EAP-TLS on the WLC


Certificates are always difficult. Why? Because we don’t work with them often, but once you understand how everything works, it’s very easy.

First I created a certificate request with OpenSSL.

OpenSSL> req -new -newkey rsa:1024 -nodes -keyout mykey.pem -out myreq.pem

You are asked some questions and fill in the values you want.

Now open the myreq.pem file in WordPad and copy its contents to the CA server as a certificate request.

When the certificate is issued, download it as a Base64 file.
Copy this file to the OpenSSL/bin folder.

OpenSSL> pkcs12 -export -in CA.pem -inkey mykey.pem -out CA.p12 -clcerts -passin pass:check123 -passout pass:check123

Where check123 is the password.

OpenSSL> pkcs12 -in CA.p12 -out final.pem -passin pass:check123 -passout pass:check123

Now we can upload the final.pem to the WLC.

The WLC also needs the CA root certificate. It’s the same procedure, but you can also use Mozilla. (See Jerome’s YouTube videos.)
Upload this CA root cert to the WLC as well.
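As an added example (not part of the original post), here are the same OpenSSL steps as a non-interactive POSIX shell script, with a throw-away self-signed root standing in for the CA server and two checks a practitioner wants before uploading final.pem: the certificate chains to the root you also upload, and the private key in final.pem belongs to that certificate. The names (Lab Root CA, wlc.example.test), the 30-day validity and the rsa:2048 key size are assumptions; the password check123 is the post’s.

```shell
#!/bin/sh
# Added example, not the original post's commands: reproduce the OpenSSL
# steps non-interactively and verify the bundle before uploading to the WLC.
# The self-signed root below is a constructed stand-in for the enterprise CA.
set -eu

build_wlc_bundle() {
  work=$(mktemp -d)
  cd "$work"
  # Stand-in for the CA server: a self-signed root (constructed, 30 days).
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Lab Root CA" \
      -keyout caroot.key -out CAroot.pem >/dev/null 2>&1
  # Step 1 (as in the post): key + CSR for the WLC; -subj replaces the prompts.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=wlc.example.test" \
      -keyout mykey.pem -out myreq.pem >/dev/null 2>&1
  # Stand-in for "submit myreq.pem to the CA, download as Base64": sign the CSR.
  openssl x509 -req -in myreq.pem -CA CAroot.pem -CAkey caroot.key \
      -CAcreateserial -days 30 -out CA.pem >/dev/null 2>&1
  # Step 2: bundle certificate + key into PKCS#12 with password check123.
  openssl pkcs12 -export -in CA.pem -inkey mykey.pem -out CA.p12 -clcerts \
      -passin pass:check123 -passout pass:check123
  # Step 3: back to one PEM (cert + encrypted key) for the WLC upload.
  openssl pkcs12 -in CA.p12 -out final.pem \
      -passin pass:check123 -passout pass:check123
  # Check 1: final.pem validates against the root that is also uploaded.
  openssl verify -CAfile CAroot.pem final.pem >/dev/null
  # Check 2: the key inside final.pem matches the certificate inside it.
  cert_pub=$(openssl x509 -in final.pem -noout -pubkey)
  key_pub=$(openssl pkey -in final.pem -passin pass:check123 -pubout)
  cd / && rm -rf "$work"
  [ "$cert_pub" = "$key_pub" ] || { echo MISMATCH; return 1; }
  echo OK
}

build_wlc_bundle
```

A wrong -inkey in step 2 shows up as MISMATCH here rather than as a failed EAP-TLS handshake on the WLC.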

Now we can create a local EAP profile on the WLC:

Make sure that the AAA Server of the WLAN is set to local EAP authentication.

If you have configured a RADIUS server on the WLC, make sure it’s DISABLED!
Even though it’s not selected for the WLAN, if it’s enabled, the WLC will contact the RADIUS server first!

Of course you’ll also have to create a certificate for the client.
First create an AD user and request a user certificate (see the links below).

Create an EAP-TLS profile on the client with the correct certificate.

Here you see the client information:

I used the documentation at:

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00806e367a.shtml

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a008068d45a.shtml

About Joost van der Made


One response to “EAP-TLS on the WLC”

  1. Pablo says:

    Great info. I set it up and everything works up to the part where I revoke the certificate from the CA. Is there something on the WLC to ask for revocation information from the CA? Thanks.
