Cisco Catalyst 9800 Series Wireless Controller Software Configuration Guide, Cisco IOS XE 17.15.x

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Book Contents

Find Matches in This Book

Results

Updated:: August 14, 2024

Chapter: Local Extensible Authentication Protocol

Local Extensible Authentication Protocol
Information About Local EAP
Restrictions for Local EAP
Configuring Local EAP Profile (CLI)
Configuring Local EAP profile (GUI)
Configuring AAA Authentication (GUI)
Configuring AAA Authorization Method (GUI)
Configuring AAA Authorization Method (CLI)
Configuring Local Advanced Methods (GUI)
Configuring WLAN (GUI)
Configuring WLAN (CLI)
Creating a User Account (CLI)
Attaching a Policy Profile to a WLAN Interface (GUI)
Deploy Policy Tag to Access Points (GUI)

Local Extensible Authentication Protocol

Information About Local EAP

Local Extensible Authentication Protocol (EAP) feature refers to the controller that acts as authenticator and authentication server. Local EAP allows 802.1x authentication on WPA Enterprise wireless clients without the use of any RADIUS server. The Local EAP refers to the EAP authentication server activity and not necessarily tied to the user credentials validation (for example) that can be delegated to an external LDAP database.

Feature Scenarios

Local EAP is designed to allow administrators to use Enterprise-grade 802.1x authentication for a limited number of users in situations and branches where an external dedicated RADIUS server may not be available. It can also work as an emergency backup in case the RADIUS server is not available.

Use Cases

You can implement Local EAP either with users local to the controller or use an external LDAP database to store the user credentials.

Restrictions for Local EAP

It is not possible to configure AAA attributes, such as per-user ACL or per-user session timeout using local EAP.
Local EAP only allows user database either locally on the controller or on an external LDAP database.
Local EAP supports TLS 1.2 as of 17.1 and later software release.
Local EAP uses the trustpoint of your choice on the controller. You will either need to install a publicly trusted certificate on the controller or import it on the clients for the EAP session to be trusted by the client.

Local EAP supports EAP-FAST, EAP-TLS, and PEAP as EAP authentication methods.

Note

PEAP-mschapv2 does not work when using certain external LDAP databases that only support clear text passwords.

Configuring Local EAP Profile (CLI)

Procedure

	Command or Action	Purpose
Step 1	configure terminal Example: `Device# configure terminal`	Enters global configuration mode.
Step 2	eap profile `name` Example: `Device(config)# eap profile mylocapeap`	Creates an EAP profile.
Step 3	method peap Example: `Device(config-eap-profile)# method peap`	Configures the PEAP method on the profile.
Step 4	pki-trustpoint `name` Example: `Device(config-eap-profile)# pki-trustpoint admincert`	Configures the PKI trustpoint on the profile.

Configuring Local EAP profile (GUI)

Procedure

Step 1

Choose Configuration > Security > Local EAP.

Step 2

Click Add.

Step 3

In the Create Local EAP Profiles page, enter a profile name.

Note

It is not advised to use LEAP EAP method due to its weak security. You can use any of the following EAP methods to configure a trustpoint:

EAP-FAST
EAP-TLS
PEAP

Clients do not trust the default controller certificate, so you need to deactivate the server certificate validation on the client side or install a certificate trustpoint on the controller.

Step 4

Click Apply to Device.

Configuring AAA Authentication (GUI)

Procedure

Step 1	Choose Configuration > Security > AAA, and navigate to the AAA Method List > Authentication tabs.
Step 2	Click Add.
Step 3	Choose dot1x as the Type and local as the Group Type.
Step 4	Click Apply to Device.

Configuring AAA Authorization Method (GUI)

Procedure

Step 1

Navigate to Authorization sub-tab.

Step 2

Create a new method for credential-download type and point it to local.

Note

Perform the same for network authorization type.

Configuring AAA Authorization Method (CLI)

Procedure

	Command or Action	Purpose
Step 1	configure terminal Example: `Device# configure terminal`	Enters global configuration mode.
Step 2	aaa new-model Example: `Device(config)# aaa new-model`	Creates a AAA authentication model.
Step 3	aaa authentication dot1x default local Example: `Device(config)# aaa authentication dot1x default local`	Configures the default local RADIUS server.
Step 4	aaa authorization credential-download default local Example: `Device(config)# aaa authorization credential-download default local`	Configures default database to download credentials from local server.
Step 5	aaa local authentication default authorization default Example: `Device(config)# aaa local authentication default authorization default`	Configures the local authentication method list.
Step 6	aaa authorization network default local Example: `Device(config)# aaa authorization network default local`	Configures authorization for network services.

