Local EAP Authentication on WLC2112 with EAP-FAST & LDAP Server

trongduc · ‎10-12-2009

Hi All,

I'm having a problem configuring local EAP Authentication using CA (Windows Server) and LDAP server. I followed the URL:

http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a008093f1b9.shtml

but it seems that CA has no effect. Any wireless client who has his own LDAP account can access to the network.

What I want is just allow some wireless clients to access if they have approved CA before.

Pls help.

JASON BOYERS · ‎12-07-2009

A couple of questions. What type of EAP are you using? And, do you have Check Against CA Certificates enabled for that EAP profile (it is disabled by default)?

JASON BOYERS · ‎01-13-2011

For anyone who reads this, my original post did not really address the question. First, the OP was using EAP-FAST - my mistake! I was thrown off a bit, due to the mention of certificates, which are rarely used with EAP-FAST. Second, there is not a way using Local EAP to require that the device has a certificate, while also requiring that the user log in in some way. There is a way to do that, but that requires using a Cisco ACS with Machine Access Restrictions. Device only authentication could be accomplished using EAP-TLS for the device. Or, with ACS and MAR, the device could use EAP-TLS and the user would use EAP-TLS (if using a Windows supplicant). If you needed to have different users log into the same device, you would either need to have each user's certificate pre-loaded (those who would potentially be logging in), or you could use the Cisco SSC client and use EAP-TLS for the machine and PEAP or EAP-FAST for the user. Not typically done, but it could be.