How to Set Up EAP-TLS with a Cisco Wireless LAN Controller

The looming threat of data breaches has caused many organizations to evaluate how to better secure their wireless networks. The increasing implementation of digital certificates allows organizations to protect their networks by preventing over-the-air credential theft by MITM and Evil Twin attacks. SecureW2’s security solutions offer everything needed to set up a WPA2-Enterprise network with EAP-TLS certificate-based authentication. As a vendor-neutral, cloud-based solution, it can be set up quickly and efficiently with any access points or controllers from major vendors. The following is a step-by-step guide showing how you can use SecureW2’s onboarding solution, Cloud PKI, and Cloud RADIUS to set up WPA2-Enterprise certificate-based authentication with a Cisco Wireless LAN Controller.

In the past, the process of loading certificates onto users’ devices was difficult, but the SecureW2 self-configuration process requires only a few steps to complete. It relieves IT of the burden of onboarding every network user, but still allows IT to monitor the Wi-Fi onboarding process. It also provides a host of certificate management tools to keep the network in check, such as Identity Lookup, CRL check, and group-based policies.


To complete this setup, you will need the following:

  • A SecureW2 Network Profile configured for EAP-TLS
  • An Identity Provider
  • A Cisco WLC set up with Access Points


Setting up the Onboarding SSID

An onboarding SSID is an open SSID users connect to initially to configure their devices for wireless access. The onboarding SSID redirects the user to the SecureW2 landing page where they can enroll for a certificate. From here, the OS of the user’s device is detected and a client is deployed that is specific to that device’s OS. The client then configures the device by installing the Wi-Fi certificate, RADIUS server certificate for server certificate validation, and appropriate network settings required to authenticate via EAP-TLS.

  1. Log in to the Cisco Dashboard
  2. In the WLAN tab, click Go next to the Create New dropdown menu
  3. Enter a Profile Name and SSID, and then click Apply
  4. Click the Security tab, and in the Layer 2 Security dropdown menu, select None
  5. Click the Layer 3 tab, and in the Layer 3 Security dropdown menu, select Web Policy

Configuring the Onboarding SSID

Here you would select your Walled Garden configuration or Access Control List (ACL) from the IPv4 dropdown menu. We are going to go through a quick setup for those who do not have one configured before starting this guide.

  1. Click the Security tab on the top menu, and click Access Control Lists
  2. Click New, enter a name in the Access Control List Name text box, and click Apply
  3. In the list that appears, click the ACL you just created and click Add New Rule
    • Here you will see the information that can be populated into a new rule

Configuring Access Control List settings

  1. Navigate to the SecureW2 Management Portal, click Documentation, and click SecureW2 JoinNow Deployment Guide
  2. Scroll to the section in the guide called Chapter 2: Firewall Rules
  3. Here you will find an array of resources you need to allow through the Open SSID
    • For more details, check out our Onboarding SSID video in the Management Portal
  4. For testing purposes, the following are the IP Addresses that need to be allowed:

The required IP addresses to allow on the Open SSID

  1. Copy the first IP Address on the list and navigate to the Cisco dashboard
  2. In the new rules list for the ACL, type 1 in the Sequence textbox
  3. Select IP Address in the dropdown box for Source and paste the IP Address we copied from the guide into the IP Address textbox
  4. In the Netmask textbox, enter 255.255.255
  5. In the Action dropdown box, select Permit and click Apply
  6. Resuming our WLAN configuration, select the ACL List we created from the IPv4 dropdown box
  7. Click the checkbox next to Over-ride Global Config to enable it
  8. In the Web Auth Type dropdown box, select External (Re-direct to external server)
  9. Navigate to the SecureW2 Management Portal, click Network Profiles, and click View for the network profile you’ve configured for this guide
  10. Copy the URL of the landing page that opens and paste it in the URL textbox in the ACL List Configuration

Configuring the settings of the Open SSID

  1. Click Apply
  2. In the General tab, check the box next to Status labelled Enable, and click Apply
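
A quick audit of the onboarding ACL entered in the steps above, as an added example that is not part of the original guide or of any SecureW2 or Cisco tooling: it checks that every Permit rule is scoped to a single allow-listed host and flags malformed netmasks. The rule dictionaries, the function name audit_acl and the documentation-range addresses are assumptions constructed for illustration; substitute the addresses from the deployment guide and your own rule export.

```python
import ipaddress

# Constructed allow-list: documentation-range addresses stand in for the
# IP addresses listed in the deployment guide's firewall-rules chapter.
REQUIRED_HOSTS = {"192.0.2.10", "198.51.100.25"}

# Constructed ACL rules, one dict per rule, mirroring the WLC rule form
# fields used in this guide (Sequence, Source IP Address, Netmask, Action).
SAMPLE_RULES = [
    {"seq": 1, "source": "192.0.2.10", "netmask": "255.255.255.255", "action": "Permit"},
    {"seq": 2, "source": "198.51.100.25", "netmask": "255.255.255", "action": "Permit"},
    {"seq": 3, "source": "203.0.113.0", "netmask": "255.255.255.0", "action": "Permit"},
    {"seq": 4, "source": "0.0.0.0", "netmask": "0.0.0.0", "action": "Deny"},
]


def audit_acl(rules, required_hosts):
    """Return a list of (sequence, finding) tuples for a walled-garden ACL."""
    findings = []
    covered = set()
    for rule in rules:
        seq = rule["seq"]
        try:
            # Rejects malformed masks and addresses with host bits set.
            net = ipaddress.IPv4Network(f"{rule['source']}/{rule['netmask']}")
        except ValueError:
            findings.append((seq, "invalid address or netmask"))
            continue
        if rule["action"].lower() != "permit":
            continue
        if net.prefixlen != 32:
            # On an open SSID every permit should name exactly one host.
            findings.append((seq, "permit is wider than a single host"))
            continue
        host = str(net.network_address)
        if host in required_hosts:
            covered.add(host)
        else:
            findings.append((seq, "permit for a host not on the allow-list"))
    # Required hosts without a valid permit would break onboarding.
    for host in sorted(required_hosts - covered):
        findings.append((None, f"required host {host} has no valid permit rule"))
    return findings


if __name__ == "__main__":
    for seq, finding in audit_acl(SAMPLE_RULES, REQUIRED_HOSTS):
        print(f"rule {seq}: {finding}")
```
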


Setting up the SecureW2 Cloud RADIUS Server

First, we need to add the SecureW2 Cloud RADIUS Server into Cisco, so starting in the SecureW2 Management Portal:

  1. Under the heading AAA Management, click AAA Configuration
  2. Navigate to the Cisco dashboard and click Security
  3. Click Authentication beneath the heading RADIUS, and click New
  4. The following is the information from SecureW2 that you will enter in the Cisco RADIUS
    • Shared Secret
    • Primary IP Address (enter in the textbox called Server IP Address in Cisco)
    • Port

Information needed from SecureW2 to configure the RADIUS Server

  1. After you have entered this information, click Apply


Setting up the Secure SSID

Now that we’ve configured the onboarding SSID that will enroll users for a certificate, we need to set up the secure SSID. This SSID needs to be configured for EAP-TLS WPA2-Enterprise Authentication. It also needs to be integrated with a RADIUS server (in this case the SecureW2 RADIUS) that will authenticate the users’ certificates and authorize them for network access.

  1. Click Network Profiles under the heading Device Onboarding
  2. Click Edit for the network profile you created for this WPA2-Enterprise Authentication and copy the name of the network
  3. Navigate to the Cisco dashboard and click the WLANs tab
  4. Next to the dialog box called Create New, click Go
  5. Paste the name of the network into the Profile Name and SSID textboxes, and click Apply
  6. Click the Security tab and click AAA Servers
  7. In the Server 1 dialog box, select the server we created earlier, and click Apply

Configuring the Secure SSID to communicate with the SecureW2 RADIUS server

  1. Under the General Tab, click the check box for Enabled and click Apply


Concluding Thoughts

With the final click of Apply, you have set up an Onboarding and Secure SSID on your Cisco WLC, allowing you to begin enrolling for certificates. If you have any questions, general feedback, or would like a free trial of SecureW2’s solutions, contact us with the form below.
