Configure Eap Tls Flow With Ise
Configure Eap Tls Flow With Ise
Introduction
This documents describes how to set up a Wireless Local Area Network (WLAN) with 802.1x
security and with the use of Extensible Authentication Protocol (EAP) -Transport Layer Security
(TLS).
Prerequisites
Requirements
Components Used
The information in this document is based on these software and hardware versions:
Background Information
EAP-TLS Flow
2. AP does not permit the client to send any data at this point and sends an authentication
request.
3. The supplicant then responds with an EAP-Response Identity. The WLC then communicates
the user-id information to the Authentication Server.
4. RADIUS server responds back to the client with an EAP-TLS Start Packet. The EAP-TLS
conversation starts at this point.
5. The peer sends an EAP-Response back to the authentication server which contains a
"client_hello" handshake message, a cipher that is set for NULL.
6. The authentication server responds with an Access-challenge packet that contains:
TLS server_hello
handshake message
certificate
server_key_exchange
certificate request
server_hello_done.
7. Client responds with a EAP-Response message that contains:
client_key_exchange
change_cipher_spec
TLS finished
8. After the client authenticates successfully, the RADIUS server responds with an Access-
challenge, which contains the "change_cipher_spec" and handshake finished message.
Upon receiving this, the client verifies the hash in order to authenticate the radius server. A
new encryption key is dynamically derived from the secret during the TLS handshake.
9. At this point, the EAP-TLS enabled wireless client can access the wireless network.
Configure
Cisco Wireless LAN Controller
Step 1. The first step is to configure the RADIUS server on the Cisco WLC. In order to add a
RADIUS server, navigate to Security > RADIUS > Authentication. Click New as shown in the
image.
Step 2. Here, you need to enter the IP address and the shared secret <password> that is used in
order to validate the WLC on the ISE. Click Apply in order to continue as shown in the image.
Step 3. Create WLAN for RADIUS Authentication.
Now, you can create a new WLAN and configure it to use WPA-enterprise mode, so it can use
RADIUS for authentication.
Step 4. Select WLANs from the main menu, choose Create New and click Go as shown in the
image.
Step 5. Let's name the new WLAN EAP. Click Apply in order to continue as shown in the image.
Step 6. Click General and ensure that the Status is Enabled. The default Security Policies is
802.1X authentication and WPA2 as shown in the image.
Step 7. Now, navigate to Security > AAA Servers tab, select the RADIUS server that you just
configured and as shown in the image.
Note: It is a good idea to verify that you can reach the RADIUS server from the WLC before
you continue. RADIUS uses UDP port 1812 (for authentication), so you need to ensure that
this traffic does not get blocked anywhere in the network.
EAP-TLS Settings
In order to build the policy, you need to create the allowed protocol list to use in our policy. Since a
dot1x policy is written, specify the allowed EAP type based on how the policy is configured.
If you use the default, you allow most EAP types for authentication which might not be preferred if
you need to lock down access to a specific EAP type.
Step 1. Navigate toPolicy > Policy Elements > Results > Authentication > Allowed
Protocolsand clickAdd as shown in the image.
Step 2. On this Allowed Protocol list, you can enter the name for the list. In this case, Allow EAP-
TLS box is checked and other boxes are unchecked as shown in the image.
WLC Settings on ISE
Step 1. Open ISE console and navigate to Administration > Network Resources > Network
Devices > Add as shown in the image.
Step 1. Navigate to Administration > Identity Management > Identities > Users > Add as
shown in the image.
Step 1. Navigate to Administration > System > Certificates > Certificate Management >
Trusted certificates.
Click Import in order to import a certificate to ISE. Once you add a WLC and create a user on ISE,
you need to do the most important part of EAP-TLS that is to trust the certificate on ISE. For that
we need to generate CSR.
Step 2. Navigate to Administrauon > Certificates > Certificate Signing Requests > Generate
Certificate Signing Requests (CSR) as shown in the image.
Step 3. In order to generate CSR, navigate to Usage and from the Certificate(s) will be used for
drop down options select EAP Authentication as shown in the image.
Step 4. The CSR generated on ISE can be viewed. Click View as shown in the image.
Step 5. Once CSR is generated, browse for CA server and click Request a certificate as shown
in the image:
Step 6. Once you request a certificate, you get options for User Certificate and advanced
certificate request, click advanced certificate request as shown in the image.
Step 7. Paste the CSR generated in Base-64 encoded certificate request. From the Certificate
Template: drop down option, choose Web Server and click Submit as shown in the image.
Step 8. Once you click Submit, you get the option to select the type of certificate, select Base-64
encoded and click Download certificate chain as shown in the image.
Step 9. The certificate download is completed for the ISE server. You can extract the certificate,
the certificate will contain two certificates, one root certificate and other intermediate. The root
certificate can be imported under Administration > Certifictes > Trusted certificates > Import
as shown in the images.
Step 10. Once you click Submit, the certificate is added to the trusted certificate list. Also, the
intermediate certificate is needed in order to bind with CSR as shown in the image.
Step 11. Once you click on Bind certificate, there is an option to choose the certificate file saved
in your desktop. Browse to the intermediate certificate and click Submit as shown in the image.
Step 12. In order to view the certificate, navigate to Administration > Certificates > System
Certificates as shown in the image.
Step 1. In order to authenticate a wireless user through EAP-TLS, you have to generate a client
certificate. Connect your Windows computer to the network so that you can access the server.
Open a web browser and enter this address: https://sever ip addr/certsrv---
Step 2. Note that the CA must be the same with which the certificate was downloaded for ISE.
For this, you need to browse for the same CA server that you used to download the certificate for
server. On the same CA, click Request a certificate as previously done, however this time you
need to select User as the Certificate Template as shown in the image.
Step 3. Then, click download certificate chain as was done previously for server.
Once you get the certificates, follow these steps in order to import the certificate on windows
laptop:
Step 4. In order to import the certificate, you need to access it from the Microsoft Management
Console (MMC).
1. In order to open the MMC navigate to Start > Run > MMC.
2. Navigate to File > Add / Remove Snap In
3. Double Click Certificates.
4. SelectComputer Account.
5. Select Local Computer > Finish
6. Click OK in order to exit the Snap-In window.
7. Click [+] next to Certificates > Personal > Certificates.
8. Right click on Certificates and select All Tasks > Import.
9. Click Next.
10. Click Browse.
11. Select the .cer, .crt, or .pfx you would like to import.
12. Click Open.
13. Click Next.
14. Select Automatically select the certificate store based on the type of certificate.
15. Click Finish & OK
Once import of certificate is done, you need to configure your wireless client (windows desktop in
this example) for EAP-TLS.
Step 1. Change the wireless profile that was created earlier for Protected Extensible
Authentication Protocol (PEAP) in order to use the EAP-TLS instead. Click EAP wireless profile.
Step 2. Select Microsoft: Smart Card or other certificate and click OK shown in the image.
Step 3. Click settings and select the root certificate issued from CA server as shown in the image.
Step 4. Click Advanced Settings and select User or computer authentication from the 802.1x
settings tab as shown in the image.
Step 5. Now, try to connect again to the wireless network, select the correct profile (EAP in this
example) and Connect. You are connected to the wireless network as shown in the image.
Verify
Use this section in order to confirm that your configuration works properly.
Step 1. The client policy manager state should show as RUN. This means that the client has
completed authentication, obtained IP address and is ready to pass the traffic shown in the image.
Step 2. Also verify the correct EAP method on WLC in the client details page as shown in the
image.
Step 3. Here are the client detail from CLI of the controller (output clipped):