Configuring EAP-TLS on WLC | mrn-cciew

5/2/2014

22 Monday Apr 2013
Configuring EAP-TLS on WLC


Posted by Rasika Nayanajith in WLAN Security, WLC Features


In this post we will see how to configure EAP-TLS on a wireless controller. It is assumed that
you have a PC on which the certificates (User Certificate & Root CA Certificate) are already
installed. You can learn how to do this by following the YouTube video from Jerome. (It is one of
a 7-part series covering all about EAP-TLS on clients, WLC and ACS & you should not miss these.)

EAP TLS on WLC, Open SSL 0_9_8y

EAP-TLS configuration on wireless client


As you are aware, for EAP-TLS to work the WLC should have two certificates installed on it:
1. Device Certificate issued to the WLC
2. Root Certificate of a CA
Since the WLC cannot generate a CSR (Certificate Signing Request) by itself, a 3rd party software
(called OpenSSL) has to be used to do this. Again, finding a version of OpenSSL that works well
for this is a challenge in itself. After a few trials & errors & reading a few forum discussions I
found the OpenSSL 0_9_8y version works well with my WLC. You can download it from this link.
Here are the installation steps I have followed to get this working.


Once the installation is completed you can open a Command Prompt (Run as Administrator) & run
the OpenSSL application. The Cisco document (Doc ID#75584) describes the process below with
respect to generating a CSR for authentication of a WLC.

C:\Windows\system32>cd..
C:\Windows>cd..
C:\>cd /OpenSSL/bin
C:\OpenSSL\bin>openssl
OpenSSL>
OpenSSL> req -new -newkey rsa:1024 -nodes -keyout wlc1key.pem -out wlc1req.pem
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
...............................................................................+++++
..............++++++
writing new private key to 'wlc1key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:VIC
Locality Name (eg, city) []:MEL
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:WLC1.mrn.com
Email Address []:mrncciew@gmail.com

Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []:cisco123
An optional company name []:
OpenSSL>

I have given my WLC name as the Common Name. If you are doing this for Web Authentication you
have to give the DNS name of the WLC virtual IP instead. This will create two files in the OpenSSL
bin folder, named wlc1key.pem & wlc1req.pem. You have to open wlc1req.pem in Notepad & use
its contents to make the CSR via your Certificate Authority.


I have used Microsoft PKI as my CA, installed on a Windows 2008 server. You have to use the
Administrator account of that server to do this & the URL for accessing it is
192.168.200.1/certsrv where 192.168.200.1 is the server IP. You will see a page like this.

Then you have to click on Submit an Advanced Certificate Request as shown below.

Then you need to paste the Notepad output of wlc1req.pem & select the template type as Web
Server & hit the Submit button as shown below.

Then you can download the file. Ensure you selected the Base 64 encoded option. I have named
it wlc1ca.cer & put it in the same bin folder where wlc1key.pem is.


Now by using the following OpenSSL commands you can merge the wlc1key file & the wlc1ca file.
Also you have to make the final file a .pem prior to uploading it onto the WLC. Note that we have
given the password mrncciew & you need to configure this same password on the WLC when
downloading the file onto the WLC.

OpenSSL> pkcs12 -export -in wlc1ca.cer -inkey wlc1key.pem -out wlc1ca.p12 -clcerts -passin pass:mrncciew -passout pass:mrncciew
Loading 'screen' into random state - done
OpenSSL> pkcs12 -in wlc1ca.p12 -out wlc1ca.pem -passin pass:mrncciew -passout pass:mrncciew
MAC verified OK
OpenSSL>

Then you can download this wlc1ca.pem file onto the WLC.

(WLC1) >transfer download datatype eapdevcert
(WLC1) >transfer download path .
(WLC1) >transfer download filename wlc1ca.pem
(WLC1) >transfer download certpassword mrncciew
Setting password to <mrncciew>
(WLC1) >transfer download serverip 192.168.178.52
(WLC1) >transfer download start
Mode............................................. TFTP
Data Type........................................ Vendor Dev Cert
TFTP Server IP................................... 192.168.178.52
TFTP Packet Timeout.............................. 6
TFTP Max Retries................................. 10
TFTP Path........................................ ./
TFTP Filename.................................... wlc1ca.pem
This may take some time.
Are you sure you want to start? (y/N) y
TFTP EAP Dev cert transfer starting.
Certificate installed.
Reboot the switch to use new certificate.
(WLC1) >reset system

Now you need to install the Root CA certificate on the WLC. Since you have already installed the
Root CA on your client, you can export it using Firefox into your TFTP folder. Then you can
download it to your WLC. See the Firefox screen captures below for how to do this.


Now you can download this Root CA to your controller as follows. You can use the WLC GUI as well.

(WLC1) >transfer download mode tftp
(WLC1) >transfer download filename mrn-W2K8-CA.pem
(WLC1) >transfer download datatype eapcacert
(WLC1) >transfer download path .
(WLC1) >transfer download serverip 192.168.178.52
(WLC1) >transfer download start
Mode............................................. TFTP
Data Type........................................ Vendor CA Cert
TFTP Server IP................................... 192.168.178.52
TFTP Packet Timeout.............................. 6
TFTP Max Retries................................. 10
TFTP Path........................................ ./
TFTP Filename.................................... mrn-W2K8-CA.pem
This may take some time.
Are you sure you want to start? (y/N) y
TFTP EAP CA cert transfer starting.
Certificate installed.
Reboot the switch to use new certificate.
(WLC1) >reset system

We will configure an SSID with authentication via WLC Local EAP. Here are the Local EAP Profile
settings. Note that the Certificate Issuer is selected as Vendor.


Here are the WLAN settings.

Now it is ready to test the client. Here is the successful user authentication using the Local EAP
profile configured for EAP-TLS.

These two videos from Jerome explain how to configure this & I referred to them to make this post.
1. EAP-TLS on a WLC Part 1
2. EAP-TLS on a WLC Part 2
In a future post we will see how to configure this on ACS 5.2.


THOUGHTS ON CONFIGURING EAP-TLS ON WLC

Maksym said:

December 9, 2013 at 5:54 pm

Your blog is really fantastic, Rasika! Thank you for sharing your study!
In the lab equipment there is no OpenSSL software. How are we supposed to configure certificates there?

nayarasi said:

December 9, 2013 at 7:23 pm

Thanks for the feedback about my blog.. really appreciated.


Regarding the EAP-TLS certs during the exam: these are pre-loaded & you are not expected to
install certificates during the lab exam.
HTH
Rasika
