PEAP.
- If you chose EAP-FAST and want the wireless clients to send their device certificates to the controller in order to authenticate, check the Client Certificate Required check box. If you want to use EAP-FAST with PACs instead of certificates, leave this check box unchecked, which is the default setting.
  Note: This option applies only to EAP-FAST because client certificates are not used with LEAP or PEAP and are mandatory for EAP-TLS.
- If you chose EAP-FAST with certificates, EAP-TLS, or PEAP, choose which certificates will be sent to the client, the ones from Cisco or the ones from another vendor, from the Certificate Issuer drop-down list. The default setting is Cisco.
- If you chose EAP-FAST with certificates or EAP-TLS and want the incoming certificate from the client to be validated against the CA certificates on the controller, check the Check against CA certificates check box. The default setting is enabled.
- If you chose EAP-FAST with certificates or EAP-TLS and want the common name (CN) in the incoming certificate to be validated against the Local Net Users configured on the controller, check the Verify Certificate CN Identity check box. The default setting is disabled.
- If you chose EAP-FAST with certificates or EAP-TLS and want the controller to verify that the incoming device certificate is still valid and has not expired, check the Check Certificate Date Validity check box. The default setting is enabled.
  Note: Certificate date validity is checked against the current UTC (GMT) time that is configured on the controller. The timezone offset is ignored.
- Click Apply to commit your changes.
Step 8
If you created an EAP-FAST profile, follow these steps to configure the EAP-FAST parameters:
- Choose Security > Local EAP > EAP-FAST Parameters to open the EAP-FAST Method Parameters page.
- In the Server Key and Confirm Server Key fields, enter the key (in hexadecimal characters) used to encrypt and decrypt PACs.
- In the Time to Live for the PAC field, enter the number of days for the PAC to remain viable. The valid range is 1 to 1000 days, and the default setting is 10 days.
- In the Authority ID field, enter the authority identifier of the local EAP-FAST server in hexadecimal characters. You can enter up to 32 hexadecimal characters, but you must enter an even number of characters.
- In the Authority ID Information field, enter the authority identifier of the local EAP-FAST server in text format.
- If you want to enable anonymous provisioning, check the Anonymous Provision check box. This feature allows PACs to be sent automatically to clients that do not have one during PAC provisioning. If you disable this feature, PACs must be manually provisioned. The default setting is enabled.
  Note: If the local and/or client certificates are required and you want to force all EAP-FAST clients to use certificates, uncheck the Anonymous Provision check box.
- Click Apply to commit your changes.
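Steps 5 through 8 state a number of hard limits (timer and retry ranges, the 63-character alphanumeric profile name, the even-length hexadecimal Authority ID of at most 32 characters, the 1 to 1000 day PAC lifetime) and one consistency rule (the Step 8 note on anonymous provisioning versus required certificates). The following added example, which is not Cisco code and not part of this guide, checks a planned configuration against exactly those stated limits before anyone types them into the GUI. The dictionary keys, the sample configurations and the message wording are this example's own assumptions, not controller keywords.

```python
"""Check a planned local EAP configuration against the limits stated in Steps 5 to 8.

Added example, not Cisco code. The dictionary keys are this example's own
names, not controller CLI or GUI identifiers; every numeric limit below is
taken from the text of Steps 5 to 8.
"""
import re
from typing import Any, Dict, List

# (key, low, high, unit): valid ranges quoted in Steps 5, 6 and 8.
RANGES = [
    ("local_auth_active_timeout", 1, 3600, "seconds"),
    ("identity_request_timeout", 1, 120, "seconds"),
    ("identity_request_max_retries", 1, 20, "retries"),
    ("request_timeout", 1, 120, "seconds"),
    ("request_max_retries", 1, 120, "retries"),
    ("eapol_key_timeout", 200, 5000, "milliseconds"),
    ("eapol_key_max_retries", 0, 4, "retries"),
    ("pac_ttl_days", 1, 1000, "days"),
]

HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")
PROFILE_NAME_RE = re.compile(r"^[A-Za-z0-9]{1,63}$")   # Step 7: up to 63 alphanumerics, no spaces
KNOWN_EAP_TYPES = {"LEAP", "EAP-FAST", "EAP-TLS", "PEAP"}  # the check boxes in Step 7


def validate_local_eap_config(cfg: Dict[str, Any]) -> List[str]:
    """Return a list of problems; an empty list means every stated limit is met."""
    problems: List[str] = []

    # Numeric ranges from Steps 5, 6 and 8 (only keys that are present are checked).
    for key, low, high, unit in RANGES:
        if key in cfg:
            value = cfg[key]
            if not isinstance(value, int) or not low <= value <= high:
                problems.append(f"{key}: {value!r} is outside {low}-{high} {unit}")

    # Step 7 profile-name rule.
    if not PROFILE_NAME_RE.match(str(cfg.get("profile_name", ""))):
        problems.append("profile_name: must be 1-63 alphanumeric characters with no spaces")

    # Step 7 EAP type selection.
    eap_types = set(cfg.get("eap_types", []))
    if not eap_types:
        problems.append("eap_types: at least one EAP type must be checked")
    for unknown in sorted(eap_types - KNOWN_EAP_TYPES):
        problems.append(f"eap_types: {unknown!r} is not one of LEAP, EAP-FAST, EAP-TLS, PEAP")

    certs_required = bool(cfg.get("local_cert_required") or cfg.get("client_cert_required"))
    if "EAP-FAST" in eap_types:
        # Step 8: PAC server key and Authority ID are hexadecimal; ID is even-length, <= 32 chars.
        if not HEX_RE.match(str(cfg.get("server_key", ""))):
            problems.append("server_key: PAC encryption key must be hexadecimal characters")
        aid = str(cfg.get("authority_id", ""))
        if not HEX_RE.match(aid) or len(aid) > 32 or len(aid) % 2:
            problems.append("authority_id: up to 32 hexadecimal characters, in an even count")
        # Step 8 note: certificates cannot be enforced while anonymous provisioning is on.
        if certs_required and cfg.get("anonymous_provision", True):
            problems.append("anonymous_provision: uncheck it to force EAP-FAST clients to use certificates")
    elif certs_required:
        # Step 7 notes: the two "Required" check boxes apply only to EAP-FAST.
        problems.append("local_cert_required/client_cert_required: these options apply only to EAP-FAST")

    return problems


# Constructed sample configurations (not from any real controller).
SAMPLE_OK = {
    "profile_name": "CorpEAP1",
    "eap_types": ["EAP-FAST", "PEAP"],
    "local_auth_active_timeout": 300,
    "identity_request_timeout": 30, "identity_request_max_retries": 2,
    "request_timeout": 30, "request_max_retries": 2,
    "eapol_key_timeout": 1000, "eapol_key_max_retries": 2,
    "server_key": "0123456789abcdef", "authority_id": "00a1", "pac_ttl_days": 10,
    "local_cert_required": False, "client_cert_required": False, "anonymous_provision": True,
}
SAMPLE_BAD = {
    "profile_name": "corp eap",            # contains a space
    "eap_types": ["EAP-FAST"],
    "eapol_key_timeout": 100,              # below the 200 ms floor
    "server_key": "deadbeef",
    "authority_id": "ABC",                 # odd number of hex characters
    "pac_ttl_days": 10,
    "client_cert_required": True, "anonymous_provision": True,   # Step 8 note violated
}

if __name__ == "__main__":
    for label, cfg in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(label, validate_local_eap_config(cfg) or "no problems")
```

The check on the Step 8 note is the one worth keeping in a change-review script: leaving Anonymous Provision enabled while requiring certificates quietly leaves the PAC-only path open, which the note exists to close.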
Step 9
Enable local EAP on a WLAN as follows:
- Choose WLANs to open the WLANs page.
- Click the ID number of the desired WLAN.
- When the WLANs > Edit page is displayed, choose the Security > AAA Servers tabs to open the WLANs > Edit (Security > AAA Servers) page.
- Uncheck the Enabled check boxes for RADIUS Authentication Servers and Accounting Server to disable RADIUS accounting and authentication for this WLAN.
- Check the Local EAP Authentication check box to enable local EAP for this WLAN.
- From the EAP Profile Name drop-down list, choose the EAP profile that you want to use for this WLAN.
- If desired, choose the LDAP server that you want to use with local EAP on this WLAN from the LDAP Servers drop-down lists.
- Click Apply to commit your changes.

Step 10
Click Save Configuration to save your changes.