PEAP and EAP-TLS on Server 2008 and Cisco WLC

Sorry, but I don't find a way to reply to your post below; this is why I answer here.

Then yes, I am talking about Windows 7 and XP laptops, and when I solve this category I will probably need to do the same on Android. If it's not possible, could you please make a post with what's possible to realise?

Are your Windows XP / 7 laptops in the domain or in a workgroup? Domain is easy since you can use group policy to enroll the client certificates and configure the wireless profile for them. If they are in a workgroup then you’ll have to do some scripting if you want everything to be auto-configured. It’s also not a bad idea to create a simple user manual so that users can get a certificate.

Android devices are difficult to “auto enroll”. I’m not sure if there is management software that can do this…I know there is for Apple (google for Apple MDM).

Yes, all laptops are already on a specific domain.

I have a problem: I noted that 80% of laptops are on one domain and the rest on another domain. Is there a solution for this?

There probably is. You could create some trust relations between domains, or create a script or something to automate the following:

Thank you Rene for the explanation, it's very helpful.
I'm trying to implement your example. I've created a test lab: I've installed Windows Server 2008 R2 on VMware and I want to use a new AD from the Server 2008 (not the existing one from the production architecture). Then I have 2 questions:

1- As the server is on VMware, what precautions should I take to isolate my test lab so that I don't disturb the production installation?
2- For the test I'll install AD and DNS (all your steps), but when I want to migrate to the existing AD and DNS, how can I proceed? Should I remove AD and DNS from the Server 2008? Is it sufficient?

Make sure your lab is not connected somehow to your production network as you might run into issues. I use a separate VLAN on my switch for testing purposes. If you only want to practice with the servers in VMware then you can set the NICs of your VM guests to use another physical NIC or host-only.

Removing the AD and DNS roles is possible but I always prefer to start with a clean setup. See if you can get everything up and running in VMware and if it works, re-build it for the production network. When you install some roles and remove them later, you never know what kind of “leftovers” you might find later…

I've chosen the EAP-TLS method deployed through a GPO. I followed all your steps, but when I try to connect to the SSID it's impossible; nothing happens.
After that, on my laptop I checked the existing certificates:
I found my wireless certificate in the tab "Trusted Root Certificate Authority"
and on the tab "Personal" no certificate. Then this is why nothing happens. I don't know how to troubleshoot this problem. Do you have any idea?
Perhaps I forgot to configure something on the WLC?

Sounds like a client problem. It should have a user certificate. The WLC doesn’t know anything about certificates…it’s only configured for 802.1X. It’s best to check the event viewer of the server running NPS to see why a client wasn’t able to connect.
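The two checks Rene names above (is there a user certificate in the Personal store, and what does NPS log about the rejected attempt) can be scripted. The following PowerShell is an added example written for this thread, not Rene's code or anything from the WLC or NPS documentation. It assumes the first function runs on the client as the user who is trying to connect (the store path `Cert:\CurrentUser\My` is the "Personal" tab Sam looked at), and the second runs on the NPS server with an account that may read the Security log. The event IDs 6272 (access granted) and 6273 (access denied) are the standard NPS audit events on Server 2008 R2; the audit subcategory "Network Policy Server" must be enabled for them to appear.

```powershell
# Added example (not from the original thread).
# Part 1, on the client: is there a usable EAP-TLS user certificate?
function Test-EapTlsUserCertificate {
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'   # EKU "Client Authentication", required for EAP-TLS
    $now = Get-Date

    $candidates = Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {
        $ekuExt = $_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $hasClientAuth = $false
        if ($ekuExt) {
            $hasClientAuth = [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid })
        }
        $_.HasPrivateKey -and $_.NotAfter -gt $now -and $_.NotBefore -le $now -and $hasClientAuth
    }

    if (-not $candidates) {
        Write-Warning 'No valid Client Authentication certificate with a private key in Cert:\CurrentUser\My (Personal).'
        Write-Warning 'A CA certificate in Cert:\CurrentUser\Root is not enough: it validates the NPS server, it does not identify the user.'
        Write-Warning 'Trigger autoenrollment (gpupdate /force, then certutil -pulse) and check the template Enroll/Autoenroll permissions.'
        return $null
    }
    # Return the usable certificates so the caller (or an admin) can see which one EAP will pick.
    return $candidates | Select-Object Subject, Issuer, NotBefore, NotAfter, Thumbprint
}

# Part 2, on the NPS server: why was the client rejected?
function Get-NpsDeniedEvents {
    param([int]$Last = 20)

    # Fields worth reading first in a 6273 event; everything else is noise for this problem.
    $interesting = 'Account Name|Calling Station Identifier|Authentication Type|EAP Type|Network Policy Name|Reason Code|Reason:'

    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6273 } -MaxEvents $Last -ErrorAction SilentlyContinue |
        ForEach-Object {
            $lines = $_.Message -split "`r?`n" | Where-Object { $_ -match $interesting }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Details = (($lines | ForEach-Object { $_.Trim() }) -join ' | ')
            }
        }
}

# Usage (run the one that matches the machine you are on):
#   Test-EapTlsUserCertificate | Format-List
#   Get-NpsDeniedEvents -Last 10 | Format-Table -AutoSize -Wrap
#
# If Get-NpsDeniedEvents returns nothing at all, confirm the audit policy on the NPS server:
#   auditpol /get /subcategory:"Network Policy Server"
```

The reason text in a 6273 event is usually more useful than the WLC's own logs here, because the WLC only relays EAP between client and RADIUS server; a rejection caused by a missing or untrusted client certificate is decided on NPS and shows up there.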

I've opened the event viewer of the server running NPS. To save time, could you indicate to me on which tab I should begin the troubleshooting?

It works! But I added some steps like installing a certificate on the WLC; how did you do this automatically?

Hi Sam,

There is really no need to install a certificate on the WLC for PEAP or EAP-TLS. The WLC just sits in the middle and only requires a configured radius server and the SSID for WPA(2)-Enterprise…that’s all.

Hi Rene,
Could you please make a post about EAP-TLS authentication using Apple devices or Android?
Many thanks in advance.

Hi Sindy,

I wrote those posts a while ago, here they are:


What about the validity of the certificate?
If I want to provide a perpetual validity, how can I set it with EAP-TLS authentication?

Hi Sam,

When you set up the certificate template for the user you can change the validity period for the user certificate.


Thank you, Rene.

Hi Rene,
Thanks for the help, it works fine :)
Now I want to create a policy or something else concerning the private assets of employees.
For this, I've created a new SSID for employees' private assets, then I used web authentication on the WLC via a web portal and AD credentials.
It works fine, but after 2 days the employee must re-enter his login, and my question is:
Is it possible, when the employee connects for the first time, to capture his MAC address (his private asset) and store it on NPS (RADIUS)? And perhaps on the WLC I may use these options: MAC filtering and web policy on MAC filter failure, but till now without success. Do you have any idea?

Hmm, I believe NPS can do MAC based authentication but I'm not sure if it can "store" the MAC address of a device after successful authentication. I also don't recommend doing any MAC based authentication, especially for wireless since MAC addresses are always unencrypted in the air and easy to spoof. It doesn't add any protection at all…

Yes, you're right, but in addition to MAC filtering I have to use a layer 2 or 3 authentication.
Then, is there no BYOD solution with Cisco WLC and Windows?