This document describes the configuration example on “How to configure WLC with ACS 5.1 with EAP-FAST authentication”. EAP-FAST is used for 802.1x authentication with Auto/manual PAC provisioning. Wireless Client used in the example is ADU on windows machine.
Configuration ACS 5.1
We need to add WLC under Network Devices as a AAA client. Go to Network Resources-->Network Devices and AAA clients-->create.
Note: -The settings for Network Device Groups are default which can be adjusted per user’s requirement.
2. Configure Access Policies --> Access Services
Note: - Select Default Network Access as Service with EAP-FAST.
In the below example we have selected “Internal Users” stores, It can be changed to AD or other available external Database.
Click on User and Identity Stores-->Internal Identity Stores-->Users. Click on Create button to create a new user account.
Add the Name, Description, Identity Group, password and select the status (enable/disable). After adding the required field click on submit.
Now the User “Test User” has been created and status is Active.
Configure Service Selection Rules
Go to Access Policies-->Access Services-->Service Selection Rules. In this example we have selected the default Service Selection Rules. The Access Service has to be adjusted as per requirement.
Requirement: Basic configuration is already done on WLC so that SSID with WPA-PSK work for this example configuration.
Configure AAA server on WLC
Security-->AAA-->Radius-->Authentication-->Add new AAA server-->save configuration.
“TEST” WLAN is created with SSID as TEST. The status check box has been checked in order to enable the WLAN. Security policy and other settings can be selected as per requirement. Click on apply in order to save the configuration.
Encryption can be selected which support your Wireless Client. In this example we have selected WPA+WPA2 as L2 security. Click on apply to save the settings.
WLAN-->Security-->AAA serveràselect the AAA server from the drop down list. Also please verify if Radius is selected on top under “Authentication priority order used for authentication”.
Wireless Client Configuration
Under profile Management --> Security --> selecting the same configuration as done on WLC. EAP type will be EAP-FAST.
EAP-FAST Authentication Method will be MSCHAPv2. Check the box for Allow Automatic PAC provisioning.
Enter User Name and password in order to connect to the SSID “TEST”.
After entering the User credential, the EAP-FAST authentication process will start.
Once the Authentication is passed, it will wait for the ip address.
Configuring Manual PAC provisioning in ACS
System Administration-->configuration-->Global system options-->EAP-FAST->Settings.
In order to generate the PAC for User “Test User”, please select the name, PAC time to live and password of the user. Go to System Administration-->Configuration-->Global System Options-->EAP-FAST-->Generate PAC.
The User will be prompted to save the PAC file on the local machine.
Video - Wireless Client Connectivity with ACS 5.x and Wireless LAN Controller (WLC)
Varun Ajmani is a Wireless Expert in Cisco TAC. In this Video, Varun has shown How to configure the Wireless LAN controller (WLC) for Extensible Authentication Protocol (EAP) authentication with the use of an external RADIUS server such as Access Control Server (ACS) 5.2.
The configuration includes wireless LAN Controller, Cisco ACS 5.2 and wireless client. In this video, we have shown the EAP type as EAP-FAST. This video also includes how to check the Debugs when the authentication passes or fails.