Cisco WLC: EAP-TLS Secured Wireless with Certificate Services

KB ID 0001420

Problem

Ah certificates! If I had a pound for every time I’ve heard “I don’t like certificates”, I could retire! The following run through is broken down into the following parts;

Note: If you are scared of certificates, sometimes it’s easier to setup password (PEAP) Authentication, get that working then migrate to EAP-TLS, but I’ll leave that to you.

 

Setup The Cisco WLC (WLAN)

I’m assuming your WLC is deployed, and working, and all your AP’s are properly configured, we are simply going to add a RADIUS Server and configure a new wireless LAN to use that RADIUS server for authentication.

WLC RADIUS Setup

Log into the WLC web console > Security > AAA > RADIUS > authentication > New.

Specify the IP address of the RADIUS server and a shared secret (you will need to enter this on the Windows RADIUS server, so write it down!) > Apply.

WLC WLAN Setup

WLAN > Create New > Go.

Specify a profile name, and SSID for the new WLAN  > Apply

Edit your new WLAN > Select  enabled. If your WLC has many VLANs/Interfaces select the one you want your wireless clients to egress on. Note: you can also turn off SSID broadcast if you wish, remember your GPO will need an additional setting if you do this.

Security > Layer 2  >Set the following;

  • Layer 2 Security: WPA+WPA2
  • WPA +WPA2 Parameters: WPA2 Policy-AES
  • Authentication Key Management: 802.1x

 

Security Tab > AAA Servers.

  • Authentication Servers: Enabled
  • Server1: {Your RADIUS Server}
  • EAP Parameters: Enable

Note: You may wish to scroll down, and remove Local and LDAP authentication methods, but you dont have to.

Click APPLY.

 

Save Configuration > OK > OK.

SETUP Windows NAP (RADIUS)

Network Access Protection is a server ‘Role‘, Launch Server Manager > Local Server > Manage >Add Roles and Features > If you get an initial welcome page, tick the box to ‘skip’ > Next > Accept the ‘Role based or feature based installation’ > Next > Next > Add ‘Network Policy and Access Server’ > Next > Add Features > Next > Next > Network Policy Server > Next Install.

Go and have a coffee, when complete  open administrative tools ‘Network Policy Server.’ Right click NPS > Register server in Active Directory.

Radius Clients > New > Enter a friendly name >Enter the IP address of the WLC > Enter, and confirm the shared secret you used above > OK.

Note: This may be a different IP to the management IP of the WLC, ensure you enter the correct IP that the AAA requests will be coming from.

Connection Request Policies > New > Give it a sensible name > Next.

Add > NAS Port Type > Wireless- IEEE 802.11 > Wireless Other > OK > OK.

Note: You don’t actually need ‘Wireless other’, I usually add it for Meraki and it’s force of habit.

Next > Next > Next.

Next > Finish.

Network Polices> New > Give it a sensible name > Next

Add > NAS Port Type > Wireless- IEEE 802.11 > Wireless Other > OK > OK.

Note: You don’t actually need ‘Wireless other’, I usually add it for Meraki and it’s force of habit.

Next > Access granted > Next.

Add > Microsoft Smart Card or Other certificate > OK

Note: If you wanted to use PEAP then then you would add this here instead!

Untick all the bottom options, (unless you are using PEAP, which would need MS-CHAP-v2) > Next.

Edit > Ensure the certificate information for the NAP server is correct > OK > Next.

Next > Nap Enforcement > Untick ‘Enable auto remediation…’ > Next.

Finish.

Setup Certificate Auto Enrolment

Again I’m assuming you have a domain PKI/Certificate Services deployment already, if not, then follow the instructions in the post below;

Microsoft PKI Planning and Deploying Certificate Services

So rather than reinvent the wheel, I’ve already covered computer certificate auto enrolment, see the following article, then come back here when you are finished.

Deploying Certificates via ‘Auto Enrolment’

At this point: You might want to connect to the WLAN manually to make sure everything is OK before deploying the settings via GPO!

Deploy Wireless Settings via Group Policy

Remember this is a Computer Policy, so it needs to link to an OU that has computer (not user) in it, create and link a new GPO > then give it a sensible name. 

Edit the GPO.

Navigate to: Computer Configuration > Policies > Window Settings > Security Settings > Wireless Network (IEEE 802.11) Policies > Create A New Wireless Network Policy for Windows Vista and Later Releases.

Give it a name > Add > Infrastructure > Supply the Profile name and SSID, (I keep them the same to avoid confusion).

Note: As mentioned above, if you are not Broadcasting the SSID, then also tick the bottom option also.

