Техническая Инструкция для Cisco Cisco 2000 Series Wireless LAN Controller
EAP-TLS
PEAPv1/GTC.
LEAP, EAP-FAST/MSCHAPv2, and PEAPv0/MSCHAPv2 are also supported, but only if the LDAP server is set up to return a
clear-text password. For example, Microsoft Active Directory is not supported because it does not return a clear-text password.
If the LDAP server cannot be configured to return a clear-text password, LEAP, EAP-FAST/MSCHAPv2, and
PEAPv0/MSCHAPv2 are not supported.
clear-text password. For example, Microsoft Active Directory is not supported because it does not return a clear-text password.
If the LDAP server cannot be configured to return a clear-text password, LEAP, EAP-FAST/MSCHAPv2, and
PEAPv0/MSCHAPv2 are not supported.
Note: If any RADIUS servers are configured on the controller, the controller tries to authenticate the wireless clients using the
RADIUS servers first. Local EAP is attempted only if no RADIUS servers are found, either because the RADIUS servers timed out
or no RADIUS servers were configured. If four RADIUS servers are configured, the controller attempts to authenticate the client
with the first RADIUS server, then the second RADIUS server, and then local EAP. If the client attempts to then reauthenticate
manually, the controller tries the third RADIUS server, then the fourth RADIUS server, and then local EAP.
RADIUS servers first. Local EAP is attempted only if no RADIUS servers are found, either because the RADIUS servers timed out
or no RADIUS servers were configured. If four RADIUS servers are configured, the controller attempts to authenticate the client
with the first RADIUS server, then the second RADIUS server, and then local EAP. If the client attempts to then reauthenticate
manually, the controller tries the third RADIUS server, then the fourth RADIUS server, and then local EAP.
This example uses EAP-FAST as the Local EAP method on the WLC, which in turn is configured to query the LDAP backend
database for user credentials of a wireless client.
database for user credentials of a wireless client.
Configure
This document uses EAP-FAST with certificates on both the client and the server side. For this, the setup uses Microsoft
Certificate Authority (CA) server to generate the client and server certificates.
Certificate Authority (CA) server to generate the client and server certificates.
The user credentials are stored in the LDAP server so that on successful certificate validation, the controller queries the LDAP
server in order to retrieve the user credentials and authenticates the wireless client.
server in order to retrieve the user credentials and authenticates the wireless client.
This document assumes that these configurations are already in place:
A LAP is registered to the WLC. Refer to
Lightweight AP (LAP) Registration to a Wireless LAN Controller (WLC)
for more
information on the registration process.
A DHCP server is configured to assign an IP address to the wireless clients.
Microsoft Windows 2003 server is configured as domain controller as well as CA server. This example uses wireless.com
as the domain.
as the domain.
Refer to
Configuring Windows 2003 as a Domain Controller
for more information on configuring a Windows 2003 server as
a domain controller.
Refer to
Install and Configure the Microsoft Windows 2003 Server as a Certificate Authority (CA) Server
in order to
configure Windows 2003 server as Enterprise CA server.
Network Diagram
This document uses this network setup:
Configurations