Cisco Support Community
New Member

Configure WLan for user certificate authentication

I have windows CA and NPS (radius server).

I want wireless clients / devices using Active Directory user certificates (generated by the AD CA) to authenticate and encrypt to the wireless WLAN.

I have set up the WLAN as [WPA2][Auth(802.1X)] and pointed it to the RADIUS server (Windows NPS).

My test notebook PC has ca.cer and the username certificate installed in the Trusted and Personal stores, and I configured the wireless profile as "Microsoft: Smart Card or other certificate".

However, when I try to connect, it fails, and Wireshark on NPS shows no traffic on port 1812.

Could someone please help take a look at whether anything is wrong in the WLC settings?

Thanks.

GPING
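Since the symptom above is an EAP-TLS client that never sends anything to NPS, here is an added PowerShell check (not code from this thread, from Cisco or from Microsoft) that verifies on the Windows client the preconditions the supplicant needs before it will offer a user certificate: the CA from ca.cer in a Trusted Root store, a user certificate with a private key and the Client Authentication EKU, and a chain that builds. `$CaSubject` is a placeholder to fill in from ca.cer, and the profile name is assumed to equal the SSID-Test SSID.

```powershell
# Added diagnostic for the scenario in this thread (not code from the thread, Cisco or Microsoft).
# Run on the Windows client as the user who will connect.
# Assumption: $CaSubject is a placeholder; set it to the Subject shown when you open ca.cer.
$CaSubject     = 'CN=EXAMPLE-AD-CA'      # placeholder for the AD CS CA's subject
$ClientAuthEku = '1.3.6.1.5.5.7.3.2'     # Client Authentication EKU; EAP-TLS needs it on the user cert

# 1. The CA from ca.cer must be in a Trusted Root store, not only in Personal,
#    otherwise "Validate server certificate" cannot succeed and the supplicant stops early.
$trustedCa = Get-ChildItem Cert:\CurrentUser\Root, Cert:\LocalMachine\Root |
             Where-Object { $_.Subject -eq $CaSubject }
if (-not $trustedCa) { Write-Warning "CA '$CaSubject' not found in Trusted Root Certification Authorities" }

# 2. List the user certificates the supplicant could offer and test each one the way
#    EAP-TLS will: private key present, Client Authentication EKU, chain builds to a trusted root.
Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
    $cert = $_
    $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }   # extKeyUsage extension
    $ekus = @()
    if ($ekuExt) { foreach ($oid in $ekuExt.EnhancedKeyUsages) { $ekus += $oid.Value } }

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # NPS does check CRLs; skipped here so this runs offline
    [void]$chain.ChainPolicy.ApplicationPolicy.Add((New-Object System.Security.Cryptography.Oid $ClientAuthEku))
    $chainOk = $chain.Build($cert)

    New-Object PSObject -Property @{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        HasPrivateKey = $cert.HasPrivateKey              # $false => cannot sign the TLS handshake
        ClientAuthEku = ($ekus -contains $ClientAuthEku)
        ChainValid    = $chainOk                         # $false => inspect $chain.ChainStatus for the reason
        NotAfter      = $cert.NotAfter
    }
} | Format-Table Subject, Issuer, HasPrivateKey, ClientAuthEku, ChainValid, NotAfter -AutoSize

# 3. Confirm the saved profile really is WPA2-Enterprise/AES with EAP-TLS; a mismatch here produces the
#    "settings saved on this computer ... do not match the requirements of the network" error.
#    Assumption: the profile is named after the SSID used in this thread.
netsh wlan show profile name="SSID-Test"
```

If every row shows HasPrivateKey, ClientAuthEku and ChainValid as True and the CA warning does not appear, the client side is ready and the failure is more likely in the WLC RADIUS settings or the NPS policy.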

5 REPLIES
Hall of Fame Super Silver

Re: Configure WLan for user certificate authentication

All that is needed on the WLC is to set your encryption method, which would be WPA2-AES 802.1X. Then you point your WLAN to use the RADIUS server. It's probably your NPS policies or client configuration.

Try to use PEAP and test first. This should verify your certificate and policy. When you can get that working, then try EAP-TLS again.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
New Member

Re: Configure WLan for user certificate authentication

Hi, Scott,

My WLC settings: SSID-Test, WPA2 802.1X, AES, "Radius server overwrite interface" ticked, Server1 - x.x.x.x port 1812,

Local EAP auth - enabled and profile = "PEAP".

On my NPS, I have 2 policies (only one of them enabled for each test).

NPS-Policy 1: Auth method = Microsoft PEAP -> "wireless server certificate", User group ="test users".

On Win7, I set up wireless profile = WPA2-Enterprise, AES, chose auth method = "Microsoft PEAP" with ca.cer installed and ticked. When I "connect", I get connected with the login user credential.

NPS-Policy 2: Auth method = "Microsoft Smart card or other certificate" -> "wireless server certificate".

On Win7, I set up wireless profile = WPA2-Enterprise, AES, chose auth method = "Microsoft Smart card or other certificate", chose "use a certificate on this computer" (I have one user certificate installed in the Personal store), also ticked "Validate server certificate" and ticked the ca.cer which was installed. When I "connect", I fail.

I tried some other combinations, like TKIP instead of AES, but I got "The settings saved on this computer for the network do not match the requirements of the network" - really frustrated.

Could you please point me to where I got it wrong?

Thanks

GPING

Hall of Fame Super Silver

Re: Configure WLan for user certificate authentication

Why do you have local EAP if you're using a RADIUS server? Also, AAA override isn't required unless you want to force a VLAN change, etc. Remove these settings on the WLAN and then try testing.

Thanks,

Scott F. Fella

Sr. Network Engineer

CDW Corporation

CDW Plaza - 120 S. Riverside

Ninth Floor

Chicago, IL 60606

Cell: 630-935-7333

e-Mail: scott.fella@cdw.com

From: gping2005

Reply-To: cisco-support@sgaur.hosted.jivesoftware.com

Date: Sunday, May 6, 2012 8:59 PM

To: Scott Fella

Subject: Re: Configure WLan for user certificate authentication

(created by gping2005 in Getting Started with Wireless)

-Scott
*** Please rate helpful posts ***
New Member

Re: Configure WLan for user certificate authentication

WLC > WLAN settings > Security > "Radius server overwrite interface" is needed, as I have just tested with NPS-Policy 1.

My WLC management & access points are in VLAN 7, the SSID VLAN is 3.

Anyway, changing the WLC WLAN security setting "Radius server overwrite interface" and unticking "local EAP auth" did not help NPS-Policy 2 get connected by Win7 with user certificate auth.

Would you mind if I send you some screen dumps to your email address above?

Thanks

G.

Hall of Fame Super Silver

Re: Configure WLan for user certificate authentication

That is fine. What I need to see is your WLC WLAN settings and your NPS policy. You can right-click on your NPS server icon and export. This way I can see exactly what you have and even fix it if it's wrong. Also send some failed logs.

Thanks,

Scott Fella

Sent from my iPhone

-Scott
*** Please rate helpful posts ***