Recently I had to work on a task that required a wired device to connect to an “eduroam” SSID configured with 802.1X. In this post I will share how I configured it.
In my test setup, Cisco ISE (v2.2.x) is the RADIUS server, and a 3702-1 managed by a WLC (AireOS 8.5.120.0) advertises the 802.1X SSID (eduroam2). Another 3702 running in Autonomous mode [v15.3(3)JF5] is configured as the WGB. Below is my topology for this post.
[Image: topology diagram for this post]
If you refer to my previous posts you will find many on WGBs configured with WPA2-PSK. The basic config is similar to the one below.
hostname WGB
!
dot11 ssid ABC24
 authentication open
 authentication key-management wpa version 2
 wpa-psk ascii Cisco123
 infrastructure-ssid
!
interface Dot11Radio1
 encryption mode ciphers aes-ccm
 ssid ABC24
 station-role workgroup-bridge
 bridge-group 1
!
interface GigabitEthernet0
 bridge-group 1
!
interface BVI1
 ip address dhcp
Let’s see how we can configure it to use EAP-PEAP.
With any EAP method, certificate trust is used to build a secure (TLS) tunnel before the inner EAP exchange takes place, so that the exchange happens securely. To achieve that, the RADIUS server (ISE in my topology) needs a trusted certificate installed that can be used for supplicants' EAP authentication. When a supplicant requests a secure connection to ISE, ISE presents this EAP certificate, which the client needs to accept. Refer to the “How to implement ISE server side cert” Cisco doc for more details (the diagram below is from that document).
[Image: diagram from the Cisco “How to implement ISE server side cert” document]
In PEAP the server does not need to verify a client certificate, so you do not need to install a certificate unique to each client (that is required for EAP-TLS). However, to verify the server certificate presented to the supplicant (the WGB in our scenario), you need to install the root certificate of the EAP certificate that you installed in ISE.
First you need to define a trustpoint with enrollment type “terminal”.
crypto pki trustpoint MRN-TRUST
 enrollment terminal
 subject-name CN=WGB-02
 revocation-check none
 rsakeypair WGB 2048
Then you can install the root CA cert by manually pasting it in, using the “crypto pki authenticate <trust_point_name>” command.
WGB1(config)#crypto pki authenticate MRN-TRUST

Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself

-----BEGIN CERTIFICATE-----
.
.
-----END CERTIFICATE-----
quit
Certificate has the following attributes:
       Fingerprint MD5: 5E397BDD F8BAEC82 E9AC62BA 0C54002B
      Fingerprint SHA1: CA3AFBCF 1240364B 44B21620 88804839 19937CF7

% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
% Certificate successfully imported
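The “Do you accept this certificate?” prompt above is the one point where the WGB's trust in the RADIUS server is decided, so the fingerprint it prints should be compared against one computed from a copy of the CA certificate obtained out of band (for example exported from the ISE trust store) rather than accepted on sight. The following is an added example (not from the original post or from Cisco) that computes the MD5 and SHA1 fingerprints of a PEM certificate in the same grouped-hex layout IOS prints, and compares them with what the console showed. The fingerprint is the hash of the DER encoding, the same value `openssl x509 -fingerprint` reports. The embedded certificate is a constructed stand-in whose base64 body decodes to the bytes `abc`, so the values can be checked against well-known test vectors; the function names are this example's own.

```python
import base64
import hashlib
import re

# Constructed stand-in for a PEM CA certificate: the base64 body decodes to the
# bytes b"abc", so the fingerprints match the standard MD5/SHA1 test vectors.
# A real CA certificate has a much longer body; the code path is identical.
SAMPLE_CA_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armor and return the DER-encoded certificate bytes."""
    match = re.search(
        r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S
    )
    if not match:
        raise ValueError("no CERTIFICATE block found in input")
    body = "".join(match.group(1).split())  # drop line breaks and whitespace
    return base64.b64decode(body, validate=True)


def ios_fingerprint(pem: str, algorithm: str = "sha1") -> str:
    """Return the fingerprint the way IOS prints it during
    'crypto pki authenticate': uppercase hex in groups of eight characters."""
    der = pem_to_der(pem)
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return " ".join(digest[i:i + 8] for i in range(0, len(digest), 8))


def fingerprint_matches(pem: str, shown: str, algorithm: str = "sha1") -> bool:
    """Compare the fingerprint the AP displayed with the one computed from the
    out-of-band copy of the CA certificate. Spacing and letter case are
    normalised so a value copied from the console compares correctly."""
    expected = ios_fingerprint(pem, algorithm).replace(" ", "")
    return expected == re.sub(r"\s+", "", shown).upper()


if __name__ == "__main__":
    print("Fingerprint MD5 :", ios_fingerprint(SAMPLE_CA_PEM, "md5"))
    print("Fingerprint SHA1:", ios_fingerprint(SAMPLE_CA_PEM, "sha1"))
    # Paste the SHA1 line the AP printed as the second argument:
    print(fingerprint_matches(SAMPLE_CA_PEM, "a9993e36 4706816a ba3e2571 7850c26c 9cd0d89d"))
```

Run it against the real root CA PEM and answer “yes” at the prompt only when `fingerprint_matches` returns True for the SHA1 line the AP printed; MD5 is shown only because IOS prints it, SHA1 is the one worth comparing.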
Once installed, you can verify the installed cert details using the “show crypto pki certificates” CLI command as shown below.
WGB#sh crypto pki certificates
CA Certificate
Status: Available
Certificate Serial Number (hex): xxxx
Certificate Usage: Signature
.
.
Validity Date:
start date: 18:27:00 UTC Nov 24 20xx
end date: 18:23:33 UTC Nov 24 20xx
Associated Trustpoints: MRN-TRUST
It is always recommended to have the correct time when you are dealing with certificates. You can set the clock manually to begin with and then sync with an NTP server (once the WGB is associated to the network). In case the AP power cycles and loses its clock setting, you can use the “clock save interval <hrs>” command. That way the AP will at least start with the last saved time as the current time, which is good enough for certificate validation.
WGB#clock set 16:11:00 25 May 2018
WGB(config)#clock timezone AEST 10 0
WGB(config)#clock summer-time AEDT recurring 1 Sun Oct 2:00 1 Sun Apr 3:00
WGB(config)#clock save interval 8
WGB(config)#sntp server x.x.4.103
WGB(config)#sntp server x.x.4.104
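The failure mode described above (a WGB that reboots with a stale or default clock and then rejects a perfectly good CA certificate as “not yet valid”) is easy to reproduce on paper. The following is an added example, not code from the original post, that parses the Validity Date block of `show crypto pki certificates` and classifies the certificate against whatever clock the WGB believes is current, given in the same format as the `clock set` argument. The sample output and its years are constructed (the post redacts them), and the function names are this example's own.

```python
import re
from datetime import datetime

# Constructed sample of 'show crypto pki certificates' output; the years are
# made up here because the post redacts them.
SAMPLE_SHOW_OUTPUT = """CA Certificate
  Status: Available
  Certificate Serial Number (hex): xxxx
  Certificate Usage: Signature
  Validity Date:
    start date: 18:27:00 UTC Nov 24 2017
    end date: 18:23:33 UTC Nov 24 2027
  Associated Trustpoints: MRN-TRUST
"""

# Date layout IOS uses in the Validity Date block, and the one 'clock set' takes.
IOS_VALIDITY_FORMAT = "%H:%M:%S UTC %b %d %Y"
IOS_CLOCK_SET_FORMAT = "%H:%M:%S %d %b %Y"


def parse_validity(show_output: str):
    """Return (not_before, not_after) parsed from the Validity Date block."""
    start = re.search(r"start date:\s+(.+)", show_output)
    end = re.search(r"end\s+date:\s+(.+)", show_output)
    if not (start and end):
        raise ValueError("Validity Date block not found in output")
    not_before = datetime.strptime(start.group(1).strip(), IOS_VALIDITY_FORMAT)
    not_after = datetime.strptime(end.group(1).strip(), IOS_VALIDITY_FORMAT)
    return not_before, not_after


def validity_status(show_output: str, clock_set_value: str) -> str:
    """Classify the certificate against the device clock, expressed the way you
    would type it to 'clock set' (UTC assumed, e.g. '16:11:00 25 May 2018').
    A WGB whose clock reset after a power cycle typically lands in
    'not yet valid', which is why 'clock save interval' matters."""
    not_before, not_after = parse_validity(show_output)
    now = datetime.strptime(clock_set_value.strip(), IOS_CLOCK_SET_FORMAT)
    if now < not_before:
        return "not yet valid"
    if now > not_after:
        return "expired"
    return "valid"


if __name__ == "__main__":
    # Clock from the post versus a constructed post-reboot clock with no saved time.
    for clock in ("16:11:00 25 May 2018", "00:00:00 1 Mar 2002", "00:00:00 1 Jan 2030"):
        print(clock, "->", validity_status(SAMPLE_SHOW_OUTPUT, clock))
```

If the second line prints “not yet valid”, that is exactly what the WGB's PKI code will conclude after a reboot without a saved clock, and the EAP exchange will fail at server certificate verification until time is restored.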
In order to use it for EAP authentication, you need to configure dot1x credentials and an EAP profile, and associate them with the SSID.
WGB(config)#eap profile PEAP-PRO
WGB(config-eap-profile)#method ?
  fast      EAP-FAST method allowed
  gtc       EAP-GTC method allowed
  leap      EAP-LEAP method allowed
  md5       EAP-MD5 method allowed
  mschapv2  EAP-MSCHAPV2 method allowed
  peap      EAP-PEAP method allowed
  tls       EAP-TLS method allowed
WGB(config-eap-profile)#method peap
The dot1x credentials profile can be configured as shown below. You have to reference the PKI trustpoint you defined earlier.
WGB(config)#dot1x credentials PEAP-CRD
WGB(config-dot1x-creden)#username xxx@xxx.edu.au
WGB(config-dot1x-creden)#password xxxx
WGB(config-dot1x-creden)#pki-trustpoint MRN-TRUST
!
Then you can configure your SSID with the dot1x profiles you configured. You need to set the authentication method to “eap”.
dot11 ssid eduroam2
 authentication open eap PEAP
 authentication key-management wpa version 2
 dot1x credentials PEAP-CRD
 dot1x eap profile PEAP-PRO
 infrastructure-ssid
!
interface Dot11Radio1
 encryption mode ciphers aes-ccm
 ssid eduroam2
 station-role workgroup-bridge
 bridge-group 1
On the WLC, you need to configure the eduroam2 SSID with 802.1X security and ISE as the RADIUS server. The default settings of an 802.1X SSID on the WLC should be fine (ensure Aironet IE is enabled under the WLAN's Advanced tab).
You will see your WGB associate to the “eduroam2” SSID advertised via 3702-1.
WGB#show dot11 associations
802.11 Client Stations on Dot11Radio1:
SSID [eduroam2] :
MAC Address IP address IPV6 address Device Name Parent State
a89d.21a2.c37e 10.10.0.100 :: LWAPP-Parent AP-3702-1 - Assoc
WGB#show dot11 associations a89d.21a2.c37e
Address : a89d.21a2.c37e Name : AP-3702-1
IP Address : 10.10.0.100 IPv6 Address :
Gateway Address : 0.0.0.0
Netmask Address : 0.0.0.0 Interface : Dot11Radio 1
Bridge-group : 0
reap_flags_1 : 0x0 ip_learn_type : 0x0 transient_static_ip : 0x0
Device : LWAPP-Parent Software Version : NONE
CCX Version : 5 Client MFP : On
State : Assoc Parent : -
SSID : eduroam2
VLAN : 0
Hops to Infra : 0 Association Id : 1
Tunnel Address : 0.0.0.0
Key Mgmt type : WPAv2 Encryption : AES-CCMP
Current Rate : a9.3-8 Capability : WMM 11h
Supported Rates : 24.0 36.0 48.0 54.0 m0-4 m1-4 m2-4 m3-4 m4-4 m5-4 m6-4 m7-4 m8-4 m9-4 m10-4 m11-4 m12-4 m13-4 m14-4 m15-4 m16-4 m17-4 m18-4 m19-4 m20-4 m21-4 m22-4 m23-4 a0.1-8 a1.1-8 a2.1-8 a3.1-8 a4.1-8 a5.1-8 a6.1-8 a7.1-8 a8.1-8 a9.1-8 a0.2-8 a1.2-8 a2.2-8 a3.2-8 a4.2-8 a5.2-8 a6.2-8 a7.2-8 a8.2-8 a9.2-8 a0.3-8 a1.3-8 a2.3-8 a3.3-8 a4.3-8 a5.3-8 a6.3-4 a7.3-8 a8.3-8 a9.3-8
Voice Rates : disabled Bandwidth : 80 MHz
Signal Strength : -31 dBm Connected for : 1318 seconds
Signal to Noise : 62 dB Activity Timeout : 15 seconds
Power-save : Off Last Activity : 0 seconds ago
Apsd DE AC(s) : NONE
You can verify connectivity from the WLC end as well.
(8540-TEST) >show client wlan 101
Number of Clients in WLAN........................ 2
MAC Address AP Name Status Auth Protocol Port Wired Mobility Role Device Type
----------------- ----------------- ------------- ---- ---------------- ---- ----- ----------------------------
00:23:56:5c:56:28 AP-3702-1 Associated No N/A 8 No Local Unknown
a8:9d:21:8d:5a:50 AP-3702-1 Associated Yes 802.11ac(5 GHz) 8 No Local Cisco-AP-Aironet-3700
Below is the client detail output for the WGB and its connected PC.
(8540-TEST) >show client detail a8:9d:21:8d:5a:50
Client MAC Address............................... a8:9d:21:8d:5a:50
Client Username ................................. xxx@xxx.edu.au
Hostname: ....................................... WGB
Device Type: .................................... Cisco-AP-Aironet-3700
AP MAC Address................................... a8:9d:21:a2:c3:70
AP Name.......................................... AP-3702-1
AP radio slot Id................................. 1
Client State..................................... Associated
Client User Group................................ xxx@xxx.edu.au
Client NAC OOB State............................. Access
Workgroup Bridge................................. 1 client(s)
Wireless LAN Id.................................. 101
Wireless LAN Network Name (SSID)................. eduroam2
Wireless LAN Profile Name........................ eduroam2
Hotspot (802.11u)................................ Not Supported
BSSID............................................ a8:9d:21:a2:c3:7e
Connected For ................................... 231 secs
Channel.......................................... 100
IP Address....................................... x.x.127.206
Gateway Address.................................. x.x.127.250
Netmask.......................................... 255.255.240.0
Association Id................................... 1
.
Authentication Key Management.................... 802.1x
Encryption Cipher................................ CCMP-128 (AES)
Protected Management Frame ...................... No
Management Frame Protection...................... Yes
EAP Type......................................... PEAP

(8540-TEST) >show client detail 00:23:56:5c:56:28
Client MAC Address............................... 00:23:56:5c:56:28
Client Username ................................. N/A
AP MAC Address................................... a8:9d:21:a2:c3:70
AP Name.......................................... AP-3702-1
AP radio slot Id................................. 1
Client State..................................... Associated
Client User Group................................
Client NAC OOB State............................. Access
Workgroup Bridge Client.......................... WGB: a8:9d:21:8d:5a:50
Wireless LAN Id.................................. 101
Wireless LAN Network Name (SSID)................. eduroam2
Wireless LAN Profile Name........................ eduroam2
Hotspot (802.11u)................................ Not Supported
BSSID............................................ a8:9d:21:a2:c3:7e
Connected For ................................... 177 secs
Channel.......................................... 100
IP Address....................................... Unknown
Gateway Address.................................. Unknown
Netmask.......................................... Unknown
.
Policy Type...................................... WPA2
Authentication Key Management.................... N/A
Encryption Cipher................................ None
Protected Management Frame ...................... No
Management Frame Protection...................... No
EAP Type......................................... 0
I took a packet capture on the switchport that 3702-1 is connected to. You will see the WGB going through the EAP process as shown below: the initial request (EAPoL-Start), the certificate exchange and the TLS tunnel establishment that we discussed earlier.
[Image: packet capture of the WGB's EAP exchange on the 3702-1 switchport]
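To make the capture above easier to read without a protocol dissector, here is an added example (not from the original post) that decodes the EAPOL and EAP headers (IEEE 802.1X and RFC 3748) of the first frames of a PEAP exchange: EAPoL-Start from the supplicant, the Request/Identity, the Response/Identity, and the first PEAP Request whose S flag marks the start of TLS tunnel setup. The frames are constructed byte strings modelled on that sequence with the Ethernet header stripped, the outer identity is a made-up value, and the function names are this example's own.

```python
import struct

# Constructed EAPOL payloads (Ethernet header stripped) modelling the opening
# of a PEAP exchange as seen on the 3702-1 switchport capture.
EAPOL_START = bytes.fromhex("01010000")                     # EAPOL v1, type 1 = Start, length 0
EAP_REQ_IDENTITY = bytes.fromhex("01000005" "0101000501")   # EAP Request id=1, type 1 = Identity
_identity = b"anonymous@xxx.edu.au"                          # constructed outer identity
EAP_RESP_IDENTITY = (struct.pack("!BBH", 1, 0, 5 + len(_identity))       # EAPOL header
                     + struct.pack("!BBHB", 2, 1, 5 + len(_identity), 1)  # EAP Response, Identity
                     + _identity)
EAP_REQ_PEAP_START = bytes.fromhex("01000006" "010200061920")  # EAP Request id=2, type 25 = PEAP, flags S=1

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}


def parse_eapol(frame: bytes) -> dict:
    """Decode the EAPOL header and, for EAP-Packet frames, the EAP header plus
    the first method-specific bytes for Identity and PEAP. Length fields are
    cross-checked so a truncated or inconsistent frame raises instead of
    being silently misread."""
    if len(frame) < 4:
        raise ValueError("EAPOL header truncated")
    version, ptype, length = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + length]
    if len(body) != length:
        raise ValueError("EAPOL body shorter than advertised length")
    info = {"eapol_version": version, "eapol_type": EAPOL_TYPES.get(ptype, ptype)}
    if ptype != 0:
        return info                               # Start/Logoff carry no EAP payload
    if length < 4:
        raise ValueError("EAP header truncated")
    code, ident, eap_len = struct.unpack("!BBH", body[:4])
    if eap_len != length:
        raise ValueError("EAP length disagrees with EAPOL length")
    info.update({"eap_code": EAP_CODES.get(code, code), "eap_id": ident})
    if code in (1, 2) and length >= 5:            # Request/Response carry a method type
        eap_type = body[4]
        info["eap_type"] = EAP_TYPES.get(eap_type, eap_type)
        data = body[5:]
        if eap_type == 1:
            info["identity"] = data.decode("utf-8", errors="replace")
        elif eap_type == 25 and data:
            flags = data[0]
            info["peap_start"] = bool(flags & 0x20)   # S bit: server begins TLS tunnel setup
            info["peap_version"] = flags & 0x07
    return info


def summarize_exchange(frames) -> list:
    """One human-readable line per frame, in capture order."""
    lines = []
    for frame in frames:
        p = parse_eapol(frame)
        desc = p["eapol_type"]
        if "eap_code" in p:
            desc += f" EAP {p['eap_code']} id={p['eap_id']} type={p.get('eap_type')}"
        if "identity" in p:
            desc += f" identity={p['identity']}"
        if p.get("peap_start"):
            desc += " (PEAP Start: TLS tunnel setup begins)"
        lines.append(desc)
    return lines


if __name__ == "__main__":
    for line in summarize_exchange([EAPOL_START, EAP_REQ_IDENTITY,
                                    EAP_RESP_IDENTITY, EAP_REQ_PEAP_START]):
        print(line)
```

What follows the PEAP Start frame in a real capture is the TLS ClientHello/ServerHello and the server certificate that the WGB validates against the MRN-TRUST root; the inner MSCHAPv2 exchange with the username from the dot1x credentials is only visible inside that tunnel.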
Special thanks to @DarchisNicolas from Cisco TAC for pointing me in the right direction when I had issues with certs initially. Also thanks to my ex-colleague Gareth, who helped me from time to time to get it working.
REFERENCES
1. WGB with PEAP Config Example – Cisco Doc#11576
2. WGB with EAP-TLS – Cisco Doc#100864
3. WGB with EAP-TLS (by Thomas Larsen)