WGB with PEAP

Recently I had to work on a task that required a wired device to connect to the “eduroam” SSID, which is configured with 802.1X. In this post I will share how I configured it.

In my test setup, Cisco ISE (v2.2.x) is the RADIUS server, and a 3702 (3702-1) managed by a WLC (AireOS 8.5.120.0) advertises the 802.1X SSID (eduroam2). Another 3702 running in autonomous mode [v15.3(3)JF5] is configured as the WGB. Below is my topology for this post.

WGB-PEAP-01

If you refer to my previous posts you will find many on WGBs configured with WPA2-PSK. The basic config is similar to the one below.

hostname WGB
!
dot11 ssid ABC24
 authentication open
 authentication key-management wpa version 2
 wpa-psk ascii Cisco123 
 infrastructure-ssid 
!
interface Dot11Radio1
 encryption mode ciphers aes-ccm 
 ssid ABC24
 station-role workgroup-bridge
 bridge-group 1 
!
interface GigabitEthernet0
 bridge-group 1
! 
interface BVI1
 ip address dhcp

Let’s see how we can configure it to use EAP-PEAP.

With any EAP method, certificate trust is used to create a secure (TLS) tunnel so that the EAP exchange itself happens in a protected manner. To achieve that, the RADIUS server (ISE in my topology) needs a trusted certificate installed that is used for the supplicants' EAP authentication. When a supplicant requests a secure connection with ISE, ISE presents its EAP certificate, which the client needs to accept. Refer to the “How to implement ISE server side cert” Cisco doc for more details (the diagram below is from that document).

WGB-PEAP-02

In PEAP, the server does not verify a client certificate, hence you do not need to install a valid, client-unique certificate (that is required for EAP-TLS). However, to verify the server certificate presented to the supplicant (the WGB in our scenario), you need to install the root certificate of the EAP certificate chain that you installed in ISE.

First you need to define a trustpoint with enrollment type “terminal”.

crypto pki trustpoint MRN-TRUST
 enrollment terminal
 subject-name CN=WGB-02
 revocation-check none
 rsakeypair WGB 2048

Then you can install the root CA cert by manually copy-pasting it using the “crypto pki authenticate <trust_point_name>” command.

WGB1(config)#crypto pki authenticate MRN-TRUST

Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
.
.
-----END CERTIFICATE-----
quit
Certificate has the following attributes:
Fingerprint MD5: 5E397BDD F8BAEC82 E9AC62BA 0C54002B
Fingerprint SHA1: CA3AFBCF 1240364B 44B21620 88804839 19937CF7
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
% Certificate successfully imported
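The “Do you accept this certificate?” prompt above is the only point where the WGB's trust in ISE is decided, so the fingerprint IOS prints should be compared with the value the CA operator published out of band before answering yes. The script below is an added example (not part of the original post or of Cisco's tooling) that reproduces the IOS fingerprint formatting from a PEM block and performs that comparison; the PEM body is a constructed stand-in whose base64 decodes to the bytes "abc", not a real certificate.

```python
import base64
import hashlib
import re

# Constructed stand-in for a PEM block: the body decodes to b"abc", so it is NOT a
# real certificate. IOS fingerprints are hashes of the DER bytes, so any body
# exercises the same logic.
CONSTRUCTED_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----"""

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the body to DER."""
    m = PEM_BLOCK.search(pem)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def ios_fingerprint(der: bytes, algo: str) -> str:
    """Hex digest grouped into 8-character uppercase words, the way IOS prints it."""
    hexdigest = hashlib.new(algo, der).hexdigest().upper()
    return " ".join(hexdigest[i:i + 8] for i in range(0, len(hexdigest), 8))


def fingerprints(pem: str) -> dict:
    """Both fingerprints that 'crypto pki authenticate' displays for a CA cert."""
    der = pem_to_der(pem)
    return {"MD5": ios_fingerprint(der, "md5"), "SHA1": ios_fingerprint(der, "sha1")}


def same_fingerprint(shown: str, expected: str) -> bool:
    """Compare ignoring spacing, colons and case; published values vary in layout."""
    def norm(s: str) -> str:
        return re.sub(r"[\s:]", "", s).upper()
    return norm(shown) == norm(expected)


def accept_ca(pem: str, expected_sha1: str) -> bool:
    """Answer the accept prompt from the SHA1 the CA operator published out of band.
    SHA1 is used because MD5 alone is too weak to authenticate a trust anchor."""
    return same_fingerprint(fingerprints(pem)["SHA1"], expected_sha1)
```

Paste the CA certificate you were handed into CONSTRUCTED_PEM's place and compare the SHA1 line IOS prints with the published value before accepting the trustpoint.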

Once installed, you can verify the installed cert details using the “show crypto pki certificates” CLI command as shown below.

WGB#sh crypto pki certificates 
CA Certificate
 Status: Available
 Certificate Serial Number (hex): xxxx
 Certificate Usage: Signature
 .
 .
 Validity Date: 
 start date: 18:27:00 UTC Nov 24 20xx
 end date: 18:23:33 UTC Nov 24 20xx
 Associated Trustpoints: MRN-TRUST

It is always recommended to have the correct time when dealing with certificates. You can set the clock manually to begin with and then sync with an NTP server (once the WGB is associated to the network). In case the AP power cycles and loses its clock setting, you can use the “clock save interval <hrs>” command. That way the AP will at least start with the last saved time as the current time, which is good enough for cert validation.

WGB#clock set 16:11:00 25 May 2018
WGB(config)#clock timezone AEST 10 0
WGB(config)#clock summer-time AEDT recurring 1 Sun Oct 2:00 1 Sun Apr 3:00
WGB(config)#clock save interval 8

WGB(config)#sntp server x.x.4.103
WGB(config)#sntp server x.x.4.104

In order to use it for EAP authentication, you need to configure dot1x credentials and an EAP profile, and associate them to the SSID.

WGB(config)#eap profile PEAP-PRO
WGB(config-eap-profile)#method ? 
 fast EAP-FAST method allowed
 gtc EAP-GTC method allowed
 leap EAP-LEAP method allowed
 md5 EAP-MD5 method allowed
 mschapv2 EAP-MSCHAPV2 method allowed
 peap EAP-PEAP method allowed
 tls EAP-TLS method allowed

WGB(config-eap-profile)#method peap

The dot1x credentials profile can be configured as shown below. You have to reference the PKI trustpoint you defined earlier.

WGB(config)#dot1x credentials PEAP-CRD
WGB(config-dot1x-creden)#username xxx@xxx.edu.au
WGB(config-dot1x-creden)#password xxxx
WGB(config-dot1x-creden)#pki-trustpoint MRN-TRUST
!

Then you can configure your SSID with the configured dot1x profiles. You need to set the authentication method to “eap”.

dot11 ssid eduroam2
 authentication open eap PEAP 
 authentication key-management wpa version 2
 dot1x credentials PEAP-CRD
 dot1x eap profile PEAP-PRO
 infrastructure-ssid
!
interface Dot11Radio1
 encryption mode ciphers aes-ccm 
 ssid eduroam2
 station-role workgroup-bridge
 bridge-group 1 

On the WLC, you need to configure the eduroam2 SSID with 802.1X security and ISE as the RADIUS server. The default settings of an 802.1X SSID on the WLC should be fine (ensure Aironet IE is enabled under WLAN > Advanced).

You will see that your WGB associates to the “eduroam2” SSID advertised via 3702-1.

WGB#show dot11 associations
802.11 Client Stations on Dot11Radio1:
SSID [eduroam2] :

MAC Address IP address IPV6 address Device Name Parent State 
a89d.21a2.c37e 10.10.0.100 :: LWAPP-Parent AP-3702-1 - Assoc
WGB#show dot11 associations a89d.21a2.c37e
Address : a89d.21a2.c37e Name : AP-3702-1
IP Address : 10.10.0.100 IPv6 Address : 
Gateway Address : 0.0.0.0 
Netmask Address : 0.0.0.0 Interface : Dot11Radio 1
Bridge-group : 0
reap_flags_1 : 0x0 ip_learn_type : 0x0 transient_static_ip : 0x0 
Device : LWAPP-Parent Software Version : NONE 
CCX Version : 5 Client MFP : On

State : Assoc Parent : - 
SSID : eduroam2 
VLAN : 0
Hops to Infra : 0 Association Id : 1
Tunnel Address : 0.0.0.0
Key Mgmt type : WPAv2 Encryption : AES-CCMP
Current Rate : a9.3-8 Capability : WMM 11h
Supported Rates : 24.0 36.0 48.0 54.0 m0-4 m1-4 m2-4 m3-4 m4-4 m5-4 m6-4 m7-4 m8-4 m9-4 m10-4 m11-4 m12-4 m13-4 m14-4 m15-4 m16-4 m17-4 m18-4 m19-4 m20-4 m21-4 m22-4 m23-4 a0.1-8 a1.1-8 a2.1-8 a3.1-8 a4.1-8 a5.1-8 a6.1-8 a7.1-8 a8.1-8 a9.1-8 a0.2-8 a1.2-8 a2.2-8 a3.2-8 a4.2-8 a5.2-8 a6.2-8 a7.2-8 a8.2-8 a9.2-8 a0.3-8 a1.3-8 a2.3-8 a3.3-8 a4.3-8 a5.3-8 a6.3-4 a7.3-8 a8.3-8 a9.3-8
Voice Rates : disabled Bandwidth : 80 MHz
Signal Strength : -31 dBm Connected for : 1318 seconds
Signal to Noise : 62 dB Activity Timeout : 15 seconds
Power-save : Off Last Activity : 0 seconds ago
Apsd DE AC(s) : NONE

You can verify connectivity from the WLC end as well.

(8540-TEST) >show client wlan 101
Number of Clients in WLAN........................ 2
MAC Address AP Name Status Auth Protocol Port Wired Mobility Role Device Type
----------------- ----------------- ------------- ---- ---------------- ---- ----- ----------------------------
00:23:56:5c:56:28 AP-3702-1 Associated No N/A 8 No Local Unknown 
a8:9d:21:8d:5a:50 AP-3702-1 Associated Yes 802.11ac(5 GHz) 8 No Local Cisco-AP-Aironet-3700

Below is the client detail output for the WGB and its connected PC.

(8540-TEST) >show client detail a8:9d:21:8d:5a:50
Client MAC Address............................... a8:9d:21:8d:5a:50
Client Username ................................. xxx@xxx.edu.au
Hostname: ....................................... WGB
Device Type: .................................... Cisco-AP-Aironet-3700
AP MAC Address................................... a8:9d:21:a2:c3:70
AP Name.......................................... AP-3702-1 
AP radio slot Id................................. 1 
Client State..................................... Associated 
Client User Group................................ xxx@xxx.edu.au
Client NAC OOB State............................. Access
Workgroup Bridge................................. 1 client(s)
Wireless LAN Id.................................. 101
Wireless LAN Network Name (SSID)................. eduroam2
Wireless LAN Profile Name........................ eduroam2
Hotspot (802.11u)................................ Not Supported
BSSID............................................ a8:9d:21:a2:c3:7e 
Connected For ................................... 231 secs
Channel.......................................... 100
IP Address....................................... x.x.127.206
Gateway Address.................................. x.x.127.250
Netmask.......................................... 255.255.240.0
Association Id................................... 1
.
Authentication Key Management.................... 802.1x
Encryption Cipher................................ CCMP-128 (AES)
Protected Management Frame ...................... No
Management Frame Protection...................... Yes
EAP Type......................................... PEAP

(8540-TEST) >show client detail 00:23:56:5c:56:28
Client MAC Address............................... 00:23:56:5c:56:28
Client Username ................................. N/A
AP MAC Address................................... a8:9d:21:a2:c3:70
AP Name.......................................... AP-3702-1 
AP radio slot Id................................. 1 
Client State..................................... Associated 
Client User Group................................ 
Client NAC OOB State............................. Access
Workgroup Bridge Client.......................... WGB: a8:9d:21:8d:5a:50
Wireless LAN Id.................................. 101
Wireless LAN Network Name (SSID)................. eduroam2
Wireless LAN Profile Name........................ eduroam2
Hotspot (802.11u)................................ Not Supported
BSSID............................................ a8:9d:21:a2:c3:7e 
Connected For ................................... 177 secs
Channel.......................................... 100
IP Address....................................... Unknown
Gateway Address.................................. Unknown
Netmask.......................................... Unknown
.
Policy Type...................................... WPA2
Authentication Key Management.................... N/A
Encryption Cipher................................ None
Protected Management Frame ...................... No
Management Frame Protection...................... No
EAP Type......................................... 0
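The two outputs above show the security property worth checking on the WLC: the WGB itself holds the 802.1X/PEAP session with CCMP encryption, while the wired PC behind it has no session of its own and is only reported as a “Workgroup Bridge Client” of that WGB. The following is an added example (not from the original post or from Cisco) that parses this “show client detail” layout and applies those checks; the excerpts are constructed from the values shown above.

```python
import re
from typing import Dict, List

# Constructed excerpts in the layout of the WLC "show client detail" output above.
WGB_OUTPUT = """\
Client MAC Address............................... a8:9d:21:8d:5a:50
Client State..................................... Associated
Workgroup Bridge................................. 1 client(s)
Policy Type...................................... WPA2
Authentication Key Management.................... 802.1x
Encryption Cipher................................ CCMP-128 (AES)
EAP Type......................................... PEAP
"""
WIRED_OUTPUT = """\
Client MAC Address............................... 00:23:56:5c:56:28
Client State..................................... Associated
Workgroup Bridge Client.......................... WGB: a8:9d:21:8d:5a:50
Authentication Key Management.................... N/A
Encryption Cipher................................ None
EAP Type......................................... 0
"""

# "Key ...... value": the key may carry a trailing space or colon before the dots.
LINE = re.compile(r"^(.*?)\s*\.{2,}\s*(.*?)\s*$")


def parse_client_detail(text: str) -> Dict[str, str]:
    """Turn the dotted key/value lines into a dict; lines without dots are skipped."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            fields[m.group(1).rstrip(":")] = m.group(2)
    return fields


def check_wgb_session(fields: Dict[str, str]) -> List[str]:
    """Findings for a WGB entry that should show an 802.1X/PEAP session with CCMP."""
    expected = {"Authentication Key Management": "802.1x",
                "Encryption Cipher": "CCMP-128 (AES)",
                "EAP Type": "PEAP"}
    return [f"{k}: got {fields.get(k)!r}, want {v!r}"
            for k, v in expected.items() if fields.get(k) != v]


def behind_wgb(fields: Dict[str, str], wgb_mac: str) -> bool:
    """True if the entry is a wired host bridged by the given WGB rather than a
    wireless client with its own 802.1X session."""
    return fields.get("Workgroup Bridge Client") == f"WGB: {wgb_mac}"
```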

I took a packet capture on the switchport connected to 3702-1. You will see the WGB going through the EAP process as shown below: the initial request (EAPoL-Start), the certificate exchange and the TLS tunnel establishment we discussed earlier.

WGB-PEAP-02

Special thanks to @DarchisNicolas from Cisco TAC for pointing me in the right direction when I had issues with certs initially. Also thanks to my ex-colleague Gareth who helped me from time to time to get it working.

REFERENCES
1. WGB with PEAP Config Example – Cisco Doc#11576
2. WGB with EAP-TLS – Cisco Doc#100864
3. WGB with EAP-TLS (by Thomas Larsen)