Solved

802.1x Setup 5508 WLC

Posted on 2012-12-27
Last Modified: 2013-01-23
Hey Experts,

I'm looking to get any additional tips on configuring 802.1x authentication over wireless on a Cisco 5508 and 1142 APs. The config on the WLC is very straightforward: one WLAN that will use 802.1x to authenticate users. We have one ACS and AD server to handle the authentication process. I'm still verifying what type of authentication we will be doing: EAPOL, EAP-TLS, etc.

Is the configuration on the WLC as simple as configuring the RADIUS server and enabling 802.1x for the SSID on the controller? Are there any cool testing methods in case authentication does not work? It seems pretty straightforward, but I'm looking for any gotchas that may arise that you have experienced. I'm not a wireless guy per se. If you need more info, I will gladly provide. Thanks again guys.
Question by:Leeeee
7 Comments
 
LVL 9

Expert Comment

by:newmath
ID: 38724828
RADIUS out of Active Directory is pretty straightforward. If AD fails to authenticate a client, and the access points are set up for RADIUS authentication, then that client would simply not join the wireless network.
0
 
LVL 21

Accepted Solution

by:
mcsween earned 500 total points
ID: 38724886
I just set this up in my environment. You will need a Root CA and an NPS server. I set my domain-joined computers to authenticate using only the computer certificate (smart card or other certificate in NPS). You can set up your WiFi networks for the clients in Group Policy under Computer Config, Policies, Windows Settings, Security Settings, Wireless Network Policies.

I set mine up to use TLS Authentication Only (Certificates) with the exception of a half dozen people that are allowed to use PEAP/EAP-MSCHAP v2.  This can be accomplished with multiple Network Policies on your NPS server.

Here are some links I used to set mine up.

This one gets you the gist of what you are doing, but he doesn't use a LAG to connect the controller to the network, which I strongly suggest you do.
http://araihan.wordpress.com/2010/04/30/complete-guide-to-build-a-cisco-wireless-infrastructure-using-cisco-wlc-5500-cisco-1142-ap-and-microsoft-radius-server/

Here is how Cisco wants you to do it. I used most of this, and it talks about setting up the LAG.
http://www.cisco.com/en/US/docs/solutions/Enterprise/Medium_Enterprise_Design_Profile/chap4.html

This will help you get your Root CA set up (do not install this on a domain controller unless you absolutely have to).
http://technet.microsoft.com/en-us/library/cc772393(v=ws.10).aspx

Follow "Other Cisco Lightweight Access Points (LAPs)" about halfway down to set up a DHCP server to autoconfigure your access points.
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00808714fe.shtml
0
 
LVL 21

Expert Comment

by:mcsween
ID: 38724914
If you run into specific questions, feel free to post in here and I'll help as best I can. If this controller is going to support multiple subnets across WAN links, you will also want to set up H-REAP (local switching) for the APs located outside the building where the WLC is. If you are not familiar with the term CAPWAP, read up on it and you will see why H-REAP is needed in remote offices.

http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080736123.shtml
0
 
LVL 5

Author Comment

by:Leeeee
ID: 38724964
@mcsween, Awesome, thank you. We have LAG set up from the WLC to a stack of 3750s. Let me digest some of the material in the links. We will not be using H-REAP as nothing will be traversing the WAN, at least not currently. I'm more concerned about the Microsoft side of things (they're running a PKI environment with smart cards) than the 802.1x setup on the controller.

Thanks again, I'll report back.
0
 
LVL 21

Expert Comment

by:mcsween
ID: 38725647
The 802.1x setup on the controller is a piece of cake; just enter the RADIUS server and secret on the WLC and that's it. Configuring your NPS server can be a bit tricky if you aren't familiar with it.

I'm not using smart cards in my environment but as I understand them, they work the exact same way as certificates.  You will still want to enable certificate auto-enrollment for your wireless computers (AD Computer objects) so they can authenticate to the wireless before the user logs on.  Once the user logs in the authentication switches over to the user or smart card.
0
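
On the question of testing when authentication does not work: the one value typed on both the WLC and the RADIUS server is the shared secret, and a mismatch there fails silently. The following is an added example, not part of the thread or of any Cisco or Microsoft tooling. It models the RFC 2865 and RFC 3579 integrity checks offline, with constructed secrets and a constructed machine identity, and sends nothing to a real WLC or NPS.

```python
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 79, 80

def attr(attr_type, value):
    return bytes([attr_type, len(value) + 2]) + value

def build_access_request(secret, ident, user):
    """Access-Request as the NAS (the WLC) sends it: EAP identity + Message-Authenticator."""
    eap = struct.pack("!BBHB", 2, 1, 5 + len(user), 1) + user  # EAP-Response/Identity
    attrs = attr(USER_NAME, user) + attr(EAP_MESSAGE, eap) + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    packet = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + os.urandom(16) + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()  # computed with the field zeroed
    return packet[:-16] + mac  # Message-Authenticator is the last attribute here

def server_accepts_request(secret, packet):
    """Server-side check (RFC 3579): recompute HMAC-MD5 with the server's copy of the secret."""
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            return False  # malformed attribute
        if attr_type == MESSAGE_AUTHENTICATOR and length == 18:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += length
    return False  # EAP requests without Message-Authenticator are discarded

def build_reply(secret, code, request, attrs=b""):
    """Reply with the RFC 2865 Response Authenticator: MD5(header + RequestAuth + attrs + secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs

def nas_accepts_reply(secret, request, reply):
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return reply[1] == request[1] and hmac.compare_digest(expected, reply[4:20])

def diagnose(wlc_secret, nps_secret):
    request = build_access_request(wlc_secret, 7, b"host/pc01.example.test")  # constructed identity
    if not server_accepts_request(nps_secret, request):
        return "request dropped by server: shared secret mismatch looks like a RADIUS timeout"
    reply = build_reply(nps_secret, ACCESS_ACCEPT, request)
    return "ok" if nas_accepts_reply(wlc_secret, request, reply) else "reply rejected by NAS"

if __name__ == "__main__":
    print(diagnose(b"S3cret-constructed", b"S3cret-constructed"))
    print(diagnose(b"S3cret-constructed", b"S3cret-constructed "))  # trailing space pasted in
```

Because RFC 3579 has the server silently discard a request whose Message-Authenticator does not verify, a mistyped secret shows up on the controller as an unresponsive RADIUS server rather than as a reject, so re-enter the secret on both sides before debugging certificates or policies.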
 
LVL 5

Author Comment

by:Leeeee
ID: 38731592
@mods, please keep this open...implementing next week..thanks
0
 
LVL 5

Author Comment

by:Leeeee
ID: 38810647
Straightforward, thanks mcsween.
0
