Last updated on July 20, 2020
This post uses a typical office WiFi environment as an example to present the related configuration on the WLC, the RADIUS server (Microsoft NPS) and the DHCP server.
1.1 Network Topology
- Cisco Wireless Controller 5508 Configuration Step by Step – Part 1 (CLI and GUI)
- Cisco Wireless Controller 5508 Configuration Step by Step – Part 2 (User/Machine Auth)
- Cisco Wireless Controller 5508 Configuration Step by Step – Part 3 (Certs Auth and Other Settings)
1.2 Device List:
- Cisco AP 1702i
- Radius Server – Microsoft NPS
- DHCP Server
- Cisco WLC5508
1.3 Topology for Wireless Access with Digital Certificate Client Authentication
2. WiFi Access Requirements
This WiFi access is primarily intended for company laptops that already have a client certificate installed on the machine through domain group policy. This WiFi network will be on a separate office VLAN from the other office VLANs.
Other WiFi-connected devices must not be allowed to connect to this office WiFi; they will connect through the company Guest WiFi instead. Mobile devices such as BYOD devices, BlackBerry or other PDAs and smartphones should not be allowed to connect to the office WiFi.
3. NPS Configuration
When using WPA2-Enterprise with 802.1X authentication, EAP-TLS can be specified as the authentication method. With EAP-TLS, both the wireless client and the RADIUS server present certificates to verify their identities to each other (mutual authentication), so a device that has no client certificate issued through the domain cannot complete authentication on this SSID. Below are the steps for configuring a policy in Windows Network Policy Server to support EAP-TLS.
Here are screenshots for NPS Policy:
4. WLC Configuration
5. DHCP Option 43 configuration
When you are installing a Layer 3 access point, that is, an AP on a different subnet than the Cisco wireless LAN controller, be sure that a DHCP server is reachable from the subnet on which you will be installing the access point, and that the subnet has a route back to the controller. Also be sure that the path back to the controller has destination UDP ports 5246 (CAPWAP control) and 5247 (CAPWAP data) open. Ensure that the route back to the primary, secondary and tertiary wireless LAN controllers allows IP packet fragments. Finally, if address translation is used, the access point and the controller must have a static 1-to-1 NAT to an outside address; Port Address Translation is not supported.
The access point must be able to discover the IP address of the controller. One way to provide it is DHCP Option 43. For Cisco lightweight APs the option value is a vendor-specific TLV: sub-option type 241 (0xf1), a length byte equal to 4 times the number of controllers, and then each controller's management IP address as four hex bytes.
The online IP Address to Hex Converter can help you convert each address to hex.
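The following is an added example and not part of the original post: a small Python script that builds and parses the Option 43 value described above, so the hex string can be produced and checked without an online converter. The controller addresses 10.1.1.5 and 10.1.1.6 are constructed sample values, not addresses from this deployment; the helper names are my own.

```python
import ipaddress

# Cisco lightweight APs look for vendor-specific sub-option 241 (0xf1)
# inside DHCP option 43. Its value is the concatenation of the 4-byte
# controller management addresses, so the length byte is 4 * count.
WLC_SUBOPTION = 0xF1
MAX_CONTROLLERS = 63  # the length byte is 0..255, and 63 * 4 = 252


def encode_option43(controllers):
    """Return the raw option 43 payload for the given WLC management IPs."""
    addrs = [ipaddress.IPv4Address(c) for c in controllers]
    if not addrs:
        raise ValueError("at least one controller address is required")
    if len(addrs) > MAX_CONTROLLERS:
        raise ValueError("too many controllers for a single sub-option")
    body = b"".join(a.packed for a in addrs)
    return bytes([WLC_SUBOPTION, len(body)]) + body


def decode_option43(payload):
    """Walk the TLVs in an option 43 payload and return the WLC addresses.

    Other vendor sub-options are skipped; a truncated TLV or a sub-option
    241 whose length is not a multiple of 4 is rejected, because an AP
    would not be able to extract whole addresses from it.
    """
    controllers = []
    i = 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated TLV header at offset %d" % i)
        typ, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated TLV value at offset %d" % i)
        if typ == WLC_SUBOPTION:
            if length == 0 or length % 4 != 0:
                raise ValueError("sub-option 241 length %d is not a multiple of 4" % length)
            for j in range(0, length, 4):
                controllers.append(str(ipaddress.IPv4Address(value[j:j + 4])))
        i += 2 + length
    return controllers


def ios_option43_line(controllers):
    """The 'option 43 hex ...' line for a Cisco IOS DHCP pool."""
    return "option 43 hex " + encode_option43(controllers).hex()


def windows_option43_bytes(controllers):
    """Space-separated hex bytes as typed into the Windows DHCP console's
    binary editor for option 043 Vendor Specific Info."""
    return " ".join("%02x" % b for b in encode_option43(controllers))


if __name__ == "__main__":
    # Constructed sample: a primary and a secondary controller.
    sample = ["10.1.1.5", "10.1.1.6"]
    print(ios_option43_line(sample))
    print(windows_option43_bytes(sample))
    print(decode_option43(encode_option43(sample)))
```

Paste the printed `option 43 hex ...` line into the AP subnet's DHCP pool on an IOS router, or the byte list into the scope option on a Windows DHCP server; running `decode_option43` on a value captured from a DHCP offer is a quick way to confirm the server is handing out what you think it is.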
- 1. Cisco WLC DHCP Option 43
- 2. WiFi Certificate Based Authentication
- 3. EAP-TLS-based Authenticated Wireless Access Design
- 4. RADIUS: Creating a Policy in NPS to support EAP-TLS authentication
- 5. Microsoft NPS as a RADIUS Server for WiFi Networks: Dynamic VLAN Assignment
- 6. Inexpensive 802.1x Solutions
- 7. Configuring NPS on Server 2012 with Cisco WLC: Part 1
- 8. IP Address to Hex Converter
- 9. Qianyitang (乾颐堂), instructor "Mingjiao Jiaozhu": Converged Networks CCNA, Day 1, Converged Networks Overview, part 1