Cisco Support Community

Most secure way to identify wireless clients - certificates

I am deploying a Wireless POC using a Cisco 3800 switch as the WLC and an AIR-CAP2602-I-E-K9 AP

I will be using a Windows 2012 Server running NPS as the Radius.

My question lies around certificates and I am looking at the most secure way to identify a laptop or not in the case of a non-corporate device.

Do I deploy the same certificate to every device? Can I deploy a different certificate so it could be revoked?

I am looking for some resources on this but currently not sure where to start.




Well, the only or best way to secure non-domain computers if you need them on your internal network is to use certificates, but you would have to generate a certificate for each machine. This would be a long process... Another way is to use an MDM for mobile devices or Cisco ISE that can push out certificates or configuration to a non-domain machine for ease of authenticating using a certificate. Not cheap solutions though. Non-domain is a bit more difficult and you will not find an easy route to doing these. There are many articles, but you will just have to give it a shot.


*** Please rate helpful posts ***


Hello Roger,

In a perfect world/scenario, each wireless device should do a certificate request to the CA.

The CA administrator sees the request and, based on the device identification, signs the certificate. Then the requester gets the certificate and based on that it can authenticate to your wireless infrastructure.


In most production scenarios: how does the requester establish communication with CA so he can make the request/receive the signed request if he doesn't have access to wireless?

One workaround would be that the first time, the requester has access to a temporary GUEST network where he does the aforementioned process. Then, with all things set, the wireless requester can successfully authenticate to your target Wireless network.


To answer your questions:

 - each wireless device will use its own certificate;

 - if for some reason you decide not to allow one device, you just revoke its certificate.
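As an added illustration of the two points above (one certificate per device, and revoking a single certificate to cut one device off), not code from this thread: a throwaway lab CA built with openssl that issues a client certificate per device, revokes one, and checks each device against the CRL the way a RADIUS server would. It assumes openssl is on PATH; the CA name and the device names laptop-001 and laptop-002 are constructed for the example.

```shell
# Lab CA for per-device EAP-TLS client certs plus CRL-based revocation.
# Constructed for this example: scratch dir, CA name, device names.
set -eu
WORK=$(mktemp -d); cd "$WORK"
mkdir newcerts; touch index.txt; echo 01 > serial; echo 01 > crlnumber
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = lab_ca
[ lab_ca ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = any_pol
x509_extensions = client_ext
[ any_pol ]
commonName = supplied
[ client_ext ]
extendedKeyUsage = clientAuth
[ req ]
distinguished_name = dn
x509_extensions = ca_ext
[ dn ]
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
# Self-signed lab CA (in production this role is played by AD CS or similar)
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
  -subj "/CN=Lab Wireless CA" -days 365 -config ca.cnf 2>/dev/null
# Each device gets its own key pair and certificate, never a shared one
issue_device_cert() {
  openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$1" -config ca.cnf 2>/dev/null
  openssl ca -batch -config ca.cnf -in "$1.csr" -out "$1.crt" 2>/dev/null
}
issue_device_cert laptop-001; issue_device_cert laptop-002
# Cutting off one device means revoking only its certificate and publishing a CRL
openssl ca -config ca.cnf -revoke laptop-002.crt 2>/dev/null
openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null
# Chain check plus CRL check, as the RADIUS server does at logon (0 = accepted)
verify_device() {
  openssl verify -crl_check -CAfile ca.crt -CRLfile ca.crl "$1.crt" >/dev/null 2>&1
}
```

After the revocation, laptop-001 still verifies while laptop-002 is rejected, without touching any other device's credentials.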
