Cisco Wireless- Central Authentication using PEAP with the vWLC as the AAA server

By | December 22, 2015

In this Step-by-Step guide we will set-up central authentication on the vWLC using PEAP – Protected Extensible Authentication Protocol, this type of authentication uses a certificate on the server side, which we validate – this must be from a valid CA on our PKI, however in this example we will use a self signed certificate issued by the vWLC. The supplicant will use a username and pw for the AAA server to validate the user, therefore we will use mutual authentication.

The WLC will act as the AAA Server, we will create a local EAP profile to authenticate a local user. check out “Setting up Central Authentication using PEAP with the vWLC as the AAA server” for more information on the EAP types.

Configure the networking

Make sure all the networking in the background is working, the vWLC management interface and the AP must be connected to a trunk port on the switch, this is to support VLANs. Also a DHCP Server must be available to service clients with IP addresses from the relevant VLANs.

Create a Local EAP profile for PEAP

1. Login to the Wireless LAN Controller, and click “Security” – “Local EAP” – “Profiles”“New”


2.  Give the new profile a name and click “Apply”, in this example we have used “Local-PEAP”


3. Tick the “PEAP” box to allow the profile to use PEAP as its authentication method, and click “Apply”


4. From the left hand menu select “Authentication Priority” and verify “LOCAL” is selected in the “Order used for Authentication” box.








Create a local user

1. Under “Security” “AAA” select “Local Net Users” and click “New”. Create a new user for authentication and click “Apply”.









Create the WLAN

1. Navigate to “WLANs” select “Create New” and hit “Go”. Give the profile and SSID a name. in this example we have used “Local-PEAP” the profile name & SSID can be anything you like. Click “Apply”






2. From the “General” tab enable the WLAN and select an interface to map to the SSID, this can be any available VLAN on the network which we want users to be connected to upon successful authentication, DHCP will also issue an IP address from this range so the interface must be correctly configured.


3. Click the “Security” tab and verify that under layer 2 we have the following selected “WPA+WPA2”, “WPA2 Policy” and “802.1X”















4. Click the “AAA Servers” tab, scroll down and tick the “Local EAP Authentication” enabled tick box. From the drop down menu select the profile we created earlier “Local PEAP” and make sure that “LOCAL” is set at the top in the “Order used for Authentication”, finally click “Apply”


Client Testing 

Using the client device perform the following tests:

1. Check to make sure the SSID is being broadcast








2. Select the SSID and connect to it providing the credentials of the user created earlier.





The user will be prompted with a certificate warning, if a trusted certificated is used from a valid CA the certificate will be shown as trusted, in this example we have used a self signed certificate by the vWLC therefore its appearing as not verified. click “More Details” to view the certificate properties.














Once we are happy the certificate is from a trusted source click “Accept” to continue and connect

3. Verify the connection is successful








4. Verify the  correct IP address is being obtained by the client when connected to the relevant VLAN, in this case we used VLAN 20.











5. On the WLC, verify the connected client is visible and that central authentication is being performed, navigate to “Monitor” – “Clients”


Click on the “Client MAC Addr” and view the details of the client. from the details we can see that the client is connected to the “Local-PEAP” SSID using the local user account “Jay” and the authentication is being handled centrally at the WLC.


If we scroll down to the “Security Information” we can see that we are using “802.1x” along with “PEAP” as our authentication method.







Leave a Reply