
[WLC] How to use Wireless Controller as authentication server for dot1x SSID



Article ID: KB33978 KB Last Updated: 17 Mar 2019 Version: 1.0

This article explains how to use a Wireless Controller (WLC) as the authentication server for a dot1x SSID.

  1. Create a service-profile 'dot_tac' for your access, and configure the auth-fallthru as none for the authentication mode.

    set service-profile dot_tac ssid-name dot_tac
    set service-profile dot_tac wpa-ie auth-dot1x disable
    set service-profile dot_tac rsn-ie cipher-ccmp enable
    set service-profile dot_tac rsn-ie enable
    set service-profile dot_tac attr vlan-name default
  2. Create a radio-profile, then associate the service-profile with the radio-profile. Associate the radio-profile with the radios of the APs.

    set radio-profile default service-profile dot_tac
  3. Because authentication is done locally by the WLC, configure dot1x as peap-mschapv2 local and map the SSID 'dot_tac' to it.

    set authentication dot1x ssid dot_tac * peap-mschapv2 local
  4. Create a local user on the controller and map it to the SSID:

    set user test password <password>
    set user test attr ssid dot_tac
  5. Check whether the WLC has a valid EAP certificate for dot1x authentication.

    WLC# show crypto certificate eap
  6. If the WLC does not have a valid certificate, create an EAP certificate on the WLC.

  7. To use a self-signed certificate or Certificate Signing Request (CSR) certificate for WLC authentication, you must generate a public-private key pair.

  8. To create a public-private key pair, use the following command:

    WLC# crypto generate key eap 2048
  9. After creating a public-private key pair, you can generate a self-signed certificate. To generate a self-signed certificate, use the following command:

    WLC# crypto generate self-signed


    WLC# show  session
    1 sessions total
    User Name    SessID  Type  Address              VLAN        AP/Rdo
    ------------ ------  ----- -------------------- ----------  -------
    test         47*     dot1x,V6      default     9999/1
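
A consistency check for steps 1 to 4, as an added example that is not part of the original article or of Juniper's tooling: it parses `set` lines in the form shown above and reports where the SSID name, service-profile, radio-profile, dot1x rule and local-user mapping do not line up. The function name `audit_dot1x_config` and the sample input are constructed for illustration.

```python
# Constructed sample: the `set` lines from steps 1-4 of this article.
SAMPLE_CONFIG = """\
set service-profile dot_tac ssid-name dot_tac
set service-profile dot_tac wpa-ie auth-dot1x disable
set service-profile dot_tac rsn-ie cipher-ccmp enable
set service-profile dot_tac rsn-ie enable
set service-profile dot_tac attr vlan-name default
set radio-profile default service-profile dot_tac
set authentication dot1x ssid dot_tac * peap-mschapv2 local
set user test password <password>
set user test attr ssid dot_tac
"""

def audit_dot1x_config(config_text):
    """Return a list of findings; an empty list means steps 1-4 are consistent."""
    profiles = {}         # service-profile name -> {"ssid": str, "opts": set}
    radio_mapped = set()  # service-profiles attached to a radio-profile
    dot1x_ssids = {}      # SSID -> (EAP method, server group or "local")
    user_ssids = set()    # SSIDs with at least one local user mapped (step 4)
    for line in config_text.splitlines():
        tok = line.split()
        if tok[:2] == ["set", "service-profile"] and len(tok) >= 5:
            p = profiles.setdefault(tok[2], {"ssid": None, "opts": set()})
            if tok[3] == "ssid-name":
                p["ssid"] = tok[4]
            else:
                p["opts"].add(" ".join(tok[3:]))
        elif tok[:2] == ["set", "radio-profile"] and len(tok) == 5 and tok[3] == "service-profile":
            radio_mapped.add(tok[4])
        elif tok[:4] == ["set", "authentication", "dot1x", "ssid"] and len(tok) >= 8:
            dot1x_ssids[tok[4]] = (tok[6], tok[7])
        elif tok[:2] == ["set", "user"] and tok[3:5] == ["attr", "ssid"] and len(tok) == 6:
            user_ssids.add(tok[5])
    findings = []
    for ssid, (method, server) in dot1x_ssids.items():
        name = next((n for n, p in profiles.items() if p["ssid"] == ssid), None)
        if name is None:
            findings.append(f"{ssid}: no service-profile uses this ssid-name")
            continue
        opts = profiles[name]["opts"]
        if "rsn-ie enable" not in opts or "rsn-ie cipher-ccmp enable" not in opts:
            findings.append(f"{ssid}: RSN with CCMP is not enabled on {name}")
        if name not in radio_mapped:
            findings.append(f"{ssid}: {name} is not mapped to any radio-profile")
        if server == "local" and ssid not in user_ssids:
            findings.append(f"{ssid}: local auth but no local user is mapped with attr ssid")
    return findings
```
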