Cisco Support Community
WLC configuration for authenticating wireless username/password only

Hello,

It seems that a lot of people have issues with "Validating Certificate" on Windows 7 machines when they try to authenticate with their AD username and password on non-domain computers.

I want to be able to authenticate my users with domain and non-domain computers without having to install a certificate on the computer. I know that Windows 8 now proposes the acceptance of the certificate, but Windows 7 and XP do not. "FREAKIN' CHECK BOX"....

I want to enable the user to connect to my wireless WLC 5500 only with their AD username and password. BYOD !!!

I have all the tools that I need, WLC, RADIUS Servers, LDAP Servers, 1142 APs etc....

I saw on a forum that a trusted certificate from Verisign or another certified and validated provider will not request the validation, but I'm not sure about that.

Is there anyone having the same problem and frustration?

Thanks

Dave


WLC configuration for authenticating wireless username/password

Hi Dave,

I had the same problem as you, and the most convenient thing I could think of was to use a DMZ-based captive portal to direct the users through to a pre-authentication page where they can download the certificate and then join the normal SSID after they've installed it. That would require a work instruction / procedure for them to follow and isn't particularly guest friendly! However, the pre-auth page could have the instructions on there for them to follow, so you avoid having to distribute the certificate and document via email/USB keys etc.

The trusted certificate information you have read is correct. If you fork out the $$ then you can buy a publicly trusted certificate and devices won't then prompt you to accept the certificate, or in the case of XP/Win 7 they will actually be able to join the network without any manual configuration.

Good luck!

Ric


WLC configuration for authenticating wireless username/password

In Windows 7 we uncheck 'validate server certificate', which bypasses that step (using MS PEAP). This is found under your wireless network properties --> security tab --> "settings" next to the MS PEAP drop-down box...


WLC configuration for authenticating wireless username/password

Hello Tony,

I know about the checkbox. The thing is that I don't want users to go into these settings and change it. As seamless as possible, so that I don't have to write a connection procedure and distribute it. I have a lot of BYOD: iPhones, iPads, Androids, PCs and all...

Regards,


WLC configuration for authenticating wireless username/password

In the case of non-corporate-owned devices or BYOD, we have a separate 'partner' SSID that's anchored to a DMZ controller (and have a policy in place that non-corporate devices are only allowed here). Although you have to be careful not to add too many SSIDs due to beaconing demands, so we have our 6 SSIDs split up between the 2.4 GHz and 5 GHz bands. Our guest SSID is only on the 2.4 GHz band, along with a 'non-computer' SSID for devices with small bandwidth requirements etc.

Hope that helps.


WLC configuration for authenticating wireless username/password

Hello Ric,

That's good news. My company will deal with the $$ to do so. Will a Client/Server Authentication certificate do? I wonder what type of certificate I need to request from my trusted public CA.

Regards,


Re: WLC configuration for authenticating wireless username/passw

You can use a 3rd party certificate if you want. The thing is, you have domain and non-domain machines. So your best bet is to use PEAP, which only requires a cert on the RADIUS. For your domain machines you can just push out a GPO to trust your internal CA, which, if you have one, they should be trusting anyway. If you want all other devices to not be presented with a cert error, you can use a 3rd party cert. This is generally done with a captive portal page also, so either way you decide to go, a 3rd party certificate is required.


-Scott
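Scott's answer (PEAP needs only a server certificate on the RADIUS host) raises the practical question Dave asked just above: which kind of certificate to request. Windows PEAP supplicants check three things on the RADIUS server's certificate: it chains to a trusted root, it carries the Server Authentication EKU, and, when "Connect to these servers" is configured, its name matches the RADIUS host. The following is an added example, not code from the thread or from Cisco, that checks the last two points with openssl before the certificate goes onto NPS. It assumes openssl 1.1.1 or later is installed and uses nps.example.edu as a placeholder RADIUS host name; the sample certificates it generates are self-signed test data constructed for the demo, not real NPS certificates.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check a RADIUS/NPS server certificate
# for PEAP before deploying it. Assumed: openssl 1.1.1+ is installed and the RADIUS
# host name is nps.example.edu (a placeholder chosen for this example).

# Print one X.509 extension of a PEM certificate, one value per line, leading spaces stripped.
cert_ext_values() {
    # $1 = certificate PEM, $2 = extension name as understood by "openssl x509 -ext"
    openssl x509 -in "$1" -noout -ext "$2" 2>/dev/null | tail -n +2 | tr ',' '\n' | sed 's/^[[:space:]]*//'
}

# check_peap_cert CERT_PEM RADIUS_HOSTNAME
# Prints "OK" and returns 0 when the certificate is usable for PEAP; otherwise prints
# the first failing check and returns 1.
check_peap_cert() {
    cert="$1"
    host="$2"

    # Expired (or unreadable) certificate: -checkend 0 fails once the notAfter date has passed.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "FAIL: certificate has expired"
        return 1
    fi

    # A client-authentication-only certificate is rejected by PEAP supplicants:
    # the EKU list must contain TLS Web Server Authentication (1.3.6.1.5.5.7.3.1).
    if ! cert_ext_values "$cert" extendedKeyUsage | grep -qx 'TLS Web Server Authentication'; then
        echo "FAIL: extendedKeyUsage lacks Server Authentication"
        return 1
    fi

    # The RADIUS host name must appear as a DNS SAN so the supplicant's name check can succeed.
    if ! cert_ext_values "$cert" subjectAltName | grep -qx "DNS:$host"; then
        echo "FAIL: subjectAltName has no DNS:$host entry"
        return 1
    fi

    echo "OK"
    return 0
}

# make_sample_certs DIR: constructed self-signed test certificates (not real NPS certs):
#   good.pem       - serverAuth EKU, SAN matches the RADIUS host
#   clientonly.pem - clientAuth EKU only (the "wrong kind" of certificate)
#   wrongname.pem  - serverAuth EKU but SAN for a different host
make_sample_certs() {
    dir="$1"
    for spec in \
        "good:nps.example.edu:serverAuth,clientAuth" \
        "clientonly:nps.example.edu:clientAuth" \
        "wrongname:nps-old.example.edu:serverAuth"; do
        name=${spec%%:*}; rest=${spec#*:}
        san=${rest%%:*}; eku=${rest#*:}
        openssl req -x509 -newkey rsa:2048 -nodes -days 730 \
            -keyout "$dir/$name.key" -out "$dir/$name.pem" \
            -subj "/CN=$san" \
            -addext "subjectAltName=DNS:$san" \
            -addext "extendedKeyUsage=$eku" >/dev/null 2>&1
    done
}

# Demo run against the constructed certificates.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
make_sample_certs "$demo_dir"
for n in good clientonly wrongname; do
    printf '%-11s %s\n' "$n:" "$(check_peap_cert "$demo_dir/$n.pem" nps.example.edu)"
done
```

Run it as `sh check_peap_cert.sh`; to test a real certificate, call `check_peap_cert /path/to/nps.pem <radius-host>` with the host name clients will be told to expect. The script does not verify the chain to a trusted root, because which roots count as trusted depends on the client (a domain PC trusting the internal CA via GPO versus a BYOD phone with only its built-in public roots); that is exactly the difference between the internal-CA and 3rd-party-certificate options discussed above.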

WLC configuration for authenticating wireless username/password

Hello Scott,

Thank you for the post. PEAP is the way that I had in mind. I'm in a school (college) environment. I want it to be as seamless as possible for my users and students. Everyone here has an AD account but not all of them have a domain computer. iPhones, iPads, laptops, Android phones, even wireless point-of-sale terminals... You know the drill. For monitoring, it's nice to have the username of the person who is connected to our wireless environment.

Regards,

WLC configuration for authenticating wireless username/password

Yeah, you're touching on some of the biggest challenges, particularly in environments like Education where you need to be able to secure logins and quite often log web traffic as well, therefore requiring additional authentication on your proxy server etc. BYOD is causing a lot of headache!

Good luck with your deployment.


Re: WLC configuration for authenticating wireless username/passw

It really comes down to what you can manage. GPO can be used for your domain computers, but for the rest you do have to rely on PEAP. RADIUS should keep accounting of the login and the WLC will show the username for that client device. It's when you want to allow this but not allow that, or they can get on and access these resources but a student can't, that ISE comes in handy, because you can profile device types. Many schools I have done will use GPO for the most part and then manually have to touch other devices or put out a guide on how to connect. You know that by now :)


-Scott

WLC configuration for authenticating wireless username/password

Information About Captive Bypassing

WISPr is a draft protocol that enables users to roam between different wireless service providers. Some devices (for example, Apple iOS devices) have a mechanism with which they can determine if the device is connected to the Internet, based on an HTTP WISPr request made to a designated URL. This mechanism is used to allow users to launch the web browser if they need to provide credentials to access the Internet, and the actual authentication is done in the background every time the device connects to a new SSID.

This HTTP request triggers a webauth interception in the controller as any other page requests are performed by a wireless client. This interception leads to a webauth process, which will be completed normally. If the webauth is being used with any of the controller splash page features (URL provided by a configured RADIUS server), the splash page may never be displayed because the WISPr requests are made at very short intervals, and as soon as one of the queries is able to reach the designated server, any web redirection or splash page display process that is performed in the background is aborted, and the device processes the page request, thus breaking the splash page functionality.

For example, Apple introduced an iOS feature to facilitate network access when captive portals are present. This feature detects the presence of a captive portal by sending a web request on connecting to a wireless network and directs the request to http://www.apple.com/library/test/success.html. If a response is received, then Internet access is assumed to be available and no further interaction is required. If no response is received, then Internet access is assumed to be blocked by the captive portal and Apple's Captive Network Assistant (CNA) auto-launches the pseudo-browser to request portal login in a controlled window. The CNA may break when redirecting to an ISE captive portal. The controller prevents this pseudo-browser from popping up.

You can now configure the controller to bypass WISPr detection process, so the webauth interception is only done when a user requests a webpage leading to splash page load in user context, without the WISPr detection being performed in the background.

Configuring Captive Bypassing (CLI)

Use these commands to configure captive bypassing:

    config network web-auth captive-bypass {enable | disable}—Enables or disables the controller to support bypass of captive portals at the network level.

    show network summary—Displays the status for the WISPr protocol detection feature.

Note: for more information on configuring captive bypassing, see http://www.cisco.com/en/US/docs/wireless/controller/7.4/configuration/guides/consolidated/b_cg74_CONSOLIDATED_chapter_01010101.html

WLC configuration for authenticating wireless username/password

Thanks for that completely unrelated response, Basant.


WLC configuration for authenticating wireless username/password

Hello everyone,

I would like to thank everybody who contributed to my request / question. I actually requested a Server/Client certificate from GlobalSign ($36 for 2 years) and implemented it in my NPS. I've used this procedure to request a certificate: https://wiki.cac.washington.edu/pages/viewpage.action?pageId=28940090

Configured PEAP with my NPS and WLC. Now, almost all clients can authenticate with their device, even Windows 7. The only message that I get is this one on Windows 7.

They only have to click on connect. The client does not have the root certificate or the intermediate certificate in their store. For now I only have one Samsung phone that couldn't authenticate.

Your thoughts and feedback are gladly appreciated. Thanks...

Dave
