Re: Server Cert and Trusted CA Cert
02-03-2012 03:27 PM - edited 02-03-2012 03:35 PM
Well, considering I named the server certificates the same on both controllers when I uploaded them, this should cause each controller to select its own server cert, correct? Also, why do I see the "Reference" count for the server cert as still '0' in "Management > Certificates > Upload"?
Re: Server Cert and Trusted CA Cert
02-03-2012 03:36 PM
When you upload the certificate on the master, it asks for a certificate name. When it is uploaded and you click save config, it should propagate that "name" to the local. When you go to upload the server cert on the local, you should be able to select the propagated name from the master and assign the cert to that.
Re: Server Cert and Trusted CA Cert
02-03-2012 03:41 PM - edited 02-03-2012 03:43 PM
I don't understand what you mean about propagating the name from the Master. When I upload the cert on the Local, I have the option of giving it any name. Let's say I give it a different name than what the Master's server cert has been given on the Master. My question is, how do I choose this cert on the Local controller in the dot1x profile when I can't even do any configuration on the Local, i.e. everything is greyed out? Obviously, on the Master, which controls the configuration, I can't even select the Local's server cert since I didn't upload it on the Master.
Re: Server Cert and Trusted CA Cert
02-06-2012 08:56 AM
The "reference count" for the trusted CA is 1 but it's 0 for the server cert. That tells me it's not being used, even though I have both the trusted CA and the server certs selected in the dot1x profile.

(Controller1) #show crypto-local pki serverCert
Certificates
------------
Name            Original Filename   Reference Count
--------------  -----------------   ---------------
ServerCert      server.cer          0

(Controller1) #show crypto-local pki trustedCA
Certificates
------------
Name            Original Filename   Reference Count
--------------  -----------------   ---------------
TrustedCA_Cert  trusted_ca.cer      1
Re: Server Cert and Trusted CA Cert
07-10-2012 07:44 AM
Hey Guys,
I wanted to open a new thread, but it's exactly the same as this one, and I just have a few questions about it.
I followed the guide posted by Colin, and I'm trying to authenticate my users both ways: using a RADIUS server on a Win 2008 Server R2 and using Termination on the controller.
When I use termination, the guide outlines that the Server Group should be "Internal", so don't I need to configure any policy in my NPS? How does the validation of the User Cert work? On the other hand, when I deactivate Termination, Colin mentioned that I just have to configure a policy in the NPS that has "Smartcard or other Certificate"; do you have any guide for configuring such a remote access policy?
Thanks in advance for your help,
César
Re: Server Cert and Trusted CA Cert
07-10-2012 07:51 AM
When termination is enabled on the controller, the controller will validate that the client has a certificate that is signed by the same Trusted CA cert configured in the dot1x profile. The client will verify that the controller has a server cert that is signed by a trusted CA cert installed on the client. Basically, the client and controller verify each other's certs. The NPS server is NOT involved (unless you check the "check common name in cert against RADIUS" button, or something close to that). Then, the controller will pass the name of the user or machine cert to the configured RADIUS server for an authorize-only transaction. If it passes, the user is authenticated. If it fails, the user is denied WLAN access.
If termination is not enabled, the entire EAP conversation is sent to the configured RADIUS server and the certificates are validated between the RADIUS server and the client.
Does that make sense?
The controller may be able to handle more certificate validations than your NPS server, depending on the resources you have available.
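As an added illustration of the two checks described in the reply above (this is not code from the thread, from Colin's guide or from Aruba): the script below uses openssl to build a throwaway CA, a controller server cert and three client certs, then runs the same two verifications a terminating controller and the client perform. The CA names, subjects and file names are constructed for the example; the controller itself does this internally and the script only reproduces the logic.

```shell
#!/bin/sh
# Added example, not from the thread or from Aruba. Reproduces with openssl the
# two checks made when termination is on: the controller verifies the client
# cert against the Trusted CA in the dot1x profile, and the client verifies the
# controller's server cert against a CA it trusts. All names are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Create a self-signed CA: $1 = file base name, $2 = CN
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$1.key" -out "$1.pem" -subj "/CN=$2" >/dev/null 2>&1
}

# Issue a leaf cert: $1 = issuing CA base name, $2 = CN, $3 = EKU, $4 = output base name
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$4.key" -out "$4.csr" \
    -subj "/CN=$2" >/dev/null 2>&1
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=%s\n' "$3" > "$4.ext"
  openssl x509 -req -in "$4.csr" -CA "$1.pem" -CAkey "$1.key" -CAcreateserial \
    -days 1 -extfile "$4.ext" -out "$4.pem" >/dev/null 2>&1
}

# What the terminating controller checks: the client cert must chain to the
# trusted CA loaded in the dot1x profile and be usable for client authentication.
# $1 = trusted CA pem, $2 = client cert pem. Returns 0 on accept.
controller_accepts_client() {
  openssl verify -CAfile "$1" -purpose sslclient "$2" >/dev/null 2>&1
}

# What the client checks: the controller's server cert must chain to a CA the
# client trusts and be usable as a server cert. $1 = CA pem, $2 = server cert pem.
client_accepts_controller() {
  openssl verify -CAfile "$1" -purpose sslserver "$2" >/dev/null 2>&1
}

# The CA that would be uploaded as the trusted CA on the controller (constructed)
make_ca trusted_ca "Example Corp Root CA"
# A different CA that the controller does NOT trust (constructed)
make_ca other_ca "Some Other CA"

issue_cert trusted_ca "controller.example.net" serverAuth server          # server cert on the controller
issue_cert trusted_ca "user1@example.net"      clientAuth user_ok         # properly issued client cert
issue_cert other_ca   "user2@example.net"      clientAuth user_wrong_ca   # signed by the wrong CA
issue_cert trusted_ca "user3@example.net"      serverAuth user_wrong_eku  # right CA, wrong key usage

report() {  # $1 = label, $2 = check function, $3 = CA pem, $4 = cert pem
  if "$2" "$3" "$4"; then echo "$1: accepted"; else echo "$1: rejected"; fi
}
report "client -> controller server cert"      client_accepts_controller trusted_ca.pem server.pem
report "controller -> user1 (trusted CA)"      controller_accepts_client trusted_ca.pem user_ok.pem
report "controller -> user2 (other CA)"        controller_accepts_client trusted_ca.pem user_wrong_ca.pem
report "controller -> user3 (serverAuth EKU)"  controller_accepts_client trusted_ca.pem user_wrong_eku.pem
```

Only user1 is accepted: user2's cert chains to a CA the controller was never given, and user3's cert comes from the right CA but was issued for server use rather than client authentication, which is the kind of "not correct" user certificate that produces a "You need a valid digital certificate" message on the client without the RADIUS server ever seeing the attempt.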
Re: Server Cert and Trusted CA Cert
07-10-2012 03:07 PM
Thanks for the explanation, olino, now it makes sense. I'm following the guide posted by Colin (File attached - EAP-TLS Termination): the CA issued a certificate for my Win 7 client and the user is in the Domain. On the other hand, my WLAN controller has a valid certificate issued by the trusted CA as well after the CSR request, plus the TrustedCA cert and IntermediateCA cert (Image attached - Certificates WLAN.jpg); all of the other steps are according to the guide (Termination, dot1x profile, server group, etc.), and finally the configuration of my client is attached as well.
Could you point out where my mistake is? On the user side it says: You need a valid digital certificate to join this network...
Thanks in advance,
César
Re: Server Cert and Trusted CA Cert
07-11-2012 07:26 AM
It sounds like your Windows user certificate is not correct. The setup for the WLAN looks right.
You might try to turn off machine authentication (set it to user only) and see if it's an issue with not having a machine certificate.
Re: Server Cert and Trusted CA Cert
07-18-2012 08:14 AM
Hi guys,
Actually, I have to perform machine authentication; the CA generated a digital certificate not for the user but for the machine, so do I have to install the machine certificate for each new user that's gonna use the tablet? And do you have any guideline on how to configure the client to work with digital certificates?
César