Cisco Support Community
New Member

WLC 2504 with Radius 2008 r2 server

Dear all,

I am trying to set up a wireless network at my work. I've been looking into loads of guides but I am really struggling with the certificate bit. Could you please explain to me whether I have to have a certificate for a wireless network with AD authentication? If we do, please explain to me step by step how to do so. I've tried to do it with OpenSSL but I am getting an error when requesting the certificate. My current configuration is as follows:

Cisco WLC 2504

Cisco Aironet 1142 AP

Cisco 3560 POE switch

Windows 2008 R2( DHCP, DNS, DC, NPS)

Windows 2003 R2 ( CA)

I want to have two wireless networks, one for guests and one for clients with RADIUS server authentication. But I am stuck on the certificate bit.

Please help; if you have any questions, please let me know.

Thanks

49 REPLIES
New Member

WLC 2504 with Radius 2008 r2 server

What is the security type you are using? PEAP-MSCHAPv2, or some other kind of EAP?

Or are you using web-auth?

If you are using PEAP, you need a certificate installed on the server in order to build the TLS tunnel between the client and the server when the client tries to authenticate.

What steps have you done so far? I think adding the RADIUS server to the controller is easy and straightforward.

Let us know where exactly you have the problem.

Amjad

Rating useful replies is more useful than saying "Thank you"
New Member

WLC 2504 with Radius 2008 r2 server

Hi Amjad,

Thanks for replying. I've followed this guide and used PEAP:

http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080921f67.shtml

But I can't go any further than the 'Configure the Wireless Clients' option in the guide; they use the Cisco Aironet Desktop Utility, which I don't have. Please advise me what else I can do.

Also, if you think there is a better way of doing this, please let me know. What I am trying to do is to have two wireless networks, one for guests with only internet and a second for clients with Windows authentication.

Thanks for your help.

Re: WLC 2504 with Radius 2008 r2 server

Hi Umar;

You need to be more specific about where your problem is.

Is it with configuring your clients? (You don't know how to configure them?)

Or are they configured but not working?

Or do you need to configure something on your WLC but you are not able to?

Sent from Cisco Technical Support iPad App

Rating useful replies is more useful than saying "Thank you"
New Member

WLC 2504 with Radius 2008 r2 server

Hi Amjad,

Here is what I have done: I have installed NPS and CA on my DC 2008 and set it up as a RADIUS server. I have followed the guides to create a certificate on the server. Now I have to import the certificate to my WLC 2504, which I can't do.

At the moment my access point is getting an IP address from the RADIUS server but it's not joining the WLC, as it's reporting a certificate error. I don't remember the full errors but I can post them on Monday.

I don't know how to import the certificate I have created on my RADIUS server into the WLC.

Hopefully you understand now. I am doing this on my test network, where I am using my DC for NPS and CA. Once this works I am going to try it on my live network.

On my live network I have a separate 2003 CA server, and once I learn how to create and import a certificate into the WLC I am going to try it on that server. But for now I am doing everything from the RADIUS server.

Amjad, please let me know if it is still not clear.

Thanks

WLC 2504 with Radius 2008 r2 server

Umar:
Thanks for clarification. It is a bit clear now but I am a bit confused:

- Why do you want the APs to join the WLC via RADIUS? You can make the APs join without using RADIUS at all. Or is it a requirement to have the APs join using certificates? The file you posted does not illustrate how to use 802.1x authentication for APs!

- You can use RADIUS for clients to connect. If this is all you want, then you do not need to install the certificate on the WLC.

If the first point is a requirement, i.e. you use the RADIUS server to authorize the APs, then please try following this link:

http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00808c7234.shtml#c2

HTH

Amjad

Rating useful replies is more useful than saying "Thank you"
New Member

Re: WLC 2504 with Radius 2008 r2 server

Hi Amjad,

Thanks for the clarification. I think I was a bit confused and that's why I was having these issues. What I understand you are trying to say is that I shouldn't use RADIUS for my APs. You think I should use the WLC internal DHCP scope for the APs.

New Member

Re: WLC 2504 with Radius 2008 r2 server

Hi Amjad,

Probably it's best if I explain to you what we need, as you have more understanding of wireless networks. Or you can advise me to follow a guide which suits my criteria.

I want to have two wireless networks: one for guests (only internet access) and a second one for clients (AD authentication using a RADIUS server). I have a Cisco WLC 2504 with 4 Aironet 1142 APs and one Cisco 3560 POE switch. This is what I have at the moment.

I have two DCs (Windows Server 2008 R2); I can make one of them the NPS.

I have one CA (Windows Server 2003 R2).

Do you know any good step-by-step guide which I can follow? Thanks, you cleared up one thing: that I don't need a licence for my APs.

Also, if I already have a CA in my domain, do I have to install it again on the DC, or can I use the old one?

Amjad, I know it's a bit confusing; sorry to bother you, and I appreciate your help.

Thanks

Re: WLC 2504 with Radius 2008 r2 server

Hi All,

It seems I am a bit late, but Scott did most of the job and answered your concerns, Umar.

Well, let me explain to you what you need in order to get your WLAN up and running with a RADIUS server:

- Get your WLC configured and the APs joining the WLC. You can configure either an internal or an external DHCP scope for the APs; it does not matter in functionality. External DHCP is preferred though, just as Scott explained.

- When the APs have joined the WLC, configure the RADIUS server on the WLC and add the WLC entry in the RADIUS server. The same shared secret should be used on the WLC and the RADIUS server.

- Create the WLAN on the WLC. Choose the security of the WLAN to be WPA+WPA2 - 802.1x. This is the option to use the RADIUS server. Choose the authentication/accounting RADIUS server you configured from under the WLAN configuration.

Now everything is configured on the WLC side. From the WLC we are done.

If the clients are not able to connect at this point, it may be a certificate problem. To solve this, do the following:

- Make sure that the RADIUS server has a certificate installed so it can use it for client authentication.

- Make sure the clients that are connecting trust the certificate issuer the RADIUS server has. If you have a Microsoft CA then you can push the CA root certificate to clients via group policy (for domain members).

- If you have any trouble with installing the certificate on the server or on Windows clients, you had better put your request in some Microsoft forums. They will help you better, and they may have many guides and links that can directly guide you on how to fix your Windows issues.

Hope this makes it clear to you what steps are needed to get your WLAN running correctly.

Amjad

Rating useful replies is more useful than saying "Thank you"
Hall of Fame Super Silver

Re: WLC 2504 with Radius 2008 r2 server

Umar,

Two different things... First off, if your APs are not joining the WLC, you need to make sure the time is correctly set up on the WLC. An invalid time can result in the AP not joining the WLC. Here is a doc on troubleshooting the LWAPP join.

http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a00808f8599.shtml

Now for your client, that is different. You have installed all services on one server, so your AD has a valid certificate from when you brought up the CA server. You then need to create your NPS policies using PEAP or EAP-TLS, whichever you prefer. In the docs you posted, there should be a section where, when you define your wireless policy, you choose the certificate installed in RADIUS that you want to use for authentication. Then you just need to make sure you set up the client side correctly. You can google PEAP configuration for Windows 7 or EAP-TLS configuration for Windows 7, etc.; there are many guides to help you set up the client side.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
Hall of Fame Super Silver

Re: WLC 2504 with Radius 2008 r2 server

Here are some links

http://technet.microsoft.com/en-us/library/dd759219.aspx

https://supportforums.cisco.com/docs/DOC-17544

https://supportforums.cisco.com/docs/DOC-17512

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
New Member

WLC 2504 with Radius 2008 r2 server

Hi Scott,

Thanks for your help. I want to clear up one thing here: that I don't have to import a certificate into the WLC for this purpose. I've been reading some posts and they import the certificate into the WLC, i.e.:

"

Creating Certificates Using OpenSSL

From the guides on Cisco's website that were mentioned in the forum post I could see that OpenSSL was required to get the certificates set up in the correct format that the WLC would accept. As I am not very used to Linux I downloaded the Windows version from here. After first trying with version 1.0 light I had no success, so I then tried version v0.9.8r and it seemed to work for me. I also had to install the Visual C++ Redistributables to get the program to install.

Once installed you are able to use it to create the certificates required. First off you need to create a certificate request and key that is used with your certificates during certificate exchanges. The commands to do this are as follows:


OpenSSL>req -new -newkey rsa:1024 -nodes -keyout testkey.pem -out testreq.pem

After completing this command you will be prompted to complete some options. These are options that will end up in your certificate. The important one is the Common Name, as this should represent the domain name of the network that the Wireless LAN Controller lives on. I have completed the example below to demonstrate the simple options:


Generating a 1024 bit RSA private key
..........................++++++
......++++++
writing new private key to 'testkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:GB
State or Province Name (full name) [Some-State]:State1
Locality Name (eg, city) []:City1
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Test
Organizational Unit Name (eg, section) []:Web
Common Name (eg, YOUR name) []:*.test.com
Email Address []:test@test.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:test123
An optional company name []:
OpenSSL>

Please note the asterisk * that is inserted before the test.com domain name. This is a wildcard character so that the certificate can be used in multiple places.

After this you will end up with three files in the OpenSSL directory: testkey.pem, testreq.pem and a file called .rnd. The two files that you are interested in are the ones you created, testkey.pem and testreq.pem. It is the testreq file that we are going to use first to request a certificate from our CA. The testkey.pem file is needed later on in the process, so don't delete it.

We need to take the data from the testreq.pem file and import it into our CA to request a certificate. To do this you first need to open the testreq.pem file in a text editor that can handle Unix line endings. In Windows the Notepad program can do this. Once opened, copy the whole thing. Then, in your web browser, visit your CA web request page (in my example it is http://rds.test.com/certsrv). If you log in you will see a page like this:

Certificate Request Page - Microsoft Active Directory Certificate Services

If you click the Request a Certificate option, then Advanced certificate request, you will get to the request page. On this page, paste the text you copied in Notepad from your testkey.pem file into the Saved Request box, change the certificate template to Web Server and click Submit. The screenshot below shows this.

Certificate Web Server Request

When you click submit, you will then be presented with the following screen:

Download Base 64 encoded certificate from CA

You need to select the Base 64 encoded option and download the certificate. If you name the file something like wlc-test.cer instead of the default certnew.cer it will help it stand out. You will also need to copy this into the OpenSSL directory (the bin folder).

Now what we want to do is combine the certificate we downloaded from our CA with the certificate key we created, testkey.pem. To do this we need to use OpenSSL again and enter the following command:


openssl>pkcs12 -export -in wlc-test.cer -inkey testkey.pem -out allcerts.p12 -clcerts -passin pass:test123 -passout pass:test123


This gives us the output required for this part of the process in the form of allcerts.p12. We then need to get this into a format that the WLC will accept, a .pem file. To do this, issue the following command:


openssl>pkcs12 -in allcerts.p12 -out wlc.pem -passin pass:test123 -passout pass:test123


You should now have the certificate file ready to import into the WLC in the form of wlc.pem.

Importing the certificate to WLAN Controller

Now that you have the wlc.pem file you can upload it to your controller. To do this you will need to make sure that you have a working TFTP server configuration. In my testing I used tftpd32 and installed it on my RADIUS server. Great free little tool.

You will then need to log in to the WLC and go to SECURITY > Web Authentication > Certificate. In here you can download the certificate from the server. The image below shows you what this should look like:

importing certificate to wlan controller using tftp server

Once it has successfully downloaded you will be prompted to restart the WLC. Please restart the WLC with the reboot and save option. Once rebooted you should then see that your certificate is in place, like below:

Wireless LAN Controller with Certificate

This certificate should now be trusted by any computer on your network that has the CA certificate installed from your CA server. In my case the CA cert for the test.com domain. "

Why do they import it into their WLC?
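The thread makes two separate points about certificates: Amjad's list above says the RADIUS server needs a certificate whose issuer the clients trust (hence pushing the CA root out via group policy), and the quoted guide walks through OpenSSL CSR creation, PKCS#12 bundling and conversion back to PEM. The script below is an added example, not code from the thread, Cisco, or the quoted blog, and it reproduces that workflow end to end offline: a throwaway self-signed CA stands in for the Windows CA, the names lab-ca and radius.example.test and the password test123 are constructed for the example, and it finishes with the checks a defender would run before trusting the result (chain validates against the issuing CA, key matches the certificate, the Web Server EKU that PEAP supplicants look for is present, and a certificate from an issuer the client does not hold is rejected). It uses rsa:2048 where the guide used rsa:1024.

```shell
#!/bin/sh
# Added example: offline walkthrough of the certificate workflow discussed
# in the thread, with a throwaway test CA in place of the Windows CA.
# All names, paths and the password are constructed for this example.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Step 1: private key + CSR for the RADIUS/NPS server (the guide's
# "req -new -newkey" step; 2048-bit key instead of the guide's 1024).
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" \
    -subj "/C=GB/O=Test/CN=radius.example.test" 2>/dev/null
}

# Step 2: stand-in for the enterprise CA. Sign the CSR with the
# extensions a "Web Server" template would give it: serverAuth EKU
# plus a SAN, which is what a PEAP supplicant checks on the server cert.
make_ca_and_sign() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
    -subj "/C=GB/O=Test/CN=lab-ca" 2>/dev/null
  printf 'extendedKeyUsage=serverAuth\nsubjectAltName=DNS:radius.example.test\n' \
    > "$WORK/ext.cnf"
  openssl x509 -req -in "$WORK/server.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -days 30 -extfile "$WORK/ext.cnf" -out "$WORK/server.crt" 2>/dev/null
}

# Step 3: bundle cert + key into PKCS#12, then back to a single PEM,
# exactly the two pkcs12 invocations the quoted guide uses.
bundle_p12() {
  openssl pkcs12 -export -in "$WORK/server.crt" -inkey "$WORK/server.key" \
    -out "$WORK/all.p12" -clcerts -passout pass:test123
  openssl pkcs12 -in "$WORK/all.p12" -out "$WORK/wlc.pem" \
    -passin pass:test123 -passout pass:test123
}

# Check 1: the server cert chains to the CA the clients will be given.
check_chain() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" >/dev/null 2>&1
}

# Check 2: the certificate really belongs to the key we are bundling
# (compares the RSA modulus of both).
check_key_matches() {
  c=$(openssl x509 -noout -modulus -in "$WORK/server.crt" | openssl sha256)
  k=$(openssl rsa -noout -modulus -in "$WORK/server.key" 2>/dev/null | openssl sha256)
  [ "$c" = "$k" ]
}

# Check 3: serverAuth EKU is present; without it Windows supplicants
# refuse the RADIUS server certificate during the PEAP TLS handshake.
check_server_auth_eku() {
  openssl x509 -noout -text -in "$WORK/server.crt" \
    | grep -A1 'Extended Key Usage' | grep -q 'TLS Web Server Authentication'
}

# Check 4: a client that only holds some other CA's root rejects the
# cert. This is the failure Amjad describes when clients lack the issuer.
check_untrusted_issuer_rejected() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 \
    -keyout "$WORK/other.key" -out "$WORK/other.crt" \
    -subj "/CN=other-ca" 2>/dev/null
  ! openssl verify -CAfile "$WORK/other.crt" "$WORK/server.crt" >/dev/null 2>&1
}

make_csr
make_ca_and_sign
bundle_p12
echo "built $WORK/wlc.pem"
check_chain && echo "chain OK against lab-ca"
check_key_matches && echo "key matches certificate"
check_server_auth_eku && echo "serverAuth EKU present"
check_untrusted_issuer_rejected && echo "rejected by a client trusting only other-ca"
```

Check 4 is the practical reason Scott says a WLC web-auth certificate should come from a public CA: guest devices do not carry your internal root, so a certificate from your own CA produces exactly that rejection in their browsers, while domain clients doing PEAP can be given the internal root through group policy.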

New Member

Re: WLC 2504 with Radius 2008 r2 server

Hall of Fame Super Silver

Re: WLC 2504 with Radius 2008 r2 server

What you are looking at is for webauth, so you don't get a certificate error. Don't over-read things, because it might get confusing. You first need to have the APs join, which doesn't require you to install a certificate. Then user authentication using PEAP or EAP-TLS is totally separate and doesn't require you to upload a certificate either. If you're doing webauth and do not want users to get a certificate error, then you can upload a certificate, but it's not from your CA. It needs to be a third-party certificate (VeriSign, RapidSSL, GoDaddy, etc.).

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
New Member

Re: WLC 2504 with Radius 2008 r2 server

Ohh, brilliant, that means half of the problem is solved. Do you have a good guide which I can follow? I mentioned above what I am trying to do. Thanks for your help, I really appreciate this.

Hall of Fame Super Silver

Re: WLC 2504 with Radius 2008 r2 server

By the way... That link is for guest webauth not 802.1x.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
New Member

Re: WLC 2504 with Radius 2008 r2 server

OK, thanks. Do you know any good step-by-step guide I should follow?

Hall of Fame Super Silver

Re: WLC 2504 with Radius 2008 r2 server

Try this... It's IAS, but it's 95% the same as NPS.

http://araihan.wordpress.com/2010/04/30/complete-guide-to-build-a-cisco-wireless-infrastructure-using-cisco-wlc-5500-cisco-1142-ap-and-microsoft-radius-server/

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
Hall of Fame Super Silver

Re: WLC 2504 with Radius 2008 r2 server

Here is a link with a lot of good guides

http://www.cisco.com/en/US/products/ps10315/prod_configuration_examples_list.html

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
New Member

WLC 2504 with Radius 2008 r2 server

I checked the first one and I was stuck on the certificate part. So you think I should ignore the installation of CA things related to certificates for now, as I don't want web authentication at the moment. I will try this again on Monday and I will post the error I was getting on my AP.

Thanks, now it seems I am getting somewhere.

New Member

WLC 2504 with Radius 2008 r2 server

Another question: when I use a RADIUS server, do I still have to create an internal DHCP scope on the WLC for the APs?

Hall of Fame Super Silver

Re: WLC 2504 with Radius 2008 r2 server

You don't have to. It's an option, but it's best to use an external DHCP. I only use the WLC DHCP for guests if I have no other choice.

Sent from Cisco Technical Support iPad App

-Scott
*** Please rate helpful posts ***
Hall of Fame Super Silver

Re: WLC 2504 with Radius 2008 r2 server

I would not even use that doc if you're not doing webauth. If you are doing 802.1x you will need a CA for that. For PEAP you will need a certificate on the RADIUS server. For EAP-TLS, you will need a certificate on the RADIUS server and each device.

Sent from Cisco Technical Support iPad App

-Scott
*** Please rate helpful posts ***
New Member

WLC 2504 with Radius 2008 r2 server

OK, thanks for the information. Again, I am a bit confused about which one I should use then: 802.1x, PEAP or EAP-TLS.

I want clients to log on to Windows via wireless, and later a separate network for guests.

Hall of Fame Super Silver

Re: WLC 2504 with Radius 2008 r2 server

Take everything one step at a time. 802.1x is EAP. You can choose to use either PEAP or EAP-TLS, of which PEAP is the most widely used and simpler to implement. The only difference between PEAP and EAP-TLS, to make it simple, is that PEAP only requires a certificate on the RADIUS server. EAP-TLS requires a certificate on the RADIUS server and each client device. With PEAP you can authenticate via AD username or password or machine authentication, NOT BOTH! Machine authentication will require you to make sure these devices are joined to the domain. If you have devices you don't have on the domain and those devices need to also be on the wireless, then use PEAP. EAP-TLS requires devices to have a certificate, and these devices have to be joined to the domain or you will need to manually add the certificate to the device. Again, if you want to use your CA and authenticate users via Active Directory, it's easier to go with PEAP and that is what you should start out with first. If you can get PEAP to work with AD, then play around and get PEAP using machine authentication to work, and then EAP-TLS.

Sent from Cisco Technical Support iPad App

-Scott
*** Please rate helpful posts ***
New Member

WLC 2504 with Radius 2008 r2 server

Dear Scott and Amjad,

You both are stars; thanks a lot for guiding me through. I will do what you have told me on Monday and will update you. I really appreciate your help.

Thanks

New Member

WLC 2504 with Radius 2008 r2 server

I will go with PEAP, because I want only domain machines to authenticate on the wireless. All non-domain machines will use only the guest wireless. Thanks for the clarification.

New Member

WLC 2504 with Radius 2008 r2 server

Hall of Fame Super Silver

Re: WLC 2504 with Radius 2008 r2 server

That doc is fine also.

Sent from Cisco Technical Support iPad App

-Scott
*** Please rate helpful posts ***
12254 Views, 10 Helpful, 49 Replies