In this document, we will discuss various aspects about Autonomous AP's and comparision between Network EAP vs Open Authentication with EAP and finding the right combination.
When configuring an SSID with EAP/802.1X on an autonomous AP, we are given the choice between Network EAP and Open Authentication with EAP (or both).
On the CLI, we would say
dot11 ssid whatever authentication open eap eap_methods authentication network-eap eap_methods
In configuration guide it is not completely clear, here is a quick summary of which one to choose and when.
All this started at the time when we had "nothing (Authentication set to 0 in the AP beacons)" or WEP PSK (Authentication set to 1 in the AP beacons). WEP was weak, so everybody needed a replacement for it. When LEAP implemented , which implies both authentication mechanism and some encryption. The Authentication value was set to 1 in the AP beacons using LEAP, not to indicate PSK but to indicate "authentication required" (and this is also why you cannot use LEAP with no encryption). But this does not really conform to the (future, when LEAP was created) 802.11i (and WPA) specifications, so this is specific.
Later on, when WPA and 802.11i appeared, the protocol detailed that, for compatibility with the 802.1X protocol, the authentication would occur at the association phase. In other words, with 802.1X you plug your PC to a switch, and it is only when you do that that authentication occurs. Similarly in the wireless space, you go through the 802.11 authentication phase (request/response) in an open manner, and it is only when you go to the association phase, which is the "hey, plug me to your cell" message, that the AP says "wait, I need to do 802.1X authentication first", and the EAP process starts. So, Authentication is set to 0 (for its 802.11 part), and EAP/802.1X starts at the association phase. When Cisco replaced LEAP with EAP-FAST Authentication is set to 0.
So it seems that Network EAP = LEAP and Open authentication with EAP = Any other EAP. This is something we see when checking Network EAP: the popup window clearly states that if we use EAP-FAST or any other EAP (than LEAP), we should check Open with EAP. We can of course check both when we want to allow LEAP and another EAP, but we will not be able to authenticate using EAP-FAST if we choose Network EAP only.
There is one exception though. for long, LEAP used to be the default "secure" authentication method. This makes that some old clients (for example access points!) need to be offered LEAP to get started (or turned on, name it the way you like). In other words, if we build a wireless link between 2 APs, for a repeater, bridge or Workgroup Bridge configuration, and if we use 802.1X on that link, we need to offer LEAP (i.e Network EAP) for the secure authentication to be used. So we can offer Network EAP, or Network EAP and Open with EAP, but we should not offer just Open with EAP.
Which one is going to be used if we offer both? Well, it all depends on how we configure our client side (non root Bridge, Workgroup Bridge, etc). If we use the "old" EAP Client (optional feature), in the SSID page:
Which is in the CLI: dot11 ssid whatever authentication client username Test password 7 104D000A0618
This is going to use LEAP only. If we want to use another EAP, for example EAP-FAST, we need to empty that EAP Client field (it cannot be used in combination with another method), then use the AP Authentication feature.
In this page, we define credentials and method. We can pick up several methods if we want. Then from the SSID page, we can call these methods:
In the CLI, this is: dot11 ssid whatever dot1x credentials Test dot1x eap profile Myfast exit eap profile Myfast method fast dot1x credentials test username cisco password cisco
So we offer both LEAP and Open with EAP, and using the newer AP Authentication method allows us to use the credentials we defined, and use the most secure method selected. In this example, we use EAP FAST only, so that's the one we'll use. Of course, the RADIUS to which you main AP points (local RADIUS on the main APor external RADIUS) needs to allow that method.
Careful when testing, it is only from the non-root AP / WGB / repeater CLI that we will use, at authentication time, which method was used. The main AP CLI will just tell us "WPA", or "Open", etc., but not the details of the authentication method used.
If we offer just Open with EAP, as the AP expects LEAP (Network LEAP) among the possibilities, then the EAP part is discarded. Although our link may come up, if we look carefully at our non-root AP CLI, we will see that the authentication is going to be "Open" (NOT with EAP), so there is no real authentication there. As soon as we also offer Network EAP, the non-root AP is happy, being offered LEAP, btu also something stronger, and is going to use the stronger method (EAP-FAST in our example)
[ The link to the discussion will be published on November 10th ]
This event is an opportunity to discuss the LTE market trends from a consumer perspective, highlighting the 4G LTE service from Cisco Enterprise BU. Furthermore, we will discuss the strateg...
Hi,I am attempting to create a WMI on c9800 controller. I had used the pre-installed MIC (CISCO_IDEVID_SUDI) on 16.10.1 but upon upgrading to 16.12.4s, I am now unable to use this trustpoint.Via the Gui, I no longer have a list of trustpoints to select fr...
Earlier this week one of our classrooms started to have some strange wireless issues that I've only seemed to replicate in this one classroom. When the teacher of the affected classroom tries to screen mirror to the Apple TV in their classroom they lose c...
Hello all,Iam new to this forum and also new in the Cisco world so sorry if I dont understand things right away.I would like to know if there is a way to force a connection to a specific LTE Band.I noticed that the LTE router sometimes connect to a L...
Hi guys,we have 3 WLC 5520 in 188.8.131.52 and i had to reboot all of them to get rid of new mobility. In every AP it is configured manually the failover of the APs.When i rebooted WLC-3 almost all the APs joined the second one as it was supposed to. Just fe...