
RADIUS: WPA2-Enterprise With EAP-TLS Using Microsoft NPS


WPA2-Enterprise with 802.1X authentication can be used to authenticate users or computers in an Active Directory domain. The supplicant (wireless client) authenticates against the RADIUS server (authentication server) using an EAP method configured on the RADIUS server. The gateway AP's (authenticator) role is to relay authentication messages between the supplicant and the authentication server. This means the RADIUS server is responsible for authenticating users.

APs perform EAPOL exchanges with the supplicant and convert these to RADIUS Access-Request messages, which are sent to the RADIUS server's IP address and UDP port specified in Dashboard. Gateway APs need to receive a RADIUS Access-Accept message from the RADIUS server in order to grant the supplicant access to the network. For best performance, it is recommended to have the RADIUS server and gateway APs located within the same layer-2 broadcast domain to avoid firewall, routing, or authentication delays. Keep in mind that the AP is not responsible for authenticating wireless clients; it acts as an intermediary between clients and the RADIUS server. Below is an EAP-TLS exchange:

 

[Figure: EAP-TLS authentication. Source: EAP-TLS Deployment Guide for Wireless LAN Networks, courtesy of Cisco Systems Inc.]

[Figure: EAP-TLS authentication details. Source: EAP-TLS Deployment Guide for Wireless LAN Networks, courtesy of Cisco Systems Inc.]

 

Note: Using EAP-TLS as the EAP method will consistently cause the RADIUS test in Dashboard to fail. When troubleshooting this configuration, please refer to packet captures and logs for specific information.
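
For the packet-capture troubleshooting the note refers to, the following added example (not from the original article or from Cisco Meraki) decodes a RADIUS UDP payload and reports the RADIUS code and the EAP method carried in its EAP-Message attributes. The function names and the sample packets are constructed for illustration; real captures also carry attributes such as Message-Authenticator, which the parser skips.

```python
import struct

RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept",
                3: "Access-Reject", 11: "Access-Challenge"}  # RFC 2865
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 25: "PEAP"}
ATTR_EAP_MESSAGE = 79  # RFC 3579

def parse_radius(payload: bytes) -> dict:
    """Summarise one RADIUS UDP payload: RADIUS code plus the EAP packet inside."""
    if len(payload) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", payload[:4])
    if not 20 <= length <= len(payload):
        raise ValueError("RADIUS length field does not match the payload")
    eap, pos = b"", 20
    while pos < length:
        if pos + 2 > length or payload[pos + 1] < 2 or pos + payload[pos + 1] > length:
            raise ValueError("malformed attribute")
        a_type, a_len = payload[pos], payload[pos + 1]
        if a_type == ATTR_EAP_MESSAGE:
            # EAP packets over 253 bytes span several attributes; concatenate them.
            eap += payload[pos + 2:pos + a_len]
        pos += a_len
    out = {"radius": RADIUS_CODES.get(code, f"code {code}"), "id": ident,
           "eap": None, "eap_type": None}
    if len(eap) >= 4:
        out["eap"] = EAP_CODES.get(eap[0], f"code {eap[0]}")
        if eap[0] in (1, 2) and len(eap) >= 5:  # only Request/Response carry a type
            out["eap_type"] = EAP_TYPES.get(eap[4], f"type {eap[4]}")
    return out

def eap_packet(code: int, ident: int, body: bytes = b"") -> bytes:
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def build_radius(code: int, ident: int, eap: bytes) -> bytes:  # constructed test packet
    chunks = [eap[i:i + 253] for i in range(0, len(eap), 253)]
    attrs = b"".join(bytes([ATTR_EAP_MESSAGE, len(c) + 2]) + c for c in chunks)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + bytes(16) + attrs

SAMPLES = [  # constructed sample exchange, not captured traffic
    build_radius(1, 10, eap_packet(2, 1, b"\x01host/pc01.example.test")),  # Identity
    build_radius(11, 10, eap_packet(1, 2, b"\x0d\x20")),                   # EAP-TLS Start
    build_radius(2, 13, eap_packet(3, 5)),                                 # EAP-Success
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(parse_radius(pkt))
```

An Access-Reject, or an exchange that stops after an Access-Challenge with no further Access-Request from the AP, shows where in the EAP-TLS handshake authentication is failing.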

 

EAP-TLS is an involved configuration; please refer to your RADIUS vendor documentation for configuration specifics. Once RADIUS has been configured appropriately, please refer to our documentation for instructions on configuring an SSID for WPA2-Enterprise with RADIUS.

Last modified
15:06, 23 Jul 2015


Article ID

ID: 1868
