Cisco Support Community
Community Member

Security for Internal WLAN

I'm trying to figure out the best way to set up authentication on my WLAN for my internal users. I want to use certificates but I'm not exactly sure what layer 2, layer 3 and AAA settings I need to configure for certificates. If I do certificate authentication is that enough or do I also need to use something like RADIUS authentication?

Anyone got any good docs or recommendations on how to configure my WLAN for certificate authentication? Also, I'm curious what methods other people are using to secure their internal WLANs.


Thanks. 

1 ACCEPTED SOLUTION

Accepted Solutions
Bronze

Security for Internal WLAN

If you're looking for WLAN authentication, I would recommend PEAP.  It requires all users to use their AD credentials and synchronizes with your AD infrastructure via RADIUS.  You can use your own RADIUS server or ACS / AD for authentication.

I've used it in the past and it is very good.

The first link gives you some detail on PEAP.

http://www.cisco.com/en/US/prod/collateral/wireless/ps5678/ps430/prod_qas0900aecd801764fa.html

The second link is a configuration guide.

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080665d18.shtml

Ven

Ven Taylor
8 REPLIES
Hall of Fame Super Silver

Re: Security for Internal WLAN

In order to do certificate authentication, either using EAP-TLS or PEAP, 802.1X requires the use of a RADIUS server.  The RADIUS server would look at your Active Directory for user or device authentication.  You would also need to have a PKI infrastructure if doing EAP-TLS.  If you do not have a RADIUS server, then pre-shared key is your best bet.

-Scott
*** Please rate helpful posts ***
Community Member

Security for Internal WLAN

So basically I need to set up a RADIUS server and configure all of my APs as RADIUS clients, select "WPA+WPA2+802.1x" as the layer 2 security method, configure the AAA server tab to use my RADIUS server and then check "Local-EAP". Then set up a Local EAP profile that uses EAP-TLS. Am I correct that I will also need to change the settings on my clients' wireless network config to pass EAP-TLS?

Thanks.

Hall of Fame Super Silver

Security for Internal WLAN

If your APs are autonomous, then yes.  If you have a WLC, then only the WLC(s) are entered as your AAA client.  No need to select Local EAP when pointing to a RADIUS server. You do want to select WPA+WPA2, but really only enable WPA2 & AES with 802.1X.

-Scott
*** Please rate helpful posts ***
Community Member

Re: Security for Internal WLAN

I am using WLC.

Thanks guys for the replies. I'm going to check out the two docs that Ven also recommended and I'll see if I have any other questions.

Community Member

Re: Security for Internal WLAN

Ok I looked at the docs and configured my settings. I set up RADIUS on Windows 2008 R2 NPS. Initially I had the WLC configured as a RADIUS client and I was seeing messages that a RADIUS message was received from the invalid RADIUS client IP address 1.2.3.4. The address 1.2.3.4 corresponds to the IP address on the interface for the WLAN. So I switched the IP address on the RADIUS client on NPS to match the IP address 1.2.3.4 and tried accessing the WLAN. Now I'm getting an EAP error:

Explicit EAP failure received (0x50005)

EAP Error Code: 0x40420110

Network authentication failed due to a problem with the user account

I looked on the NPS server logs and don't see any messages there. Account isn't locked out, certificate is valid.

Any other ideas?


Thanks.
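
The "invalid RADIUS client IP address" message in the post above comes from the very first check a RADIUS server makes: it looks up the source address of the UDP datagram in its configured client table, and only a listed client's shared secret is ever used to validate the packet. The example below is added here and is not code from this thread, from Cisco, or from Microsoft NPS. It builds a minimal Access-Request carrying an EAP-Message plus the Message-Authenticator that RFC 3579 requires alongside EAP, and a server-side admission check that rejects, in order, an unlisted source IP, an EAP packet with no Message-Authenticator, and a Message-Authenticator that does not verify under that client's shared secret (the symptom of a shared-secret mismatch between the WLC and NPS). All IP addresses, secrets, and user names are constructed sample values.

```python
"""Minimal RADIUS Access-Request builder and server-side admission check.

Added example (not from the thread). Demonstrates why a RADIUS server
rejects a request from an address that is not in its client table before
it ever looks at the shared secret, and how the shared secret is then
checked through the Message-Authenticator attribute (RFC 2865 / RFC 3579).
"""
import hashlib
import hmac
import os
import struct

CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + request authenticator(16)


def _attr(attr_type, value):
    """Encode one attribute as type, length, value; length includes the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier, shared_secret, username, eap_payload):
    """Build an Access-Request that carries EAP and is signed with Message-Authenticator.

    Message-Authenticator is HMAC-MD5 over the whole packet, keyed with the
    shared secret, computed with the attribute's own 16-byte value set to zero.
    """
    request_authenticator = os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_EAP_MESSAGE, eap_payload)
             + _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))  # zeroed placeholder, kept last
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier,
                         HEADER_LEN + len(attrs)) + request_authenticator
    mac = hmac.new(shared_secret, header + attrs, hashlib.md5).digest()
    # The placeholder is the final attribute, so its value is the last 16 bytes.
    return header + attrs[:-16] + mac


def parse_attributes(packet):
    """Return (type, value, offset) triples for every attribute in the packet."""
    attrs = []
    pos = HEADER_LEN
    while pos < len(packet):
        attr_type, attr_len = struct.unpack("!BB", packet[pos:pos + 2])
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((attr_type, packet[pos + 2:pos + attr_len], pos))
        pos += attr_len
    return attrs


def verify_access_request(packet, source_ip, client_table):
    """Server-side checks in the order a RADIUS server applies them.

    client_table maps a NAS source IP (string) to its shared secret (bytes).
    Returns ("ok", username) or ("reject", reason).
    """
    # 1. The datagram's source address must be a configured RADIUS client.
    #    Nothing in the packet is trusted until this lookup succeeds.
    shared_secret = client_table.get(source_ip)
    if shared_secret is None:
        return ("reject", "invalid RADIUS client IP address %s" % source_ip)

    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != CODE_ACCESS_REQUEST or length != len(packet):
        return ("reject", "bad code or length")

    attrs = parse_attributes(packet)
    by_type = {t: (v, off) for t, v, off in attrs}

    # 2. EAP-Message present means Message-Authenticator is mandatory (RFC 3579).
    if ATTR_EAP_MESSAGE in by_type and ATTR_MESSAGE_AUTHENTICATOR not in by_type:
        return ("reject", "EAP-Message without Message-Authenticator")

    # 3. Recompute the HMAC with the attribute value zeroed in place. A mismatch
    #    means the client's shared secret differs or the packet was altered.
    if ATTR_MESSAGE_AUTHENTICATOR in by_type:
        received, off = by_type[ATTR_MESSAGE_AUTHENTICATOR]
        zeroed = packet[:off + 2] + bytes(16) + packet[off + 18:]
        expected = hmac.new(shared_secret, zeroed, hashlib.md5).digest()
        if not hmac.compare_digest(received, expected):
            return ("reject", "Message-Authenticator mismatch (shared secret?)")

    username = by_type.get(ATTR_USER_NAME, (b"", 0))[0].decode(errors="replace")
    return ("ok", username)


if __name__ == "__main__":
    # Constructed scenario: NPS lists 10.0.0.5 as the WLC, but the request
    # arrives from 10.0.1.9 (the WLAN's dynamic interface, as in the post).
    clients = {"10.0.0.5": b"constructed-shared-secret"}
    eap_identity = b"\x02\x01\x00\x0a\x01alice"  # EAP Response/Identity "alice"
    pkt = build_access_request(7, b"constructed-shared-secret", "alice", eap_identity)
    print(verify_access_request(pkt, "10.0.1.9", clients))  # rejected: unlisted client
    print(verify_access_request(pkt, "10.0.0.5", clients))  # ('ok', 'alice')
    wrong = build_access_request(8, b"typo-in-secret", "alice", eap_identity)
    print(verify_access_request(wrong, "10.0.0.5", clients))  # rejected: HMAC mismatch
```

The order of the three checks is the useful part for troubleshooting: an unlisted source address produces the "invalid RADIUS client" event and nothing else, whereas a listed address with a wrong shared secret gets past the lookup and fails on the Message-Authenticator, which is what to suspect once the client entry matches and EAP still fails with no useful NPS event.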

Community Member

Re: Security for Internal WLAN

Success!!! I was able to get past this message and get connected to my internal WLAN. Thanks for all of the help guys.

Community Member

I have this problem too

I have this problem too.

Explicit EAP failure received (0x50005)

Can you help me please?
