Configuring EAP-TLS on WLC
8/10/2019 Configuring EAP-TLS on WLC
Tags: EAP TLS on WLC, Open SSL 0_9_8y
In this post we will see how to configure EAP-TLS on a wireless LAN controller. It is assumed that you have a PC on which the certificates (a user certificate and the root CA certificate) are already installed. You can learn how to do this from Jerome's YouTube video (http://www.youtube.com/watch?v=UBE5s6qY5xY); it is one of a seven-part series covering EAP-TLS on clients, WLC and ACS, and you should not miss it:
EAP-TLS configuration on a wireless client
As you are aware, for EAP-TLS to work the WLC must have two certificates installed on it:
1. A device certificate issued to the WLC
2. The root certificate of the CA
Since the WLC cannot generate a CSR (Certificate Signing Request) by itself, a third-party tool (OpenSSL) has to be used for this. Finding a version of OpenSSL that works well for this is a challenge in itself. After a few trials and errors and reading a few forum discussions, I found that OpenSSL 0.9.8y works well with my WLC. You can download it from http://slproweb.com/products/Win32OpenSSL.html. (OpenSSL 0.9.8 has been out of support since the end of 2015, so treat that particular version as a lab-only choice.)
Here are the installation steps I followed to get this working.
Posted by Rasika Nayanajith in WLAN Security, WLC Features, Monday 22 April 2013 (2 comments)
http://mrncciew.com/2013/04/22/configuring-eap-tls-on-wlc/
Once the installation is complete, open a command prompt (Run as Administrator) and run the OpenSSL application. The Cisco document Doc ID 75584 (http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00806e367a.shtml) describes the process below for generating a CSR for the WLC.
C:\Windows\system32>cd ..
C:\Windows>cd ..
C:\>cd \OpenSSL\bin
C:\OpenSSL\bin>openssl
OpenSSL>
OpenSSL> req -new -newkey rsa:1024 -nodes -keyout wlc1key.pem -out wlc1req.pem
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
...............................................................................+++++
..............++++++
writing new private key to 'wlc1key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:VIC
Locality Name (eg, city) []:MEL
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:WLC1.mrn.com
Email Address []:[email protected]
Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []:cisco123
An optional company name []:
OpenSSL>
I have given the WLC name as the Common Name. If you are doing this for Web Authentication you have to give the DNS name that resolves to the WLC virtual IP instead. This creates two files in the OpenSSL bin folder: wlc1key.pem (the private key, which must be kept safe) and wlc1req.pem (the CSR). Open wlc1req.pem in Notepad and paste its contents into your Certificate Authority to have the certificate issued. Note that the command above asks for a 1024-bit key; 1024-bit RSA is below the minimum that current CAs and clients accept, so use rsa:2048 or larger anywhere outside a lab.
I have used Microsoft PKI as my CA, installed on a Windows 2008 server. You have to log in with the Administrator account of that server, and the URL for accessing the web enrolment pages is 192.168.200.1/certsrv, where 192.168.200.1 is the server IP. You will see a page like this.
Then click "Submit an advanced certificate request", as shown below.
Then paste the Notepad contents of wlc1req.pem, select "Web Server" as the certificate template and hit the Submit button, as shown below. The Web Server template is used because it puts the Server Authentication EKU in the certificate, which is what an EAP-TLS supplicant validates on the server certificate.
Then you can download the certificate. Ensure you selected the Base 64 encoded option. I have named it wlc1ca.cer and put it in the same bin folder as wlc1key.pem.
Now, using the following OpenSSL commands, merge wlc1key.pem and wlc1ca.cer into a PKCS#12 bundle and convert that bundle back into a single .pem file, which is the format the WLC expects. Note that we have given the password mrncciew; the private key in the final file is encrypted with it, and you need to configure the same password on the WLC when downloading the file onto it. (The end of the first command is cut off in the captured transcript.)
OpenSSL> pkcs12 -export -in wlc1ca.cer -inkey wlc1key.pem -out wlc1ca.p12 -clcerts -passin pass:mrncciew -pa
Loading 'screen' into random state - done
OpenSSL> pkcs12 -in wlc1ca.p12 -out wlc1ca.pem -passin pass:mrncciew -passout pass:mrncciew
MAC verified OK
OpenSSL>
Then download this wlc1ca.pem file onto the WLC. The transfer uses TFTP, so the file crosses the network in cleartext; the private key inside it is protected only by the password set with certpassword, so do this from the management network and remove the file from the TFTP root afterwards.
(WLC1) >transfer download datatype eapdevcert
(WLC1) >transfer download path .
(WLC1) >transfer download filename wlc1ca.pem
(WLC1) >transfer download certpassword mrncciew
Setting password to
(WLC1) >transfer download serverip 192.168.178.52
(WLC1) >transfer download start
Mode............................................. TFTP
Data Type........................................ Vendor Dev Cert
TFTP Server IP................................... 192.168.178.52
TFTP Packet Timeout.............................. 6
TFTP Max Retries................................. 10
TFTP Path........................................ ./
TFTP Filename.................................... wlc1ca.pem
This may take some time.
Are you sure you want to start? (y/N) y
TFTP EAP Dev cert transfer starting.
Certificate installed.
Reboot the switch to use new certificate.
(WLC1) >reset system
Now you need to install the root CA certificate on the WLC. Since the root CA is already installed on your client, you can export it with Firefox (as a Base64/PEM file; the WLC does not accept a DER export) into your TFTP folder and then download it to the WLC. See the Firefox screen captures below for how to do this.
Now you can download this root CA certificate to your controller as follows. You can use the WLC GUI as well.
(WLC1) >transfer download mode tftp
(WLC1) >transfer download filename mrn-W2K8-CA.pem
(WLC1) >transfer download datatype eapcacert
(WLC1) >transfer download path .
(WLC1) >transfer download serverip 192.168.178.52
(WLC1) >transfer download start
Mode............................................. TFTP
Data Type........................................ Vendor CA Cert
TFTP Server IP................................... 192.168.178.52
TFTP Packet Timeout.............................. 6
TFTP Max Retries................................. 10
TFTP Path........................................ ./
TFTP Filename.................................... mrn-W2K8-CA.pem
This may take some time.
Are you sure you want to start? (y/N) y
TFTP EAP CA cert transfer starting.
Certificate installed.
Reboot the switch to use new certificate.
(WLC1) >reset system
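The certificate preparation above (CSR, issuance, the two pkcs12 commands) and the exported root CA file, as an added example that is not part of the original post: a POSIX shell script that runs the same OpenSSL workflow non-interactively against a throw-away lab CA (standing in for the Windows 2008 CA), then performs the checks worth doing on both files before anything is sent with transfer download. The CA name, file names, 365-day lifetimes and the lab password mrncciew are assumptions; the script uses a 2048-bit key where the post uses 1024. It also builds a deliberately broken bundle (certificate plus a stale key, concatenated by hand) to show that the key-match check catches it.

```shell
#!/bin/sh
# Added example (not from the original post): the OpenSSL steps above run
# non-interactively, plus the checks to do before 'transfer download'.
# A throw-away OpenSSL CA stands in for the Windows 2008 CA; the CA name,
# file names, 365-day lifetimes and the lab password are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"
WLC_CN="WLC1.mrn.com"   # Common Name the post gives the controller
P12_PASS="mrncciew"     # must equal 'transfer download certpassword' on the WLC

# Stand-in for the enterprise root CA (in the post: exported from Firefox).
make_lab_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 -subj "/CN=mrn-W2K8-CA" \
    -keyout "$WORK/ca.key" -out "$WORK/mrn-W2K8-CA.pem" 2>/dev/null
}

# Step 1 (post: 'req -new -newkey rsa:1024 ...'): key and CSR, 2048-bit here
# because 1024-bit RSA is below what current CAs and clients accept.
make_wlc_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/C=AU/ST=VIC/L=MEL/CN=$WLC_CN" \
    -keyout "$WORK/wlc1key.pem" -out "$WORK/wlc1req.pem" 2>/dev/null
  openssl req -in "$WORK/wlc1req.pem" -noout -verify >/dev/null 2>&1  # CSR self-signature
}

# Step 2 (post: /certsrv, template "Web Server"): issue the certificate.
# serverAuth is the EKU that template adds and that supplicants check.
issue_wlc_cert() {
  printf 'extendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$WLC_CN" >"$WORK/wlc.ext"
  openssl x509 -req -in "$WORK/wlc1req.pem" -days 365 -extfile "$WORK/wlc.ext" \
    -CA "$WORK/mrn-W2K8-CA.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/wlc1ca.cer" 2>/dev/null
}

# Step 3 (post: the two 'pkcs12' commands): key + cert into a PKCS#12, then back
# to one PEM whose private key is encrypted with $P12_PASS. $1 = key, $2 = output.
bundle_for_wlc() {
  openssl pkcs12 -export -in "$WORK/wlc1ca.cer" -inkey "$1" -out "$WORK/wlc1ca.p12" \
    -passout "pass:$P12_PASS"
  openssl pkcs12 -in "$WORK/wlc1ca.p12" -out "$2" -passin "pass:$P12_PASS" \
    -passout "pass:$P12_PASS"
}

# A hand-assembled bundle with a stale key ('pkcs12 -export' refuses a
# mismatched key; 'cat cert.cer oldkey.pem > bundle.pem' does not).
make_stale_key_bundle() {
  openssl genrsa -out "$WORK/stale.key" 2048 2>/dev/null
  openssl pkcs8 -topk8 -in "$WORK/stale.key" -passout "pass:$P12_PASS" -out "$WORK/stale.enc"
  cat "$WORK/wlc1ca.cer" "$WORK/stale.enc" >"$WORK/wlc1ca-stale.pem"
}

# The file for 'transfer download datatype eapcacert' must be a PEM CA certificate.
verify_ca_file() {
  grep -q -- '-----BEGIN CERTIFICATE-----' "$1" || { echo "FAIL: $1 is not PEM (DER export?)"; return 1; }
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE' || { echo "FAIL: $1 is not a CA certificate"; return 1; }
}

# Pre-upload checks for the 'eapdevcert' file. Returns 0 only if everything lines up.
verify_bundle() {
  b="$1"
  sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$b" >"$WORK/chk.crt"
  sed -n '/-----BEGIN .*PRIVATE KEY-----/,/-----END .*PRIVATE KEY-----/p' "$b" >"$WORK/chk.key"
  grep -q ENCRYPTED "$WORK/chk.key" || { echo "FAIL: private key is not encrypted"; return 1; }
  openssl verify -CAfile "$WORK/mrn-W2K8-CA.pem" "$WORK/chk.crt" >/dev/null 2>&1 \
    || { echo "FAIL: certificate does not chain to the CA"; return 1; }
  cpub=$(openssl x509 -in "$WORK/chk.crt" -noout -pubkey)
  kpub=$(openssl pkey -in "$WORK/chk.key" -passin "pass:$P12_PASS" -pubout 2>/dev/null || true)
  [ "$cpub" = "$kpub" ] || { echo "FAIL: key does not match certificate (stale key?)"; return 1; }
  openssl x509 -in "$WORK/chk.crt" -noout -subject | grep -q "CN *= *$WLC_CN" \
    || { echo "FAIL: CN is not $WLC_CN"; return 1; }
  openssl x509 -in "$WORK/chk.crt" -noout -text | grep -q 'TLS Web Server Authentication' \
    || { echo "FAIL: no Server Authentication EKU"; return 1; }
  echo "OK: $b is ready for 'transfer download datatype eapdevcert'"
}

make_lab_ca; make_wlc_csr; issue_wlc_cert
bundle_for_wlc "$WORK/wlc1key.pem" "$WORK/wlc1ca.pem"
make_stale_key_bundle
verify_ca_file "$WORK/mrn-W2K8-CA.pem"
verify_bundle "$WORK/wlc1ca.pem"                 # OK
verify_bundle "$WORK/wlc1ca-stale.pem" || true   # FAIL: key does not match certificate
```

Run it with sh; set WORK to a directory of your choice to keep the generated files. The checks in verify_bundle correspond to what the controller and the supplicant will rely on later: the key must be encrypted (that is what certpassword decrypts), the certificate must chain to the file installed as eapcacert, the key and certificate must belong together, and the CN and Server Authentication EKU are what the client validates during the EAP-TLS handshake.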
We will configure an SSID that authenticates via the WLC's Local EAP. Here are the Local EAP profile settings. Note that the Certificate Issuer is set to Vendor: this makes the controller present the device certificate you just installed, and validate client certificates against the CA certificate you just installed, instead of using the Cisco-issued manufacturing certificate. For EAP-TLS both "Local Certificate Required" and "Client Certificate Required" must be enabled in the profile.
Here are the WLAN settings.
Now it is ready to test with a client. Here is a successful user authentication using the Local EAP profile configured for EAP-TLS.
These two videos from Jerome explain how to configure this, and I referred to them when making this post.
1. EAP-TLS on a WLC Part 1
2. EAP-TLS on a WLC Part 2
(http://www.youtube.com/watch?v=sazfGz2D3eo and http://www.youtube.com/watch?v=vhbf-39W3rQ)
In a future post we will see how to configure this on ACS 5.2.
2 THOUGHTS ON CONFIGURING EAP-TLS ON WLC

Maksym said: December 9, 2013 at 5:54 pm
Your blog is really fantastic, Rasika! Thank you for sharing your study!
In the lab equipment there is no OpenSSL software. How are we supposed to configure certificates there?

nayarasi said: December 9, 2013 at 7:23 pm
Thanks for the feedback about my blog.. really appreciated.
Regarding the EAP-TLS certs during the exam, these are pre-loaded & you are not expected to install certificates during the lab exam.
HTH
Rasika