
EAP-FAST configuration guide for ACS 5.1 with WLC

     

    Introduction

    This document is a configuration example showing how to configure a WLC with ACS 5.1 for EAP-FAST authentication. EAP-FAST is used for 802.1x authentication with automatic or manual PAC provisioning. The wireless client used in the example is ADU on a Windows machine.

    Network Diagram

     

    1.jpg

    Configuration ACS 5.1

    1. Add the WLC under Network Devices as an AAA client. Go to Network Resources-->Network Devices and AAA clients-->create.

    2.jpg

     

    Note: The settings for Network Device Groups are left at their defaults and can be adjusted to the user’s requirements.

    2. Configure Access Policies --> Access Services

    3.jpg

     

    4.jpg

     

    Note: Select Default Network Access as the Service, with EAP-FAST.

    In the example below we have selected the “Internal Users” store. It can be changed to AD or another available external database.

    5.jpg

     

    Click User and Identity Stores-->Internal Identity Stores-->Users, then click the Create button to create a new user account.

    6.jpg

     

    Add the Name, Description, Identity Group and password, and select the status (enable/disable). After filling in the required fields, click Submit.

    7.jpg

     

    The user “Test User” has now been created and its status is Active.

    8.jpg

     

    Configure Service Selection Rules

    Go to Access Policies-->Access Services-->Service Selection Rules. In this example we have selected the default Service Selection Rules. The Access Service has to be adjusted as per requirement.

    9.jpg

     

    WLC Configuration

    Requirement: For this example, basic configuration is already done on the WLC so that an SSID with WPA-PSK works.

    Configure AAA server on WLC

    Security-->AAA-->Radius-->Authentication-->Add new AAA server-->save configuration.

    10.jpg

     

    Configuring WLAN

    A WLAN “TEST” is created with the SSID TEST. The Status check box is checked in order to enable the WLAN. Security policy and other settings can be selected as required. Click Apply to save the configuration.

    11.jpg

     

    Select an encryption type that your wireless client supports. In this example we have selected WPA+WPA2 as the L2 security. Click Apply to save the settings.

    12.jpg

     

    WLAN-->Security-->AAA server-->select the AAA server from the drop-down list. Also verify that Radius is selected on top under “Authentication priority order used for authentication”.

    13.jpg
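
For reference, the WLC steps above (RADIUS server, WLAN, L2 security, AAA server binding) expressed as AireOS controller CLI commands. This is an added example, not part of the original guide; `<ACS_IP>`, `<SHARED_SECRET>`, `<CLIENT_MAC>`, server index 1, WLAN ID 1 and port 1812 are assumed placeholders.

```text
# Added example: AireOS WLC CLI equivalent of the GUI steps above.
# Lines starting with '#' are annotations, not commands.
# Assumed placeholders: <ACS_IP>, <SHARED_SECRET>, <CLIENT_MAC>,
# RADIUS server index 1, WLAN ID 1, authentication port 1812.

# 1. Define the ACS as RADIUS authentication server (index 1).
#    <SHARED_SECRET> must match the secret entered for this WLC
#    under Network Devices and AAA Clients on the ACS.
config radius auth add 1 <ACS_IP> 1812 ascii <SHARED_SECRET>
config radius auth enable 1

# 2. Create WLAN 1 with profile name TEST and SSID TEST.
config wlan create 1 TEST TEST

# 3. L2 security WPA+WPA2 with 802.1X key management, so clients
#    authenticate with EAP (here EAP-FAST) against the RADIUS server.
#    Ciphers are not stated on the page; set them to suit the client:
#    config wlan security wpa {wpa1|wpa2} ciphers {aes|tkip} enable 1
config wlan security wpa enable 1
config wlan security wpa wpa1 enable 1
config wlan security wpa wpa2 enable 1
config wlan security wpa akm 802.1x enable 1

# 4. Bind RADIUS server index 1 to WLAN 1, enable the WLAN, save.
config wlan radius_server auth add 1 1
config wlan enable 1
save config

# 5. Verify the server and WLAN settings, then watch one client
#    while it authenticates.
show radius summary
show wlan 1
debug client <CLIENT_MAC>
```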

     

    Wireless Client Configuration

    14.jpg

     

    Under Profile Management-->Security, select the same configuration as on the WLC. The EAP type will be EAP-FAST.

     

    15.jpg

     

    The EAP-FAST authentication method will be MSCHAPv2. Check the box for Allow Automatic PAC provisioning.

    16.jpg

     

    17.jpg

     

    Enter the user name and password in order to connect to the SSID “TEST”.

    18.jpg

     

    After the user credentials are entered, the EAP-FAST authentication process starts.

    19.jpg

     

    Once authentication has passed, the client waits for an IP address.

    20.jpg

     

    21.jpg

     

    Configuring Manual PAC provisioning in ACS

    System Administration-->Configuration-->Global System Options-->EAP-FAST-->Settings.

     

    22.jpg

     

    To generate the PAC for the user “Test User”, select the name, PAC time to live and password of the user. Go to System Administration-->Configuration-->Global System Options-->EAP-FAST-->Generate PAC.

    23.jpg

     

    The User will be prompted to save the PAC file on the local machine.

    24.jpg

    Video - Wireless Client Connectivity with ACS 5.x and Wireless LAN Controller (WLC)

    Varun Ajmani is a Wireless Expert in Cisco TAC. In this video, Varun shows how to configure the Wireless LAN Controller (WLC) for Extensible Authentication Protocol (EAP) authentication with the use of an external RADIUS server such as Access Control Server (ACS) 5.2.

    The configuration includes the Wireless LAN Controller, Cisco ACS 5.2 and the wireless client. In this video, the EAP type shown is EAP-FAST. The video also covers how to check the debugs when authentication passes or fails.

    Related Links

    Cisco Secure Services Client with ACS 4.x, EAP-FAST Authentication

    EAP-FAST Version 1.02 Configuration Guide with ACS 3.2

    User Guide for the Cisco Secure Access Control System 5.1

    Comments
    Cisco Employee

    Awesome compilation of the steps with the snapshots!
