Configuring EAP-TLS on WLC

Upload: virender-kumar

Posted on 02-Jun-2018


    8/10/2019 Configuring EAP-TLS on WLC

    mrn-cciew ~ My CCIE Wireless Journey & More..

    Tags: EAP TLS on WLC, Open SSL 0_9_8y

    In this post we will see how to configure EAP-TLS on a wireless controller. It is assumed that
    you have a PC which already has the certificates installed (User Certificate & Root CA Certificate).
    You can learn how to do this by following the YouTube video from Jerome (it is one of a 7-part series
    covering all about EAP-TLS on clients, WLC & ACS, and you should not miss these):

    EAP-TLS configuration on wireless client (http://www.youtube.com/watch?v=UBE5s6qY5xY)

    As you are aware, for EAP-TLS to work the WLC should have two certificates installed on it:

    1. Device Certificate issued to the WLC

    2. Root Certificate of a CA

    Since the WLC cannot generate a CSR (Certificate Signing Request) by itself, 3rd-party software
    (called OpenSSL) has to be used to do this. Again, finding a version of OpenSSL that
    works well for this is a challenge in itself. After a few trials & errors & reading a few forum discussions I
    found that the OpenSSL 0_9_8y version works well with my WLC. You can download it from this link
    (http://slproweb.com/products/Win32OpenSSL.html).

    Here are the installation steps I have followed to get this working.

    Posted by Rasika Nayanajith in WLAN Security, WLC Features | 2 comments | Monday, Apr 22, 2013

    Configuring EAP-TLS on WLC | mrn-cciew 5/2/2014
    http://mrncciew.com/2013/04/22/configuring-eap-tls-on-wlc/

    Once the installation is completed you can open a Command Prompt (Run as Administrator) & run the
    OpenSSL application. The Cisco document (Doc ID#75584,
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00806e367a.shtml)
    describes the below process with respect to generating a CSR for authentication of a WLC.

    C:\Windows\system32>cd..
    C:\Windows>cd..
    C:\>cd/OpenSSL/bin
    C:\OpenSSL\bin>openssl
    OpenSSL>
    OpenSSL> req -new -newkey rsa:1024 -nodes -keyout wlc1key.pem -out wlc1req.pem
    Loading 'screen' into random state - done
    Generating a 1024 bit RSA private key
    ...............................................................................
    +++++
    ..............++++++
    writing new private key to 'wlc1key.pem'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:
    State or Province Name (full name) [Some-State]:VIC
    Locality Name (eg, city) []:MEL
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:
    Organizational Unit Name (eg, section) []:
    Common Name (e.g. server FQDN or YOUR name) []:WLC1.mrn.com
    Email Address []:[email protected]

    Please enter the following 'extra' attributes to be sent with your certificate request
    A challenge password []:cisco123
    An optional company name []:
    OpenSSL>

    I have given my WLC name as the Common Name. If you are doing this for Web Authentication you
    have to give the DNS name of the WLC virtual IP instead. This creates two files in the OpenSSL bin folder
    named wlc1key.pem & wlc1req.pem. You have to open wlc1req.pem in Notepad & use
    its contents to submit the CSR to your Certificate Authority.


    I have used Microsoft PKI as my CA, installed on a Windows 2008 server. You have to use the
    Administrator account of that server to do this & the URL for accessing it is
    192.168.200.1/certsrv, where 192.168.200.1 is the server IP. You will see a page like this.

    Then you have to click on "Submit an advanced certificate request" as shown below.

    Then you need to paste the Notepad output of wlc1req.pem & select the template type as Web
    Server & hit the Submit button as shown below.

    Then you can download the file. Ensure you selected the Base 64 encoded option. I have named
    it wlc1ca.cer & put it in the same bin folder where wlc1key.pem is.


    Now, using the following OpenSSL commands, you can merge the wlc1key file & the wlc1ca
    file. You also have to convert the final file to .pem before uploading it to the WLC. Note that we have
    given the password mrncciew & you need to configure this on the WLC when downloading the certificate onto
    it.

    OpenSSL> pkcs12 -export -in wlc1ca.cer -inkey wlc1key.pem -out wlc1ca.p12 -clcerts -passin pass:mrncciew -passout pass:mrncciew
    Loading 'screen' into random state - done
    OpenSSL> pkcs12 -in wlc1ca.p12 -out wlc1ca.pem -passin pass:mrncciew -passout pass:mrncciew
    MAC verified OK
    OpenSSL>

    Then you can download this wlc1ca.pem file onto the WLC.
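    The OpenSSL side of the procedure above, run end to end as an added example (not code from the original post): a throwaway lab CA stands in for the Windows 2008 PKI, -subj answers the DN prompts, and the bundle is checked before it would be pushed to the controller (device cert chains to the CA, the key in the bundle belongs to the cert, the CN is the controller name). The lab CA name, 2048-bit keys and the scratch directory are assumptions; the file names and the mrncciew password are the post's.

```shell
#!/bin/sh
# Added example, not from the original post. Reproduces the OpenSSL steps of
# the procedure non-interactively and checks the result before upload.
# Assumptions (constructed): the lab CA below stands in for the Windows 2008
# PKI; keys are 2048-bit rather than the post's 1024-bit; $1 is a scratch dir.
set -eu

CN="WLC1.mrn.com"        # Common Name used in the post
EXPORT_PASS="mrncciew"   # must match "transfer download certpassword" on the WLC

build_wlc_bundle() (
  set -e
  mkdir -p "$1" && cd "$1"

  # Throwaway CA (constructed) standing in for the Microsoft CA.
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 \
    -keyout lab-ca.key -out lab-ca.pem -subj "/CN=MRN Lab CA" 2>/dev/null

  # Step 1 of the post: controller key + CSR; -subj answers the DN prompts.
  openssl req -new -newkey rsa:2048 -nodes -keyout wlc1key.pem \
    -out wlc1req.pem -subj "/C=AU/ST=VIC/L=MEL/CN=$CN" 2>/dev/null

  # Step 2: the CA signs the CSR; this is the Base 64 "wlc1ca.cer" download.
  openssl x509 -req -in wlc1req.pem -CA lab-ca.pem -CAkey lab-ca.key \
    -CAcreateserial -days 365 -out wlc1ca.cer 2>/dev/null

  # Step 3: merge key + cert into PKCS#12, then back out to the passphrase-
  # protected PEM the WLC takes as datatype eapdevcert.
  openssl pkcs12 -export -in wlc1ca.cer -inkey wlc1key.pem -out wlc1ca.p12 \
    -clcerts -passout pass:"$EXPORT_PASS"
  openssl pkcs12 -in wlc1ca.p12 -out wlc1ca.pem \
    -passin pass:"$EXPORT_PASS" -passout pass:"$EXPORT_PASS"
)

# Checks worth running before "transfer download start".
check_bundle() {
  b="$1/wlc1ca.pem"
  # Device cert chains to the CA the WLC will hold as eapcacert.
  openssl verify -CAfile "$1/lab-ca.pem" "$1/wlc1ca.cer" >/dev/null || return 1
  # Cert and key inside the bundle belong together (same public key).
  cert_pub=$(sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' "$b" \
             | openssl x509 -noout -pubkey)
  key_pub=$(sed -n '/BEGIN .*PRIVATE KEY/,/END .*PRIVATE KEY/p' "$b" \
            | openssl pkey -passin pass:"$EXPORT_PASS" -pubout)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] || return 1
  # Common Name is the controller's name, as the post uses for EAP-TLS.
  sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' "$b" \
    | openssl x509 -noout -subject | grep -q "CN *= *$CN"
}

# Stand-alone use: sh build-wlc-bundle.sh /tmp/wlc-certs
if [ -n "${1:-}" ]; then
  build_wlc_bundle "$1" && check_bundle "$1" && echo "wlc1ca.pem ready for upload"
fi
```

    The same check_bundle logic applies to a bundle built against the real CA: point -CAfile at the exported Root CA .pem that is later downloaded as eapcacert.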

    (WLC1) >transfer download datatype eapdevcert
    (WLC1) >transfer download path .
    (WLC1) >transfer download filename wlc1ca.pem
    (WLC1) >transfer download certpassword mrncciew
    Setting password to
    (WLC1) >transfer download serverip 192.168.178.52
    (WLC1) >transfer download start
    Mode............................................. TFTP
    Data Type........................................ Vendor Dev Cert
    TFTP Server IP................................... 192.168.178.52
    TFTP Packet Timeout.............................. 6
    TFTP Max Retries................................. 10
    TFTP Path........................................ ./
    TFTP Filename.................................... wlc1ca.pem
    This may take some time.
    Are you sure you want to start? (y/N) y
    TFTP EAP Dev cert transfer starting.
    Certificate installed.
    Reboot the switch to use new certificate.
    (WLC1) >reset system

    Now you need to install the Root CA certificate on the WLC. Since you have already installed the Root CA
    on your client, you can export it using Firefox into your TFTP folder, then download
    it to your WLC. See the Firefox screen captures below for how to do this.


    Now you can download this Root CA to your controller as follows. You can use the WLC GUI as well.

    (WLC1) >transfer download mode tftp
    (WLC1) >transfer download filename mrn-W2K8-CA.pem
    (WLC1) >transfer download datatype eapcacert
    (WLC1) >transfer download path .
    (WLC1) >transfer download serverip 192.168.178.52
    (WLC1) >transfer download start
    Mode............................................. TFTP
    Data Type........................................ Vendor CA Cert
    TFTP Server IP................................... 192.168.178.52
    TFTP Packet Timeout.............................. 6
    TFTP Max Retries................................. 10
    TFTP Path........................................ ./
    TFTP Filename.................................... mrn-W2K8-CA.pem
    This may take some time.
    Are you sure you want to start? (y/N) y
    TFTP EAP CA cert transfer starting.
    Certificate installed.
    Reboot the switch to use new certificate.
    (WLC1) >reset system

    We will configure an SSID with authentication via WLC Local EAP. Here are the Local EAP Profile
    settings. Note that the Certificate Issuer is selected as Vendor.


    Here are the WLAN settings.

    Now it is ready to test with a client. Here is a successful user authentication using the Local EAP profile
    configured for EAP-TLS.

    These two videos from Jerome explain how to configure this & I referred to them to make this post.

    1. EAP-TLS on a WLC Part 1

    2. EAP-TLS on a WLC Part 2

    In a future post we will see how to configure this on ACS 5.2.


    Maksym said: December 9, 2013 at 5:54 pm

    Your blog is really fantastic, Rasika! Thank you for sharing your study!
    In the lab equipment there is no OpenSSL soft. How are we supposed to configure certificates there?

    nayarasi said: December 9, 2013 at 7:23 pm

    Thanks for the feedback about my blog.. really appreciated.
    Regarding the EAP-TLS certs during the exam, these are pre-loaded & you do not expect to
    install certificates during the lab exam.
    HTH
    Rasika