Configuring Local Advanced Methods (GUI)

Procedure

Step 1

In the Configuration > Security > AAA window, perform the following:

Navigate to AAA Advanced tab.
From the Local Authentication drop-down list, choose a default local authentication.
From the Local Authorization drop-down list, choose a default local authorization.

Step 2

Click Apply.

Configuring WLAN (GUI)

Procedure

Step 1	Choose Configuration > Tags & Profiles > WLANs.
Step 2	In the WLANs window, click the name of the WLAN or click Add to create a new one.
Step 3	In the Add/Edit WLAN window that is displayed, click the General tab to configure the following parameters. In the Profile Name field, enter or edit the name of the profile. In the SSID field, enter or edit the SSID name. The SSID name can be alphanumeric, and up to 32 characters in length. In the WLAN ID field, enter or edit the ID number. The valid range is between 1 and 512. From the Radio Policy drop-down list, choose the 802.11 radio band. Using the Broadcast SSID toggle button, change the status to either Enabled or Disabled. Using the Status toggle button, change the status to either Enabled or Disabled.
Step 4	In the AAA tab, you can configure the following: Choose an authentication list from the drop-down. Check the Local EAP Authentication check box to enable local EAP authentication on the WLAN. Also, choose the required EAP Profile Name from the drop-down list.
Step 5	Click Save & Apply to Device.

Configuring WLAN (CLI)

Procedure

Command or Action Purpose

Step 1

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 2

wlan wlan-name wlan-id SSID-name

Example:

Device(config)# wlan localpeapssid 1 localpeapssid

Enters the WLAN configuration sub-mode.

wlan-name —Is the name of the configured WLAN.

wlan-id —Is the wireless LAN identifier. The range is 1 to 512.

SSID-name —Is the SSID name which can contain 32 alphanumeric characters.

Note

If you have already configured this command, enter wlan wlan-name command.

Step 3

security dot1x authentication-list auth-list-name

Example:

Device(config-wlan)# security dot1x authentication-list default

Enables security authentication list for dot1x security. The configuration is similar for all dot1x security WLANs.

Step 4

local-auth profile name

Example:

Device(config-wlan)# local-auth mylocaleap

Sets EAP Profile on an WLAN.

profile name —Is the EAP profile on an WLAN.

Creating a User Account (CLI)

Procedure

	Command or Action	Purpose
Step 1	configure terminal Example: `Device# configure terminal`	Enters global configuration mode.
Step 2	user-name `user-name` Example: `Device(config)# user-name 1xuser`	Creates a user account.
Step 3	creation-time `time` Example: `Device(config)# creation-time 1572730075`	Creation time of the user account.
Step 4	description `user-name` Example: `Device(config)# description 1xuser`	Adds a user-defined description to the new user account.
Step 5	password 0 `password` Example: `Device(config)# password 0 Cisco123`	Creates a password for the user account.
Step 6	type network-user description `user-name` Example: `Device(config)# type network-user description 1xuser`	Specifies the type of user account.

Attaching a Policy Profile to a WLAN Interface (GUI)

Procedure

Step 1	Choose Configuration > Tags & Profiles > Tags.
Step 2	On the Manage Tags page, click Policy tab.
Step 3	Click Add to view the Add Policy Tag window.
Step 4	Enter a name and description for the policy tag.
Step 5	Click Add to map the WLAN and policy.
Step 6	Choose the WLAN profile to map with the appropriate policy profile, and click the tick icon.
Step 7	Click Save & Apply to Device.

Deploy Policy Tag to Access Points (GUI)

Procedure

Step 1

Choose Configuration > Wireless > Access Points.

Step 2

On the All Access Points page, click the access point you want to configure.

Make sure that the tags assigned are the ones you configured.

Step 3

Click Apply.

Was this Document Helpful?

Feedback

Contact Cisco

Open a Support Case
(Requires a Cisco Service Contract)