Wireless AP with 802.1x

humphrey.j · ‎12-07-2010

Does anyone have experience, and is willing to share, on setting up access points where the connected users are authenticated through 802.1x?

Here is my setup. Cisco 1240AG and 1131AG connected to an 802.1x enabled switch. The switch gets puts users on different VLANS depending on access (wired authentication already works). MS Server 2008 acting as RADIUS.

My goal is to have one SSID. When guests connects, they do not authenticate and are put on a guest VLAN. Authenticated users are put on a different VLAN.

Thank you in advance for any help on this subject.

Sebastian Helmer · ‎12-09-2010

HI Joshua,

I prefer one SSID for corporate user and one for guest. If you want I can share a example config. If you want to use just one SSID I need to cehck if I could help you. let me know I think I will have a moment today to share some things with you.

- Sebastian

humphrey.j · ‎12-09-2010

Sebastian,

I can get by with 1 ssid for corporate and 1 for guests. The biggest thing is just having one route for guests and one route for authenticated users.

Any example files you have would be great.

Sebastian Helmer · ‎12-14-2010

sorry but I was ill, tomorrow I will give you

some information if they are still necessary.

humphrey.j · ‎12-14-2010

That would be great. Thank you.

Sebastian Helmer · ‎12-15-2010

Hey Joshua,

attached you find an example config, wiht not our real vlans.

vlan 3 is management vlan for the ap and this ip is configured as rad client in the nps.

we use @corporate wpa2 enterprise with ms-chap v2 authentication.

hope tha helps.

Sebastian

Ivaylo Terziyski · ‎03-14-2011

Hi,

I am trying to implement 802.1X authentication in enterprise environment with access switch WS-C3750-48TS-E (C3750 Software (C3750-IPSERVICES-M), Version 12.2(50)SE3).

I am using dynamic VLAN assignments, like guest VLAN, restricted(critical) VLAN, unauthorized VLAN for wired clients.Everything if fine for them.

I want to use only one SSID for wireless clients. Is it possible to use "authentication host-mode multi-auth" command for configuring switch port with connected Cisco AP 1242G to it ?

Example configuration:

description Cisco 1242G AP

switchport access vlan 2223

switchport mode access

switchport voice vlan 998

authentication event fail retry 1 action authorize vlan 2226

authentication event server dead action authorize vlan 2227

authentication event no-response action authorize vlan 2224

authentication event server alive action reinitialize

authentication host-mode multi-auth

authentication port-control auto

authentication periodic

authentication timer reauthenticate 300

authentication violation protect

mab

dot1x pae authenticator

dot1x timeout quiet-period 10

dot1x timeout tx-period 1

dot1x max-reauth-req 1

spanning-tree portfast

spanning-tree bpduguard enable

Do I have to enable 802.1X auth on the AP or it has to be pass-through for wireless clients and be the client of the switch itself (with its MAC address) ?

Thank you in advance !