Description:
This document describes how you configure a certificate-based WLAN connection with 802.1X authentication in a LANCOM WLC scenario.


Requirements:


Scenario:
1) A company manages its WLAN infrastructure with a LANCOM WLAN-Controller.
  • The WLAN-Controller is integrated in the local network and has a working Internet connection.
  • The LANCOM access points are also connected to the local network and are managed by the WLAN-Controller.
2) The existing scenario is to be extended with an additional WLAN network that requires the clients to authenticate themselves by 802.1X.
3) This configuration example uses the internal RADIUS server on the WLAN-Controller as the authentication server. In other words, the WLAN-Controller is both authenticator and authentication server.
Scenario graphic for certificate-based RADIUS authentication with a WLAN-Controller
 


Procedure:
1) Create the certificates for 802.1X authentication:
1.1) To create the certificates, follow the procedure described in the following Knowledge Base article:
LANCOM Smart Certificate: Creating certificates for 802.1x authentication

1.2) Once this step of the configuration is complete, you should have two certificate files in the *.p12 file format; one for the WLAN-Controller (TLS server) and one for the WLAN client (TLS client).
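
Before uploading, it is worth confirming that each container holds a certificate for the intended role. The following PowerShell check is an added example, not part of the original article or LANCOM tooling. The file names and the function name are assumptions, as is the expectation that both certificates were issued by the same CA. It uses the Get-PfxData cmdlet from the Windows PKI module, which reads the container without importing it into a certificate store.

```powershell
# Added example: file names and Test-EapTlsContainer are hypothetical.
$EkuOid = @{
    Server = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth (TLS server, WLAN-Controller)
    Client = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth (TLS client, WLAN client)
}

function Test-EapTlsContainer {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [ValidateSet('Server', 'Client')] [string] $Role
    )
    $password = Read-Host -AsSecureString "Password for $Path"
    $pfx  = Get-PfxData -FilePath $Path -Password $password
    $cert = $pfx.EndEntityCertificates | Select-Object -First 1
    if (-not $cert) { throw "$Path contains no end-entity certificate" }

    # Collect the extended key usage OIDs carried by the certificate.
    $ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    $eku = @($cert.Extensions |
        Where-Object { $_ -is $ekuType } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value })

    $now = Get-Date
    [pscustomobject]@{
        File       = Split-Path $Path -Leaf
        Role       = $Role
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        NotAfter   = $cert.NotAfter
        InValidity = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
        EkuMatches = ($eku -contains $EkuOid[$Role])
        # True when the container also ships the issuing CA certificate.
        CaIncluded = [bool]($pfx.OtherCertificates | Where-Object { $_.Subject -eq $cert.Issuer })
    }
}

$results = @(
    Test-EapTlsContainer -Path '.\wlc-server.p12'  -Role Server
    Test-EapTlsContainer -Path '.\wlan-client.p12' -Role Client
)
$results | Format-Table -AutoSize

# The client validates the server against the CA selected in step 4.2.7,
# so both certificates are expected to name the same issuer.
if (@($results.Issuer | Select-Object -Unique).Count -ne 1) {
    Write-Warning 'The two certificates were issued by different CAs.'
}
```

A row with EkuMatches or InValidity set to False points to a swapped or expired container, which would otherwise only show up as a failed EAP-TLS handshake after the upload.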



2) Upload the certificate file to the WLAN-Controller:

2.1) Select the WLAN-Controller in LANconfig, right-click it and, in the context menu, select the option Configuration Management → Upload Certificate or File.

As an alternative, the certificate can also be uploaded to the WLAN-Controller via the WEBconfig menu Extras → File management → Upload Certificate or File.

Upload the certificate to the WLAN-Controller via LANconfig

2.2) Select the certificate file for the WLAN-Controller and, for Certificate type, select the option EAP/TLS - Container as PKCS#12 File. Then enter the password used for the certificate creation as the Cert. password.

Finally, click Open to upload the certificate.



3) Manual configuration steps on the WLAN-Controller:

3.1) Configuring the 802.1X WLAN network on the WLAN-Controller

3.1.1) Open the configuration of the WLAN-Controller in LANconfig and navigate to the menu WLAN-Controller → Profiles → Logical WLAN networks (SSIDs).

Open the menu Logical WLAN networks (SSIDs) in LANconfig

3.1.2) Click Add to create a new logical WLAN network.

Add a new logical WLAN network

3.1.3) Modify the following parameters:

  • Name: Enter a descriptive profile name (in this example EAP-TLS).
  • Network name (SSID): Enter a name for the SSID (in this example WLAN_802.1X).
  • Encryption: In the dropdown menu select the option 802.11i (WPA)-802.1x.

If necessary, you can also enter a VLAN for this profile, so that a separate network is used for it.

Enter the parameters for the logical WLAN network 

3.1.4) Go to the menu WLAN-Controller → Profiles → WLAN profiles.

Open the menu WLAN profiles

3.1.5) Select the existing WLAN profile and click Edit.

Modify the existing WLAN profile

3.1.6) Click on Select next to the WLAN network list.

Open the selection menu for the WLAN network list

3.1.7) Select the logical WLAN profile created in step 3.1.3.

Select the newly created logical WLAN profile


3.2) Configuring the RADIUS server on the WLAN-Controller:

3.2.1) Go to the menu RADIUS → Server and activate the checkbox RADIUS authentication active.

Activate the RADIUS server

3.2.2) Go to the menu RADIUS → Server → RADIUS services ports.

Open the menu RADIUS services ports

3.2.3) Make sure that port 1812 is used as the Authentication port.

Check for the correct authentication port

3.2.4) Go to the menu RADIUS → Server → EAP.

Open the menu EAP in the RADIUS server

3.2.5) For the Default method select the option TLS in the dropdown menu.

Select the default method for EAP authentication

3.2.6) This concludes the manual configuration steps on the WLAN-Controller. Write the configuration back to the device.



4) Configuration steps on a Wi-Fi client with Windows 10 / Windows 11:

4.1) Importing the certificate in Windows:

4.1.1) Double-click the client certificate. Select the store location for the certificate in the Certificate Import Wizard and click Next.

Select the store location for the certificate

4.1.2) Use the preset path to the client certificate and click Next.

Accept the file path to the certificate

4.1.3) Enter the password used for the certificate creation in step 1. Click Next afterwards.

Enter the password for the certificate

4.1.4) Leave the setting on Automatically select the certificate store based on the type of certificate and click Next.

Let the certificate import wizard automatically select the certificate store

4.1.5) Click Finish to finalize the certificate import.

If you encounter a warning message, acknowledge it by clicking Yes.

Finish the certificate import

4.1.6) The successful certificate import is signaled by the following message. Click OK to close the message.

Successful certificate import


4.2) Configuring the WLAN network in the Windows client:

4.2.1) Navigate to the menu Control panel → Network and Internet → Network and Sharing Center and click on Set up a new connection or network.

Create a new network in the Network and Internet Sharing Center

4.2.2) Select the option Manually connect to a wireless network and click Next.

Create a new wireless network

4.2.3) Modify the following parameters and click Next:

  • Network name: Enter the SSID name entered in step 3.1.3 in the WLAN-Controller (in this example WLAN_802.1X).
  • Security type: In the dropdown menu select the option WPA2-Enterprise.

Set the Wi-Fi name and the encryption method for the wireless network

4.2.4) Click on Change connection settings to gain access to the extended settings.

Open the extended settings for the wireless network

4.2.5) Switch to the tab Security and modify the following parameters:

  • Security type: In the dropdown menu select the option WPA2-Enterprise.
  • Encryption type: In the dropdown menu select the option AES.

Modify the encryption settings for the wireless network

4.2.6) In the dropdown menu under Choose a network authentication method select the option Microsoft: Smart Card or other certificate. Click on Settings afterwards.

Activate authentication via certificate and open additional settings

4.2.7) Select the Certification Authority of the client certificate created in step 1 (in this example LANCOM CA). Afterwards, click OK.

Select the Certification Authority of the imported certificate

4.2.8) Click OK to save the settings.

Save the settings

4.2.9) Finally, click on Close. This concludes the configuration steps on the Windows client.

Close the setup wizard

When establishing the Wi-Fi connection, the correct certificate for authentication must be selected in the Windows client.