PEAP and EAP-TLS on Server 2008 and Cisco WLC

I’ve chosen the EAP-TLS method, deployed through a GPO. I followed all your steps, but when I try to connect to the SSID it’s impossible, nothing happens.
Afterwards, on my laptop I checked the existing certificates:
I found my wireless certificate in the “Trusted Root Certificate Authority” tab
and in the “Personal” tab no certificate. Then this is why nothing happens. I don’t know how to troubleshoot this problem. Do you have any idea?
Perhaps on the WLC I forgot to configure something?

Sounds like a client problem. It should have a user certificate. The WLC doesn’t know anything about certificates…it’s only configured for 802.1X. It’s best to check the event viewer of the server running NPS to see why a client wasn’t able to connect.
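As an added example (not part of the original thread), this PowerShell snippet pulls the NPS “access denied” audit events (Security log, event ID 6273) on the NPS server and lists the reason NPS gave for each rejected 802.1X attempt, which is the first thing to look at for a client that never gets on the SSID. It assumes it is run on the NPS server with administrator rights; the EventData field names used (SubjectUserName, CallingStationID, NASIPv4Address, EAPType, ReasonCode, Reason) are the ones in the event XML and are an assumption here.

```powershell
# Added example, not from the original thread. Summarise recent NPS
# "Network Policy Server denied access to a user" events (ID 6273).
# Assumes: run on the NPS server as an administrator; the EventData field
# names below are those in the event XML (treat them as assumptions).
param(
    [int]$Hours     = 24,   # how far back to look
    [int]$MaxEvents = 50    # newest N denials
)

$filter = @{
    LogName   = 'Security'
    Id        = 6273
    StartTime = (Get-Date).AddHours(-$Hours)
}

Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents |
    ForEach-Object {
        # Turn every <Data Name="..."> element into a hashtable entry so the
        # script does not rely on the positional order of the fields.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            Time       = $_.TimeCreated
            User       = $data['SubjectUserName']
            ClientMAC  = $data['CallingStationID']   # supplicant MAC as relayed by the WLC
            NAS        = $data['NASIPv4Address']     # the WLC that forwarded the request
            EAPType    = $data['EAPType']            # e.g. PEAP vs. EAP-TLS
            ReasonCode = $data['ReasonCode']
            Reason     = $data['Reason']             # NPS's own explanation of the denial
        }
    } |
    Sort-Object Time -Descending |
    Format-Table -AutoSize -Wrap
```

Event ID 6272 is the matching “granted access” event, so swapping the Id in the filter shows the successful attempts for comparison.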

I’ve opened the event viewer of the server running NPS. To save time, could you indicate to me on which tab I should begin the troubleshooting?

It works! But I added some steps like installing a certificate on the WLC. How did you do this automatically?

Hi Sam,

There is really no need to install a certificate on the WLC for PEAP or EAP-TLS. The WLC just sits in the middle and only requires a configured radius server and the SSID for WPA(2)-Enterprise…that’s all.

Hi Rene,
Could you please make a post with EAP-TLS authentication by using Apple devices or Android?
Many thanks in advance

Hi Sindy,

I wrote those posts a while ago, here they are:

Rene

What about the validity of the certificate?
If I want to provide perpetual validity, how can I set it with EAP-TLS authentication?

Hi Sam,

When you set up the certificate template for the user you can change the validity period for the user certificate.

Rene

Thank you Rene

Hi Rene,
Thanks for the help, it works fine :slight_smile:
Now, I want to create a policy or something else concerning employees’ private assets.
For this, I’ve created a new SSID for employees’ private assets, then I’ve used web authentication on the WLC via the web portal and AD credentials.
It works fine, but after 2 days the employee must re-enter his login, and my question is:
is it possible, when the employee connects for the first time, to capture his MAC address (his private asset) and store it on NPS (RADIUS)? And perhaps on the WLC I may use these options: MAC filtering and web policy on MAC filter failure, but till now without success. Do you have any idea?

Hmm, I believe NPS can do MAC based authentication but I’m not sure if it can “store” the MAC address of a device after successful authentication. I also don’t recommend doing any MAC based authentication, especially for wireless, since MAC addresses are always unencrypted in the air and easy to spoof. It doesn’t add any protection at all…

Yes, you’re right, but in addition to MAC filtering I have to use a layer 2 or 3 authentication.
Then there is no BYOD solution with Cisco WLC and Windows?

Hello Rene,

Thank you for explaining this brilliantly. I have both PEAP and EAP-TLS working. But using EAP-TLS I am having issues with the CRL revocation list. I am using computer certificates and when I revoked the certificate for a particular computer, it can still connect to the wireless network. I have been checking lots of forums but still cannot get this working. Can you please suggest something? Thank you

Rakesh

Hmm good question, I would have to check it to see how it’s done. If I have some spare time I’ll try it.

Thank you Rene.

Can I avoid installing the Certificate Server and use the WLC for the cert instead?
Thanks
Noob on wireless, so this site has been very useful

Hi Cam,

Unfortunately not. The certificate on the WLC is meant for web authentication, not for user authentication. You’ll really need a CA and a RADIUS server for EAP-TLS.

Rene

But why exactly do you want to add the MAC authentication next to a decent layer 2 or 3 authentication?