Cisco WLC: EAP-TLS Secured Wireless with Certificate Services

KB ID 0001420

Problem

Ah certificates! If I had a pound for every time I’ve heard “I don’t like certificates”, I could retire! The following run through is broken down into four parts: setting up the Cisco WLC, setting up Windows NPS (RADIUS), setting up certificate auto enrolment, and deploying the wireless settings via Group Policy.

Note: If you are scared of certificates, it is sometimes easier to set up password (PEAP) authentication, get that working, then migrate to EAP-TLS; I’ll leave that to you.

 

Setup The Cisco WLC (WLAN)

I’m assuming your WLC is deployed and working and all your APs are properly configured; we are simply going to add a RADIUS server and configure a new wireless LAN that uses that RADIUS server for authentication.

WLC RADIUS Setup

Log into the WLC web console > Security > AAA > RADIUS > authentication > New.

Specify the IP address of the RADIUS server and a shared secret (you will need to enter this on the Windows RADIUS server, so write it down!) > Apply. Use a long, random secret: it is the only thing authenticating the WLC to the RADIUS server, and the RADIUS protocol offers no stronger protection than the secret itself.

WLC WLAN Setup

WLAN > Create New > Go.

Specify a profile name, and SSID for the new WLAN  > Apply

Edit your new WLAN > General tab > tick Enabled (Status). If your WLC has many VLANs/interfaces, select the one you want your wireless clients to egress on. Note: you can also turn off SSID broadcast if you wish; remember your GPO will need an additional setting if you do this.

Security Tab > Layer 2 > set the following:

  • Layer 2 Security: WPA+WPA2
  • WPA+WPA2 Parameters: WPA2 Policy, AES
  • Authentication Key Management: 802.1X

 

Security Tab > AAA Servers.

  • Authentication Servers: Enabled
  • Server1: {Your RADIUS Server}
  • EAP Parameters: Enable

Note: You may wish to scroll down and remove the Local and LDAP authentication methods, but you don’t have to.

Click APPLY.

 

Save Configuration > OK > OK.

Setup Windows NPS (RADIUS)

Network Policy Server (NPS) is the Windows RADIUS server; it is installed as part of the ‘Network Policy and Access Services’ server role. Launch Server Manager > Local Server > Manage > Add Roles and Features > If you get an initial welcome page, tick the box to ‘skip’ > Next > Accept ‘Role based or feature based installation’ > Next > Next > Add ‘Network Policy and Access Services’ > Next > Add Features > Next > Next > Network Policy Server > Next > Install.

Go and have a coffee. When complete, open Administrative Tools > ‘Network Policy Server’. Right click NPS (Local) > Register server in Active Directory.

RADIUS Clients > New > Enter a friendly name > Enter the IP address of the WLC > Enter and confirm the shared secret you used above > OK.

Note: This may be a different IP to the management IP of the WLC, ensure you enter the correct IP that the AAA requests will be coming from.

Connection Request Policies > New > Give it a sensible name > Next.

Add > NAS Port Type > Wireless- IEEE 802.11 > Wireless Other > OK > OK.

Note: You don’t actually need ‘Wireless other’, I usually add it for Meraki and it’s force of habit.

Next > Next > Next.

Next > Finish.

Network Policies > New > Give it a sensible name > Next.

Add > NAS Port Type > Wireless- IEEE 802.11 > Wireless Other > OK > OK.

Note: You don’t actually need ‘Wireless other’, I usually add it for Meraki and it’s force of habit.

Next > Access granted > Next.

Add > Microsoft: Smart Card or other certificate > OK.

Note: If you wanted to use PEAP then then you would add this here instead!

Untick all the ‘less secure authentication methods’ at the bottom; EAP-TLS needs none of them (PEAP would need MS-CHAP-v2 ticked) > Next.

Edit > Ensure the certificate shown for the NPS server is correct: it must be issued by a CA your clients trust and carry the Server Authentication purpose, because this is the certificate clients validate during the EAP-TLS exchange > OK > Next.

Next > NAP Enforcement > Untick ‘Enable auto-remediation…’ (NAP itself is not used here) > Next.

Finish.
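The NPS steps above as a script, added here as an example and not part of the original article. It installs the role, registers NPS in AD and creates the RADIUS client with a generated secret rather than a typed one. The client name WLC01, the WLC address 10.10.0.5 and the backup path are placeholders. The connection request and network policies have no PowerShell cmdlets, so those still go through the wizard.

```powershell
# Added example, not from the original post. Run elevated on the future NPS server.
# Placeholders: the WLC's RADIUS source address (10.10.0.5), the client name, backup path.

# 1. Install Network Policy and Access Services (this is where NPS lives).
Install-WindowsFeature -Name NPAS -IncludeManagementTools

# 2. Register NPS in Active Directory (adds it to the 'RAS and IAS Servers' group)
#    so it can read account dial-in properties; same as the GUI right-click.
netsh ras add registeredserver

# 3. Make the shared secret long and random rather than memorable. It is the only
#    thing that authenticates the WLC to NPS, and RADIUS protects little else.
function New-RadiusSharedSecret {
    param([int]$Length = 32)
    # Alphanumerics only, so the WLC GUI and CLI both accept it unchanged.
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf   = New-Object byte[] 1
    $sb    = New-Object System.Text.StringBuilder
    # Largest multiple of the alphabet size that fits in a byte; bytes at or
    # above it are rejected so every character is drawn uniformly.
    $limit = $alphabet.Length * [int][math]::Floor(256 / $alphabet.Length)
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void]$sb.Append($alphabet[$buf[0] % $alphabet.Length]) }
    }
    $sb.ToString()
}

$secret = New-RadiusSharedSecret

# 4. Add the WLC as a RADIUS client; Security > AAA on the WLC must use the same IP and secret.
New-NpsRadiusClient -Name 'WLC01' -Address '10.10.0.5' -SharedSecret $secret | Out-Null
Get-NpsRadiusClient -Name 'WLC01'

# Show the secret once for typing into the WLC, then drop it from the session.
Write-Host "Shared secret for WLC01 (enter it on the WLC now): $secret"
Remove-Variable secret

# 5. Once the policies are built in the wizard, keep an export that includes the
#    secrets somewhere safe; it restores the whole NPS configuration in one go.
netsh nps export filename="C:\Backup\nps-config.xml" exportPSK=YES
```

The RADIUS client address must be the one the WLC sources its AAA traffic from (see the note below about the management IP); NPS silently drops requests from addresses it does not know.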

Setup Certificate Auto Enrolment

Again I’m assuming you have a domain PKI/Certificate Services deployment already, if not, then follow the instructions in the post below;

Microsoft PKI Planning and Deploying Certificate Services

So rather than reinvent the wheel, I’ve already covered computer certificate auto enrolment, see the following article, then come back here when you are finished.

Deploying Certificates via ‘Auto Enrolment’

At this point: You might want to connect to the WLAN manually to make sure everything is OK before deploying the settings via GPO!
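Before the manual connection test, confirm the machine actually has a certificate that EAP-TLS can use. This is an added example, not part of the original article; it assumes only that auto enrolment delivers machine certificates to the local computer’s Personal store, which is its default behaviour.

```powershell
# Added example, not from the original post. Run on a client after auto enrolment.
function Get-EapTlsClientCertificate {
    # What the EAP-TLS supplicant needs: a certificate in LocalMachine\My with a
    # private key, the Client Authentication purpose, still in date, and a chain
    # this machine can build (if it cannot, NPS certainly will not).
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'
    Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
        $eku = $_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }   # Enhanced Key Usage
        $hasClientAuth = $false
        if ($eku) {
            $usages = ([System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$eku).EnhancedKeyUsages
            $hasClientAuth = [bool]($usages | Where-Object { $_.Value -eq $clientAuthOid })
        }
        $chainOk = $_.Verify()   # trust and revocation as seen from this machine
        [pscustomobject]@{
            Subject       = $_.Subject
            Issuer        = $_.Issuer
            NotAfter      = $_.NotAfter
            Thumbprint    = $_.Thumbprint
            HasPrivateKey = $_.HasPrivateKey
            ClientAuthEku = $hasClientAuth
            ChainBuilds   = $chainOk
            Usable        = $_.HasPrivateKey -and $hasClientAuth -and $chainOk -and ($_.NotAfter -gt (Get-Date))
        }
    }
}

$certs = Get-EapTlsClientCertificate
$certs | Format-Table Subject, Issuer, NotAfter, HasPrivateKey, ClientAuthEku, ChainBuilds, Usable -AutoSize

if (-not ($certs | Where-Object Usable)) {
    # Nothing usable yet: trigger auto enrolment now instead of waiting for the
    # next policy refresh, then look again.
    certutil -pulse
    Write-Warning 'No EAP-TLS capable machine certificate found; auto enrolment triggered, re-run in a minute.'
}
```

A certificate that shows HasPrivateKey but ChainBuilds false usually means the root (or the issuing CA) has not reached the machine’s trust stores yet, which will also break the server validation step in the GPO below.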

Deploy Wireless Settings via Group Policy

Remember this is a computer policy, so it needs to link to an OU that has computers (not users) in it; create and link a new GPO, then give it a sensible name.

Edit the GPO.

Navigate to: Computer Configuration > Policies > Windows Settings > Security Settings > Wireless Network (IEEE 802.11) Policies > Create A New Wireless Network Policy for Windows Vista and Later Releases.

Give it a name > Add > Infrastructure > Supply the Profile name and SSID, (I keep them the same to avoid confusion).

Note: As mentioned above, if you are not broadcasting the SSID, also tick the bottom option (‘Connect even if the network is not broadcasting’).

Security Tab: Authentication = WPA2-Enterprise > Encryption = AES > change the authentication method to Microsoft: Smart Card or other certificate > Properties. Leave ‘Verify the server’s identity by validating its certificate’ ticked, locate and tick your CA in the Trusted Root Certification Authorities list (as shown), and enter your NPS server’s FQDN under ‘Connect to these servers’. Unticking server verification makes the setup ‘just work’, but it means the client will run EAP with any RADIUS server sitting behind any AP that advertises your SSID, so a rogue AP can lure clients onto a hostile network; only untick it in a lab > OK > OK > Close the Policy Editor.

Then either wait for the policy to apply, or force it.

Windows – Forcing Domain Group Policy

Troubleshooting RADIUS Authentication

On the NPS server in C:\Windows\System32\LogFiles you can find the RADIUS accounting logs; by default they are named IN{yymm}.log (one file per month) and use the IAS format.

You can also use the Event Viewer: NPS writes its audit events to the Security log (6272 = access granted, 6273 = access denied, each carrying a Reason Code and reason text), and there is a dedicated view under Custom Views > Server Roles > Network Policy and Access Services. If no 6272/6273 events appear at all, enable the audit subcategory with auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable. In extreme cases install Wireshark on the NPS server and capture RADIUS (UDP 1812/1813) traffic from your WLC: a request that never arrives is a firewall or source-address problem, while one that arrives and gets no reply usually means NPS discarded it because the client address is unknown or the shared secret does not match.
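Reading 6273 events one at a time gets old quickly. The script below, an added example rather than anything from the original article, groups denials by reason code and tags the codes that come up most with EAP-TLS. The two event messages embedded in it are constructed samples in the layout NPS uses; pass -UseEventLog on the NPS server to read the live Security log instead. The reason-code hints are the standard NPS meanings; the full reason text is in each event anyway.

```powershell
# Added example, not from the original post. Summarise NPS access-denied events
# (Security log ID 6273) by reason code. Sample messages below are constructed.

# Quick "what to check" notes for codes that are common with EAP-TLS.
$ReasonHints = @{
    16  = 'Credentials mismatch (PEAP): wrong password or account'
    22  = 'EAP type cannot be processed: NPS has no usable server certificate, or the method is not in the policy'
    48  = 'No matching network policy: check the NAS Port Type condition'
    49  = 'No matching connection request policy'
    65  = 'Dial-in permission on the account is set to Deny'
    66  = 'Authentication method not enabled on the matching network policy'
    258 = 'Revocation check failed: CRL/OCSP URL not reachable from NPS'
    265 = 'Client certificate chain was issued by an untrusted authority'
    295 = 'Chain built, but the issuing CA is not trusted by NPS for this purpose'
}

function ConvertFrom-NpsEventMessage {
    param([Parameter(Mandatory)][string]$Message)
    # Detail lines look like "<label>:<tab><value>". First match wins, so
    # 'Account Name' comes from the User section, not Client Machine.
    function Get-Field([string]$Label) {
        if ($Message -match "(?m)^\s*$Label\s*:\s*(.*?)\s*$") { $Matches[1] } else { '-' }
    }
    $code = Get-Field 'Reason Code'
    $codeInt = if ($code -match '^\d+$') { [int]$code } else { -1 }
    [pscustomobject]@{
        Account    = Get-Field 'Account Name'
        NasIp      = Get-Field 'NAS IPv4 Address'
        Client     = Get-Field 'Client Friendly Name'
        Policy     = Get-Field 'Network Policy Name'
        EapType    = Get-Field 'EAP Type'
        ReasonCode = $codeInt
        Reason     = Get-Field 'Reason'
    }
}

function Get-NpsDenialSummary {
    param([string[]]$Messages, [switch]$UseEventLog)
    if ($UseEventLog) {
        $Messages = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6273 } -MaxEvents 500 |
                    ForEach-Object Message
    }
    $Messages | ForEach-Object { ConvertFrom-NpsEventMessage -Message $_ } |
        Group-Object ReasonCode | ForEach-Object {
            $code = [int]$_.Name
            [pscustomobject]@{
                ReasonCode = $code
                Count      = $_.Count
                Hint       = $ReasonHints[$code]
                Accounts   = ($_.Group.Account | Sort-Object -Unique) -join ', '
                Clients    = ($_.Group.Client  | Sort-Object -Unique) -join ', '
            }
        }
}

# Constructed sample: a laptop whose certificate chains to a CA NPS does not trust.
$SampleDenial295 = @'
Network Policy Server denied access to a user.

User:
    Security ID:    CORP\LAPTOP01$
    Account Name:   host/laptop01.corp.example.com
    Account Domain: CORP
NAS:
    NAS IPv4 Address:   10.10.0.5
    NAS Port-Type:  Wireless - IEEE 802.11
RADIUS Client:
    Client Friendly Name:   WLC01
Authentication Details:
    Network Policy Name:    CorpWiFi EAP-TLS
    Authentication Type:    EAP
    EAP Type:   Microsoft: Smart Card or other certificate
    Reason Code:    295
    Reason: A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider.
'@

# Constructed sample: a request that matched no network policy (wrong NAS Port Type).
$SampleDenial48 = @'
Network Policy Server denied access to a user.

User:
    Account Name:   host/laptop02.corp.example.com
NAS:
    NAS IPv4 Address:   10.10.0.5
    NAS Port-Type:  Ethernet
RADIUS Client:
    Client Friendly Name:   WLC01
Authentication Details:
    Network Policy Name:    -
    EAP Type:   -
    Reason Code:    48
    Reason: The connection request did not match any configured network policy.
'@

Get-NpsDenialSummary -Messages $SampleDenial295, $SampleDenial48 | Format-Table -AutoSize
# On the server:  Get-NpsDenialSummary -UseEventLog | Format-Table -AutoSize
```

Reason 295 is the classic EAP-TLS failure: the client certificate is fine, but the issuing CA is missing from the NPS server’s trust stores (or is there but the chain cannot be revocation-checked). Reason 48 with a wireless NAS points straight at the NAS Port Type condition in the network policy.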

Related Articles, References, Credits, or External Links

Configure Wireless Network Settings via Group Policy

Cisco ISE – Replace the Self Signed Certificate

KB ID 0001068 

Problem

Cisco ISE arms itself with a self-signed certificate out of the box (well, the NFR appliance does anyway). To replace that cert with one signed by your own CA, this is the procedure. (Note: I’m using Microsoft Certificate Services on Server 2012 R2.)

Solution

Step 1: Import the CA Certificate into ISE

Note: If you have several issuing CAs, repeat this procedure for EVERY issuing CA in your PKI environment; assuming you have an offline root, that would be every SubCA (to use Microsoft terminology). ISE will only accept client and server certificates whose issuing CA is in its trusted certificate store. On my test network I only have one, so that’s not a problem.

1. Connect to the web enrollment portal of your Certificate Services server > Download a CA certificate, certificate chain, or CRL.

2. Select DER encoding > Download CA Certificate.

3. Save the certificate where you can find it, with a sensible name.

4. Log into ISE > Administration > System > Certificates > Certificate Store > Import.

5. Import the certificate you just saved and tick the ‘Trust for client authentication or Secure Syslog services’ option (this is what lets ISE accept EAP-TLS client certificates issued by that CA) > Submit.

Step 2: Generate a New Certificate for Cisco ISE

6. Whilst still in the certificate section > Local Certificates > Add > Generate Certificate Signing Request.

7. Enter the FQDN of the ISE appliance as the subject CN (if the form offers a Subject Alternative Name field, put the FQDN there as well; modern browsers match on the SAN rather than the CN) > Submit.

8. Certificates > Certificate Signing Requests > Export.

9. Again save it somewhere you can find it easily.

10. Open the PEM file you just created, and copy all the text to the clipboard.

11. Back at your web enrollment portal > Request a certificate.

12. Advanced certificate request.

13. Submit a certificate request by using…

14. Paste in your copied text (make sure no spaces get added to the end, this usually happens, be careful) > Set the template to Web Server (or your own template, if you are not using the default one) > Submit.

15. Select DER encoded > Download certificate > Save it with a name that is recognizable as the ISE appliance.

16. On the ISE web portal > Local Certificates > Add > Bind CA Signed Certificate.

17. Browse to the new cert > Select EAP and HTTPS > Submit.

18. Now remember to connect to the ISE appliance using its FQDN (you did remember to create a record in DNS for it didn’t you?)

At this point, if you get an error, either the URL is wrong, you didn’t create a DNS record, or the machine you are on does not trust your issuing CA’s root certificate.
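The same issuance and the checks behind step 18, done from a domain-joined Windows box. This is an added example, not from the original article or from Cisco; the CA config string ca01.corp.example.com\Corp-Issuing-CA, the ISE name ise01.corp.example.com and the file names are placeholders. Submitting the CSR with certreq avoids the copy/paste (and the trailing-space problem) of step 14, certutil proves the chain and CRL before you upload anything, and the TLS probe shows exactly what the appliance serves once the certificate is bound.

```powershell
# Added example, not from the original post. Placeholders: CA config string,
# ISE FQDN and file names. Run on a domain member that trusts the issuing CA.

$CaConfig = 'ca01.corp.example.com\Corp-Issuing-CA'   # 'certutil -dump' on a domain member shows the exact string
$IseFqdn  = 'ise01.corp.example.com'
$CsrFile  = '.\ise01.pem'    # the CSR exported from ISE in step 8
$CerFile  = '.\ise01.cer'

# Steps 11-15 without the browser: submit the CSR straight to the issuing CA.
# certreq writes base64 (PEM) by default, which the ISE bind dialog accepts too;
# add -binary if you want DER exactly as in step 15.
certreq -submit -config $CaConfig -attrib 'CertificateTemplate:WebServer' $CsrFile $CerFile

# Before uploading: does the chain build, and is the CRL reachable? Browsers and
# supplicants will do the same checks, so fail here rather than there.
certutil -verify -urlfetch $CerFile

# After step 17: check what ISE actually serves on 443 the way a client does,
# i.e. hostname match plus a chain to a root this machine trusts.
function Test-IseCertificate {
    param([Parameter(Mandatory)][string]$Fqdn, [int]$Port = 443)
    try { $tcp = New-Object System.Net.Sockets.TcpClient($Fqdn, $Port) }
    catch [System.Net.Sockets.SocketException] {
        # Covers the 'URL is wrong / no DNS record' cases from step 18.
        return [pscustomobject]@{ Fqdn = $Fqdn; Trusted = $false; Error = $_.Exception.Message }
    }
    try {
        # No custom validation callback: the default one enforces chain and name,
        # which is precisely what we want to test.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        try { $ssl.AuthenticateAsClient($Fqdn) }
        catch [System.Security.Authentication.AuthenticationException] {
            return [pscustomobject]@{ Fqdn = $Fqdn; Trusted = $false; Error = $_.Exception.Message }
        }
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Fqdn       = $Fqdn
            Trusted    = $true
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            NotAfter   = $cert.NotAfter
            Thumbprint = $cert.Thumbprint
            Protocol   = $ssl.SslProtocol
            Error      = $null
        }
    }
    finally { $tcp.Close() }
}

Test-IseCertificate -Fqdn $IseFqdn | Format-List
```

A result with Trusted = false and a name-mismatch error means the bound certificate’s subject/SAN does not match the FQDN you browse to; an untrusted-root error means the probing machine lacks the root from step 1, which is the third failure case listed above.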

Related Articles, References, Credits, or External Links

NA

Cisco ISE – Basic 802.1x With Windows Part Four – Configuring The Windows Clients (Supplicants)

KB ID 0001083 

Problem

Back in Part Three we set up the switches ready to plug in our clients. I’m going to configure the Windows clients by Group Policy, but I suggest you carry out tests using single Windows clients and LOCAL policy until you know you have everything set up correctly.

WARNING: Rolling this out without adequate testing can result in all your Windows clients falling off the network.

Solution

1. On a DC or a machine with the AD management tools installed, open the Group Policy Management Console. Either edit an existing policy or create and link a policy to the OU that contains your client computers.

2. Navigate to;

[box]Computer Configuration > Policies > Windows Settings > Security Settings > Wired Network (IEEE 802.1x) Policies[/box]

Create A New Wired Network Policy for Windows Vista and Later Releases.

3. Configure the following;

General Tab

  • Policy Name: Give the policy a name
  • Description: Optional
  • Use Windows Wired Auto Config service for clients. (Ticked)

Security Tab

  • Enable use of IEEE 802.1X authentication for network access. (Ticked)
  • Select a network authentication method: Microsoft Protected EAP (PEAP)
  • Authentication Mode: User or computer authentication
  • Properties > tick ‘Verify the server’s identity by validating its certificate’ and select your Root CA. Do this for PEAP too, not just in case you move to EAP-TLS later: it is what stops a client handing its MS-CHAPv2 credentials to a rogue switch or RADIUS server.

4. Navigate to;

[box]Computer Configuration > Policies > Windows Settings > Security Settings > System Services > Wired AutoConfig[/box]

Define the policy and set the startup type to ‘Automatic’.

5. Now when you connect a client to a properly configured switch port, it will authenticate before it is allowed to join the network. If the machine is not a domain PC, or 802.1X fails, it will show an ‘authentication failed’ remark on its network card.

6. OPTIONAL: We have setup 802.1x now, but it is also worth adding RADIUS to the ISE profiling configuration.
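The checks to run on ONE test client under local policy before the GPO is linked, in keeping with the warning above. This is an added example rather than part of the original article; it relies only on the standard Wired AutoConfig service name (dot3svc), the netsh lan context and the Wired-AutoConfig operational event log, all of which are built into Windows.

```powershell
# Added example, not from the original post. Run on a single test client before
# rolling the wired 802.1X GPO out to the OU.

function Test-WiredDot1xClient {
    $svc = Get-CimInstance Win32_Service -Filter "Name='dot3svc'"   # Wired AutoConfig
    $events = Get-WinEvent -LogName 'Microsoft-Windows-Wired-AutoConfig/Operational' -MaxEvents 15 -ErrorAction SilentlyContinue |
              Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
    [pscustomobject]@{
        # Step 4 sets this to Automatic; with the service stopped no 802.1X exchange ever starts.
        Dot3svcStartMode = $svc.StartMode
        Dot3svcState     = $svc.State
        # Wired profiles present on the client (GPO-delivered ones show up here too).
        Profiles         = (netsh lan show profiles) -join "`n"
        # Per-interface 802.1X state as the supplicant sees it.
        Interfaces       = (netsh lan show interfaces) -join "`n"
        # Most recent supplicant events: successes, failures, server certificate complaints.
        RecentEvents     = $events
    }
}

$state = Test-WiredDot1xClient
$state | Format-List Dot3svcStartMode, Dot3svcState, Profiles, Interfaces
$state.RecentEvents | Format-Table -AutoSize

if ($state.Dot3svcStartMode -ne 'Auto' -or $state.Dot3svcState -ne 'Running') {
    Write-Warning 'Wired AutoConfig is not running: fix this before expecting any 802.1X exchange on the port.'
}
```

Run it once with the client on a port that is still in an open or monitor mode, then again after the port enforces authentication; the interface state and the newest events should show the PEAP exchange completing against ISE before you let Group Policy touch the rest of the estate.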

Related Articles, References, Credits, or External Links

NA