Cisco Wireless LAN Controller Module Leaflet
Cisco Unified Wireless Network Local EAP Server
Configuration Example
Document ID: 91628
Contents
Introduction
Prerequisites
Requirements
Components Used
Conventions
Configure Local EAP on the Cisco Wireless LAN Controller
Local EAP Configuration
Microsoft Certification Authority
Installation
Install the Certificate in the Cisco Wireless LAN Controller
Install the Device Certificate on the Wireless LAN Controller
Download a Vendor CA Certificate to the Wireless LAN Controller
Configure the Wireless LAN Controller to use EAP−TLS
Install the Certificate Authority Certificate on the Client Device
Download and Install a Root CA Certificate for the Client
Generate a Client Certificate for a Client Device
EAP−TLS with Cisco Secure Services Client on the Client Device
Debug Commands
Related Information
Introduction
This document describes the configuration of a local Extensible Authentication Protocol (EAP) server in a
Cisco Wireless LAN Controller (WLC) for the authentication of wireless users.
Local EAP is an authentication method that allows users and wireless clients to be authenticated locally. It is
designed for use in remote offices that want to maintain connectivity to wireless clients when the back−end
system becomes disrupted or the external authentication server goes down. When you enable local EAP, the
controller serves as the authentication server and the local user database, thereby removing dependence on an
external authentication server. Local EAP retrieves user credentials from the local user database or the
Lightweight Directory Access Protocol (LDAP) back−end database to authenticate users. Local EAP supports
Lightweight EAP (LEAP), EAP−Flexible Authentication via Secure Tunneling (EAP−FAST), and
EAP−Transport Layer Security (EAP−TLS) authentication between the controller and wireless clients.
Note that the local EAP server is not active while a global external RADIUS server is configured in the WLC
and reachable. All authentication requests are forwarded to the global external RADIUS server, and the local
EAP server only takes over when that server cannot be reached. If the WLC loses connectivity to the external
RADIUS server, the local EAP server becomes active. If there is no global RADIUS server configuration, the
local EAP server becomes active immediately.
The local EAP server cannot be used to authenticate clients that are connected to other WLCs. In other
words, one WLC cannot forward its EAP requests to another WLC for authentication. Every WLC must have
its own local EAP server and its own user database.
Note: Use these commands in order to stop the WLC from sending requests to an external RADIUS server
for a given WLAN (the WLAN must be disabled before its RADIUS setting can be changed; <wlan_id> is
the ID of the WLAN being modified):
config wlan disable <wlan_id>
config wlan radius_server auth disable <wlan_id>