Security for Internal WLAN

snowmizer
Level 1

I'm trying to figure out the best way to set up authentication on my WLAN for my internal users. I want to use certificates but I'm not exactly sure what layer 2, layer 3 and AAA settings I need to configure for certificates. If I do certificate authentication is that enough or do I also need to use something like RADIUS authentication?

Anyone got any good docs or recommendations on how to configure my WLAN for certificate authentication? Also, I'm curious what methods other people are using to secure their internal WLANs.


Thanks. 

Accepted Solution

Ven Taylor
Level 4

If you're looking for WLAN authentication, I would recommend PEAP.  It requires all users to use their AD credentials and synchronizes with your AD infrastructure via RADIUS.  You can use your own RADIUS server or ACS / AD for authentication.

I've used it in the past and it is very good.

The first link gives you some detail on PEAP.

http://www.cisco.com/en/US/prod/collateral/wireless/ps5678/ps430/prod_qas0900aecd801764fa.html

The second link is a configuration guide.

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080665d18.shtml

Ven


8 Replies

Scott Fella
Hall of Fame

In order to do certificate authentication either using EAP-TLS or PEAP, 802.1x requires the use of a RADIUS server.  The RADIUS server would look at your Active Directory for user or device authentication.  You would also need to have a PKI infrastructure if doing EAP-TLS.  If you do not have a RADIUS server, then pre-shared key is your best bet.

-Scott
*** Please rate helpful posts ***

So basically I need to set up a RADIUS server and configure all of my APs as RADIUS clients, select "WPA+WPA2+802.1x" as the layer 2 security method, configure the AAA server tab to use my RADIUS server and then check "Local-EAP". Then set up a Local EAP profile that uses EAP-TLS. Am I correct that I will also need to change the settings on my client's wireless network config to pass EAP-TLS?

Thanks.

If your APs are autonomous, then yes.  If you have a WLC, then only the WLC(s) are entered as your AAA client.  No need to select Local EAP when pointing to a RADIUS server.  You do want to select WPA+WPA2, but really only enable WPA2 & AES with 802.1x.

-Scott
*** Please rate helpful posts ***

I am using WLC.

Thanks guys for the replies. I'm going to check out the two docs that Ven also recommended and I'll see if I have any other questions.


Ok I looked at the docs and configured my settings. I set up RADIUS on Windows 2008 R2 NPS. Initially I had the WLC configured as a RADIUS client and I was seeing messages that a RADIUS message was received from the invalid RADIUS client IP address 1.2.3.4. The address 1.2.3.4 corresponds to the IP address on the interface for the WLAN. So I switched the IP address on the RADIUS client on NPS to match the IP address 1.2.3.4 and tried accessing the WLAN. Now I'm getting an EAP error:

Explicit EAP failure received (0x50005)

EAP Error Code: 0x40420110

Network authentication failed due to a problem with the user account

I looked on the NPS server logs and don't see any messages there. Account isn't locked out, certificate is valid.

Any other ideas?


Thanks.
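Pulling Scott's WLC-side steps (the WLC as the only AAA client, WPA2/AES with 802.1X, no Local EAP) and the RADIUS-client address lesson from this post into one Cisco AireOS CLI sketch. This is an added example, not from the thread or from Cisco's docs; the server address, WLAN id, interface name and shared secret are constructed placeholders.

```text
! Added example (not from the thread): AireOS WLC CLI for a WPA2/AES + 802.1X
! WLAN that forwards EAP to an external RADIUS server (the NPS box here).
! 192.0.2.10, WLAN id 2, "internal-vlan" and the secret are placeholders.

! 1) Define the RADIUS (NPS) server and enable it.
!    The shared secret must match the NPS RADIUS client entry for this WLC.
config radius auth add 1 192.0.2.10 1812 ascii PLACEHOLDER_SHARED_SECRET
config radius auth enable 1

! 2) Create the WLAN, keep it disabled while changing security, and bind it
!    to the dynamic interface that carries internal users.
config wlan create 2 Internal-WLAN Internal-WLAN
config wlan disable 2
config wlan interface 2 internal-vlan

! 3) Layer 2 security: WPA2 only, AES only, 802.1X key management.
!    No WPA1/TKIP, no PSK, and no Local EAP: the RADIUS server terminates EAP.
!    Which EAP method is allowed (EAP-TLS vs PEAP) is decided in the NPS
!    network policy and on the client supplicant, not on the WLC.
config wlan security wpa enable 2
config wlan security wpa wpa1 disable 2
config wlan security wpa wpa2 enable 2
config wlan security wpa wpa2 ciphers aes enable 2
config wlan security wpa wpa2 ciphers tkip disable 2
config wlan security wpa akm 802.1x enable 2
config wlan security wpa akm psk disable 2

! 4) Point the WLAN at RADIUS server index 1 for authentication and enable it.
config wlan radius_server auth add 2 1
config wlan enable 2

! 5) Verify. On the NPS side, the RADIUS client's address must be the IP the
!    WLC actually sources RADIUS from (the management interface by default);
!    the "invalid RADIUS client IP address" event above is the symptom when
!    the NPS client entry points at a different WLC address.
show radius summary
show wlan 2
debug aaa events enable
```

After the WLC and NPS agree on client address and shared secret, a remaining EAP failure is normally a policy or certificate problem on the NPS/client side, which is where the NPS event log rather than the WLC should be read.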

Success!!! I was able to get past this message and get connected to my internal WLAN. Thanks for all of the help guys.

I have this problem too.

Explicit EAP failure received (0x50005)

Can you help me please?
