[WLC] How to use the Wireless Controller as the authentication server for a dot1x SSID

This article explains how to use the Wireless LAN Controller (WLC) itself as the authentication server for an 802.1X (dot1x) SSID. The WLC terminates the PEAP-MSCHAPv2 exchange and checks the inner credentials against its local user database, so no external RADIUS server is needed.

  1. Create a service profile named dot_tac for the SSID. Enable the RSN IE (WPA2) with the CCMP (AES) cipher so that clients negotiate 802.1X key management (auth-dot1x is enabled by default in the RSN IE; the wpa-ie line only affects the legacy WPA information element), and keep auth-fallthru at none so that a client that matches no authentication rule is denied rather than admitted through web-portal or last-resort access.

    set service-profile dot_tac ssid-name dot_tac
    set service-profile dot_tac wpa-ie auth-dot1x disable
    set service-profile dot_tac rsn-ie cipher-ccmp enable
    set service-profile dot_tac rsn-ie enable
    set service-profile dot_tac attr vlan-name default
  2. Associate the service profile with a radio profile, then apply the radio profile to the AP radios. The default radio profile is used here, so every radio already bound to it starts advertising the SSID.

    set radio-profile default service-profile dot_tac
  3. Because the WLC authenticates users itself, create a dot1x authentication rule for SSID dot_tac that uses the PEAP-MSCHAPv2 method against the local database. The user-glob * matches every user name; narrow it if only certain names should be accepted on this SSID.

    set authentication dot1x ssid dot_tac * peap-mschapv2 local
  4. Create the local user on the controller and restrict it to the SSID with the ssid attribute, so the account cannot be used on other SSIDs served by the controller:

    set user test password <password>
    set user test attr ssid dot_tac
  5. PEAP needs a server certificate to build the TLS tunnel that protects the MSCHAPv2 exchange, so check whether the WLC already has a valid EAP certificate:

    WLC# show crypto certificate eap
  6. If the WLC does not have a valid certificate, create one. Whether you use a self-signed certificate or a certificate issued from a Certificate Signing Request (CSR) by your CA, you must first generate the public-private key pair:

    WLC# crypto generate key eap 2048
  7. With the key pair in place, generate the self-signed EAP certificate. A supplicant that does not validate the server certificate will hand its MSCHAPv2 response to any AP that advertises the SSID, so a self-signed certificate is only as safe as the clients' trust configuration: install the WLC's certificate on the clients and configure them to validate it, or use a CSR signed by a CA the clients already trust.

    WLC# crypto generate self-signed eap
  8. Connect a client and verify that it authenticates and receives a dot1x session on the expected VLAN:

    WLC# show sessions
    1 sessions total
    User Name    SessID  Type      Address              VLAN        AP/Rdo
    ------------ ------  --------  -------------------- ----------  -------
    test         47*     dot1x,V6                       default     9999/1
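The whole procedure above as one configuration listing, added here as an example rather than taken from the original article. Lines beginning with # are annotations, not CLI input. The cipher-tkip and auth-fallthru lines, the explicit rsn-ie auth-dot1x line, the final show and save commands, and the placeholder user name and password are assumptions not shown on the page; the TKIP default in the RSN IE can differ between MSS releases, so confirm the resulting profile with show service-profile dot_tac rather than relying on the default.

```text
# Step 1: service profile. WPA2 (RSN IE) with CCMP only; 802.1X key management
# is the default in the RSN IE but is made explicit here.
set service-profile dot_tac ssid-name dot_tac
set service-profile dot_tac rsn-ie enable
set service-profile dot_tac rsn-ie auth-dot1x enable
set service-profile dot_tac rsn-ie cipher-ccmp enable
# Assumption: this release enables TKIP in the RSN IE by default; turn it off so
# the SSID offers AES only. Verify with: show service-profile dot_tac
set service-profile dot_tac rsn-ie cipher-tkip disable
# Legacy WPA IE: keep 802.1X off there, as in the article (the WPA IE itself stays disabled).
set service-profile dot_tac wpa-ie auth-dot1x disable
# Clients that match no authentication rule are denied, not dropped into web-portal
# or last-resort access.
set service-profile dot_tac auth-fallthru none
set service-profile dot_tac attr vlan-name default

# Step 2: bind the service profile to the radio profile the AP radios use.
set radio-profile default service-profile dot_tac

# Step 3: local PEAP-MSCHAPv2 for every user name on this SSID.
set authentication dot1x ssid dot_tac * peap-mschapv2 local

# Step 4: local account, pinned to this SSID (user name and password are placeholders).
set user test password <password>
set user test attr ssid dot_tac

# Steps 5-7: EAP server certificate for the PEAP TLS tunnel.
# Only generate a new key and certificate if the first command shows none (or an expired one).
show crypto certificate eap
crypto generate key eap 2048
crypto generate self-signed eap
# The WLC prompts for the certificate subject fields. Afterwards, distribute the
# certificate to the clients' trust stores so supplicants can validate the server.

# Step 8: verify the profile, the authentication rule and a client session, then persist.
show service-profile dot_tac
show aaa
show sessions network
save config
```

The order matters for a security review: the rule that selects peap-mschapv2 local is keyed on the SSID, and the user's ssid attribute pins the account to that SSID, so a valid credential for dot_tac cannot be replayed against another SSID on the same controller that happens to use the same local database.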
