Configure Local EAP on WLC

Local EAP is an authentication method that lets users and wireless clients be authenticated locally on the controller. It is designed for remote offices that want to keep wireless clients connected when the external authentication server goes down. When local EAP is enabled, the controller acts as both the authentication server and the local user database, which removes the dependence on an external authentication server. Local EAP retrieves user credentials from the local user database or from an LDAP backend database to authenticate users. Local EAP supports LEAP, EAP-FAST, EAP-TLS, PEAPv0/MSCHAPv2 and PEAPv1/GTC authentication between the controller and wireless clients. (LEAP runs its MS-CHAP exchange without a protective TLS tunnel and the captured hashes can be cracked offline, so avoid it; prefer EAP-TLS, or EAP-FAST/PEAP with a server certificate the clients actually validate.)

If any RADIUS servers are configured on the controller, the controller tries to authenticate wireless clients against those RADIUS servers first. Local EAP is attempted only if no RADIUS server answers, either because the configured servers timed out or because none are configured. If four RADIUS servers are configured, the controller tries the first RADIUS server, then the second, and then local EAP. If the client then re-authenticates manually, the controller tries the third RADIUS server, then the fourth, and then local EAP. If the controller should never try an external RADIUS server for a WLAN, disable RADIUS authentication on that WLAN with this CLI command: config wlan radius_server auth disable wlan_id

Note: Local EAP profiles are not supported on OfficeExtend 600 series APs.

EAP Topology


We can create network users on the WLC either via the GUI or the CLI. Two user types can be defined (Permanent and Guest). If the WLAN ID is set to 0, the user is allowed on any WLAN. For a guest user you also specify a lifetime (2 hours, i.e. 7200 seconds, in my example).

In my example a separate WLAN named "Test" with WLAN ID 8 is used for testing.

How to create Local network users on WLC:

Via GUI:

Login to WLC, go to Security > AAA > Local Net Users and on right side click on New to add.

Local user wlc

In my example, I will create two permanent users and one guest user.

Local user edit

Here are all 3 local users in my WLC:

2 Permanent User
1 Guest User

List local user

Via CLI:

Here is the procedure to create a network user via the CLI.

(WLAN1) >config netuser ?
add            Creates a local network user.
delete         Delete an existing network user.
description    Sets the description for a network user.
lifetime       Configures the lifetime for a Guest Network User. Valid range is 60 to 31536000 seconds.
maxUserLogin   Configures the maximum number of login sessions allowed for a network user
password       Configures a password for a network user.
wlan-id        Configures a Wireless LAN Id for a network user.
(WLAN1) >config netuser add ?
<username>     Enter name up to 50 alphanumeric characters.
(WLAN1) >config netuser add sandeep ?
<password>     Enter password up to 24 alphanumeric characters.
(WLAN1) >config netuser add sandeep cisco ?
wlan           Enter a Wireless LAN Identifier to associate with or zero for any.
(WLAN1) >config netuser add sandeep cisco wlan ?
<WLAN id>      Enter a Wireless LAN Identifier to associate with or zero for any.
(WLAN1) >config netuser add sandeep cisco wlan 8 ?
userType       Enter the keyword 'userType'.
(WLAN1) >config netuser add sandeep cisco wlan 8 userType permanent ?
description    Enter the keyword 'description'.
(WLAN1) >config netuser add sandeep cisco wlan 8 userType permanent description testlab ?
(WLAN1) >config netuser add sandeep cisco wlan 8 userType permanent description testlab
(WLAN1) >config netuser add sandeep1 cisco wlan 8 userType permanent description testlab
(WLAN1) >config netuser add sandeep2 cisco wlan 8 userType guest lifetime 7200 description testlab

If the WLAN does not have web-auth security configured, the controller refuses to add a guest user:

WLAN does not have Web-Auth security configured. Guest user not added.
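The CLI help above states the controller's limits (names up to 50 alphanumerics, passwords up to 24, guest lifetime 60 to 31536000 seconds) and the guest-needs-web-auth rule. The following script is an added example, not code from the post: it turns a user list into `config netuser add` lines, enforces those limits before anything is sent to the controller, and replaces the static "cisco" password with a random one. WLAN 9 as a web-auth guest WLAN, the single-word description restriction, and the rejection of guest users on WLAN 0 (the "any WLAN" value, which cannot be checked for web-auth) are assumptions of this tool, not controller rules.

```python
import re
import secrets
import string

# Limits taken from the controller's `config netuser ... ?` help text above.
MAX_NAME_LEN = 50
MAX_PASS_LEN = 24
LIFETIME_RANGE = (60, 31536000)          # seconds, guest users only
ALNUM_RE = re.compile(r"^[A-Za-z0-9]+$")

# Constructed sample data, not from the page: WLAN 8 is the "Test" WLAN used
# above (no web-auth); WLAN 9 is an assumed guest WLAN with web-auth security.
WEBAUTH_WLANS = {9}


def gen_password(length=MAX_PASS_LEN):
    """Random alphanumeric password that fits the 24-character CLI limit;
    use this instead of a shared static password such as 'cisco'."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def netuser_cmd(username, password, wlan_id, user_type, lifetime=None,
                description="testlab", webauth_wlans=WEBAUTH_WLANS):
    """Return one `config netuser add` line, or raise ValueError with the
    complaint the controller would make."""
    if not (ALNUM_RE.match(username) and len(username) <= MAX_NAME_LEN):
        raise ValueError("username must be 1-50 alphanumeric characters")
    if not (ALNUM_RE.match(password) and len(password) <= MAX_PASS_LEN):
        raise ValueError("password must be 1-24 alphanumeric characters")
    if not isinstance(wlan_id, int) or wlan_id < 0:
        raise ValueError("wlan id must be 0 (any WLAN) or a WLAN id")
    if not ALNUM_RE.match(description):
        # Assumption: one word keeps us clear of the CLI's quoting rules.
        raise ValueError("description must be a single alphanumeric word")
    if user_type == "permanent":
        if lifetime is not None:
            raise ValueError("lifetime applies to guest users only")
        tail = ""
    elif user_type == "guest":
        if lifetime is None or not LIFETIME_RANGE[0] <= lifetime <= LIFETIME_RANGE[1]:
            raise ValueError("guest lifetime must be 60-31536000 seconds")
        # Mirror the controller: a guest needs a web-auth WLAN. WLAN 0 is
        # rejected here because "any WLAN" cannot be checked (tool's choice).
        if wlan_id not in webauth_wlans:
            raise ValueError("WLAN does not have Web-Auth security configured. "
                             "Guest user not added.")
        tail = f" lifetime {lifetime}"
    else:
        raise ValueError("userType must be 'permanent' or 'guest'")
    return (f"config netuser add {username} {password} wlan {wlan_id} "
            f"userType {user_type}{tail} description {description}")


def render_netusers(users, webauth_wlans=WEBAUTH_WLANS):
    """Build the command list for a batch; every row is validated before any
    line is emitted, so a bad row does not leave the controller half-provisioned."""
    cmds = [netuser_cmd(webauth_wlans=webauth_wlans, **u) for u in users]
    return cmds + ["save config"]


if __name__ == "__main__":
    batch = [  # constructed sample users mirroring the three created above
        {"username": "sandeep", "password": gen_password(), "wlan_id": 8, "user_type": "permanent"},
        {"username": "sandeep1", "password": gen_password(), "wlan_id": 8, "user_type": "permanent"},
        {"username": "sandeep2", "password": gen_password(), "wlan_id": 9, "user_type": "guest", "lifetime": 7200},
    ]
    print("\n".join(render_netusers(batch)))
```

Paste the printed lines into the WLC CLI, or feed them to whatever SSH automation you already use; the script itself never talks to the controller.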

Create local EAP settings on WLC:

Step1: Configure the general settings for local EAP (the EAP timers).

Via GUI:

Go to Security > Local EAP > General

EAP general

Specify values for the local EAP timers

Via CLI:

These are the commands for configuring the EAP timers:

(WLAN1) >config local-auth active-timeout ?
<1 to 3600>    Enter the timeout period for the Local EAP to remain active, in seconds.
(WLAN1) >config local-auth active-timeout 300
(WLAN1) >config advanced eap identity-request-timeout ?
<seconds>      Enter the number of seconds between 1 and 120
(WLAN1) >config advanced eap identity-request-timeout 30
(WLAN1) >config advanced eap identity-request-retries ?
<retries>      Enter the number of retries between 1 and 20
(WLAN1) >config advanced eap identity-request-retries 2
(WLAN1) >config advanced eap key-index ?
<key-index>    Enter the key index value, 0 or 3.
(WLAN1) >config advanced eap key-index 0
(WLAN1) >config advanced eap request-timeout ?
<seconds>      Enter the number of seconds between 1 and 120
(WLAN1) >config advanced eap request-timeout 30
(WLAN1) >config advanced eap request-retries ?
<retries>      Enter the number of retries between 0 and 20
(WLAN1) >config advanced eap request-retries 2
(WLAN1) >config advanced eap max-login-ignore-identity-response ?
enable         ignore the same username reaching max in the EAP identity response
disable        check the same username reaching max in the EAP identity response
(WLAN1) >config advanced eap max-login-ignore-identity-response enable
(WLAN1) >config advanced eap eapol-key-timeout ?
<milliseconds> Enter the number of milliseconds between 200 and 5000
(WLAN1) >config advanced eap eapol-key-timeout 1000
(WLAN1) >config advanced eap eapol-key-retries ?
<retries>      Enter the number of retries between 0 and 4
(WLAN1) >config advanced eap eapol-key-retries 2

Step2: Create a local EAP profile, which specifies the EAP authentication types the wireless clients may use. I have created a profile named "Test-Local-EAP" and enabled EAP-FAST, EAP-TLS and PEAP as the allowed protocols.

Via GUI:

EAP profile

Choose Security > Local EAP > Profiles to open the Local EAP Profiles page; up to 16 local EAP profiles can be created. Click New to open the Local EAP Profiles > New page. In the Profile Name text box, enter a name for the new profile (Test-Local-EAP) and click Apply.

When the Local EAP Profiles page reappears, click the name of the new profile (Test-Local-EAP). The Local EAP Profiles > Edit page appears. Select the EAP-FAST, EAP-TLS and/or PEAP check boxes to specify the EAP types that can be used for local authentication, then click Apply.

*** If EAP-FAST is chosen and the device certificate on the controller should be used for authentication, select the Local Certificate Required check box. To use EAP-FAST with PACs instead of certificates, leave this check box unselected (the default).

EAP profile edit

EAP-FAST parameters can be changed under Security > Local EAP > EAP-FAST Parameters, as shown below.

EAP Fast

Step3: Now enable local EAP on a WLAN.

Choose WLANs to open the WLANs page.


Click the ID number of the Test WLAN.


When the WLANs > Edit page appears, choose the Security > AAA Servers tab to open the WLANs > Edit (Security > AAA Servers) page. Select the Local EAP Authentication check box to enable local EAP for this WLAN. From the EAP Profile Name drop-down list, choose the EAP profile to use for this WLAN.

*** Leave RADIUS server authentication disabled for this WLAN (do not check the Authentication Servers box). Otherwise the controller tries the RADIUS servers first and falls back to local EAP only after they time out.

EAPonwlan3

Click Apply to save.

Via CLI:

Create a local EAP profile

(WLAN1) >config local-auth eap-profile add ?
<profile-name> Enter the profile name, up to 63 alphanumeric characters.
(WLAN1) >config local-auth eap-profile add Test-Local-EAP
Add an EAP method to a local EAP profile by entering this command:
(WLAN1) >config local-auth eap-profile method ?
add            Adds a method to a Local EAP Profile.
delete         Deletes a method from a Local EAP Profile.
fast           Configure EAP-FAST parameters.
(WLAN1) >config local-auth eap-profile method add ?
<EAP-profile-method> Method for an EAP Profile.
(WLAN1) >config local-auth eap-profile method add fast Test-Local-EAP
(WLAN1) >config local-auth eap-profile method add tls Test-Local-EAP
(WLAN1) >config local-auth eap-profile method add peap Test-Local-EAP
Configure the EAP-FAST parameters if EAP-FAST was added to the profile by entering this command. Keep anon-prov disabled where you can: anonymous in-band PAC provisioning runs over an unauthenticated TLS tunnel, so an attacker impersonating the controller can sit in the middle of the provisioning exchange. Provision PACs with the controller's certificate or out of band instead:
(WLAN1) >config local-auth method fast ?
anon-prov      Configures whether anonymous provision is allowed.
authority-id   Set the authority identifier.
pac-ttl        Set Time to Live for the PAC (Protected Access Credentials).
server-key     Set the server key to encrypt/decrypt PACs.
Enable local EAP and attach an EAP profile to a WLAN by entering this command:
(WLAN1) >config wlan local-auth enable Test-Local-EAP ?
<wlanid>       Enables the EAP profile on this WLAN.
(WLAN1) >config wlan local-auth enable Test-Local-EAP 8

Save your changes by entering this command:

(WLAN1) >save config
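Steps 1 to 3 are one procedure, and every value in it has a range the CLI help above spells out. The script below is an added example, not code from the post or from Cisco: it renders the whole local EAP configuration (timers, profile, methods, WLAN binding, save) as CLI lines in the order they should be typed, rejects out-of-range timers and the key-index values the controller would refuse, blocks LEAP unless the caller explicitly accepts the risk, and includes the `config wlan radius_server auth disable` line so the WLAN never tries RADIUS first. Two assumptions are mine: that `config wlan` security changes are only accepted while the WLAN is disabled (hence the disable/enable wrapper), and that a "retries" count means re-sends after the first request when computing how long a silent client can hold the identity phase.

```python
import re
from dataclasses import dataclass, field

# Ranges copied from the `config advanced eap ... ?` help text above.
TIMER_RANGES = {
    "identity-request-timeout": (1, 120),   # seconds
    "identity-request-retries": (1, 20),
    "request-timeout": (1, 120),            # seconds
    "request-retries": (0, 20),
    "eapol-key-timeout": (200, 5000),       # milliseconds
    "eapol-key-retries": (0, 4),
}
ACTIVE_TIMEOUT_RANGE = (1, 3600)            # config local-auth active-timeout
KEY_INDEX_VALUES = (0, 3)                   # config advanced eap key-index
PROFILE_RE = re.compile(r"^[A-Za-z0-9_-]{1,63}$")
# Method keywords as used by `config local-auth eap-profile method add`.
STRONG_METHODS = ("fast", "tls", "peap")
WEAK_METHODS = ("leap",)   # accepted by local EAP, but crackable offline


@dataclass
class LocalEapConfig:
    profile: str
    wlan_id: int
    methods: tuple = STRONG_METHODS
    active_timeout: int = 300
    timers: dict = field(default_factory=dict)   # name -> value, names from TIMER_RANGES
    key_index: int = 0
    ignore_max_login_on_identity: bool = True    # max-login-ignore-identity-response
    allow_weak: bool = False

    def validate(self):
        """Raise ValueError for anything the controller (or policy) would reject."""
        if not PROFILE_RE.match(self.profile):
            raise ValueError("profile name: 1-63 characters, no spaces")
        if self.wlan_id < 1:
            raise ValueError("a profile is attached to one specific WLAN id")
        lo, hi = ACTIVE_TIMEOUT_RANGE
        if not lo <= self.active_timeout <= hi:
            raise ValueError(f"active-timeout must be {lo}-{hi} seconds")
        for name, value in self.timers.items():
            if name not in TIMER_RANGES:
                raise ValueError(f"unknown EAP timer {name!r}")
            lo, hi = TIMER_RANGES[name]
            if not lo <= value <= hi:
                raise ValueError(f"{name} must be {lo}-{hi}, got {value}")
        if self.key_index not in KEY_INDEX_VALUES:
            raise ValueError("key-index must be 0 or 3")
        if not self.methods:
            raise ValueError("at least one EAP method is required")
        for m in self.methods:
            if m not in STRONG_METHODS + WEAK_METHODS:
                raise ValueError(f"unknown EAP method {m!r}")
            if m in WEAK_METHODS and not self.allow_weak:
                raise ValueError(f"{m} refused: set allow_weak=True to accept the risk")

    def max_identity_phase_seconds(self):
        """Longest a silent client can sit in the identity phase. Assumption:
        'retries' counts re-sends after the first request, so timeout*(retries+1).
        Falls back to the values this post configures (30 s, 2 retries)."""
        t = self.timers.get("identity-request-timeout", 30)
        r = self.timers.get("identity-request-retries", 2)
        return t * (r + 1)

    def render(self):
        """Emit the CLI lines for steps 1-3 in the order they should be typed."""
        self.validate()
        cmds = [f"config local-auth active-timeout {self.active_timeout}"]
        cmds += [f"config advanced eap {n} {v}" for n, v in self.timers.items()]
        cmds.append(f"config advanced eap key-index {self.key_index}")
        state = "enable" if self.ignore_max_login_on_identity else "disable"
        cmds.append(f"config advanced eap max-login-ignore-identity-response {state}")
        cmds.append(f"config local-auth eap-profile add {self.profile}")
        cmds += [f"config local-auth eap-profile method add {m} {self.profile}"
                 for m in self.methods]
        # Assumption: WLAN security changes are only accepted while the WLAN is
        # disabled, so the binding is wrapped in a disable/enable pair.
        cmds.append(f"config wlan disable {self.wlan_id}")
        # Never let this WLAN try RADIUS first; otherwise local EAP only runs
        # after every configured RADIUS server has timed out.
        cmds.append(f"config wlan radius_server auth disable {self.wlan_id}")
        cmds.append(f"config wlan local-auth enable {self.profile} {self.wlan_id}")
        cmds.append(f"config wlan enable {self.wlan_id}")
        cmds.append("save config")
        return cmds


if __name__ == "__main__":
    cfg = LocalEapConfig("Test-Local-EAP", 8, timers={   # the values used in this post
        "identity-request-timeout": 30, "identity-request-retries": 2,
        "request-timeout": 30, "request-retries": 2,
        "eapol-key-timeout": 1000, "eapol-key-retries": 2})
    print("\n".join(cfg.render()))
    print(f"# a silent client can hold the identity phase for up to "
          f"{cfg.max_identity_phase_seconds()} s")
```

The identity-phase figure is the reason not to push the timers up casually: with 30 seconds and 2 retries, each non-answering client ties up the exchange for a minute and a half before the controller gives up on it.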

Let's test EAP-FAST and PEAP. (EAP-TLS needs certificates on both the client and the server side; installing them is not possible for me right now, so that will be covered in a future post.)

First, check a PEAP client association:

PEAP client asso

Now check an EAP-FAST client association:

EAP Fast client asso

If anyone finds an error in this post, please let me know or just comment here 🙂
