PEAP and EAP-TLS on Server 2008 and Cisco WLC

I think I may have worked it out. I can access the DC via wireless and log on to the domain.
I’ve included the config for my standalone AP.

AP1231.1#term length 0 
AP1231.1#terminal monitor 
AP1231.1#sh run 
Building configuration...

Current configuration : 4936 bytes
!
! Last configuration change at 14:04:19 Sydney Sun Apr 3 2016 by admin
! NVRAM config last updated at 14:04:21 Sydney Sun Apr 3 2016 by admin
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone year
service password-encryption
service sequence-numbers
!
hostname AP1231.1
!
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
clock timezone Sydney 10
clock summer-time sydney date Oct 4 2015 2:00 Apr 3 2016 2:00
ip subnet-zero
ip domain name bde.local
ip name-server 8.8.8.8
ip name-server 103.26.62.218
!
!
ip dhcp-server 192.168.1.100
aaa new-model
!
!
aaa group server radius rad_eap
 server 192.168.1.61 auth-port 1812 acct-port 1813
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local 
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
!
dot11 ssid bde.1231.1.ap
   authentication open eap eap_methods 
   authentication network-eap eap_methods 
   authentication key-management wpa
   guest-mode
!
dot11 network-map
dot11 arp-cache optional
!
crypto pki trustpoint TP-self-signed-2161280379
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2161280379
 revocation-check none
 rsakeypair TP-self-signed-2161280379
!
!
crypto ca certificate chain TP-self-signed-2161280379
 certificate self-signed 01
  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 04050030 
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274 
  69666963 6174652D 32313631 32383033 3739301E 170D3032 30333031 30303032 
  35315A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649 
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 31363132 
  38303337 3930819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 
  8100D200 7EB46FAF FF6550DD 2B05EA5B A9D9C908 23F8A4BE 007C3A74 218D9345 
  6CEE4181 1CB01978 B4231121 181487F8 2295C011 C058A00C CD515B6D F2395440 
  5CBF49BA 256E4B63 D21C0900 99BADDBF 9A4999D7 E79DB36E B12373C1 820FC392 
  F0E6BD94 AC40C44E C865451B 5644C797 635B068C AFD372A2 AA8FE35C D08CE0FC 
  5FAD0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603 
  551D2304 18301680 144CFCDC 3ACAA344 42D767E9 EB41964B 94D413B1 E4301D06 
  03551D0E 04160414 4CFCDC3A CAA34442 D767E9EB 41964B94 D413B1E4 300D0609 
  2A864886 F70D0101 04050003 81810057 CAD74BC2 D40645F7 0BE40DBC 60D02692 
  73481106 4F946427 2191BB84 15950302 B0003F1D 3A244AC8 9A524E13 089F9AB9 
  592933C1 DF26BD06 7BC7CEA6 7A0D03FC 2B1F294B F592CA34 7855E87C 58CBFB73 
  64126E4B 4EECCE5C 69709CE6 738E91D9 79BDA9F3 B1C550B9 001F7D9C 177B0FF8 
  6314B16D 67666FBF 08279EB2 12D7D6
  quit
username admin privilege 15 view root password 7 xxxxxxxxxxxxxxxx
!
bridge irb
!
!
interface Loopback0
 ip address 1.2.3.1 255.255.255.255
 no ip route-cache
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers aes-ccm 
 !
 ssid bde.1231.1.ap
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 speed 100
 full-duplex
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
 hold-queue 160 in
!
interface BVI1
 ip address 192.168.1.130 255.255.255.0
 no ip route-cache
!
ip default-gateway 192.168.1.100
ip http server
ip http secure-server
ip http help-path http://www.google.com.au
ip radius source-interface BVI1 
!
radius-server local
  no authentication leap
  no authentication mac
!
radius-server attribute 32 include-in-access-req format %h
radius-server host 192.168.1.61 auth-port 1812 acct-port 1813 key 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
radius-server retransmit 5
radius-server timeout 10
radius-server vsa send accounting
!
control-plane
!
bridge 1 route ip
!
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
line vty 0 4
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 terminal-type exit
 length 0
 width 250
 escape-character 3
!
sntp server 10.1.1.1
end

AP1231.1#

Hi Matt,

On the Cisco APs it’s best to work with the CLI. Their web interface is a pain to work with. The GUI of the Cisco wireless LAN controllers is very nice though.

I took a quick look at your config and it’s looking good. Is everything working as expected?

Rene

Hi Rene, I am in the process of creating a RADIUS server for wireless LAN users to access the network as well. The problem is that I’m using standalone Cisco AIR-AP1131AG-N-K9 and Cisco AIR-AP1252AG-N-K9 access points instead of WLC controlled APs. Do you have instructions on how to set up the RADIUS server to accommodate these APs? Or can the same setup as shown above be used for both types? Also I use the CLI rather than the web based setup tools and it can be difficult translating the GUI into the CLI commands.

I also want to incorporate router SSH access on the RADIUS server so it verifies the user before he can gain privileged access. Do you have instructions for this?

Cheers,

Matt.

Hi Matt,

I do have an example for SSH with a RADIUS server. Here’s a simple example for freeradius.

First, edit /etc/freeradius/clients.conf and add the following:

client 192.168.1.1 {
        secret = MY_KEY
        nastype = cisco
        shortname = SW1
}

The switch is using IP address 192.168.1.1 and the secret key between freeradius and the switch will be “MY_KEY”.

And add the following to the /etc/freeradius/users file:

MY_USER Cleartext-Password := "MY_PASSWORD"
         Service-Type = NAS-Prompt-User,
         Cisco-AVPair = "shell:priv-lvl=15"

On your switch (or router) you need to add the following commands, I’m assuming you already configured SSH:

aaa new-model
aaa authentication login SSH group radius local
radius-server host 192.168.1.100 auth-port 1812 acct-port 1813 key MY_KEY

line vty 0 4
 login authentication SSH

Once you SSH into the switch, it will check the RADIUS server. If it fails, it will fall back to local authentication.

The configuration on the APs is a bit different. Cisco has an example that should be 99% similar:

Rene
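
Rene's freeradius example above (the clients.conf secret, the users entry with Service-Type and Cisco-AVPair, and the IOS radius-server host ... key line) and Matt's AP config earlier in the thread (radius-server host 192.168.1.61 ... key) both hinge on the RADIUS shared secret matching on both ends. The Python below is an added example, not code from the thread, from freeradius or from Cisco: it models one Access-Request / Access-Accept exchange as RFC 2865 defines it, with constructed data (MY_USER, MY_PASSWORD and MY_KEY taken from Rene's example), no network I/O, and without the optional Message-Authenticator attribute. The attribute numbers (Service-Type 6 with NAS-Prompt-User = 7, Vendor-Specific 26 with Cisco vendor ID 9 and Cisco-AVPair sub-type 1) are the standard ones; the function names are my own. It shows what the server hands back for the users entry and what happens on the NAS side when the secrets differ.

```python
"""Toy RADIUS (RFC 2865) exchange between a NAS (switch/AP) and a server.
Constructed test data only, no sockets. Added example, not freeradius or IOS code."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, SERVICE_TYPE, VENDOR_SPECIFIC = 1, 2, 6, 26
NAS_PROMPT_USER = 7            # Service-Type = NAS-Prompt-User
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1

# Stand-ins for the thread's freeradius `users` file and `clients.conf` secret (constructed)
USERS = {"MY_USER": b"MY_PASSWORD"}
SHARED_SECRET = b"MY_KEY"      # clients.conf `secret` == IOS `radius-server host ... key`


def _attr(atype, value):
    """Encode one Type/Length/Value attribute (length covers the two header bytes)."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def _parse_attrs(data):
    attrs = []
    while data:
        atype, alen = data[0], data[1]
        if alen < 2 or alen > len(data):
            raise ValueError("malformed attribute")
        attrs.append((atype, data[2:alen]))
        data = data[alen:]
    return attrs


def _hide_password(password, secret, req_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, c_i = p_i XOR MD5(secret + c_{i-1}), c_0 = Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def _reveal_password(hidden, secret, req_auth):
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(chunk, hashlib.md5(secret + prev).digest()))
        prev = chunk
    return out.rstrip(b"\x00")


def _packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def _response_authenticator(code, ident, req_auth, attrs, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(attrs)) + req_auth + attrs + secret).digest()


def nas_build_request(username, password, secret, ident=1, req_auth=None):
    """What the switch sends after `aaa authentication login SSH group radius local` kicks in."""
    req_auth = req_auth or os.urandom(16)
    attrs = _attr(USER_NAME, username.encode()) + _attr(USER_PASSWORD, _hide_password(password, secret, req_auth))
    return _packet(ACCESS_REQUEST, ident, req_auth, attrs)


def server_handle(request, secret, users):
    """Server side: recover the password with its own secret, look the user up, reply."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    req_auth = request[4:20]
    attrs = dict(_parse_attrs(request[20:]))
    username = attrs.get(USER_NAME, b"").decode(errors="replace")
    password = _reveal_password(attrs.get(USER_PASSWORD, b""), secret, req_auth)
    if username in users and hmac.compare_digest(users[username], password):
        code = ACCESS_ACCEPT
        text = b"shell:priv-lvl=15"   # the Cisco-AVPair from the users entry
        vsa = struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AVPAIR, 2 + len(text)) + text
        reply_attrs = _attr(SERVICE_TYPE, struct.pack("!I", NAS_PROMPT_USER)) + _attr(VENDOR_SPECIFIC, vsa)
    else:
        code, reply_attrs = ACCESS_REJECT, b""
    return _packet(code, ident, _response_authenticator(code, ident, req_auth, reply_attrs, secret), reply_attrs)


def nas_check_reply(request, reply, secret):
    """NAS side: verify the Response Authenticator, then extract (code, privilege level or None).
    Raises ValueError when the reply does not verify (shared secret differs or reply was altered)."""
    code, ident, _ = struct.unpack("!BBH", reply[:4])
    attrs = reply[20:]
    expected = _response_authenticator(code, ident, request[4:20], attrs, secret)
    if ident != request[1] or not hmac.compare_digest(reply[4:20], expected):
        raise ValueError("Response Authenticator mismatch: shared secret differs or reply was altered")
    priv = None
    for atype, value in _parse_attrs(attrs):
        if atype == VENDOR_SPECIFIC and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID and value[4] == CISCO_AVPAIR:
            avpair = value[6:6 + value[5] - 2].decode()
            if avpair.startswith("shell:priv-lvl="):
                priv = int(avpair.split("=", 1)[1])
    return code, priv


if __name__ == "__main__":
    req = nas_build_request("MY_USER", b"MY_PASSWORD", SHARED_SECRET)
    print(nas_check_reply(req, server_handle(req, SHARED_SECRET, USERS), SHARED_SECRET))   # (2, 15)
```

Two things worth noticing when running it: a wrong password produces a clean Access-Reject that the NAS can verify, whereas a mismatched secret yields a reject the NAS cannot verify at all (the same symptom as the `radius-server host ... key` and clients.conf `secret` disagreeing in a real deployment), and the password hiding is MD5 keyed only by that secret, which is the reason RADIUS secrets should be long and random and why RFC 2869 Message-Authenticator and RADIUS over TLS exist.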

Hi,
PEAP using MS-CHAPv2, what does it mean?
Thanks

Hi Sims,

PEAP is the mechanism that builds a secure TLS tunnel. Within this tunnel, a device authenticates itself. MS-CHAPv2 is a common authentication method.

Rene

Hi Rene,

I am still not very clear on the difference between the PEAP “method” versus the MS-CHAPv2 “protocol”. How are they different? Is PEAP similar to an SA when establishing an IPsec tunnel? Also do you have a recommendation for a good site similar to this one where we can learn more about system administration with Windows? I really enjoyed how you blended Cisco and Windows together in this lesson.

Hello Daniel

Protected Extensible Authentication Protocol (PEAP) is a protocol that encapsulates the Extensible Authentication Protocol (EAP) within an encrypted and authenticated Transport Layer Security (TLS) tunnel.

EAP, which is the protocol that is encrypted, and protected by PEAP, is an authentication framework. It is a framework that leverages various types of authentication mechanisms, one of which is MS-CHAPv2.

Conversely, MS-CHAPv2 is a method of authentication, the actual mechanism by which authentication takes place. You can take a look at normal CHAP in action at the following lesson to find out more about how it works.

I hope this has been helpful!

Laz

Hi there.
Can these steps be used for a wired implementation of EAP-TLS with 802.1x?

Hello George

Yes, the implementation is similar when applying EAP-TLS to wired networks using 802.1x. You can find out more info here:

You can also see an example of how 802.1x has been implemented on a Cisco switch at the following lesson:

By default, PEAP is used, but you can change that.

I hope this has been helpful!

Laz

Thanks; your comment was helpful.

Hello Laz ,

In EAP-TLS you have requested a User Certificate on the Windows client through the certsrv website. Is this certificate type only useful for this user, or did you mean that all users who log in to this computer can use this certificate? Is this a user certificate or a client certificate?
Thanks .

Hello Mohammad

As seen within the lesson, this is a client certificate. It can sometimes be called a user certificate as well, but the idea is that the certificate is installed within the Windows Registry of this particular Windows user. A user that logs in to the same computer with different credentials will not have this client certificate in their own registry. Therefore it is only used on a per-Windows-user basis.

I hope this has been helpful!

Laz

I read Rene’s detailed post regarding using AD and the WLC5508 to create a network policy that enrolls users to the WLAN with certificates. Is Windows server AD the only option to use 802.1x and password-less access?

Thank you

Hello John

Windows Server AD is not the only option to use 802.1x and password-less access. You can use various other platforms that leverage the RADIUS protocol including freeRADIUS, Cisco ISE, TACACS+, and Aruba ClearPass to name a few. These servers can integrate with various directory services, not just Active Directory.

The key is to have a server that supports EAP-TLS, which is the protocol used for certificate-based authentication in 802.1x. This allows the server to validate the client’s certificate to provide password-less access.

So, you have several options to choose from depending on your network infrastructure, budget, and specific requirements.

I hope this has been helpful!

Laz