Local EAP is an authentication method that allows users and wireless clients to be authenticated locally on the WLC. This is useful for a remote branch that has no external RADIUS server on-site, does not want to rely on the WAN to reach the main office RADIUS server, or needs to keep authenticating clients when that RADIUS server has gone down. Local EAP supports LEAP, EAP-FAST, EAP-TLS, PEAPv0/MSCHAPv2 and PEAPv1/GTC authentication between the WLC & wireless clients.
If any RADIUS servers are configured on the controller, the controller tries to authenticate the wireless client using the RADIUS servers first. Local EAP is attempted only if no RADIUS server is found (the configured servers timed out, or no RADIUS server is configured). You can disable RADIUS authentication for a given WLAN by using the “config wlan radius_server auth disable wlan_id” CLI command.
You can create network users on the WLC either via the GUI or the CLI. The CLI method below defines two types of users (Permanent & Guest). If you specify the WLAN ID as “0”, that user is allowed on any WLAN. For a guest user you can also specify the lifetime (14400 seconds, i.e. 4 hrs, in my example).
config netuser add wlc3-user1 wlc3-user1 wlan 0 userType permanent
config netuser add wlc3-user2 wlc3-user2 wlan 0 userType permanent
config netuser add wlc3-user3 wlc3-user3 wlan 0 userType permanent
config netuser add wlc3-guest1 wlc3-guest1 wlan 0 userType guest lifetime 14400
In the GUI you do this under the “Security -> Local NetUser” section.
You have to create a local EAP profile which specifies the EAP authentication types that are supported on the wireless clients. You can do this via the “Security -> Local EAP -> Profile” section. I have created a profile named “wlc3-local-eap” & enabled EAP-FAST, EAP-TLS & PEAP as the allowed protocols. Once you click on the defined profile you can change any settings under it (shown in the highlighted area below).
If you want the WLC to use the device certificate on the controller to authenticate EAP-FAST clients, you have to select the “Local Certificate Required” check box. If you leave this un-ticked, EAP-FAST will use a PAC instead of certificates. If you want EAP-FAST client devices to send their certificate, select the “Client Certificate Required” option.
EAP-FAST parameters can be changed via “Security -> Local EAP -> EAP-FAST Parameters” section as shown below.
Finally, configure a WLAN on the controller & specify Local EAP as the authentication mechanism. Note that RADIUS authentication is disabled & only Local EAP is selected.
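The same procedure as an added CLI example (not from the original post): the net users from above, a “wlc3-local-eap” profile allowing EAP-FAST, EAP-TLS & PEAP, EAP-FAST set to use the controller's device certificate, and a WLAN bound to that profile with RADIUS authentication disabled. The WLAN ID (1), SSID and EAP-FAST server key are assumed values, and the command syntax is as I know it from the AireOS WLC CLI; check each line against the controller's inline help (?) before using it.

```cisco
! --- 1. Local net users (same as above; user "wlc3-user1" etc. from the post) ---
config netuser add wlc3-user1 wlc3-user1 wlan 0 userType permanent
config netuser add wlc3-user2 wlc3-user2 wlan 0 userType permanent
config netuser add wlc3-user3 wlc3-user3 wlan 0 userType permanent
config netuser add wlc3-guest1 wlc3-guest1 wlan 0 userType guest lifetime 14400

! --- 2. Local EAP profile: which EAP types the controller will accept ---
config local-auth eap-profile add wlc3-local-eap
config local-auth eap-profile method add fast wlc3-local-eap
config local-auth eap-profile method add tls wlc3-local-eap
config local-auth eap-profile method add peap wlc3-local-eap

! "Local Certificate Required": the WLC authenticates to EAP-FAST clients
! with its device certificate rather than a PAC. Client certificates are
! not required here (the post leaves that option off).
config local-auth eap-profile method fast local-cert enable wlc3-local-eap
config local-auth eap-profile method fast client-cert disable wlc3-local-eap

! --- 3. EAP-FAST parameters ("Security -> Local EAP -> EAP-FAST Parameters") ---
! Server key and authority ID are assumed/constructed values, not the post's.
config local-auth method fast server-key EXAMPLE-SERVER-KEY-REPLACE-ME
config local-auth method fast authority-id 11223344 wlc3-eap-fast-authority
config local-auth method fast pac-ttl 10

! --- 4. WLAN using Local EAP only (WLAN ID 1 and SSID are assumed) ---
config wlan create 1 wlc3-local-eap-wlan wlc3-local-eap-ssid
config wlan disable 1
config wlan security wpa enable 1
config wlan security wpa wpa2 ciphers aes enable 1
config wlan security wpa akm 802.1x enable 1
! Don't try external RADIUS first; go straight to Local EAP
config wlan radius_server auth disable 1
config wlan local-auth enable wlc3-local-eap 1
config wlan enable 1

! --- 5. Verify ---
show local-auth config
show local-auth statistics
```

“show local-auth statistics” is the quickest place to confirm which EAP method a client actually used once it associates.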
Here is a successful client authentication via PEAP.
I have not installed a Root Certificate on my WLC & cannot test the EAP-TLS method.