Introduction
Passwords are inherently unsafe when it comes to securing your network as they can be stolen over-the-air for malicious purposes. Organizations like Microsoft and Google have been advocating for passwordless authentication methods like digital certificates for a while now. Certificate-based authentication goes beyond simply preventing a range of attacks; it also prevents password-related disconnects resulting from password resets or mismanagement, resulting in a smoother user experience. Furthermore, certificates provide greater identity context on a network so that you know who and what is connecting to your network for consistent and accurate RADIUS accounting.
In the EAP-TLS protocol, digital certificates are used to verify both end users and the RADIUS servers they authenticate to in a mutual authentication process. Not only does this prevent over-the-air credential theft (since users aren’t transmitting passwords over the air to connect), it also ensures they aren’t connecting to rogue Access Points (APs) imitating your secure network. EAP-TLS performs this mutual authentication with a RADIUS AAA (Authentication, Authorization and Accounting) server using digital certificates.
SecureW2’s cloud-based managed PKI and RADIUS solution makes certificate management easier and integrates with your existing Cisco infrastructure through a simple configuration process for a cost-effective deployment. Our Cloud RADIUS is easy to integrate with your existing infrastructure and identity providers like Google, Okta and Azure AD.
Tech Overview
- Configure SecureW2 PKI Services
- Setting up a PKI is no simple task, so SecureW2 does it for you. Our Getting Started Wizard allows you to create everything required for EAP-TLS configuration and management (Certificate Authorities, CRL, Management Software, etc.).
- Integrate with your Identity Provider
- Authenticating users is much easier since SecureW2 integrates with every major LDAP and SAML IDP. Here are just a few of our integration guides:
- Active Directory / LDAP
- Google Apps
- Active Directory Federation Services
- Okta
- Enroll Users for Certificates
- Set up Onboarding SSID for BYOD Self-Service Certificate Enrollment
- SecureW2’s best-in-class onboarding software, the JoinNow Suite, allows end users to enroll in certificates and configure their devices from anywhere. Users can also access the JoinNow Suite by configuring an Open SSID.
- Using Gateway APIs to Auto-Enroll Managed Devices for Certificates
- Instead of manually enrolling every managed device for a certificate, our Managed Device Gateway APIs can automatically enroll all your managed devices, for machine and/or user certificates through any major MDM software.
- Configuring the RADIUS (AAA) Server
- Integrating SecureW2 PKI Services with a RADIUS Server
- Our PKI services integrate cleanly with all major RADIUS servers. We can work with your existing infrastructure to make implementation painless. No RADIUS infrastructure? No problem. SecureW2 comes built in with our Cloud RADIUS. Click here to read more about our RADIUS Access Solutions.
- Integrating Cisco WLC with a RADIUS Server
- Once you’ve figured out your RADIUS set up, the SecureW2 JoinNow Suite can configure your RADIUS server to integrate seamlessly with Cisco WLC. Below is a step-by-step guide.
- To complete this setup, you will need the following:
- A SecureW2 Network Profile configured for EAP-TLS
- An Identity Provider
- A Cisco WLC setup with Access Points
Onboarding Users for WPA2-Enterprise
An onboarding SSID is an open SSID users connect to initially to configure their devices for wireless access. The onboarding SSID redirects the user to the SecureW2 landing page, where they can enroll for a certificate. From here, the OS of the user’s device is detected and a client specific to that OS is deployed. The client then configures the device by installing the Wi-Fi certificate, the RADIUS server certificate (for server certificate validation), and the network settings required to authenticate via EAP-TLS.
- Login to the Cisco Dashboard
- In the WLAN tab, click Go next to the Create New dropdown menu
- Enter a Profile Name and SSID, and then click Apply
- Click the Security tab, and in the Layer 2 Security dropdown menu, select None
- Click the Layer 3 tab, and in the Layer 3 Security dropdown menu, select Web Policy
Here you would select your Walled Garden configuration or Access Control List (ACL) from the IPv4 dropdown menu. We are going to go through a quick setup for those who do not have one configured before starting this guide.
- Click the Security tab on the top menu, and click Access Control Lists
- Click New, enter a name in the Access Control List Name text box, and click Apply
- In the list that appears, click the ACL you just created and click Add New Rule
- Here you will see the information that can be populated into a new rule
- Navigate to the SecureW2 Management Portal, click Documentation, and click SecureW2 JoinNow Deployment Guide
- Scroll to the section in the guide called Chapter 2: Firewall Rules
- Here you will find an array of resources you need to allow through the Open SSID
- For more details, check out our Onboarding SSID video in the Management Portal
- For testing purposes, the following are the IP Addresses that need to be allowed:
- Copy the first IP Address on the list and navigate to the Cisco dashboard
- In the new rules list for the ACL, type 1 in the Sequence textbox
- Select IP Address in the dropdown box for Source and paste the IP Address we copied from the guide into the IP Address textbox
- In the Netmask textbox, enter 255.255.255
- In the Action dropdown box, select Permit and click Apply
- Resuming our WLAN configuration, select the ACL List we created from the IPv4 dropdown box
- Click the checkbox next to Over-ride Global Config to enable it
- In the Web Auth Type dropdown box, select External (Re-direct to external server)
- Navigate to the SecureW2 Management Portal, click Network Profiles, and click View for the network profile you’ve configured for this guide
- Copy the URL of the landing page that opens and paste it in the URL textbox in the ACL List Configuration
- Click Apply
- In the General tab, check the box next to Status labelled Enable, and click Apply
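The pre-authentication ACL above is what keeps the open onboarding SSID a walled garden: only the enrollment portal hosts are reachable, everything else is dropped. The following Python is an added example, not SecureW2's or Cisco's code, that models how the WLC evaluates such a list (first match in Sequence order, implicit deny at the end) and audits it for the two mistakes that matter on an open SSID: a Permit rule wide enough to give unauthenticated clients general network access, and a rule shadowed by an earlier one. The addresses are constructed placeholders, and a full host mask is assumed for single-host rules.

```python
import ipaddress

# Constructed walled-garden ACL in the shape of the WLC rule form:
# (Sequence, IP Address, Netmask, Action). Portal addresses are placeholders.
WALLED_GARDEN = [
    (1, "203.0.113.10", "255.255.255.255", "Permit"),  # enrollment landing page host
    (2, "203.0.113.20", "255.255.255.255", "Permit"),  # second allowed host from the guide
    (3, "0.0.0.0", "0.0.0.0", "Deny"),                 # explicit catch-all, same as the implicit deny
]


def rule_network(ip, netmask):
    """Turn the IP + dotted netmask a WLC rule carries into a network object."""
    return ipaddress.ip_network(f"{ip}/{netmask}", strict=False)


def acl_action(acl, peer_ip):
    """First-match evaluation in Sequence order for the remote address of a flow.
    Anything unmatched is denied, as the WLC does with traffic that falls off
    the end of a pre-auth ACL."""
    peer = ipaddress.ip_address(peer_ip)
    for _seq, ip, mask, action in sorted(acl):
        if peer in rule_network(ip, mask):
            return action
    return "Deny"


def overly_broad_permits(acl, widest_ok=24):
    """Sequence numbers of Permit rules wider than /widest_ok. On an open
    onboarding SSID such a rule hands unauthenticated clients far more than
    the enrollment portal, so review these before enabling the WLAN."""
    return [seq for seq, ip, mask, action in acl
            if action == "Permit" and rule_network(ip, mask).prefixlen < widest_ok]


def unreachable_rules(acl):
    """Sequence numbers of rules that can never match because an earlier
    rule already covers their whole range (a sign the order is wrong)."""
    ordered = sorted(acl)
    shadowed = []
    for i, (seq, ip, mask, _action) in enumerate(ordered):
        net = rule_network(ip, mask)
        if any(net.subnet_of(rule_network(p_ip, p_mask))
               for _s, p_ip, p_mask, _a in ordered[:i]):
            shadowed.append(seq)
    return shadowed
```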
Integrating the SecureW2 Cloud RADIUS
First, we need to add the SecureW2 Cloud RADIUS Server into Cisco, so starting in the SecureW2 Management Portal:
- Under the heading AAA Management, click AAA Configuration
- Navigate to the Cisco dashboard and click Security
- Click Authentication beneath the heading RADIUS, and click New
- The following is the information from SecureW2 that you will enter in the Cisco RADIUS
- Shared Secret
- Primary IP Address (enter in the textbox called Server IP Address in Cisco)
- Port
- After you have entered this information, click Apply
Configuring an SSID for EAP-TLS Authentication
Now that we’ve configured the onboarding SSID to enroll users for a certificate, we need to setup the secure SSID. This SSID needs to be configured for EAP-TLS WPA2-Enterprise Authentication. It also needs to be integrated with a RADIUS server (in this case, the SecureW2 RADIUS) that will authenticate the users’ certificates and authorize them for network access.
- Click Network Profiles under the heading Device Onboarding
- Click Edit that applies to the network profile you created for this WPA2-Enterprise Authentication and copy the name of the network
- Navigate to the Cisco dashboard and click the WLANs tab
- Next to the dialog box called Create New, click Go
- Paste the name of the network into the Profile Name and SSID textboxes, and click Apply
- Click the Security tab and click AAA Servers
- In the Server 1 dialog box, select the server we created earlier, and click Apply
- Under the General tab, click the check box to Enabled and click Apply
With the final click of Apply, you have set up an Onboarding and Secure SSID on your Cisco WLC, allowing you to begin enrolling for certificates.
Deploy SecureW2’s PKI & Cloud RADIUS For Seamless EAP-TLS Certificate-Based Network Security
Passwords are cumbersome to manage and need regular resets, leading to frequent disconnects. They can also be targeted by a range of attacks that aren’t difficult to orchestrate, such as Man-in-the-Middle attacks. In other words, tying your Wi-Fi security to passwords is an unnecessary risk. Digital certificates need only a one-time installation, eliminating password changes and IT tickets for password-related issues.
Deploying digital certificates requires a Public Key Infrastructure (PKI), which can be expensive and take weeks to set up. With SecureW2’s Managed PKI service, that’s a thing of the past. Our platform makes it easy to set up a CA server and CA certificate for issuing certificates to your end-user devices. Setting up a passwordless solution with EAP-TLS makes your network more secure and robust. It integrates with your existing Cisco infrastructure without the need for major upgrades and offers an easy, straightforward setup so that you can transition to passwordless security right away. SecureW2’s Cloud RADIUS lets you leverage EAP-TLS for digital certificate-based authentication on a secure, user-friendly, efficient network.
Check out our pricing page to see how much you can impact your Security ROI.
Frequently Asked Questions
To configure a wireless access point, set a unique Service Set Identifier (SSID) that differentiates it from other network names. Next, choose the security mode; we recommend WPA2-Enterprise to enable RADIUS-based authentication, with the EAP-TLS protocol for digital certificate-based network authentication.
Configure the RADIUS server by providing its IP address and a shared secret key to communicate between the RADIUS server and the Access Point. Configure the general settings, such as the WLAN name that the employees can access, SSID and related access points, and traffic mode.
Now, specify the VLAN for users in the Employee SSID and set up the Firewall access. Enable MAC address filtering and disable remote administration. Enable Access Control Lists and guest portal. Set “Network Access” to open and select “Click-Through” under the Splash Page to redirect to a landing page. Now your Enterprise Network is configured for a secure Wireless connection.
The parameters for implementing EAP in CISCO Wireless LAN Controller (WLC) are to set up a Profile name and SSID by setting a unique name for the WLAN and Service Set Identifier (SSID). Change the Layer 2 Security settings to “None” and the Layer 3 Security settings to “Web Policy.” Configure the RADIUS Server with a shared secret key, Primary IP address, and port number for communication. From the IPv4 menu, select the Walled Garden or the Access Control List (ACL).
Navigate to the AAA Section and configure the RADIUS authentication in the CISCO dashboard. Configure the SSID for user enrollment. This SSID should now be configured for EAP-TLS authentication. Integrate the SSID with the RADIUS server. Your network is now configured for secure EAP-TLS authentication in a Cisco WLC.
Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that uses account information to authorize users and devices on a network. A RADIUS server authenticates users before they can use the network. RADIUS also accounts for every user or device login, so you can see who and what has been on the network and for how long. Before a user or device can log on to the network, the RADIUS client must be configured to let users access the network.
These are the steps for adding a RADIUS server to a Cisco router for Cisco wireless RADIUS authentication:
- Navigate to Configuration>Security>AAA.
- Under Servers, Click Add +.
- Enter your RADIUS name in the RADIUS server field.
- Enter the Primary IP Address from the Management Portal in the Server Address field.
- For the Auth Port field, enter the Authentication Port address displayed in the JoinNow portal.
- For the Acct Port field, enter the Accounting Port address displayed in the JoinNow portal.
- Click Apply to Device.
- Add the Server Group by clicking on the server group and adding a Server from the available list of servers.
- Create a WebAuth parameter to redirect users to the URL and take them to the landing page.
- Now create an SSID to connect a user to the network before being authenticated for network access.
- Now you can go ahead to configure user and device access policies for a secure network access for all your endpoints on a Cisco router.
The RadSec protocol transports RADIUS packets through Transmission Control Protocol (TCP) and Transport Layer Security (TLS) based on mutual certificate authentication for a more secure network. It allows the transfer of RADIUS packets through public networks with TLS for end-to-end data security and uses digital certificates to verify connecting devices.
Cisco Wireless LAN Controllers offer limited support for RadSec, as the Cisco hardware does not fully support the RadSec implementation.
To configure RADIUS on a LAN, navigate to Configuration>WLAN. Click on the + icon to add a new WLAN. Configure general settings by naming the LAN and choosing “Employee” as the primary user group. Select the Access Point that broadcasts the SSID and the correct mode for client traffic. Click “Next.” Specify the VLAN settings.
Next, set the security settings by clicking on “Enterprise.” Select WPA2-Enterprise from the “Key Management” list. Click + in the Auth server section. Select the RADIUS server to configure and click “OK.” Configure the access settings by selecting “Default Role” and clicking “Finish.”
In SecureW2’s JoinNow Management Portal, navigate to “Data and Monitoring > RADIUS Events”. If the RADIUS Reply is ACCEPT_ACCEPT, then RADIUS has been successfully configured.
RadSec, also known as RADIUS over TLS, is a protocol that uses TLS to protect communication with RADIUS servers. RadSec forms an encrypted tunnel between client and server, protecting networks from MITM and other cyber attacks. Plain RADIUS packets are vulnerable to Blast-RADIUS attacks, which can be used to manipulate a network; a RadSec-based server is safe from Blast-RADIUS attacks. The RadSec server certificate also verifies users and devices to the server in a mutual authentication, preventing connections to unauthorized networks.
RadSec improves the security of Cisco wireless networks by carrying RADIUS traffic inside TLS. It also benefits employees who commute between locations and roam between networks, keeping their communication secure during those transitions.
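The following Python is an added example, not code from the original page or from SecureW2, that shows what the shared secret entered in the Cloud RADIUS section above actually protects on a plain UDP RADIUS exchange, and why RadSec is the stronger option. An Access-Accept carries an MD5 Response Authenticator keyed only by that secret; the HMAC-MD5 Message-Authenticator attribute is the extra integrity check a RADIUS client must insist on, and rejecting replies that lack it is the published mitigation for the Blast-RADIUS forgery. The shared secret and the Request Authenticator are constructed placeholders.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
MSG_AUTH = 80  # Message-Authenticator attribute (RFC 2869)

# Constructed sample values: placeholder secret, fixed 16-byte Request
# Authenticator standing in for the one the WLC sent in its Access-Request.
SECRET = b"example-shared-secret"
REQUEST_AUTH = bytes(range(16))


def pack_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS TLVs: type, length, value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def build_access_accept(ident, request_auth, attrs, secret):
    """Server side: HMAC-MD5 Message-Authenticator computed with its own value
    zeroed, then Response Authenticator = MD5(hdr|ReqAuth|attrs|secret)."""
    body = pack_attrs(attrs + [(MSG_AUTH, bytes(16))])
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    mac = hmac.new(secret, header + request_auth + body, hashlib.md5).digest()
    body = pack_attrs(attrs + [(MSG_AUTH, mac)])
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def verify_access_accept(packet, request_auth, secret):
    """Client side (the WLC): Response Authenticator must verify AND a valid
    Message-Authenticator must be present; replies without one are rejected."""
    if len(packet) < 20 or len(packet) != struct.unpack("!H", packet[2:4])[0]:
        return False
    header, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        return False
    attrs, found, pos = [], None, 0
    while pos < len(body):  # walk the TLVs, zeroing the Message-Authenticator
        if pos + 2 > len(body):
            return False
        t, length = body[pos], body[pos + 1]
        if length < 2 or pos + length > len(body):
            return False
        value = body[pos + 2:pos + length]
        if t == MSG_AUTH:
            found, value = value, bytes(16)
        attrs.append((t, value))
        pos += length
    if found is None:
        return False
    mac = hmac.new(secret, header + request_auth + pack_attrs(attrs), hashlib.md5).digest()
    return hmac.compare_digest(mac, found)
```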