Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Community Member

Help with WLC 2500

Hi

I am looking for a decent guide on how to configure the following to all work together

Cisco wireless lan controller 2500 - (which is already configured and working with the LAP's), I just need to get authentication working for our coporate lan.

It needs to use 802.1x wireless authentication with with a windows 2008 R2 NPS server that links into active directory. We also have a CA installed on our network.

I need to use EAP-TLS which I believe uses both client and server side certificates and is more tricky than PEAP.

I also need the windows 7 client settings for EAP-TLS to work with NPS and the controller/AP

Getting everything to work together if proving rather difficult.

There must be an upto guide out there, all the ones I have read include some cisco client side software which we wont be using and normally a older IAS server not NPS.

This is the config of my WLAN, should this work for EAP-TLS?

WLAN Identifier.................................. 1

Profile Name.....................................

Network Name (SSID)..............................

Status........................................... Enabled

MAC Filtering.................................... Disabled

Broadcast SSID................................... Enabled

AAA Policy Override.............................. Disabled

Network Admission Control

   Radius-NAC State............................... Disabled

  SNMP-NAC State................................. Disabled

  Quarantine VLAN................................ 0

Maximum number of Associated Clients............. 0

Number of Active Clients......................... 0

Exclusionlist Timeout............................ 10 seconds

Session Timeout.................................. 1800 seconds

CHD per WLAN..................................... Enabled

Webauth DHCP exclusion........................... Disabled

Interface........................................ vlan xx

Multicast Interface.............................. Not Configured

WLAN ACL......................................... unconfigured

DHCP Server...................................... Default

DHCP Address Assignment Required................. Disabled

Static IP client tunneling....................... Disabled

Quality of Service............................... Silver (best effort)

Scan Defer Priority.............................. 4,5,6

Scan Defer Time.................................. 100 milliseconds

WMM.............................................. Allowed

WMM UAPSD Compliant Client Support............... Disabled

Media Stream Multicast-direct.................... Disabled

CCX - AironetIe Support.......................... Enabled

CCX - Gratuitous ProbeResponse (GPR)............. Disabled

CCX - Diagnostics Channel Capability............. Disabled

Dot11-Phone Mode (7920).......................... Disabled

Wired Protocol................................... None

IPv6 Support..................................... Disabled

Passive Client Feature........................... Disabled

Peer-to-Peer Blocking Action..................... Disabled

Radio Policy..................................... All

DTIM period for 802.11a radio.................... 1

DTIM period for 802.11b radio.................... 1

Radius Servers

   Authentication................................ x.x.x.x 1812

   Accounting.................................... x.x.x.x 1813

   Dynamic Interface............................. Enabled

Local EAP Authentication......................... Disabled

Security

802.11 Authentication:........................ Open System

   Static WEP Keys............................... Disabled

   802.1X........................................ Disabled

   Wi-Fi Protected Access (WPA/WPA2)............. Enabled

      WPA (SSN IE)............................... Enabled

         TKIP Cipher............................. Disabled

         AES Cipher.............................. Enabled

      WPA2 (RSN IE).............................. Enabled

         TKIP Cipher............................. Disabled

         AES Cipher.............................. Enabled

                                                               Auth Key Management

         802.1x.................................. Enabled

         PSK..................................... Disabled

         CCKM.................................... Disabled

         FT(802.11r)............................. Disabled

         FT-PSK(802.11r)......................... Disabled

FT Reassociation Timeout......................... 20

FT Over-The-Air mode............................. Enabled

FT Over-The-Ds mode.............................. Enabled

CCKM tsf Tolerance............................... 1000

   CKIP ......................................... Disabled

   Web Based Authentication...................... Disabled

   Web-Passthrough............................... Disabled

   Conditional Web Redirect...................... Disabled

   Splash-Page Web Redirect...................... Disabled

   Auto Anchor................................... Disabled

   H-REAP Local Switching........................ Disabled

   H-REAP Local Authentication................... Disabled

   H-REAP Learn IP Address....................... Enabled

   Client MFP.................................... Optional

   Tkip MIC Countermeasure Hold-down Timer....... 60

Call Snooping.................................... Disabled

Roamed Call Re-Anchor Policy..................... Disabled

SIP CAC Fail Send-486-Busy Policy................ Enabled

SIP CAC Fail Send Dis-Association Policy......... Disabled

Band Select...................................... Disabled

Load Balancing................................... Disabled

1 REPLY
Hall of Fame Super Silver

Re: Help with WLC 2500

I don't think you will find any one guide on this... This can help you get started, but its for PEAP, which is just requires minor changes on the NPS and the cleint side configuration.  IAS and NPS are very similar in the configuration also.

http://pcloadletter.co.uk/2011/07/11/cisco-wifi-active-directory-auth/.

http://araihan.wordpress.com/2010/04/30/complete-guide-to-build-a-cisco-wireless-infrastructure-using-cisco-wlc-5500-cisco-1142-ap-and-microsoft-radius-server/

-Scott
*** Please rate helpful posts ***
1383
Views
0
Helpful
1
Replies
CreatePlease to create content