
802.1x and wireless

Hello,

I have been configuring 802.1x with Cisco Secure ACS 5.3.

I configured 802.1x for Ethernet and it works; there is no problem (ACS assigns a VLAN to the interface depending on the username and password on the client).

The next step is wireless, but I have a few questions about configuring 802.1x for wireless:

1) I think if I am doing 802.1x, I cannot configure the port as a trunk. Am I right? But if I don't configure the port as a trunk, how does the switch pass multiple VLANs?

2) I am using Cisco Aironet 1140 as the access point. We have 40 access points and unfortunately we do not have a wireless controller.

I cannot find any documents about how to configure Cisco Aironet with autonomous IOS for 802.1x.

I will be grateful for any help.

Thanks in advance,

4 Replies

Leo Laohoo
Hall of Fame

Duplicate post #1.

It is because it is associated with both.

andre.ortega
Spotlight

Take a look, NUMAN:

hostname AP01
!
no logging console
!
clock timezone GMT-3 0
ip subnet-zero
ip domain name xxxx.com.br
ip name-server 10.10.10.10
ip name-server 10.10.10.4
!
!
aaa new-model
!
!
aaa group server radius rad_eap
 server 10.10.10.7 auth-port 1645 acct-port 1646
!
aaa group server radius rad_mac
 server 10.10.10.7 auth-port 1645 acct-port 1646
!
aaa group server radius rad_acct
 server 10.10.10.7 auth-port 1645 acct-port 1646
!
aaa group server radius rad_admin
 server 10.10.10.7 auth-port 1645 acct-port 1646
 cache expiry 1
 cache authorization profile admin_cache
 cache authentication profile admin_cache
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa group server tacacs+ tac_admin
 server 10.10.10.7
 cache expiry 1
!
aaa authentication login default group tac_admin local
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default group tac_admin local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 5 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting network acct_methods start-stop group rad_acct
aaa cache profile admin_cache
 all
!
aaa session-id common
dot11 vlan-name AdGST vlan 60
!
dot11 ssid XXXX
   vlan 10
   authentication open eap eap_methods
   authentication key-management wpa
   guest-mode
!
dot11 ssid XXXXM
   vlan 100
   authentication open
   authentication key-management wpa
   wpa-psk ascii 7 1416160F09007A7A767B67607444
!
dot11 ssid XXXXVoice
   vlan 20
   authentication open
   authentication key-management wpa
   wpa-psk ascii 7 101A0D1D5613115A1F077A
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 10 mode ciphers aes-ccm
 !
 encryption vlan 100 mode ciphers tkip
 !
 encryption vlan 20 mode ciphers tkip
 !
 ssid XXXXX
 !
 ssid XXXXXM
 !
 ssid XXXXXVoice
 !
 mbssid
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 l2-filter bridge-group-acl
!
interface Dot11Radio0.10
 encapsulation dot1Q 10 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.20
 encapsulation dot1Q 20
 no ip route-cache
 bridge-group 20
 bridge-group 20 subscriber-loop-control
 bridge-group 20 block-unknown-source
 no bridge-group 20 source-learning
 no bridge-group 20 unicast-flooding
 bridge-group 20 spanning-disabled
!
interface Dot11Radio0.60
 encapsulation dot1Q 60
 no ip route-cache
 bridge-group 60
 bridge-group 60 subscriber-loop-control
 bridge-group 60 block-unknown-source
 no bridge-group 60 source-learning
 no bridge-group 60 unicast-flooding
 bridge-group 60 spanning-disabled
!
interface Dot11Radio0.100
 encapsulation dot1Q 100
 no ip route-cache
 bridge-group 100
 bridge-group 100 subscriber-loop-control
 bridge-group 100 block-unknown-source
 no bridge-group 100 source-learning
 no bridge-group 100 unicast-flooding
 bridge-group 100 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
!
interface FastEthernet0.10
 encapsulation dot1Q 10 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface FastEthernet0.20
 encapsulation dot1Q 20
 no ip route-cache
 bridge-group 20
 no bridge-group 20 source-learning
 bridge-group 20 spanning-disabled
!
interface FastEthernet0.60
 encapsulation dot1Q 60
 no ip route-cache
 bridge-group 60
 no bridge-group 60 source-learning
 bridge-group 60 spanning-disabled
!
interface FastEthernet0.100
 encapsulation dot1Q 100
 no ip route-cache
 bridge-group 100
 no bridge-group 100 source-learning
 bridge-group 100 spanning-disabled
!
interface BVI1
 ip address 10.10.10.71 255.255.252.0
 no ip route-cache
!
ip default-gateway 10.10.10.1
no ip http server
ip http authentication aaa
ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip tacacs source-interface BVI1
ip radius source-interface BVI1
!
tacacs-server host 10.10.10.7 key 7 0xxxxxx25C254F1F1A1A55
tacacs-server directed-request
radius-server attribute 32 include-in-access-req format %h
radius-server host 10.10.10.7 auth-port 1645 acct-port 1646 key 7 02520xxxx705F4D59
radius-server vsa send accounting
!
control-plane
!
bridge 1 route ip


Jatin Katyal
Cisco Employee

802.1x is not supported on these port types:

–Trunk port—If you try to enable 802.1X on a trunk port, an error message appears, and 802.1X is not enabled. If you try to change the mode of an 802.1X-enabled port to trunk, the port mode is not changed.

–Dynamic ports—A port in dynamic mode can negotiate with its neighbor to become a trunk port. If you try to enable 802.1X on a dynamic port, an error message appears, and 802.1X is not enabled. If you try to change the mode of an 802.1X-enabled port to dynamic, the port mode is not changed.

–Dynamic-access ports—If you try to enable 802.1X on a dynamic-access (VLAN Query Protocol [VQP]) port, an error message appears, and 802.1X is not enabled. If you try to change an 802.1X-enabled port to dynamic VLAN assignment, an error message appears, and the VLAN configuration is not changed.

–EtherChannel port—Before enabling 802.1X on the port, you must first remove the port from the EtherChannel before enabling 802.1X on it. If you try to enable 802.1X on an EtherChannel or on an active port in an EtherChannel, an error message appears, and 802.1X is not enabled. If you enable 802.1X on a not-yet active port of an EtherChannel, the port does not join the EtherChannel.

–Secure port—You cannot configure a secure port as an 802.1X port. If you try to enable 802.1X on a secure port, an error message appears, and 802.1X is not enabled. If you try to change an 802.1X-enabled port to a secure port, an error message appears, and the security settings are not changed.

–Switch Port Analyzer (SPAN) destination port—You can enable 802.1X on a port that is a SPAN destination port; however, 802.1X is disabled until the port is removed as a SPAN destination. You can enable 802.1X on a SPAN source port.

Jatin Katyal
- Do rate helpful posts -

~Jatin
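Added example, not code from the thread or from Cisco: a Python script that reads an autonomous-AP config in the style andre.ortega posted and does two things. First, it audits the settings a reviewer would question in such a config: TKIP ciphers, `authentication key-management wpa` without `version 2`, and PSKs and RADIUS/TACACS+ secrets stored as type 7, which is a fixed-key XOR obfuscation that anyone can reverse, so pasting a config with such values on a public forum discloses them. Second, it derives the switch-side port the AP uplink needs, which is the answer to question 1: the AP authenticates wireless clients itself (`authentication open eap eap_methods` on the SSID, backed by `aaa authentication login eap_methods group rad_eap`), so the AP's wired port is an ordinary trunk carrying the SSID VLANs and, per Jatin's list, must not have 802.1X enabled. The sample config, its addresses, the switch port name and the two type-7 strings (hypothetical, encoding "Welcome1" and "cisco") are all constructed for this example.

```python
import re
from typing import Dict, List

# Fixed key behind Cisco IOS "type 7" obfuscation (public, widely documented).
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"

# Constructed sample in the style of the posted config; names, addresses and the
# two type-7 strings (hypothetical, encoding "Welcome1" and "cisco") are made up.
SAMPLE_CFG = """\
aaa group server radius rad_eap
 server 10.0.0.7 auth-port 1812 acct-port 1813
aaa authentication login eap_methods group rad_eap
dot11 ssid CORP
 vlan 10
 authentication open eap eap_methods
 authentication key-management wpa version 2
 guest-mode
dot11 ssid LEGACY
 vlan 100
 authentication open
 authentication key-management wpa
 wpa-psk ascii 7 073824404D06140046
interface Dot11Radio0
 encryption vlan 10 mode ciphers aes-ccm
 encryption vlan 100 mode ciphers tkip
 ssid CORP
 ssid LEGACY
interface FastEthernet0.10
 encapsulation dot1Q 10 native
 bridge-group 1
interface FastEthernet0.100
 encapsulation dot1Q 100
 bridge-group 100
radius-server host 10.0.0.7 auth-port 1812 acct-port 1813 key 7 02050D480809
"""


def type7_decode(enc: str) -> str:
    """Reverse type 7: two-digit decimal seed, then plaintext XOR key[seed+i] as hex."""
    seed = int(enc[:2])
    body = bytes.fromhex(enc[2:])
    return bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(body)).decode()


def parse_blocks(cfg: str) -> List[List[str]]:
    """Group an IOS config into [top-level line, indented children...] blocks."""
    blocks: List[List[str]] = []
    for raw in cfg.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1].append(raw.strip())
        else:
            blocks.append([raw.strip()])
    return blocks


def audit(cfg: str) -> List[str]:
    """Settings a reviewer would question in an autonomous-AP config."""
    findings: List[str] = []
    for blk in parse_blocks(cfg):
        head, body = blk[0], blk[1:]
        if head.startswith("dot11 ssid "):
            name = head.split()[2]
            km = [l for l in body if l.startswith("authentication key-management")]
            if any("version 2" not in l for l in km):
                findings.append(f"ssid {name}: key-management wpa without 'version 2' (WPA1)")
            if any(l.startswith("wpa-psk ascii 7 ") for l in body):
                findings.append(f"ssid {name}: PSK stored as type 7 (reversible)")
        for line in blk:
            if line.startswith("encryption vlan ") and line.endswith("tkip"):
                findings.append(f"{line}: TKIP cipher (deprecated)")
            if re.match(r"(radius|tacacs)-server host ", line) and " key 7 " in line:
                findings.append(f"{line.split(' key ')[0]}: shared secret stored as type 7 (reversible)")
    return findings


def reveal_type7(cfg: str) -> Dict[str, str]:
    """What anyone reading a pasted config learns: every type-7 value, decoded."""
    found: Dict[str, str] = {}
    for m in re.finditer(r"^\s*(.*\S)\s+7\s+([0-9A-Fa-f]{4,})\s*$", cfg, re.M):
        found[m.group(1)] = type7_decode(m.group(2))
    return found


def switch_uplink(cfg: str, port: str = "GigabitEthernet1/0/1") -> List[str]:
    """Switch-side port for the AP: a plain trunk carrying the VLANs used by the
    AP's FastEthernet0 dot1Q subinterfaces. No dot1x here: the AP authenticates
    wireless clients itself via 'authentication open eap' on the SSID."""
    vlans, native = [], None
    for blk in parse_blocks(cfg):
        if blk[0].startswith("interface FastEthernet0."):
            for line in blk[1:]:
                m = re.match(r"encapsulation dot1Q (\d+)( native)?$", line)
                if m:
                    vlans.append(int(m.group(1)))
                    if m.group(2):
                        native = int(m.group(1))
    lines = [f"interface {port}",
             " description AP uplink - 802.1X runs on the SSID, not on this port",
             " switchport mode trunk",
             f" switchport trunk allowed vlan {','.join(str(v) for v in sorted(vlans))}"]
    if native is not None:
        lines.append(f" switchport trunk native vlan {native}")
    lines += [" switchport nonegotiate", " spanning-tree portfast trunk"]
    return lines


if __name__ == "__main__":
    for f in audit(SAMPLE_CFG):
        print("FINDING:", f)
    for ctx, secret in reveal_type7(SAMPLE_CFG).items():
        print(f"TYPE7 {ctx!r} -> {secret!r}")
    print("\n".join(switch_uplink(SAMPLE_CFG)))
```

Run against the sample, the audit reports the LEGACY SSID (WPA1 key management, type-7 PSK), the TKIP cipher on VLAN 100 and the type-7 RADIUS secret, while the CORP SSID (EAP, WPA2, AES-CCM) produces no finding; the derived trunk allows VLANs 10 and 100 with 10 as native, matching the AP's `native` tag, and contains no `dot1x` line. Before pasting a real config anywhere, replace type-7 values, which `reveal_type7` shows are plaintext to any reader, and prefer `key 0`/`ascii 0` entries kept out of shared copies.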