04-19-2013 12:05 AM - edited 03-07-2019 12:55 PM
Hello,
I have been configuring 802.1x with Cisco Secure ACS 5.3.
I configured 802.1x for Ethernet and it works; there is no problem (ACS assigns a VLAN to the interface depending on the username and password on the client).
The next step is wireless, but I have a few questions about configuring 802.1x for wireless:
1) I think if I am doing 802.1x, I cannot configure the port as a trunk. Am I right? But if I don't configure the port as a trunk, how does the switch pass multiple VLANs?
2) I am using Cisco Aironet 1140 as an access point. We have 40 access points and unfortunately we do not have a wireless controller.
I cannot find any documents about how to configure Cisco Aironet with autonomous IOS for 802.1x.
I will be grateful for any help.
Thank you in advance,
04-19-2013 12:17 AM
Duplicate post #1.
04-19-2013 01:50 AM
It is because it is associated with both.
04-19-2013 06:04 AM
Take a look, NUMAN:
hostname AP01
!
no logging console
!
clock timezone GMT-3 0
ip subnet-zero
ip domain name xxxx.com.br
ip name-server 10.10.10.10
ip name-server 10.10.10.4
!
!
aaa new-model
!
!
aaa group server radius rad_eap
server 10.10.10.7 auth-port 1645 acct-port 1646
!
aaa group server radius rad_mac
server 10.10.10.7 auth-port 1645 acct-port 1646
!
aaa group server radius rad_acct
server 10.10.10.7 auth-port 1645 acct-port 1646
!
aaa group server radius rad_admin
server 10.10.10.7 auth-port 1645 acct-port 1646
cache expiry 1
cache authorization profile admin_cache
cache authentication profile admin_cache
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa group server tacacs+ tac_admin
server 10.10.10.7
cache expiry 1
!
aaa authentication login default group tac_admin local
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default group tac_admin local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 5 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting network acct_methods start-stop group rad_acct
aaa cache profile admin_cache
all
!
aaa session-id common
dot11 vlan-name AdGST vlan 60
!
dot11 ssid XXXX
vlan 10
authentication open eap eap_methods
authentication key-management wpa
guest-mode
!
dot11 ssid XXXXM
vlan 100
authentication open
authentication key-management wpa
wpa-psk ascii 7 1416160F09007A7A767B67607444
!
dot11 ssid XXXXVoice
vlan 20
authentication open
authentication key-management wpa
wpa-psk ascii 7 101A0D1D5613115A1F077A
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption vlan 10 mode ciphers aes-ccm
!
encryption vlan 100 mode ciphers tkip
!
encryption vlan 20 mode ciphers tkip
!
ssid XXXXX
!
ssid XXXXXM
!
ssid XXXXXVoice
!
mbssid
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
l2-filter bridge-group-acl
!
interface Dot11Radio0.10
encapsulation dot1Q 10 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio0.20
encapsulation dot1Q 20
no ip route-cache
bridge-group 20
bridge-group 20 subscriber-loop-control
bridge-group 20 block-unknown-source
no bridge-group 20 source-learning
no bridge-group 20 unicast-flooding
bridge-group 20 spanning-disabled
!
interface Dot11Radio0.60
encapsulation dot1Q 60
no ip route-cache
bridge-group 60
bridge-group 60 subscriber-loop-control
bridge-group 60 block-unknown-source
no bridge-group 60 source-learning
no bridge-group 60 unicast-flooding
bridge-group 60 spanning-disabled
!
interface Dot11Radio0.100
encapsulation dot1Q 100
no ip route-cache
bridge-group 100
bridge-group 100 subscriber-loop-control
bridge-group 100 block-unknown-source
no bridge-group 100 source-learning
no bridge-group 100 unicast-flooding
bridge-group 100 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
!
interface FastEthernet0.10
encapsulation dot1Q 10 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface FastEthernet0.20
encapsulation dot1Q 20
no ip route-cache
bridge-group 20
no bridge-group 20 source-learning
bridge-group 20 spanning-disabled
!
interface FastEthernet0.60
encapsulation dot1Q 60
no ip route-cache
bridge-group 60
no bridge-group 60 source-learning
bridge-group 60 spanning-disabled
!
interface FastEthernet0.100
encapsulation dot1Q 100
no ip route-cache
bridge-group 100
no bridge-group 100 source-learning
bridge-group 100 spanning-disabled
!
interface BVI1
ip address 10.10.10.71 255.255.252.0
no ip route-cache
!
ip default-gateway 10.10.10.1
no ip http server
ip http authentication aaa
ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip tacacs source-interface BVI1
ip radius source-interface BVI1
!
tacacs-server host 10.10.10.7 key 7 0xxxxxx25C254F1F1A1A55
tacacs-server directed-request
radius-server attribute 32 include-in-access-req format %h
radius-server host 10.10.10.7 auth-port 1645 acct-port 1646 key 7 02520xxxx705F4D59
radius-server vsa send accounting
!
control-plane
!
bridge 1 route ip
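The config above shows the autonomous-AP pattern that answers question 1: 802.1x runs between the wireless client and the AP (the AP forwards EAP to the RADIUS server via the eap_methods list), each SSID is pinned to a VLAN, and the VLANs reach the switch over dot1Q subinterfaces on both the radio and the FastEthernet uplink, so the switch port facing the AP is an ordinary trunk. A config with a typo in any one of those places fails quietly, so here is an added consistency check (my own example in Python, not code from the thread or from Cisco; the SSID names, VLANs and the constructed sample config are hypothetical, and the PLACEHOLDER keys stand in for real secrets). It parses a flush-left paste like the one above and reports SSIDs whose EAP list or RADIUS group is undefined, whose VLAN has no cipher suite on the radio, that still allow TKIP, or whose VLAN is missing from a radio or uplink subinterface.

```python
"""802.1X / per-SSID VLAN consistency audit for an autonomous Cisco IOS AP (added example, hypothetical names)."""
import re
from collections import defaultdict

SECTION_START = ("interface ", "dot11 ssid ")
# Global commands that close a section when a forum paste has lost its indentation.
SECTION_END = ("aaa ", "dot11 vlan-name", "ip default-gateway", "ip http", "radius-server", "tacacs-server", "end")

# Constructed sample shaped like the thread's config; secrets replaced by placeholders.
SAMPLE_CONFIG = """\
aaa group server radius rad_eap
aaa authentication login eap_methods group rad_eap
dot11 ssid CORP
vlan 10
authentication open eap eap_methods
dot11 ssid GUEST
vlan 100
authentication open
wpa-psk ascii 7 PLACEHOLDER
dot11 ssid VOICE
vlan 20
authentication open
wpa-psk ascii 7 PLACEHOLDER
interface Dot11Radio0
encryption vlan 10 mode ciphers aes-ccm
encryption vlan 100 mode ciphers tkip
ssid CORP
ssid GUESTX
ssid VOICE
interface Dot11Radio0.10
encapsulation dot1Q 10 native
interface Dot11Radio0.20
encapsulation dot1Q 20
interface Dot11Radio0.100
encapsulation dot1Q 100
interface FastEthernet0.10
encapsulation dot1Q 10 native
interface FastEthernet0.100
encapsulation dot1Q 100
"""

def parse_sections(config):
    """Split into (global_lines, {header: body}); accepts indented or flush-left text."""
    global_lines, sections, current = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if line.startswith(SECTION_START):
            current = line
            sections[current] = []
        elif line.startswith(SECTION_END) or current is None:
            current = None
            global_lines.append(line)
        else:
            sections[current].append(line)
    return global_lines, sections

def audit(config):
    """Return findings to fix before the AP goes live; an empty list means consistent."""
    global_lines, sections = parse_sections(config)
    radius_groups = {g.split()[-1] for g in global_lines if g.startswith("aaa group server radius ")}
    login_lists = dict(re.findall(r"aaa authentication login (\S+) group (\S+)", "\n".join(global_lines)))
    ssids, radio_ssids, ciphers = {}, set(), {}
    trunked = defaultdict(set)  # parent interface -> VLANs carried on its dot1Q subinterfaces
    for header, body in sections.items():
        text = "\n".join(body)
        if header.startswith("dot11 ssid "):
            vlan = re.search(r"^vlan (\d+)$", text, re.M)
            eap = re.search(r"^authentication open eap (\S+)", text, re.M)
            ssids[header.split(None, 2)[2]] = (int(vlan.group(1)) if vlan else None, eap.group(1) if eap else None)
        elif re.fullmatch(r"interface Dot11Radio\d+", header):
            radio_ssids.update(re.findall(r"^ssid (.+)$", text, re.M))
            for v, suite in re.findall(r"^encryption vlan (\d+) mode ciphers (.+)$", text, re.M):
                ciphers[int(v)] = suite.split()
        elif m := re.match(r"interface ([A-Za-z0-9]+)\.\d+$", header):
            trunked[m.group(1)].update(int(v) for v in re.findall(r"encapsulation dot1[Qq] (\d+)", text))
    findings = [f"ssid {n}: bound on the radio but never defined with 'dot11 ssid'"
                for n in sorted(radio_ssids - set(ssids))]
    if not any(p.startswith(("FastEthernet", "GigabitEthernet")) for p in trunked):
        findings.append("no dot1Q subinterfaces on the Ethernet uplink; the switch trunk carries no SSID VLAN")
    for name, (vlan, eap_list) in ssids.items():
        if name not in radio_ssids:
            findings.append(f"ssid {name}: defined but not bound to any Dot11Radio interface")
        if eap_list and eap_list not in login_lists:
            findings.append(f"ssid {name}: EAP method list '{eap_list}' is not defined")
        elif eap_list and login_lists[eap_list] not in radius_groups:
            findings.append(f"ssid {name}: '{eap_list}' uses undefined RADIUS group '{login_lists[eap_list]}'")
        if vlan is None:
            continue
        if vlan not in ciphers:
            findings.append(f"ssid {name}: radio has no 'encryption vlan {vlan}' cipher suite")
        elif "tkip" in ciphers[vlan]:
            findings.append(f"ssid {name}: VLAN {vlan} allows TKIP; restrict it to aes-ccm")
        for parent in sorted(trunked):  # every interface with dot1Q subinterfaces (radio and uplink) must carry it
            if vlan not in trunked[parent]:
                findings.append(f"ssid {name}: VLAN {vlan} has no dot1Q subinterface on {parent}")
    return findings
```

Run `audit(SAMPLE_CONFIG)` and the sample yields five findings: GUESTX is bound on the radio but never defined, GUEST is defined but never bound (the same typo seen from the other side), GUEST's VLAN 100 still allows TKIP, VOICE has no cipher suite for VLAN 20, and VLAN 20 exists on the radio but not on the FastEthernet uplink, which is exactly the case where clients authenticate fine and then get no traffic through the trunk. Feeding the script the output of show running-config on a real AP works the same way, since the parser tolerates both indented and flush-left text.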
04-28-2013 01:08 PM
802.1x is not supported on these port types:
–Trunk port—If you try to enable 802.1X on a trunk port, an error message appears, and 802.1X is not enabled. If you try to change the mode of an 802.1X-enabled port to trunk, the port mode is not changed.
–Dynamic ports—A port in dynamic mode can negotiate with its neighbor to become a trunk port. If you try to enable 802.1X on a dynamic port, an error message appears, and 802.1X is not enabled. If you try to change the mode of an 802.1X-enabled port to dynamic, the port mode is not changed.
–Dynamic-access ports—If you try to enable 802.1X on a dynamic-access (VLAN Query Protocol [VQP]) port, an error message appears, and 802.1X is not enabled. If you try to change an 802.1X-enabled port to dynamic VLAN assignment, an error message appears, and the VLAN configuration is not changed.
–EtherChannel port—Before enabling 802.1X on the port, you must first remove the port from the EtherChannel before enabling 802.1X on it. If you try to enable 802.1X on an EtherChannel or on an active port in an EtherChannel, an error message appears, and 802.1X is not enabled. If you enable 802.1X on a not-yet active port of an EtherChannel, the port does not join the EtherChannel.
–Secure port—You cannot configure a secure port as an 802.1X port. If you try to enable 802.1X on a secure port, an error message appears, and 802.1X is not enabled. If you try to change an 802.1X-enabled port to a secure port, an error message appears, and the security settings are not changed.
–Switch Port Analyzer (SPAN) destination port—You can enable 802.1X on a port that is a SPAN destination port; however, 802.1X is disabled until the port is removed as a SPAN destination. You can enable 802.1X on a SPAN source port.
Jatin Katyal
- Do rate helpful posts -