Oct 17th, 2007

Hello, I have version 3.2.78 on my WLC 4402 and I want to configure it for EAP-TLS. It should be secured by 802.1X and WPA2, but I don't know how to do it properly over the web interface. Every suggestion is appreciated.

Scott Fella Wed, 10/17/2007 - 05:05

So you want to use EAP-TLS instead of PEAP. In other words, you want a certificate on each device. Here is a link that might help:


I have always used WPA2 w/PEAP MSChapv2 and a single certificate on the radius server.

You should maybe upgrade to, just in case:


daveman007 Wed, 10/17/2007 - 10:50

Hi, thanks for the replies.

Why would you recommend PEAP with MSCHAPv2 rather than EAP-TLS?

My additional problem is that I can't update my WLC 4402 because I am out of warranty.

dennischolmes Wed, 10/17/2007 - 11:07

The reason for single-side server certs is for your head. If you have to deal with all those client certs and manage them every single time a device is lost or stolen, your head will explode. By using PEAP or even the old legacy LEAP, you don't have that headache. Simpler management = fewer Tylenols taken.

daveman007 Wed, 10/17/2007 - 11:12

But will I have the headache of a security gap, or is it more or less the same security level?

Scott Fella Wed, 10/17/2007 - 11:25

Exactly... I worked on a project once doing EAP-TLS... NEVER AGAIN.

You have to look at it this way. Do you have a Root CA configured? Whether you do or you don't, you should see what the MS best practice for having a CA is... You will need Excedrin for tension headaches.

daveman007 Wed, 10/17/2007 - 11:34

I have to reach the result that the guys (students) using their (school-owned) notebooks are not able to bring in other personal notebooks. Is PEAP good for that?

So, using PEAP, how do I have to configure the stuff, for instance my CA?

dennischolmes Wed, 10/17/2007 - 11:48

That's a whole different scenario now. I would probably utilize PEAP for authentication and a MAC filter for association purposes. You could also validate a machine against RADIUS but again that could turn into a lot of work. Either way, the machine would be controlled and authentication would take place at a much more secure level.

daveman007 Wed, 10/17/2007 - 11:55

I heard MAC filters are not secure because the MAC can be changed.

dennischolmes Wed, 10/17/2007 - 12:02

OK. Let's talk security here. The MAC filter is not security. It is a method to dictate which laptop is allowed to associate to your access point. After the laptop has associated, the user logs in to the network via PEAP and is authenticated. If the authentication fails, the user is not allowed a session on the network. This protects you: if somebody steals the laptop, they can't log in to the network because their authentication fails. Never use MAC filters as security, only access control.

daveman007 Wed, 10/17/2007 - 12:07

But what if the guy takes another laptop, changes the MAC, copies the certificate (if possible, I don't know) and logs in with his username and password? Would it work?

dennischolmes Wed, 10/17/2007 - 12:14

Hmmmm, changes the MAC. That CAN be done, but only by a very experienced computer guy, and the laptop has to be using a flavor of Linux. Windows OS does not allow for modification of MAC addresses. Even if he gets access to the MAC, he doesn't have the logon credentials to defeat your PEAP authentication. So what has he gained? A whole lot of work for absolutely no reward. I'm just trying to make life easy for you here. Certificates will work as well, but jeez, the headaches of managing certificates.

daveman007 Wed, 10/17/2007 - 12:27

OK, will do. So you would not recommend EAP-TLS because of the huge amount of extra work, and the same security level.

The PEAP MSCHAPv2 just works; only the certificate component doesn't work, so I have to work on this.

dennischolmes Wed, 10/17/2007 - 12:30

It's what I would do. This keeps you free to do other things with your time.

daveman007 Wed, 10/17/2007 - 12:39

I know. Sure, it is my first WLAN with Cisco and RADIUS, so I had to speak with someone who just did it.

I have to speak about it with my employer; I suppose he wants TLS anyway.

daveman007 Wed, 10/17/2007 - 12:47

Thanks, Dennis.

Last question about MAC filtering, because I'll do it independently of the EAP version.

So MAC filtering means registering all MACs in my WLC and looking at which of them is logged in with which username, for instance?

dennischolmes Wed, 10/17/2007 - 12:53

Register each MAC address to the controller. In the description, use the user name so that when you look at the associated clients you will see the username, MAC address, and AP they're attached to.

Scott Fella Wed, 10/17/2007 - 12:57

WPA2 w/PEAP MSChapV2 is the way to go. If you want to authenticate via machine or user, that is up to you. Just remember, the type of encryption depends on your devices (whether they support the authentication type or not) and on whether you own those devices. Students, guests, users... whoever has their own devices is usually put on a guest-type network, since you don't want the overhead of setting them all up and taking responsibility if something breaks!

daveman007 Wed, 10/17/2007 - 13:06

Oh, could you explain that a bit more simply? I am Italian and I only learned English at school in Germany :) so...

I have a WLC 4402 and IBM R60e notebooks.

Can I authenticate users via certificate and PEAP? I thought just a server certificate and user auth via username, password and domain.

daveman007 Wed, 10/17/2007 - 13:11

Will try it and see how it works, and which is the best version for us.