Avatar of Leeeee
Leeeee
Flag for United States of America asked on

802.1x Setup 5508 WLC

Hey Experts,

I'm looking to get any additional tips to configuring 802.1x authentication over wireless on a Cisco 5508 and 1142 AP's. The config on the WLC is very straightforward: one WLAN that will use 802.1x to authenticate users. We have one ACS and AD server to handle the authentication process. I'm still verifying what type of authentication we will be doing, EAPOL, EAP-TLS, ETC

 Is the configuration on the WLC as simple as configuring the RADIUS server and enabling 802.1x for the SSID on the controller? Are there any cool testing methods in case authentication does not work? It seems pretty straight forward, but I'm looking for any gotchas that may arise that you have experienced. I'm not a wireless guy per say. If you need more info, I will gladly provide. Thanks again guys.
Wireless NetworkingSecurityNetwork Security

Avatar of undefined
Last Comment
Leeeee

8/22/2022 - Mon
newmath

RADIUS out of Active Directory is pretty straight forward. If AD fails to authenticate a client, and the access points are setup for RADIUS authentication, then that client would simply not join the wireless network.
ASKER CERTIFIED SOLUTION
Bradley Fox

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
Bradley Fox

If you run into specific questions feel free to post in here and I'll help as best I can.  If this controller is going to support multiple subnets across WAN links you will also want to setup H-REAP (local switching) for the APs located outside the building where the WLC is.  If you are not familiar with the term CAPWAP read up on it and you will see why H-REAP is needed in remote offices.

http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080736123.shtml
Leeeee

ASKER
@mcsween, Awesome thank you. We have LAG set up from the WLC to a stack of 3750's. Let me digest some of the material in the links. We will not be using H-REAP as nothing will be traversing the WAN, at least not currently. I'm more concerned about the Microsoft side of things (they're running a PKI environment with smart cards) then the 802.1x set up on the controller.

Thanks again, I'll report back.
Experts Exchange has (a) saved my job multiple times, (b) saved me hours, days, and even weeks of work, and often (c) makes me look like a superhero! This place is MAGIC!
Walt Forbes
Bradley Fox

The 802.1x setup on the controller is a piece of cake; just enter the radius server and secret on the WLC and that's it.  Configuring your NPS server can be a bit tricky if you aren't familiar with it.  

I'm not using smart cards in my environment but as I understand them, they work the exact same way as certificates.  You will still want to enable certificate auto-enrollment for your wireless computers (AD Computer objects) so they can authenticate to the wireless before the user logs on.  Once the user logs in the authentication switches over to the user or smart card.
Leeeee

ASKER
@mods, please keep this open...implementing next week..thanks
Leeeee

ASKER
Straight forward, thanks mcsween.
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.