EAP-TLS on the WLC
Certificates are always difficult. Why? Because we don't work with them often, but once you know how everything works, it's very easy.
First I created a certificate request with the tool OpenSSL.
OpenSSL>req -new -newkey rsa:1024 -nodes -keyout mykey.pem -out myreq.pem
You get some questions and fill in the things you want.
Now open the myreq.pem file with WordPad and copy the content to the CA server as a Certificate Request.
When the certificate is issued, download it as a BASE64 file.
Copy this file to the OpenSSL/bin folder.
openssl>pkcs12 -export -in CA.pem -inkey mykey.pem -out CA.p12 -clcerts -passin pass:check123 -passout pass:check123
Where check123 is the password.
openssl>pkcs12 -in CA.p12 -out final.pem -passin pass:check123 -passout pass:check123
Now we can upload the final.pem to the WLC.
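The OpenSSL part of the procedure above, as an added example that is not from the original post: a POSIX shell function that builds a throwaway local CA in place of the real CA server, runs the same req and pkcs12 commands, and then checks the result before it is uploaded. The password check123 and the file names mykey.pem, myreq.pem, CA.pem, CA.p12 and final.pem are the post's; the names CAroot.pem, caroot.key and ca.cnf, the subject names, the 2048-bit key size and the mktemp working directory are assumptions made here.

```shell
#!/bin/sh
# Added example (not from the original post): the post's OpenSSL steps run end to
# end against a throwaway local CA that stands in for the real CA server, followed
# by the checks worth doing before uploading final.pem to the WLC.
# Assumptions (constructed for this demo): an `openssl` binary (1.1.1 or 3.x) on
# PATH, the subject names below, and the password check123 taken from the post.

build_wlc_bundle() (
  set -e
  workdir=$(mktemp -d)
  cd "$workdir"
  pw=check123   # same password as the post; use a strong one in production

  # Minimal config so `openssl req` works without a system openssl.cnf.
  # The v3_ca section is only applied to the self-signed root (step 1).
  cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[ dn ]
CN = Constructed Test Root CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF

  # 1. Stand-in for the CA server: a self-signed root (the post gets this from the CA).
  openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -keyout caroot.key \
      -out CAroot.pem -days 365 2>/dev/null

  # 2. The post's CSR step (2048-bit key instead of the post's rsa:1024).
  openssl req -new -config ca.cnf -subj "/CN=wlc.example.test" -newkey rsa:2048 \
      -nodes -keyout mykey.pem -out myreq.pem 2>/dev/null

  # 3. What the CA server does with the pasted myreq.pem: issue the cert as BASE64/PEM.
  #    Kept under the post's file name CA.pem, although it is the WLC's own certificate.
  openssl x509 -req -in myreq.pem -CA CAroot.pem -CAkey caroot.key -CAcreateserial \
      -days 365 -out CA.pem 2>/dev/null

  # 4. The post's PKCS#12 export (key + cert only, no chain, because of -clcerts) ...
  openssl pkcs12 -export -in CA.pem -inkey mykey.pem -out CA.p12 -clcerts \
      -passin "pass:$pw" -passout "pass:$pw"

  # 5. ... and the conversion back to one PEM with the cert and the encrypted key.
  openssl pkcs12 -in CA.p12 -out final.pem -passin "pass:$pw" -passout "pass:$pw"

  # Pre-upload checks:
  # (a) final.pem carries both the certificate and a password-protected private key
  grep -q 'BEGIN CERTIFICATE' final.pem
  grep -q 'PRIVATE KEY' final.pem
  # (b) the WLC cert chains to the root that will also be uploaded to the WLC
  openssl verify -CAfile CAroot.pem CA.pem >/dev/null
  # (c) key and certificate belong together (same RSA modulus)
  [ "$(openssl x509 -noout -modulus -in CA.pem)" = "$(openssl rsa -noout -modulus -in mykey.pem)" ]

  echo "$workdir/final.pem"   # path of the file to upload, printed only on success
)

build_wlc_bundle
```

The function exits non-zero as soon as any step or check fails, so a bad bundle never gets a path printed. Because the key inside final.pem is encrypted with check123, the WLC has to be given that password when the file is uploaded; the 1024-bit key from the post's own command is below what current guidance recommends, which is why the example uses 2048 bits.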
The WLC also needs the CA root certificate. It's the same procedure, but you can also use Mozilla. (See the YouTube videos by Jerome.)
Upload this CA root cert to the WLC as well.
If you have configured a RADIUS server on the WLC, make sure it's DISABLED!
Even if it's not selected at the WLAN, when it's enabled the WLC will contact the RADIUS server first!!!!
Of course you'll have to create a certificate for the client.
First make an AD user and request a user certificate. (See the links.)
Create an EAP-TLS profile on the client with the correct certificate.
I used the documentation of: