Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

WLC 5508 Web Auth and EAP / PEAP

   Morning all, I'm looking for some clarification.

Current setup:

I work in a school, a few years age I installed a 4400 WLC and several APs as a proof of concept exercise to see whether wireless technology would be of benefit to teaching and learning. It was deemed to be so.

This summer I installed 2 x 5508 WLCs and increased AP coverage to 50 - copied over the configs from the old controller - all works fine.

Currently only the staff can access the WLANs with the exception of a public WLAN in the canteen area.

Because there are a limited number of devices, WPA2 in conjunction with MAC filtering was used. However the school wants to open the wireless network to all of the students - potentially this means up to 1000 devices that will no doubt change on a regular basis so MAC filtering is out.

In line with child protection policies I need an 'auditable' trail when students access wireless resources.

Planned setup:

I have setup a test WLAN that uses Web Auth - the WLC is configured to pass authentication requests  ( through an ASA ) onto a RADIUS server which is tied into AD. I have a CA setup as well as a NAP server.

There is no layer 2 security set on the test WLAN and layer 3 is just web authentication. From any mobile device I can authenticate against AD and gain access to the Internet.


With no layer 2 security the WLAN is exposed so I need to introduce some form of end to end encryption - so I am looking at deploying EAP / PEAP.

Would the introduction of EAP / PEAP keep the network as secure as if I was using WPA2 ?

Many thanks.

  • Other Wireless - Mobility Subjects
Cisco Employee

WLC 5508 Web Auth and EAP / PEAP

If you are web authentication you cannot use dot1x as L2 security , so EAP is not an option.

But you can use preshared security , like WPA2 AES with web auth to insure that the traffic is encrypted.

or you can define a wlan profile with dot1x security on l2 and nothing on l3 , by doing so you would definetely hit the utmost security poossible.

Check the following link which contain couple of EAP config examples:


Please make sure to rate correct answers

New Member

WLC 5508 Web Auth and EAP / PEAP

Unfortunately I can't get to that document...but thaks anyway.

So can I use WPA2 with AES and 802.1x  that authenticates against the RADIUS Server?