03-31-2020 11:45 AM - edited 03-31-2020 11:45 AM
Hi all,
I'd like to get a better understanding of 802.1X and therefore I'd like to know if it's a common scenario to use 802.1X to authenticate an Access-Point (probably in a deployment where the AP can be physically accessed by guests or so...) and afterwards provide also 802.1X authentication for WLAN Clients?!
Maybe someone can tell me/explain how I'd have to configure the switch and AP in such a case?
thank you in advance!
04-01-2020 04:00 AM
Hi,
If you ask about UWN, find below a guide on how to configure the LAP as 802.1x supplicant. On the switch side, the "host-mode" depends on whether you run FlexConnect or not; with FlexConnect you'll be running "multi-host" mode, without FlexConnect you'll be running "single-host" mode.
https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-fixed/107946-LAP-802-1x.html
Regards,
Cristian Matei.
04-02-2020 03:47 AM
Hi Cristian,
thanks for your reply! In that context I'd like also to thank you - your INE trainings helped me a lot in preparation for my re-certification, huge fan so it's a pleasure for me! :)
The deployment is a Wireless LAN Controller with APs acting with no FlexConnect!
Unfortunately I'm struggling with my understanding... "single-host" mode means switchports with only one "client" attached to, or? So how would it work that it's also possible to authenticate Clients likewise?
So first authentication of the AP itself and if that's OK - Clients as well probably with different SSIDs (= mapped to L2 VLANs)
04-02-2020 04:21 AM
Hi,
If you don't use FlexConnect, it means all users' traffic is tunnelled from the LAP to the WLC via the DTLS CAPWAP tunnel, built between the IP of the LAP and the IP of the WLC. So the switch your LAP is connected to will always see ingress traffic from a single MAC address (and one IP; the IP matters for IPDT), the MAC address of the LAP. Thus, "single-host", a single MAC address in the DATA domain, is what you need as the host-mode.
I'm more than happy to hear I was able to help another engineer. If you enjoyed my trainings, stay tuned this year, for what's yet to come, on my own platform this time.
Regards,
Cristian Matei.
04-06-2020 10:14 PM
If you don't use FlexConnect, it means all users' traffic is tunnelled from the LAP to the WLC via the DTLS CAPWAP tunnel, built between the IP of the LAP and the IP of the WLC.
--> so not the LAP but the WLC will act as the Authenticator and all successful client auth-bindings could be seen on that device and not the switch, correct?
So the switch your LAP is connected to will always see ingress traffic from a single MAC address (and one IP; the IP matters for IPDT), the MAC address of the LAP. Thus, "single-host", a single MAC address in the DATA domain, is what you need as the host-mode.
--> Because of that, Authentication for SSIDs can therefore be used at the same time, correct?
To authenticate the LAP AND the users, is this a basic design approach which is used in practice? Or is the requirement better solved in other ways?
04-08-2020 08:21 AM
Hi,
None of them are required (LAP or user WiFi authentication), both are optional :) But yes, I would configure a sort of authentication and encryption for WiFi and, if I already have 802.1x deployed, why not secure all ports, thus also the ones where I have LAPs attached.
The answer to both of your questions is yes. Without FlexConnect, the MAC address of the WiFi clients is only visible on the switchport where your WLC is connected.
Regards,
Cristian Matei.
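As an added illustration of the host-mode point made in this thread (this is an example written for this page, not configuration from the thread participants or from the linked Cisco guide), here is what the switch side looks like for a port facing a local-mode (non-FlexConnect) LAP. The interface name, access VLAN, RADIUS server name, address and shared secret are assumptions; the AP-side supplicant credentials are configured on the WLC as described in the linked guide and are not shown here.

```cisco
! Global AAA / RADIUS (server name, address and key are example values)
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
radius server RADIUS-EXAMPLE
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key EXAMPLE-SHARED-SECRET
!
! Port facing a local-mode LAP: every client frame is inside the CAPWAP
! tunnel sourced from the LAP's own MAC/IP, so the switch only ever sees
! one host here and single-host is the right host-mode. The LAP itself is
! the 802.1X supplicant on this port; the WLC authenticates the WiFi users.
interface GigabitEthernet1/0/10
 description LAP-01 (local mode, CAPWAP to WLC)
 switchport mode access
 switchport access vlan 100
 authentication port-control auto
 authentication host-mode single-host
 dot1x pae authenticator
 spanning-tree portfast
!
! FlexConnect variant from the thread: locally switched client traffic
! shares the port with the LAP, so multi-host is used instead of single-host:
!  authentication host-mode multi-host
```

To check the result, `show authentication sessions interface GigabitEthernet1/0/10 details` lists the authenticated session on the LAP port; in local mode only the LAP's MAC address appears there, while the WiFi clients' MAC addresses show up only behind the port where the WLC is connected, as the last answer states. With multi-host, the first host to authenticate opens the port and the other MAC addresses behind it are then allowed without authenticating, which is why it is only the FlexConnect case that calls for it.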