Local EAP is an authentication method that allows users and wireless clients to be authenticated locally on the WLC. This is useful for a remote branch that does not have an external RADIUS server on-site, does not want to rely on the WAN to reach the main-office RADIUS server, or needs authentication to keep working when that RADIUS server is down. Local EAP supports LEAP, EAP-FAST, EAP-TLS, PEAPv0/MSCHAPv2 and PEAPv1/GTC authentication between the WLC and wireless clients.

If any RADIUS servers are configured on the controller, the controller tries to authenticate the wireless client using those RADIUS servers first. Local EAP is attempted only if no RADIUS server answers (all servers timed out, or none is configured). You can disable RADIUS authentication for a given WLAN with the “config wlan radius_server auth disable wlan_id” CLI command.
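The authentication order just described has one consequence worth checking on a deployment: a RADIUS Access-Reject is a final answer, while only a timeout (or no server at all) lets the controller fall through to Local EAP. The small model below is an added example written for this post, not Cisco code; the Wlan dataclass and the radius_results map are assumptions used to simulate the controller's decision for one client attempt.

```python
"""Model of the WLC authentication-order rule (added example, not Cisco code):
RADIUS servers assigned to the WLAN are tried first; Local EAP is used only
when RADIUS is disabled for the WLAN or every assigned server times out.
An Access-Reject from a reachable server is final and does not fall back."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

RADIUS_ACCEPT, RADIUS_REJECT, RADIUS_TIMEOUT = "accept", "reject", "timeout"


@dataclass
class Wlan:
    """Assumed representation of the WLAN settings that matter for this rule."""
    wlan_id: int
    # False after "config wlan radius_server auth disable <wlan_id>"
    radius_auth_enabled: bool = True
    radius_servers: List[str] = field(default_factory=list)
    local_eap_profile: Optional[str] = None


def choose_auth_path(wlan: Wlan, radius_results: Dict[str, str]) -> Tuple[str, str]:
    """Return (method, outcome) for one client authentication attempt.

    radius_results maps a server address to its simulated reply (constructed
    input); a server missing from the map is treated as timed out."""
    if wlan.radius_auth_enabled and wlan.radius_servers:
        for server in wlan.radius_servers:
            result = radius_results.get(server, RADIUS_TIMEOUT)
            if result == RADIUS_TIMEOUT:
                continue  # try the next server in the WLAN's list
            return ("radius", result)  # accept or reject is final
        # every server timed out: fall through to Local EAP if a profile exists
    if wlan.local_eap_profile:
        return ("local-eap", "attempted")
    return ("none", "fail")


if __name__ == "__main__":
    # Constructed scenarios illustrating the three cases.
    branch = Wlan(3, True, ["10.0.0.5"], "wlc3-local-eap")
    print(choose_auth_path(branch, {"10.0.0.5": RADIUS_REJECT}))   # ('radius', 'reject')
    print(choose_auth_path(branch, {}))                            # ('local-eap', 'attempted')
    local_only = Wlan(3, False, ["10.0.0.5"], "wlc3-local-eap")
    print(choose_auth_path(local_only, {"10.0.0.5": RADIUS_ACCEPT}))  # ('local-eap', 'attempted')
```

The second call shows the WAN-failure case the post is written for; the third shows what the “radius_server auth disable” command does, which is why the WLAN screenshot later in the post has RADIUS unticked.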

You can create network users on the WLC either via the GUI or the CLI. The CLI method below defines two types of users (permanent and guest). If you specify the WLAN ID as “0”, the user is allowed on any WLAN. For a guest user you can specify the lifetime in seconds (4 hrs, i.e. 14400 seconds, in my example).

config netuser add wlc3-user1 wlc3-user1 wlan 0 userType permanent
config netuser add wlc3-user2 wlc3-user2 wlan 0 userType permanent
config netuser add wlc3-user3 wlc3-user3 wlan 0 userType permanent

config netuser add wlc3-guest1 wlc3-guest1 wlan 0 userType guest lifetime 14400
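To create more than a handful of local users it is easier to generate the “config netuser add” lines than to type them, and generating them is also the moment to give each account a random password rather than reusing the username as the commands above do. The script below is an added example written for this post, not Cisco code; the command syntax is the one shown above, while the password length and the user list are assumptions constructed for illustration.

```python
"""Generate WLC 'config netuser add' lines for a batch of local users
(added example, not from the original post). Syntax as used in the post:
  config netuser add <user> <password> wlan <id> userType permanent
  config netuser add <user> <password> wlan <id> userType guest lifetime <seconds>
Passwords come from the OS CSPRNG instead of repeating the username."""
import secrets
import string
from typing import Dict, List, Optional, Tuple

ALPHABET = string.ascii_letters + string.digits


def make_password(length: int = 16) -> str:
    """Random password from a CSPRNG; 16 characters is an assumed site policy."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def netuser_add(user: str, password: str, wlan_id: int = 0,
                guest_lifetime_hours: Optional[float] = None) -> str:
    """Build one 'config netuser add' line.

    wlan 0 means the user is allowed on any WLAN. Passing a lifetime turns the
    entry into a guest account; the CLI takes the lifetime in seconds."""
    if not user or any(ch.isspace() for ch in user):
        raise ValueError("username must be a single non-empty token")
    if not password or any(ch.isspace() for ch in password):
        raise ValueError("password must be a single non-empty token")
    if wlan_id < 0:
        raise ValueError("wlan_id must be 0 (any WLAN) or a positive WLAN id")
    base = f"config netuser add {user} {password} wlan {wlan_id}"
    if guest_lifetime_hours is None:
        return base + " userType permanent"
    seconds = int(guest_lifetime_hours * 3600)
    if seconds <= 0:
        raise ValueError("guest lifetime must be positive")
    return base + f" userType guest lifetime {seconds}"


def build_batch(users: List[Tuple[str, Optional[float]]],
                wlan_id: int = 0) -> Tuple[List[str], Dict[str, str]]:
    """users: (username, guest_lifetime_hours or None for permanent).
    Returns the CLI lines and a username -> password map to hand out."""
    lines, creds = [], {}
    for name, lifetime in users:
        pw = make_password()
        creds[name] = pw
        lines.append(netuser_add(name, pw, wlan_id, lifetime))
    return lines, creds


if __name__ == "__main__":
    # Constructed user list mirroring the post: three permanent users, one 4-hour guest.
    cmds, creds = build_batch([("wlc3-user1", None), ("wlc3-user2", None),
                               ("wlc3-user3", None), ("wlc3-guest1", 4)])
    print("\n".join(cmds))
```

Passing the post's own values through netuser_add reproduces the guest line above exactly (14400 seconds for 4 hours). The generated password is part of the CLI line, so paste the output into a console session rather than leaving it in a shared file, and keep the returned credential map only for as long as it takes to distribute the passwords.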

In the GUI, go to the “Security -> Local NetUser” section for this.

Local EAP-01

You can configure Local EAP settings under the “Security -> Local EAP” section. Here are the default settings under the General tab.

Local EAP-02

You have to create a local EAP profile that specifies the EAP authentication types supported for the wireless clients. You can do this via the “Security -> Local EAP -> Profile” section. I have created a profile named “wlc3-local-eap” and enabled EAP-FAST, EAP-TLS and PEAP as allowed protocols. Once you click on the defined profile you can change any settings under it (shown in the highlighted area below).

Local EAP-03

If you want the WLC to use the device certificate on the controller to authenticate EAP-FAST clients, select the “Local Certificate Required” check box. If you leave it un-ticked, EAP-FAST uses a PAC instead of certificates. If you want EAP-FAST client devices to send their certificate, select the “Client Certificate Required” option.

EAP-FAST parameters can be changed via the “Security -> Local EAP -> EAP-FAST Parameters” section, as shown below.

Local EAP-04

Finally, configure a WLAN on the controller and specify Local EAP as the authentication mechanism. Note that RADIUS authentication is disabled and only Local EAP is selected.

Local EAP-05

Here is the successful client association using EAP-FAST.

Local EAP-06

Here is the successful client authentication via PEAP.

Local EAP-07

I have not installed a Root Certificate on my WLC, so I cannot test the EAP-TLS method.