Chapter 5
Configuring Security Solutions
Configuring Local EAP
(Cisco Wireless LAN Controller Configuration Guide, OL-17037-01)

Note  To delete a local EAP profile, enter this command: config local-auth eap-profile delete profile_name.

Step 7  To add an EAP method to a local EAP profile, enter this command:

    config local-auth eap-profile method add method profile_name

    The supported methods are leap, fast, tls, and peap.

    Note  If you choose peap, both PEAPv0/MSCHAPv2 and PEAPv1/GTC are enabled on the controller.

    Note  You can specify more than one EAP type per profile. However, if you create a profile with multiple EAP types that use certificates (such as EAP-FAST with certificates, EAP-TLS, PEAPv0/MSCHAPv2, and PEAPv1/GTC), all of the EAP types must use the same certificate (from either Cisco or another vendor).

    Note  To delete an EAP method from a local EAP profile, enter this command: config local-auth eap-profile method delete method profile_name.

Step 8  To configure EAP-FAST parameters if you created an EAP-FAST profile, enter this command:

    config local-auth method fast ?

    where ? is one of the following:

    • anon-prov {enable | disable}—Configures the controller to allow anonymous provisioning, which allows PACs to be sent automatically to clients that do not have one during PAC provisioning.
    • authority-id auth_id—Specifies the authority identifier of the local EAP-FAST server.
    • pac-ttl days—Specifies the number of days for the PAC to remain viable.
    • server-key key—Specifies the server key used to encrypt and decrypt PACs.

Step 9  To configure certificate parameters per profile, enter these commands:

    • config local-auth eap-profile method fast local-cert {enable | disable} profile_name—Specifies whether the device certificate on the controller is required for authentication.

      Note  This command applies only to EAP-FAST because device certificates are not used with LEAP and are mandatory for EAP-TLS and PEAP.

    • config local-auth eap-profile method fast client-cert {enable | disable} profile_name—Specifies whether wireless clients are required to send their device certificates to the controller in order to authenticate.

      Note  This command applies only to EAP-FAST because client certificates are not used with LEAP or PEAP and are mandatory for EAP-TLS.
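The constraints stated in Steps 7 through 9 can be checked mechanically before a command set is pushed to a controller. The following is an added example, not part of the Cisco guide or any Cisco tool: a small Python audit over `config local-auth` lines. The function name `audit`, the finding strings, and the sample profile names are assumptions made for illustration, and only explicit commands are examined (controller defaults are not modelled).

```python
# Added example: audits Cisco WLC "config local-auth" lines against Steps 7-9.
# Only explicit commands are checked; controller defaults are not modelled.
SUPPORTED = {"leap", "fast", "tls", "peap"}      # methods listed in Step 7
CERT_OPTS = {"local-cert", "client-cert"}        # Step 9 options (EAP-FAST only)

def audit(lines):
    """Return a list of findings (strings) for the given command lines."""
    methods, certs, findings = {}, {}, []
    for raw in lines:
        t = raw.split()
        if t[:2] != ["config", "local-auth"]:
            continue
        if t[2:4] == ["eap-profile", "method"] and len(t) == 7 and t[4] in ("add", "delete"):
            method, profile = t[5], t[6]
            if method not in SUPPORTED:
                findings.append(f"{profile}: unsupported EAP method '{method}'")
            elif t[4] == "add":
                methods.setdefault(profile, set()).add(method)
            else:
                methods.get(profile, set()).discard(method)
        elif t[2:5] == ["eap-profile", "method", "fast"] and len(t) == 8 and t[5] in CERT_OPTS:
            certs.setdefault(t[7], {})[t[5]] = (t[6] == "enable")
        elif t[2:] == ["method", "fast", "anon-prov", "enable"]:
            # PACs are sent automatically to any client that does not have one.
            findings.append("global: anonymous PAC provisioning enabled")
    for profile in certs:
        # local-cert / client-cert apply only to EAP-FAST (notes under Step 9).
        if "fast" not in methods.get(profile, set()):
            findings.append(f"{profile}: certificate option has no effect without EAP-FAST")
    for profile, ms in methods.items():
        # Certificate-based types in one profile must share a certificate (Step 7 note).
        fast_cert = "fast" in ms and any(certs.get(profile, {}).values())
        cert_based = (ms & {"tls", "peap"}) | ({"fast"} if fast_cert else set())
        if len(cert_based) > 1:
            findings.append(f"{profile}: {sorted(cert_based)} must all use the same certificate")
    return findings

# Constructed sample input; the profile names are hypothetical.
SAMPLE = """\
config local-auth eap-profile method add fast corp
config local-auth eap-profile method add tls corp
config local-auth eap-profile method fast client-cert enable corp
config local-auth method fast anon-prov enable
config local-auth eap-profile method add leap legacy
config local-auth eap-profile method fast local-cert enable legacy
config local-auth eap-profile method add ttls guest
""".splitlines()

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```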