Technical Manual for Cisco 2000 Series Wireless LAN Controller

Local EAP Authentication on the Wireless LAN Controller with EAP-FAST and LDAP Server Configuration Example
 
Document ID: 100590 
Introduction  
This document explains how to configure Extensible Authentication Protocol (EAP) - Flexible Authentication via Secure Tunneling
(FAST) Local EAP authentication on a Wireless LAN Controller (WLC). This document also explains how to configure a Lightweight
Directory Access Protocol (LDAP) server as the backend database for Local EAP to retrieve user credentials and authenticate the
user.
Prerequisites  
Requirements  
There are no specific requirements for this document. 
Components Used  
The information in this document is based on these software and hardware versions:  
Cisco 4400 Series WLC that runs firmware 4.2 
Cisco Aironet 1232AG Series Lightweight Access Point (LAP)  
Microsoft Windows 2003 server configured as a domain controller, LDAP server, and Certificate Authority server.
Cisco Aironet 802.11 a/b/g Client Adapter that runs firmware release 4.2  
Cisco Aironet Desktop Utility (ADU) that runs firmware version 4.2  
The information in this document was created from the devices in a specific lab environment. All of the devices used in this 
document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact 
of any command. 
Conventions  
Refer to the Cisco Technical Tips Conventions for more information on document conventions.
Background Information  
Local EAP authentication on Wireless LAN Controllers was introduced with Wireless LAN Controller version 4.1.171.0.  
Local EAP is an authentication method that allows users and wireless clients to be authenticated locally on the controller. It is 
designed for use in remote offices that want to maintain connectivity to wireless clients when the backend system becomes 
disrupted or the external authentication server goes down. When you enable local EAP, the controller serves as the 
authentication server and the local user database, so it removes dependence on an external authentication server. Local EAP 
retrieves user credentials from the local user database or the LDAP backend database to authenticate users. Local EAP supports 
LEAP, EAP-FAST, EAP-TLS, PEAPv0/MSCHAPv2, and PEAPv1/GTC authentication between the controller and wireless clients.
Local EAP can use an LDAP server as its backend database to retrieve user credentials. 
An LDAP backend database allows the controller to query an LDAP server for the credentials (username and password) of a 
particular user. These credentials are then used to authenticate the user.  
The LDAP backend database supports these Local EAP methods:  
EAP-FAST/GTC 
Contents
Introduction
Prerequisites
    Requirements
    Components Used
    Conventions
Background Information
Configure
    Network Diagram
Configurations
Configure EAP-FAST as Local EAP Authentication Method on the WLC
    Generate a Device Certificate for the WLC
    Downloading the Device Certificate onto the WLC
    Install the Root Certificate of PKI into the WLC
    Generate a Device Certificate for the Client
    Generate the Root CA Certificate for the Client
    Configure Local EAP on the WLC
Configure LDAP Server
    Creating Users on the Domain Controller
    Configure the User for LDAP Access
Using LDP to Identify the User Attributes
Configure Wireless Client
Verify
Troubleshoot
Cisco Support Community - Featured Conversations
Related Information