I am investigating the use of EAP-TLS for authenticating clients through a MS NPS radius server for WLC WLAN using WPA-WPA2 for security with 802.1x for auth-key managment. We're trying to decide whether to use PEAP and AD account authentication or require client certificates issued by AD certifcate services. PEAP is working fine if we choose that auth method in our NPS radius network policy, but if we switch this to "smart card or other certificate" for client cert auth it does not work. The wireless profile on the Windows client is set up for WPA2/AES with "Microsoft: smart card or other certificate" for network auth. The 802.1x settings specify "User Authentication" and a user cert for the logged in user from ADCS is installed on the machine. The failure to connect reports "The certificate required to connect to this network can't be found on your computer". When I switch to Computer Authentication the error changes to "Network authentication failed due to a problem with the user account," though a valid machine cert also exists on the computer.
When I attempt to use cert auth I see no auth requests logged on the RADIUS server. I ran MS netmon on both the client and NPS server and I also see no requests coming in from the WLC to NPS. When using PEAP I do see EAP requests and responses between NPS and the WLC and radius requests logged. On the client end I do see an EAP request to the WAP when attempting cert auth, but no messages between the WLC and NPS.
It's also interesting that when I change the WLAN to use 802.1x and WEP encryption for layer 2 auth the cert auth worked first time, though I haven't been able to get that working since. Windows now complains I am missing a cert for that. In any case, what I really want is WPA2/AES with 802.1x cert auth and would like to get this working.
Is anyone using EAP-TLS with MS NPS radius and a WLC successfully? Any ideas on how to troubleshoot this or why I'm not seeing any traffic between WLC and NPS radius when attempting cert auth?
WLC or any AAA client acts in pass through mode after initialy generating EAP-identity request so it has nothing to with EAP type. AAA client will behave the same no matter if you use PEAP , EAP-TLS or LEAP .....
The error message that you have reported is clearly sayign that your client doesn't have certificate to submit agains the back-end authentication server and accordingly the process fails . If you are not saying anything sent from WLC to NPS , it makes sense , because when the WLC initialy generate eap-identity request your client fails to answer and accordingly nothing is being sent to NPS server.
In order to verify that we need ' debug client < mac address of the client > ' from the WLC while trying to connect to make sure that is the case.
Also make sure that your client has certificate that is binded to a user account defined on your AD in away or another to have it working.
Transferring Crash file from standby: Login to the Active WLC in HA.
From CLI: (Cisco Controller) >transfer upload datatype crash (Cisco
Controller) >transfer upload filename (Cisco
Controller) >transfer upload mode tftp (Cisco Controller) >transfer
This is the start of a display filter cross reference between Wireshark
and OmniPeek. The 1st installment is a table of advanced filters. More
filters will be added as time allows. It is a living doc, so check back
for changes every so often Please feel f...