Currently we have WLC 4402 and wide range of AP. We use WAP2 with EAP-PEAP-MSCHAP for the WLAN security setup. We use MS IAS as radius server.
Recently, we want to find a way to control what type of wireless devices that can join to our WLAN. One idea is deploying client certificate and use EAP-TLS for authentication. Does this sound a reasonable approach? Or there is a better way to achieve the objective than using EAP-TLS? I have not done EAP-TLS before and I am not sure if I am opening up a big "can of worm" in this direction.
Furthermore, does EAP-TLS only works with WEP encryption? Is TKIP or AES not supported?
if there are any good documents around EAP-TLS with wireless deployment, please let me know. thx.
Under EAP-TLS, does the wireless login process involved user authentication beside client certificate? One of the primary trigger for us to look into this option is to get a two-factor authentication setup for the wireless network.
No, there is no password transmitted during EAP-TLS authentication. EAP-TLS relies upon the authenticating client having a valid certificate with a name that matches an account on the authentication server.
If you require two-factor authentication you will need to use a RADIUS server that supports it or can proxy to something that does.
A PKI is a large undertaking for larger enterprises. Not something you just throw up over night. I would read up and test before committing to EAP-TLS.
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
Transferring Crash file from standby: Login to the Active WLC in HA.
From CLI: (Cisco Controller) >transfer upload datatype crash (Cisco
Controller) >transfer upload filename (Cisco
Controller) >transfer upload mode tftp (Cisco Controller) >transfer
This is the start of a display filter cross reference between Wireshark
and OmniPeek. The 1st installment is a table of advanced filters. More
filters will be added as time allows. It is a living doc, so check back
for changes every so often Please feel f...
I have created a Powershell script to automatically add a Wireless Guest
User on Cisco WLCs. (tested on 2500 Series) The script should be
completely self explanatory. Prerequisites: Powershell SNMP Module
(Install-Module -Name SNMP) SNMP Write Access to y...