802.1q port configuration with 802.1x multi-auth with web redirection

nhedhili
Level 1

Hello Gents,

We need to configure the 802.1x feature on a trunk port (802.1q) of a Catalyst switch. Does this work without any trouble with the two features on the same port?

This scenario is required because we have a third-party access point with an 802.1q port with multiple VLANs and a per-VLAN SSID connected to the switch, for which we need to do 802.1x authentication for the clients and for which we will later do web redirection to the ISE hotspot.

- The access point used is Ubiquiti

- The switches used are Catalyst 2960 and 3560

Thanks for your help and assistance

4 Replies

Arne Bier
VIP

Hi

 

BTW: It's not just "gents" on these forums ;-)

 

Enabling 802.1X on a switch port enables 802.1X between the switch and the attached device. In this case it would allow the AP to authenticate itself (not its clients) to the switch. E.g. Cisco APs can be configured to join an access switch via EAP-FAST. This means that enabling 802.1X on a switch port talks only to the directly attached devices.

Don't get confused between the 802.1X that then later runs on the Enterprise WPA SSID serving your clients! This all happens in the AP (or the WLC) and the wireless network becomes the Authenticator (not the access switch). When a wireless client associates to an Enterprise SSID, then it will talk 802.1X to the AP/WLC, and not to the switch. Once association is complete, the client will be dropped into a VLAN. Now trunking comes into the picture (in the case of FlexConnect).

 

Thank you for your reply. Since we have a third-party access point connected to the port of the switch (Ubiquiti UniFi) and not a Cisco AP, what is your recommendation for doing web redirection to our ISE hotspot for the clients connected from the wireless network?

The way we thought to do it is to make the switch port multi-auth and configure MAB on it as the authentication method, without configuring the MAC addresses in ISE, then defining a rule for all unknown MAC devices to be redirected to the guest web hotspot.

That might work. I can't say for sure because I have only dealt with enterprise gear like Cisco and Aruba APs. But I still wonder what the switch auth has to do with your client auths on the SSID? Is the SSID bridged to the switch port? In my experience the SSID terminates on the AP itself and the AP becomes the authenticator - not the switch.

 

I haven't a clue.

Thank you for your reply. I will try that and let you know.

We are thinking of this methodology as a way out because we have a Ubiquiti switch behind, and I have searched for the Ubiquiti RADIUS dictionary; there is no information on it, and the little information that I have makes me think it does not seem to be rich enough.

Thanks and regards