WLAN authentication methods

Answered Question
Dec 9th, 2008

Hello,

I have a couple of questions about methods that can be used to authenticate an end user trying to access a WLAN.

1) In the Web authentication method, is it possible for an end user to use its own certificate in order to be authenticated? If yes, does this mean a customized web page has to be used?

2) Is it possible to have multiple authentication methods available (such as Web, VPN, 802.1x) and allow the end user to choose only one of them for authentication?

All answers (and related documentation) are appreciated in advance.

Kind Regards,

Maria

Correct Answer by Scott Fella about 8 years 21 hours ago

Maria,

The certificate option under WebAuth allows you to change the original default Cisco certificate with a trusted CA certificate. When a user who is associated to an SSID that requires Web Policy, he or she will get a certificate error page in which he or she has to accept the certificate before they get redirected to the WebAuth page. This is because on the user device, Cisco is not a trusted CA. Installing a 3rd party certificate allows users to bypass this the same way as when you browse to a secure site. RapidSSL is what I have used a lot in the past. They issue a root CA certificate and not chained certificates. Even though 5.1 and later code supports chained certificates, it is much easier to just obtain a root CA certificate.

Just do a search on Cisco's site for 3rd party certificate.

Scott Fella Tue, 12/09/2008 - 17:57

Let me give this a shot....

WebAuth uses a login page to authenticate a user either by login or passthrough. For a certificate, you need to configure a layer 2 encryption method (EAP). But... with an EAP type encryption, a user can use its own certificate, if you are using EAP-TLS and the certificate is part of your CA. WebAuth is usually used for guest access which requires a login or passthrough only. No encryption usually and the SSID is broadcasted. Internal wireless users will use a security method the organization requires, so to secure things, you would not want a secure SSID for internal on a subnet that you have a lower type of encryption or authentication method. If you want to use WebAuth, VPN, WEP, or 802.1x, then each should have its own SSID and subnet..... this way you can ACL traffic to secure your network. Don't mix and match... just my thought!
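The "each method gets its own SSID and subnet" rule in the reply above, as an added audit check that is not code from the thread or from Cisco: it flags SSID pairs whose subnets overlap while their authentication methods differ. The strength ranking of the methods and the sample SSID table are assumptions constructed for this example.

```python
import ipaddress

# Relative strength of the methods named in the thread, weakest first.
# The ranking is this example's assumption, not something the thread states.
AUTH_STRENGTH = {"open": 0, "webauth": 1, "wep": 2, "vpn": 3, "802.1x": 4}


def find_mixed_subnets(ssids):
    """Return a list of (weaker_ssid, stronger_ssid, subnet) tuples for every
    pair of SSIDs whose subnets overlap while their authentication methods
    differ. Each entry is a dict with "name", "auth" and "subnet" (CIDR)."""
    parsed = [
        (s["name"], s["auth"].lower(), ipaddress.ip_network(s["subnet"], strict=False))
        for s in ssids
    ]
    findings = []
    for i, (a_name, a_auth, a_net) in enumerate(parsed):
        for b_name, b_auth, b_net in parsed[i + 1:]:
            if a_auth == b_auth or not a_net.overlaps(b_net):
                continue
            # Order the pair so the SSID with the weaker method comes first:
            # its clients are the ones landing on the stronger SSID's subnet.
            if AUTH_STRENGTH[a_auth] < AUTH_STRENGTH[b_auth]:
                findings.append((a_name, b_name, str(a_net)))
            else:
                findings.append((b_name, a_name, str(b_net)))
    return findings


# Constructed sample: a guest WebAuth SSID placed on the same subnet as the
# 802.1x corporate SSID, which is the mix-and-match the reply warns against.
SAMPLE_SSIDS = [
    {"name": "guest", "auth": "webauth", "subnet": "10.10.0.0/24"},
    {"name": "corp", "auth": "802.1x", "subnet": "10.10.0.0/24"},
    {"name": "legacy", "auth": "wep", "subnet": "10.20.0.0/24"},
    {"name": "remote", "auth": "vpn", "subnet": "10.30.0.0/24"},
]

if __name__ == "__main__":
    for weaker, stronger, net in find_mixed_subnets(SAMPLE_SSIDS):
        print(f"{weaker} shares {net} with {stronger}: give each its own subnet and ACL")
```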

marikakis Wed, 12/10/2008 - 05:18

Thank you Scott. I really appreciate your help. I have no problem searching/reading around, but in this case I've been assigned a task quite beyond my knowledge and I have to do it fast (rings a bell?). Dummy tries to learn wireless in 24 hours :-)