Security Tab: Authentication = WPA2 Enterprise > Encryption = AES > Change Authentication Method to Microsoft Smart Card or other certificate > Properties > In here you can choose to verify the NAP server via its certificate, if you do then locate and tick your CA server cert in the list (as shown). Though I do not ‘verify the servers identity…’ So I would untick this option (your choice) > OK > OK > Close the Policy Editor.

Then either wait fo the policy to apply for force it.

Windows – Forcing Domain Group Policy

Troubleshooting RADIUS Authentication

On the NAP server in C:\Windows\System32\Logfiles you can find the RADIUS logs they look like INI{number}

You can also use the Event Log (Security Log) and there’s a dedicated logging section under Windows Logs. In extreme cases install Wireshark on the NAP server and scan for traffic from your WLC

Related Articles, References, Credits, or External Links

Configure Wireless Network Stings via Group Policy

Deploying Certificates via ‘Auto Enrollment’

KB ID 0000919

Problem

SHA CERTIFICATE WARNING: Note This article was written some time ago, ensure your CA environment does NOT use SHA1 for your certificates, if it does, Please visit the following link for migration instructions;

Upgrade Your Microsoft PKI Environment to SHA2 (SHA256)

I need to setup wireless authentication based on computer certificates, I’ve done similar jobs before by manually issuing certificates for Cisco AnyConnect, but this will be for NAP/RADIUS authentication to MSM. I’ll be working with Server 2008 R2 and Windows 7 clients. So task one was getting my head round ‘auto enrollment’. As stated I’m deploying Computer certificates but the process is practically the same for issuing User certificates (I’ll point out the differences where applicable).

Solution

Prerequisites: A Windows domain environment, with working DNS.

Setup a Certification Authority

1. Launch Server Manager (Servermanager.msc) Roles > Add Roles > Active Directory Certificate Services > Next > I’m going to accept all the defaults.

2. The only thing I’m going to change is the lifetime, I usually change that from 5 to 10 years (force of habit, after 5 years it will probably still be my problem, in 10 years it will be replaced, or in a skip!)

Create a Computer Certificate Template and Issue it.

3. Start > Administrative Tools > Certification Authority > Certificate Templates > Manage.

4. Locate and make a copy of the Workstation Authentication template. If you were using User certificates the you would copy the User template.

Note: I got an email a few months ago form someone who had an argument about whether to make copies or edit the originals, and was asking what I thought was best practice. Well I would ALWAYS copy a template and edit that copy. Then if you ‘stuff it up’ you still have the original. It’s always best practice to avoid looking like a cretin!

5. If you still have Server 2003 servers choose the default, if not pick 2008 > OK.

6. General Tab > Give the template a sensible name.

7. Subject Name Tab: Tick User principle name (UPN).

8. Security Tab: Ensure Domain Computers have the rights to Read and Autoenroll > OK > Close the template console.

9. Certificate templates > New > Certificate Template to Issue.

10. Pick the one you just created > OK.

11. Make sure it’s listed > Close the Certificate Authority management console.

Deploy Auto-enrolled Certificates via Group Policy

Note: You could just add this to the to the default domain group policy, and all computers would get a certificate, but for this exercise I’ve created an OU, and I’m going to create a new policy and link it there.

12. Select an OU or container that contains the computer objects you want to send certificates to.

Note: Obviously if you are sending out User certificates then link it to a user OU, (you would be surprised!)

13. Navigate to;

[box]

Computer Certificate Auto-Enrollment

Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Certificate Services Client - Auto-Enrollment

User Certificate Auto-Enrollment

User Configuration > Windows Settings > Security Settings > Public Key Policies > Certificate Services Client - Auto-Enrolment

[/box]

WARNING: If deploying user certificates read this article.

14. Enable the policy > Select the two options available > Apply > OK > Close the GPO management editor.

Test Windows Certificate Auto-Enrollment

15. Before we do anything else, you can see there are no certificates on the Windows 7 client machine, and there are no certificates ‘issued’ from the server.

Note: To see a computers certificates, you need to be logged in with administrative rights, run mmc and add in the certificates snap-in for ‘local computer’.

16. Now if I move this machine into the OU that I’ve linked the GPO to.

17. And then force that client to refresh its group policies, (or reboot it).

18. Now when you check, you can see it has received a certificate, and the server is now showing one certificate issued.

Now I’ve got to work out NAP and RADIUS and force them to use the certificates, but I’ve got a headache and I need a brew, watch this space….

Related Articles, References, Credits, or External Links

Certificate Services Error – ‘The Email name is unavailable and cannot be added to the Subject or Subject Alternate name’