In this post we will see how to configure EAP-TLS on a wireless controller. It is assumed that you have a PC on which certificates (User Certificate & Root CA Certificate) are already installed. You can learn how to do this by following the YouTube video from Jerome below. (It is one of a 7-part series covering all of EAP-TLS on clients, WLC & ACS, and you should not miss these.)
EAP-TLS configuration on wireless client
As you are aware, for EAP-TLS to work the WLC should have two certificates installed on it:
1. Device Certificate issued to the WLC
2. Root Certificate of a CA
Since the WLC cannot generate a CSR (Certificate Signing Request) itself, third-party software (OpenSSL) has to be used for this. Finding a version of OpenSSL that works well for this was a challenge in itself. After a few trials & errors & reading a few forum discussions I found the OpenSSL 0_9_8y version works well with my WLC. You can download it from this link. Note that the 0.9.8 series has been out of support since the end of 2015; any current OpenSSL build produces the same key, CSR and PKCS#12 files with the commands shown in this post.
Here are the installation steps I have followed to get this working.
Once the installation completes, open a Command Prompt (Run as Administrator) & run the OpenSSL application. Cisco document (Doc ID#75584) describes the process below for generating a CSR used for authentication of a WLC.
C:\Windows\system32>cd..
C:\Windows>cd..
C:\>cd /OpenSSL/bin
C:\OpenSSL\bin>openssl
OpenSSL>
OpenSSL> req -new -newkey rsa:1024 -nodes -keyout wlc1key.pem -out wlc1req.pem
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
...............................................................................+++++
..............++++++
writing new private key to 'wlc1key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:VIC
Locality Name (eg, city) []:MEL
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:WLC1.mrn.com
Email Address []:mrncciew@gmail.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:cisco123
An optional company name []:
OpenSSL>
I have given the WLC name as the Common Name. If you are doing this for Web Authentication you have to give the DNS name of the WLC virtual IP instead. The 1024-bit key above follows the Cisco document, but 1024-bit RSA is no longer considered adequate and many CAs refuse to sign such a request, so use rsa:2048 today. This will create two files in the OpenSSL bin folder named "wlc1key.pem" (the private key, stored unencrypted because of -nodes, so protect it) & "wlc1req.pem". Open "wlc1req.pem" in Notepad & use its contents to request the certificate from your Certificate Authority.
I have used Microsoft PKI as my CA, installed on a Windows 2008 server. You have to use the Administrator account of that server to do this & the URL for accessing it is "192.168.200.1/certsrv", where 192.168.200.1 is the server IP. You will see a page like this.
Then click on "Submit an advanced certificate request" as shown below.
Then paste the Notepad contents of "wlc1req.pem", select the certificate template "Web Server" & hit the Submit button as shown below.
Then download the certificate. Ensure you select the "Base 64 encoded" option. I have named it "wlc1ca.cer" & put it in the same bin folder where "wlc1key.pem" is.
Now use the following OpenSSL commands to merge the wlc1key and wlc1ca files: first into a PKCS#12 file, then back out into a single .pem file, which is the format the WLC accepts. Note that the password "mrncciew" given here encrypts the private key inside that .pem, & you need to supply the same password on the WLC (certpassword) when downloading the file onto it.
OpenSSL> pkcs12 -export -in wlc1ca.cer -inkey wlc1key.pem -out wlc1ca.p12 -clcerts -passin pass:mrncciew -passout pass:mrncciew
Loading 'screen' into random state - done
OpenSSL> pkcs12 -in wlc1ca.p12 -out wlc1ca.pem -passin pass:mrncciew -passout pass:mrncciew
MAC verified OK
OpenSSL>
Then download "wlc1ca.pem" onto the WLC. TFTP is neither authenticated nor encrypted, so do this from a trusted management network, and delete the unencrypted wlc1key.pem and the .p12 file from the PC once the controller has the certificate.
(WLC1) >transfer download datatype eapdevcert
(WLC1) >transfer download path .
(WLC1) >transfer download filename wlc1ca.pem
(WLC1) >transfer download certpassword mrncciew
Setting password to <mrncciew>
(WLC1) >transfer download serverip 192.168.178.52
(WLC1) >transfer download start
Mode............................................. TFTP
Data Type........................................ Vendor Dev Cert
TFTP Server IP................................... 192.168.178.52
TFTP Packet Timeout.............................. 6
TFTP Max Retries................................. 10
TFTP Path........................................ ./
TFTP Filename.................................... wlc1ca.pem
This may take some time.
Are you sure you want to start? (y/N) y
TFTP EAP Dev cert transfer starting.
Certificate installed.
Reboot the switch to use new certificate.
(WLC1) >reset system
Now you need to install the Root CA certificate on the WLC. Since the Root CA is already installed on your client, you can export it from Firefox (in X.509 PEM format) into your TFTP folder, then download it to the WLC. See the Firefox screen captures below for how to do this.
Now download this Root CA to the controller as follows. You can use the WLC GUI as well.
(WLC1) >transfer download mode tftp
(WLC1) >transfer download filename mrn-W2K8-CA.pem
(WLC1) >transfer download datatype eapcacert
(WLC1) >transfer download path .
(WLC1) >transfer download serverip 192.168.178.52
(WLC1) >transfer download start
Mode............................................. TFTP
Data Type........................................ Vendor CA Cert
TFTP Server IP................................... 192.168.178.52
TFTP Packet Timeout.............................. 6
TFTP Max Retries................................. 10
TFTP Path........................................ ./
TFTP Filename.................................... mrn-W2K8-CA.pem
This may take some time.
Are you sure you want to start? (y/N) y
TFTP EAP CA cert transfer starting.
Certificate installed.
Reboot the switch to use new certificate.
(WLC1) >reset system
We will configure an SSID that authenticates via WLC Local EAP. Here are the Local EAP profile settings. Note that Certificate Issuer is set to "Vendor", so the controller uses the certificates you just uploaded rather than its Cisco-installed certificate.
Now we are ready to test a client. Here is a successful user authentication using the Local EAP profile configured for EAP-TLS.
These two videos from Jerome explain how to configure this & I referred to them to make this post.
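The whole certificate procedure above, as an added example that is not code from the original post: a POSIX shell script that replays the OpenSSL steps end to end with a constructed self-signed lab CA standing in for the Windows CA, then runs the checks worth doing before the TFTP upload. The CA name mrn-W2K8-CA, the controller name WLC1.mrn.com, the password mrncciew, the 2048-bit key size and the one-year validity are assumptions for the lab, not values taken from a real deployment. The checks are: the device certificate chains to the CA certificate that goes up as eapcacert, the private key matches the certificate, the certificate carries the controller's DNS name and the serverAuth EKU that the "Web Server" template provides, and the key inside the final .pem opens with the certpassword you will set and with nothing else.

```shell
#!/bin/sh
# Added example, not code from the original post. Replays the post's OpenSSL
# workflow against a constructed lab CA that stands in for the Windows CA, then
# runs the checks worth doing before 'transfer download start' on the WLC.
# Assumed lab values (not from the post): 2048-bit RSA, SHA-256, 1-year validity.

WLC_FQDN="WLC1.mrn.com"
CERT_PASS="mrncciew"   # later given to the WLC as 'transfer download certpassword'

# Minimal req config so the example does not depend on the system openssl.cnf.
write_req_cnf() {
  cat > "$1/req.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Lab only: a self-signed root that plays the role of the Microsoft CA.
make_lab_ca() {
  openssl req -config "$1/req.cnf" -x509 -new -newkey rsa:2048 -nodes -sha256 \
    -days 3650 -extensions v3_ca -subj "/CN=mrn-W2K8-CA" \
    -keyout "$1/ca.key" -out "$1/mrn-W2K8-CA.pem" 2>/dev/null
}

# Step 1 of the post: unencrypted private key (-nodes) + CSR for the controller.
make_wlc_csr() {
  openssl req -config "$1/req.cnf" -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/C=AU/ST=VIC/L=MEL/CN=$WLC_FQDN" \
    -keyout "$1/wlc1key.pem" -out "$1/wlc1req.pem" 2>/dev/null
}

# Lab only: sign the CSR the way the 'Web Server' template does (serverAuth EKU),
# plus a DNS SAN so supplicants that ignore the CN still match the name.
sign_wlc_csr() {
  printf 'extendedKeyUsage = serverAuth\nsubjectAltName = DNS:%s\n' "$WLC_FQDN" > "$1/wlc.ext"
  openssl x509 -req -sha256 -days 365 -in "$1/wlc1req.pem" \
    -CA "$1/mrn-W2K8-CA.pem" -CAkey "$1/ca.key" -CAcreateserial \
    -extfile "$1/wlc.ext" -out "$1/wlc1ca.cer" 2>/dev/null
}

# Step 2 of the post: cert + key into PKCS#12, then back out to one PEM whose
# private key is encrypted under CERT_PASS; that is what certpassword unlocks.
make_wlc_bundle() {
  openssl pkcs12 -export -in "$1/wlc1ca.cer" -inkey "$1/wlc1key.pem" \
    -out "$1/wlc1ca.p12" -passout "pass:$CERT_PASS" &&
  openssl pkcs12 -in "$1/wlc1ca.p12" -out "$1/wlc1ca.pem" \
    -passin "pass:$CERT_PASS" -passout "pass:$CERT_PASS"
}

build_wlc_bundle() {
  write_req_cnf "$1" && make_lab_ca "$1" && make_wlc_csr "$1" &&
  sign_wlc_csr "$1" && make_wlc_bundle "$1"
}

# Pre-upload checks. Returns non-zero (with a reason) on the first failure.
verify_wlc_bundle() {
  d=$1
  # (a) the device cert chains to the CA cert that goes up as eapcacert
  openssl verify -CAfile "$d/mrn-W2K8-CA.pem" "$d/wlc1ca.cer" >/dev/null 2>&1 \
    || { echo "FAIL: cert does not chain to CA"; return 1; }
  # (b) the key and the cert carry the same public key
  certpub=$(openssl x509 -in "$d/wlc1ca.cer" -noout -pubkey | openssl md5)
  keypub=$(openssl pkey -in "$d/wlc1key.pem" -pubout | openssl md5)
  [ "$certpub" = "$keypub" ] || { echo "FAIL: key does not match cert"; return 1; }
  # (c) the name and the EKU a supplicant will check
  txt=$(openssl x509 -in "$d/wlc1ca.cer" -noout -text)
  echo "$txt" | grep -q "DNS:$WLC_FQDN" || { echo "FAIL: SAN missing"; return 1; }
  echo "$txt" | grep -q "TLS Web Server Authentication" \
    || { echo "FAIL: serverAuth EKU missing"; return 1; }
  # (d) the bundled key opens with CERT_PASS, and not without it
  openssl pkey -in "$d/wlc1ca.pem" -passin "pass:$CERT_PASS" -noout 2>/dev/null \
    || { echo "FAIL: bundle key does not open with CERT_PASS"; return 1; }
  if openssl pkey -in "$d/wlc1ca.pem" -passin pass:wrong -noout 2>/dev/null; then
    echo "FAIL: bundle key is not encrypted"; return 1
  fi
  echo "OK: upload $d/wlc1ca.pem as eapdevcert and $d/mrn-W2K8-CA.pem as eapcacert"
}

WORKDIR=$(mktemp -d)
build_wlc_bundle "$WORKDIR" && verify_wlc_bundle "$WORKDIR"
```

Run it with sh; it prints the two files to upload. With a real Windows CA, drop the Base-64 wlc1ca.cer it issued into the work directory in place of the lab-signed one and run only make_wlc_bundle and verify_wlc_bundle. Check (d) is the one that catches the most common upload failure: a .pem produced with -nodes, or with a different -passout, so that certpassword on the WLC does not match.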
1. EAP-TLS on a WLC – Part 1
2. EAP-TLS on a WLC – Part 2
In a future post we will see how to configure this on ACS 5.2.
Related Post
1. Configuring Local EAP on WLC
2. Configuring EAP-TLS on WLC
3. Configuring EAP-TLS on ACS
4. Configuring RADIUS on WLC
5. Configuring TACACS on WLC
Your blog is really fantastic, Rasika! Thank you for sharing your study!
In the lab equipment there is no OpenSSL software. How are we supposed to configure certificates there?
Thanks for the feedback about my blog.. really appreciated.
Regarding the EAP-TLS certs during the exam: these are pre-loaded & you are not expected to install certificates during the lab exam.
HTH
Rasika
Hi Rasika,
Can the WLC use PAP to authenticate clients using 802.1X?
E.g. OneLogin cloud RADIUS uses PAP and the WLC sends EAP, which it doesn't understand.
It expects PAP on port 1645.
https://onelogin.zendesk.com/hc/en-us/articles/201174374-RADIUS-Server-Interface
Is it possible to make it work?
Should I repeat these steps for each client?
Hi Nayarasi,
Just wondering if you have some documentation for this that can be used for a client like a Wireless Cisco IP phone.
I am trying to develop a new authentication for clients like the Wireless Cisco IP phone and hopefully I can use EAP-TLS for this.
I tried this and it is not working. Where do we need to have this OpenSSL installed? On the client machine or the ACS?
I am getting the error – “12516 EAP-TLS failed SSL/TLS handshake because of an expired certificate in the client certificates chain”
In this post, no ACS is involved. The WLC is acting as the RADIUS server & hence the cert is installed on the WLC itself.
OpenSSL is installed on a PC in order to generate the cert request on behalf of the WLC.
If you are using ACS, then those certs need to be installed on ACS.
HTH
Rasika
On a WLC running 7.6.x code, can SHA-2 certs be used for EAP-TLS?
Hi Phil,
I think it may have been added in 8.0.x. Here is a useful page for you to keep as a reference:
https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/201007-AireOS-feature-list-per-release.html
HTH
Rasika
Thanks Rasika. I was thinking more about whether, if the WLC is acting as the AS in the auth process, it matters if the certs are SHA-2. The WLC may start supporting SHA-2 on 8.x code for SHA-2 related WLC operations, but does that matter for the EAP-TLS auth process between supplicant and AS?