Step 1 |
If you are configuring local EAP to use one of
the EAP types listed in the note above, make sure that the appropriate
certificates and PACs (if you will use manual PAC provisioning) have been
imported on the controller.
|
Step 2 |
If you want the controller to
retrieve user credentials from the local user database, make sure that you have
properly configured the local network users on the controller.
|
Step 3 |
If you want the controller to
retrieve user credentials from an LDAP backend database, make sure that you
have properly configured an LDAP server on the controller.
|
Step 4 |
Specify the order in which
user credentials are retrieved from the backend database servers as follows:
-
Choose
Security >
Local EAP >
Authentication
Priority to open the
Priority Order > Local-Auth page.
-
Determine the priority order
in which user credentials are to be retrieved from the local and/or LDAP
databases. For example, you may want the LDAP database to be given priority
over the local user database, or you may not want the LDAP database to be
considered at all.
-
When you have decided on a
priority order, highlight the desired database. Then use the left and right
arrows and the Up and Down buttons to move the desired database to the top of
the right User Credentials box.
Note
|
If both LDAP and LOCAL appear in the right User Credentials box with LDAP on the top and LOCAL on the bottom, local EAP first attempts
to authenticate clients using the LDAP backend database and fails over to the local user database only if the LDAP servers are
not reachable. A lookup miss is not a failover condition: if a reachable LDAP server does not hold the user, the authentication
attempt is rejected even when the same user exists in the local user database. If LOCAL is on the top, local EAP authenticates
using only the local user database and never fails over to the LDAP backend database.
|
-
Click
Apply to commit
your changes.
|
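The failover rule in the note above is easy to misread, so here is a small Python model of it. This is an added example, not part of the Cisco guide and not controller code: the `Backend`, `lookup`, `local_eap_authenticate` and `run` names and the sample user lists are constructed for illustration. It shows the case that surprises people: with LDAP on top and reachable, a user that exists only in the local database is rejected, and LOCAL is consulted only when the LDAP servers are down.

```python
from dataclasses import dataclass


class LdapUnreachable(Exception):
    """Raised when the LDAP backend cannot be contacted (server down)."""


@dataclass
class Backend:
    name: str            # "LDAP" or "LOCAL"
    users: dict          # username -> credential; constructed sample data, not real accounts
    reachable: bool = True


def lookup(backend, username):
    """Return the stored credential, None if the user is absent, or raise if the
    backend cannot be contacted. Only LDAP can be unreachable in this model."""
    if backend.name == "LDAP" and not backend.reachable:
        raise LdapUnreachable(backend.name)
    return backend.users.get(username)


def local_eap_authenticate(order, backends, username, password):
    """Apply the priority-order semantics from the Step 4 note.

    order is the User Credentials box read top to bottom, e.g. ["LDAP", "LOCAL"].
    Returns (accepted, which database decided). The plaintext comparison below
    only models "credential matches"; real EAP methods never compare passwords this way.
    """
    if not order:
        return False, "no credential database configured"
    top = backends[order[0]]
    if top.name == "LOCAL":
        # LOCAL on top: only the local database is consulted; LDAP never is.
        stored = lookup(top, username)
        if stored is None:
            return False, "LOCAL: user not found (LDAP not consulted)"
        return stored == password, "LOCAL"
    # LDAP on top: fail over to LOCAL only when LDAP cannot be reached.
    try:
        stored = lookup(top, username)
    except LdapUnreachable:
        if "LOCAL" not in order[1:]:
            return False, "LDAP unreachable and no LOCAL fallback configured"
        stored = lookup(backends["LOCAL"], username)
        if stored is None:
            return False, "LOCAL (failover): user not found"
        return stored == password, "LOCAL (failover)"
    if stored is None:
        # A lookup miss on a reachable LDAP server is a rejection, not a failover,
        # even if the same user exists in the local database.
        return False, "LDAP: user not found (no failover on lookup miss)"
    return stored == password, "LDAP"


# Constructed sample data: alice exists in both databases with different
# credentials, bob only in the local database.
LDAP_USERS = {"alice": "ldap-pw-1"}
LOCAL_USERS = {"alice": "local-pw-1", "bob": "local-pw-2"}
ATTEMPTS = [("alice", "ldap-pw-1"), ("alice", "local-pw-1"), ("bob", "local-pw-2")]


def run(order, ldap_reachable=True):
    """Run the three sample attempts under one priority order; rows are (user, pw, accepted, reason)."""
    backends = {
        "LDAP": Backend("LDAP", LDAP_USERS, reachable=ldap_reachable),
        "LOCAL": Backend("LOCAL", LOCAL_USERS),
    }
    return [(u, p) + local_eap_authenticate(list(order), backends, u, p) for u, p in ATTEMPTS]


if __name__ == "__main__":
    for order, up in [(["LDAP", "LOCAL"], True), (["LDAP", "LOCAL"], False), (["LOCAL"], True)]:
        print(order, "LDAP reachable" if up else "LDAP down")
        for row in run(order, up):
            print("   ", row)
```

Running it shows bob, who is only in the local database, being rejected while LDAP is up and accepted only once LDAP is unreachable; with LOCAL on top the LDAP credential for alice is never honoured.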
Step 5 |
Specify values
for the local EAP timers as follows:
-
Choose
Security >
Local EAP >
General to open
the General page.
-
In the Local Auth Active Timeout text box, enter the amount of time (in seconds) during which the controller authenticates wireless clients using local
EAP after any pair of configured RADIUS servers fails. The valid range is 1 to 3600 seconds, and the default setting is 300
seconds.
|
Step 6 |
Specify values for the
Advanced EAP parameters as follows:
-
Choose
Security>
Advanced EAP.
-
In the
Identity Request Timeout text box, enter how long (in seconds)
the controller waits for a client to answer an EAP identity request before
retransmitting it. The valid range is 1 to 120
seconds, and the default setting is 30 seconds.
-
In the Identity Request Max Retries text box, enter the maximum number of times that the controller attempts to retransmit the EAP identity request to wireless
clients using local EAP. The valid range is 1 to 20 retries, and the default setting is 2 retries.
-
In the
Dynamic WEP Key Index text box, enter the key index
used for dynamic wired equivalent privacy (WEP). The default value is 0, which
corresponds to a key index of 1; the valid values are 0 to 3 (key index of 1 to
4). This setting matters only for WLANs that still use dynamic WEP; WEP is cryptographically broken and should not be used on new deployments, so the index can normally be left at its default.
-
In the
Request Timeout text box, enter how long (in seconds) the controller
waits for a client to answer an EAP request (other than the identity request)
before retransmitting it. The valid range is 1 to 120 seconds, and the
default setting is 30 seconds.
-
In the Request Max Retries text box, enter the maximum number of times that the controller attempts to retransmit the EAP request to wireless clients
using local EAP. The valid range is 1 to 120 retries, and the default setting is 2 retries.
-
From the
Max-Login Ignore Identity Response drop-down list,
choose
Enable to limit
the number of devices that can be connected to the controller with the same
username. You can log in up to eight times from different devices (PDA, laptop,
IP phone, and so on) on the same controller. The default value is enabled.
-
In the
EAPOL-Key Timeout text box, enter how long (in seconds) the controller
waits for a client to answer an EAPOL-Key message (a frame of the WPA key handshake)
before retransmitting it. The valid range is 1 to 5 seconds, and the
default setting is 1 second.
Note
|
If the controller and access point are separated by a WAN link, the default timeout of 1 second may not be sufficient.
|
-
In the
EAPOL-Key Max Retries text box, enter the maximum
number of times that the controller attempts to send an EAP key over the LAN to
wireless clients using local EAP. The valid range is 0 to 4 retries, and the
default setting is 2 retries.
-
In the EAP-Broadcast Key Interval text box, enter the interval (in seconds) between Group Temporal Key (GTK) rotations for all stations on a BSSID that uses the
WPA protocol. The default interval is 3600 seconds.
-
Click
Apply to commit
your changes.
|
Step 7 |
Create a local EAP profile,
which specifies the EAP authentication types that are supported on the wireless
clients as follows:
-
Choose
Security >
Local EAP >
Profiles to open
the Local EAP Profiles page.
This page lists any local EAP
profiles that have already been configured and specifies their EAP types. You
can create up to 16 local EAP profiles.
Note
|
If you want to delete an existing profile, hover your cursor over the blue drop-down arrow for that profile and choose Remove.
|
-
Click
New to open the
Local
EAP Profiles > New page.
-
In the Profile Name text box,
enter a name for your new profile and then click
Apply.
Note
|
You can enter up to 63 alphanumeric characters for the profile name. Make sure not to include spaces.
|
-
When the Local EAP Profiles
page reappears, click the name of your new profile. The
Local
EAP Profiles > Edit page appears.
-
Select the
LEAP,
EAP-FAST,
EAP-TLS,
and/or
PEAP
check boxes to specify the EAP type that can be used
for local authentication.
Note
|
You can specify more than one EAP type per profile. However, if you choose multiple EAP types that use certificates (such
as EAP-FAST with certificates, EAP-TLS, PEAPv0/MSCHAPv2, and PEAPv1/GTC), all the EAP types must use the same certificate
(from either Cisco or another vendor).
|
Note
|
LEAP relies on an MS-CHAP challenge/response that is exposed to offline dictionary attacks once captured over the air. Enable it only for legacy clients that support nothing else, and prefer EAP-TLS, EAP-FAST, or PEAP.
|
Note
|
If you select the PEAP check box, both PEAPv0/MSCHAPv2 and PEAPv1/GTC are enabled on the controller.
|
-
If you chose EAP-FAST and
want the device certificate on the controller to be used for authentication,
select the
Local Certificate
Required check box. If you want to use EAP-FAST with PACs instead
of certificates, leave this check box unselected, which is the default setting.
Note
|
This option applies only to EAP-FAST because device certificates are not used with LEAP and are mandatory for EAP-TLS and
PEAP.
|
-
If you chose EAP-FAST and want the wireless clients to
send their device certificates to the controller in order to authenticate,
select the
Client Certificate
Required check box. If you want to use EAP-FAST with PACs instead
of certificates, leave this check box unselected, which is the default setting.
Note
|
This option applies only to EAP-FAST because client certificates are not used with LEAP or PEAP and are mandatory for EAP-TLS.
|
-
If you chose EAP-FAST with certificates, EAP-TLS, or PEAP,
choose from the Certificate Issuer drop-down list which certificate is sent to the client: the one from
Cisco (the certificate installed on the controller by Cisco) or the
one from another
Vendor (a certificate you imported in Step 1). The default setting is Cisco. Clients validate this certificate to authenticate the controller, so use one whose issuer the clients trust; a client configured to skip server-certificate validation will accept a rogue access point just as readily.
-
If you chose EAP-FAST with certificates or
EAP-TLS and want the incoming certificate from the client to be validated
against the CA certificates on the controller, select the
Check against CA
certificates check box. The default setting is enabled. Leave it enabled: with the check disabled, a client certificate is accepted regardless of who issued it.
-
If you chose EAP-FAST with certificates or EAP-TLS and want the common name (CN) in the incoming certificate to be validated
against the Local Net Users configured on the controller, select the Verify Certificate CN Identity check box. The default setting is disabled. Without this check, any certificate that chains to a trusted CA authenticates, whichever user or device it names; enable it when the same CA also issues certificates to principals that should not reach this WLAN.
-
If you chose EAP-FAST with certificates or
EAP-TLS and want the controller to verify that the incoming device certificate
is still valid and has not expired, select the
Check Certificate Date
Validity check box. The default setting is enabled.
Note
|
Certificate date validity is checked against the current UTC (GMT) time that is configured on the controller. Timezone offset
will be ignored.
|
-
Click
Apply to commit
your changes.
|
Step 8 |
If you created an EAP-FAST
profile, follow these steps to configure the EAP-FAST parameters:
-
Choose
Security >
Local EAP >
EAP-FAST
Parameters to open the EAP-FAST Method Parameters page.
-
In the Server Key and Confirm Server Key text boxes, enter
the key (in hexadecimal characters) used to encrypt and decrypt PACs. Generate it from a cryptographically secure random source and treat it as a secret: anyone holding it can decrypt and mint PACs for this controller.
-
In the Time to Live for the PAC text box, enter the number
of days for the PAC to remain viable. The valid range is 1 to 1000 days, and
the default setting is 10 days.
-
In the Authority ID text box, enter the authority
identifier of the local EAP-FAST server in hexadecimal characters. You can
enter up to 32 hexadecimal characters, but you must enter an even number of
characters.
-
In the Authority ID Information text box, enter the
authority identifier of the local EAP-FAST server in text format.
-
If you want to enable anonymous provisioning, select the
Anonymous
Provision check box. This feature allows PACs to be sent
automatically to clients that do not have one during PAC provisioning. If you
disable this feature, PACs must be manually provisioned. The default setting is
enabled. Anonymous provisioning does not authenticate the server to the client during the provisioning exchange, so a rogue access point can hand a client a PAC of its own; where clients can validate a server certificate, prefer certificate-based provisioning or manual PAC import.
Note
|
If the local and/or client certificates are required and you want to force all EAP-FAST clients to use certificates, unselect
the Anonymous Provision check box.
|
-
Click
Apply to commit
your changes.
|
Step 9 |
Enable local EAP on a WLAN
as follows:
-
Choose
WLANs to open
the WLANs page.
-
Click the ID number of the
desired WLAN.
-
When the
WLANs > Edit page appears, choose the
Security >
AAA Servers
tabs to open the
WLANs > Edit (Security > AAA Servers) page.
-
Unselect the
Enabled check boxes for Radius
Authentication Servers and Accounting Server to disable RADIUS accounting and
authentication for this WLAN. If RADIUS authentication stays enabled, the controller uses local EAP on this WLAN only as a fallback, for the Local Auth Active Timeout period set in Step 5, after the RADIUS servers fail.
-
Select the
Local EAP
Authentication check box to enable local EAP for this WLAN.
-
From the EAP Profile Name drop-down list, choose the EAP
profile that you want to use for this WLAN.
-
If desired, choose the LDAP server that you want to use
with local EAP on this WLAN from the
LDAP Servers drop-down lists.
-
Click
Apply to commit
your changes.
|
Step 10 |
Enable EAP
parameters on a WLAN as follows:
-
Choose
WLANs to open
the WLANs page.
-
Click the ID number of the
desired WLAN.
-
When the
WLANs > Edit page appears, choose the
Security >
AAA Servers
tabs to open the
WLANs > Edit (Security > AAA Servers) page.
-
Select the
Enable check
box to configure EAP parameters for this WLAN.
-
In the
EAPOL Key Timeout (200 to 5000 millisec) text box,
enter how long (in milliseconds) the controller waits for a client on this WLAN to
answer an EAPOL-Key message before retransmitting it. The valid
range is 200 to 5000 milliseconds and the default value is 1000 milliseconds. This per-WLAN value applies to this WLAN instead of the controller-wide EAPOL-Key Timeout from Step 6.
-
In the EAPOL Key Retries (0 to
4) text box, enter the maximum number of times that the controller
attempts to send an EAP key over the WLAN to wireless clients using local EAP.
The valid range is 0 to 4 retries and the default setting is 2 retries.
-
In the
Identity Request Timeout (1 to 120 sec) text box,
enter how long (in seconds) the controller waits for a client on this WLAN to
answer an EAP identity request before retransmitting it. The
valid range is 1 to 120 seconds and the default value is 30 seconds.
-
In the
Identity Request Retries (1 to 20 sec) text box,
enter the maximum number of times that the controller attempts to retransmit
the EAP identity request to wireless clients within WLAN using local EAP. The
valid range is 1 to 20 retries, and the default setting is 2 retries.
-
In the
Request Timeout (1 to 120 sec) text box, enter how long
(in seconds) the controller waits for a client on this WLAN to answer an EAP
request before retransmitting it. The valid
range is 1 to 120 seconds, and the default setting is 30 seconds.
-
In the
Request Retries (1 to 20 sec) text box, enter the
maximum number of times that the controller attempts to retransmit the EAP
parameter request to wireless clients within WLAN using local EAP. The valid
range is 1 to 20 retries, and the default setting is 2 retries.
-
Click
Apply to commit
your changes.
|
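The GUI steps above map onto the controller CLI, and the limits the page states are the kind of thing that is worth checking before a change window rather than on the console. The following Python script is an added example, not part of the Cisco guide: it validates a local-EAP configuration against the limits given in Steps 4 to 10 (the numeric ranges, the 63-character alphanumeric profile name, the even-length hexadecimal authority ID, the hexadecimal server key) and then prints the corresponding AireOS commands. The command syntax and keyword names (`config local-auth ...`, `config advanced eap ...`, `config wlan local-auth enable`, the method keyword `fast`, the `config wlan disable`/`enable` pair) are written from memory and are assumptions; confirm each with `?` on the controller before pasting. The `SAMPLE` configuration and all names in it are constructed for illustration.

```python
import re
import secrets

# Inclusive ranges from Step 6 (controller-wide Advanced EAP page). The CLI keyword on
# the left is an assumption; confirm with "config advanced eap ?" on the controller.
ADVANCED_EAP_LIMITS = {
    "identity-request-timeout": (1, 120),
    "identity-request-retries": (1, 20),
    "request-timeout": (1, 120),
    # The controller-wide page text says 1 to 120 retries but the per-WLAN field in
    # Step 10 says 1 to 20; the stricter bound is enforced here.
    "request-retries": (1, 20),
    "key-index": (0, 3),
    "eapol-key-timeout": (1, 5),
    "eapol-key-retries": (0, 4),
}
EAP_METHODS = ("leap", "fast", "tls", "peap")   # CLI method keywords; assumed


def check_range(name, value, lo, hi):
    """Reject non-integers (bool included) and anything outside lo..hi."""
    if not isinstance(value, int) or isinstance(value, bool) or not lo <= value <= hi:
        raise ValueError(f"{name}={value!r} is outside {lo}..{hi}")
    return value


def profile_name(name):
    """Step 7: up to 63 alphanumeric characters, no spaces."""
    if not re.fullmatch(r"[A-Za-z0-9]{1,63}", name):
        raise ValueError(f"invalid profile name {name!r}")
    return name


def authority_id(hex_id):
    """Step 8: hexadecimal, at most 32 characters, even count."""
    if not re.fullmatch(r"(?:[0-9A-Fa-f]{2}){1,16}", hex_id):
        raise ValueError(f"authority ID must be 2..32 hex chars of even length: {hex_id!r}")
    return hex_id.lower()


def server_key(hex_key):
    """Step 8: hexadecimal characters. The page states no length, so only the alphabet is checked."""
    if not re.fullmatch(r"[0-9A-Fa-f]+", hex_key):
        raise ValueError("server key must be a non-empty hex string")
    return hex_key.lower()


def new_server_key(nbytes=16):
    """Draw a fresh PAC server key from the OS CSPRNG (16 bytes = 32 hex chars; the length is an assumption)."""
    return secrets.token_hex(nbytes)


def build_cli(cfg):
    """Validate cfg against the documented limits and return the CLI lines in order."""
    cmds = []
    order = cfg["user-credentials"]                                    # Step 4
    if not order or set(order) - {"ldap", "local"} or len(set(order)) != len(order):
        raise ValueError("user-credentials must be a non-empty, duplicate-free subset of ldap/local")
    cmds.append("config local-auth user-credentials " + " ".join(order))
    timeout = check_range("active-timeout", cfg["active-timeout"], 1, 3600)  # Step 5
    cmds.append(f"config local-auth active-timeout {timeout}")
    for key, (lo, hi) in ADVANCED_EAP_LIMITS.items():                  # Step 6
        cmds.append(f"config advanced eap {key} {check_range(key, cfg['advanced'][key], lo, hi)}")
    prof = profile_name(cfg["profile"]["name"])                         # Step 7
    cmds.append(f"config local-auth eap-profile add {prof}")
    for method in cfg["profile"]["methods"]:
        if method not in EAP_METHODS:
            raise ValueError(f"unknown EAP method {method!r}")
        cmds.append(f"config local-auth eap-profile method add {method} {prof}")
    if "fast" in cfg["profile"]["methods"]:                             # Step 8
        fast = cfg["eap-fast"]
        cmds.append(f"config local-auth method fast server-key {server_key(fast['server-key'])}")
        cmds.append(f"config local-auth method fast pac-ttl {check_range('pac-ttl', fast['pac-ttl'], 1, 1000)}")
        cmds.append(f"config local-auth method fast authority-id {authority_id(fast['authority-id'])} {fast['authority-info']}")
        cmds.append("config local-auth method fast anon-prov " + ("enable" if fast["anon-prov"] else "disable"))
    wlan = cfg["wlan-id"]                                               # Step 9
    if not isinstance(wlan, int) or isinstance(wlan, bool) or wlan < 1:
        raise ValueError(f"wlan-id must be a positive integer: {wlan!r}")
    cmds += [f"config wlan disable {wlan}",          # assumption: WLAN security settings change only while it is disabled
             f"config wlan radius_server auth disable {wlan}",
             f"config wlan local-auth enable {prof} {wlan}",
             f"config wlan enable {wlan}",
             "save config"]                                             # Step 11
    return cmds


# Constructed sample configuration, not taken from any real controller.
SAMPLE = {
    "user-credentials": ["ldap", "local"],
    "active-timeout": 300,
    "advanced": {"identity-request-timeout": 30, "identity-request-retries": 2,
                 "request-timeout": 30, "request-retries": 2, "key-index": 0,
                 "eapol-key-timeout": 3, "eapol-key-retries": 2},       # 3 s: APs reached across a WAN link
    "profile": {"name": "corpTLS", "methods": ["tls", "fast"]},
    "eap-fast": {"server-key": "0f1e2d3c4b5a69788796a5b4c3d2e1f0", "pac-ttl": 10,
                 "authority-id": "436973636f", "authority-info": "wlc-local", "anon-prov": False},
    "wlan-id": 3,
}

if __name__ == "__main__":
    print("\n".join(build_cli(SAMPLE)))
```

A configuration that breaks any stated limit raises `ValueError` before a single command is printed, so a typo such as an odd-length authority ID or a profile name with a space is caught offline. Replace the sample server key with the output of `new_server_key()` rather than a hand-typed value.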
Step 11 |
Click
Save
Configuration to save your changes.
|