create local users on cisco wifi controller 2500 - guest network not prompting

Hi Struggling here - ive created the new ssid - I can connect using wpa - put in password and ok.

What I want is for each device connecting to have a user name and password "ON" the controller:

eg Joe Smith - has account joes on the controller with his own password.

Ive been told LEAP - which i have some concern around all devices working on - thats another question ;)
Ive done the following:  local EAP authentication ticked - and Ive created a profile called LEAP. and I have created a user (all this on the controller) however - when I connect - it does not prompt for a username   - if i turn on wpa2 it prompts for pre shares key but thats not what I want. I want local username to prompt? - where am I going wrong?   thanks

I'm not wanting AD or radius - i need local usernames on the controller. Cisco WIFI controller 2500
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

David Johnson, CD, MVPOwnerCommented:
Follow the walkthrough available @

Feel free to ask if any additional questions
philb19Author Commented:
Thanks  I did glance at that article. Not fully though :) - this is EAP-FAST is that the way to go?. Do I have to use certificates ? I would really like NOT to use certs AT ALL. though we do have in internal Cert authority. Will avoid at any cost
Craig BeckCommented:
You can do it with PEAP instead of EAP-FAST using local users.

Go to the Security tab on the WLC, then choose Local EAP from the left-hand menu.
Create a new EAP profile and select the PEAP check-box.
Click on the name of your new profile to view the properties, then check "Local Certificate Required" and click Apply.

On the WLAN you want to enable PEAP on, go to its Security tab and click on AAA Servers, then tick the "Local EAP Authentication Enabled" box.

Create a local user and test, but make sure you uncheck the 'Validate Server Certificate' option in the client's WLAN profile.
Powerful Yet Easy-to-Use Network Monitoring

Identify excessive bandwidth utilization or unexpected application traffic with SolarWinds Bandwidth Analyzer Pack.

philb19Author Commented:
thanks does not appear to be working - though no prompt. What do i set the Layer 2 security to none or wpa2 - or pass through eap -?
Craig BeckCommented:
Any WPA mixture will do as long as you tick the 802.1x box.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
philb19Author Commented:
Thanks - followed your instruction and all good - now I need to figure out how to get the users I create on the controller picked up - by clouded scansafe proxy tower (external)
Craig BeckCommented:
Good luck with that - you can't do external accounting with local EAP as far as I know.
philb19Author Commented:
Yeah thanks - reading online it looks like I need ISE to be able to trap and do user (non-Active directory user) reports (from scansafe)  

We use CDA linux VM that gets AD info - for corporate Wifi AD user reporting

its reporting on guest wifi I am after
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Wireless Networking

From novice to tech pro — start learning today.