Local EAP Authentication on WLC2112 with EAP-FAST & LDAP Server

Oct 12th, 2009

Hi All,

I'm having a problem configuring local EAP Authentication using a CA (Windows Server) and an LDAP server. I followed the URL:


but it seems that the CA has no effect. Any wireless client who has his own LDAP account can access the network.

What I want is to just allow some wireless clients to access if they have an approved CA before.

Please help.

JASON BOYERS Mon, 12/07/2009 - 09:07

A couple of questions.  What type of EAP are you using?  And, do you have Check Against CA Certificates enabled for that EAP profile (it is disabled by default)?

JASON BOYERS Thu, 01/13/2011 - 12:20

For anyone who reads this, my original post did not really address the question.  First, the OP was using EAP-FAST - my mistake!  I was thrown off a bit, due to the mention of certificates, which are rarely used with EAP-FAST.  Second, there is not a way using Local EAP to require that the device has a certificate, while also requiring that the user log in in some way.  There is a way to do that, but that requires using a Cisco ACS with Machine Access Restrictions.  Device only authentication could be accomplished using EAP-TLS for the device.  Or, with ACS and MAR, the device could use EAP-TLS and the user would use EAP-TLS (if using a Windows supplicant).  If you needed to have different users log into the same device, you would either need to have each user's certificate pre-loaded (those who would potentially be logging in), or you could use the Cisco SSC client and use EAP-TLS for the machine and PEAP or EAP-FAST for the user.  Not typically done, but it could be.
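As an added illustration (not posted by anyone in this thread), here is the WLC CLI form of the settings both replies refer to: a Local EAP profile for EAP-FAST with user credentials looked up in LDAP, plus the "Check Against CA Certificates" options that the second reply explains only restrict clients that present a certificate (EAP-TLS), not EAP-FAST users authenticated against LDAP. Command syntax is assumed from the WLC configuration guide and the LDAP values, WLAN id and profile name are placeholders; verify each line against your controller's software release.

```cisco
! LDAP server used as the user database for Local EAP (placeholder values)
config ldap add 1 192.0.2.10 389 ou=users,dc=example,dc=com sAMAccountName user
config ldap enable 1
! Look up users in LDAP first, fall back to the local net-user database
config local-auth user-credentials ldap local

! EAP-FAST parameters for the Local EAP server on the WLC
config local-auth method fast server-key 0123456789abcdef0123456789abcdef
config local-auth method fast authority-id 0123456789abcdef0123456789abcdef wlc-eap-fast
config local-auth method fast pac-ttl 10
config local-auth method fast anon-prov disable

! EAP profile: EAP-FAST for users, EAP-TLS available for devices with a certificate
config local-auth eap-profile add corp-local-eap
config local-auth eap-profile method add eap-fast corp-local-eap
config local-auth eap-profile method add eap-tls corp-local-eap
config local-auth eap-profile cert-issuer vendor corp-local-eap

! "Check Against CA Certificates" and related checks (disabled by default).
! These validate a client certificate only; an EAP-FAST user with a valid
! LDAP account still passes, which is the behaviour the OP observed.
config local-auth eap-profile cert-verify ca-issuer enable corp-local-eap
config local-auth eap-profile cert-verify cn-verify enable corp-local-eap
config local-auth eap-profile cert-verify date-valid enable corp-local-eap

! Bind LDAP and the Local EAP profile to the WLAN (placeholder WLAN id 1)
config wlan ldap add 1 1
config wlan local-auth enable 1 corp-local-eap
show local-auth config
```

Requiring both a device certificate and an LDAP user login on the same connection is, as the reply above states, outside what Local EAP can enforce and needs ACS with Machine Access Restrictions.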

