10-12-2009 06:22 PM - edited 07-03-2021 06:08 PM
Hi All,
I'm having a problem configuring local EAP Authentication using CA (Windows Server) and LDAP server. I followed the URL:
http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a008093f1b9.shtml
but it seems that the CA has no effect. Any wireless client who has his own LDAP account can access the network.
What I want is to allow only those wireless clients that have been approved by the CA beforehand.
Please help.
12-07-2009 09:07 AM
A couple of questions. What type of EAP are you using? And, do you have Check Against CA Certificates enabled for that EAP profile (it is disabled by default)?
01-13-2011 12:20 PM
For anyone who reads this, my original post did not really address the question. First, the OP was using EAP-FAST - my mistake! I was thrown off a bit, due to the mention of certificates, which are rarely used with EAP-FAST. Second, there is not a way using Local EAP to require that the device has a certificate, while also requiring that the user log in in some way. There is a way to do that, but that requires using a Cisco ACS with Machine Access Restrictions. Device-only authentication could be accomplished using EAP-TLS for the device. Or, with ACS and MAR, the device could use EAP-TLS and the user would use EAP-TLS (if using a Windows supplicant). If you needed to have different users log into the same device, you would either need to have each user's certificate pre-loaded (those who would potentially be logging in), or you could use the Cisco SSC client and use EAP-TLS for the machine and PEAP or EAP-FAST for the user. Not typically done, but it could be.
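The device-only EAP-TLS option from the reply above, with the certificate checks that the first reply points out are disabled by default, as an added configuration sketch. It is not from the original thread or from the linked Cisco document; the profile name tls-devices, WLAN ID 1, LDAP index 1, the LDAP base DN and the server address 192.0.2.10 are placeholders, and the commands are AireOS local-EAP CLI as I recall it, so check each one against your controller's command reference before pasting it in.

```text
! Added example: device-only EAP-TLS with Local EAP on an AireOS WLC, LDAP for the user lookup.
! All names, IDs and addresses are placeholders; verify the syntax in your controller's command reference.

! 1. The Windows CA root and the controller's own device certificate must already be installed
!    (transfer download datatype vendorca / vendordevcert), otherwise the TLS method cannot be offered.

! 2. An EAP profile that offers only EAP-TLS and uses the vendor (Windows) CA rather than the Cisco MIC.
config local-auth eap-profile add tls-devices
config local-auth eap-profile method add tls tls-devices
config local-auth eap-profile cert-issuer vendor tls-devices

! 3. The checks that are off by default. ca-issuer is the "Check Against CA Certificates" box:
!    without it the client certificate is not chained to the installed CA. cn-verify and date-valid
!    additionally require the CN to match the identity and the certificate to be within its validity period.
config local-auth eap-profile cert-verify ca-issuer enable tls-devices
config local-auth eap-profile cert-verify cn-verify enable tls-devices
config local-auth eap-profile cert-verify date-valid enable tls-devices

! 4. LDAP for the identity lookup (index 1), then bind the profile to the WLAN.
config ldap add 1 192.0.2.10 389 OU=Devices,DC=example,DC=com sAMAccountName user
config local-auth user-credentials ldap
config wlan disable 1
config wlan ldap add 1 1
config wlan local-auth enable 1 tls-devices
config wlan enable 1

! 5. Verify the profile and watch a client authenticate.
show local-auth config
show local-auth certificates
show local-auth statistics
debug aaa local-auth eap method events enable
```

The test that matters is a negative one: a client whose account exists in LDAP but whose certificate was issued by a different CA (or whose CN does not match its identity) must be rejected once the cert-verify lines are in place, which is exactly the case the OP reported as succeeding.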