02-06-2019 04:51 AM - edited 07-05-2021 09:48 AM
Hey!
Can someone tell me the difference between these two configurations:
02-06-2019 06:42 AM
02-06-2019 07:18 AM
I wanted to ask regarding the 802.1X Auth.
What is the difference regarding 802.1X?
02-06-2019 07:30 AM
02-06-2019 01:58 PM
The first one, using 802.1X, is for when using Cisco LEAP authentication; it doesn't use any WPA or WPA2 encryption but instead uses WEP encryption.
You will more than likely find that with the introduction of WPA3 this option will be removed to enable the APs/controllers to gain WPA3 certification from the Wi-Fi Alliance.
The second one is using WPA2 AES encryption with 802.1X authentication. If you require a PSK network, untick the 802.1X box, tick the PSK box and enter the PSK in the box that pops up.
For Layer 2 security there are really only 2 options that you would use:
WPA+WPA2 or none
02-07-2019 12:23 AM - edited 02-07-2019 12:24 AM
Thanks for your answer.
I understand!
Additionally, I would like to do 802.1X Mac Authentication/Mac Filtering with a Microsoft Network Policy Radius Server.
I followed that manual:
It says:
Click Security > MAC Filtering.
In the MAC Filtering window, choose the type of RADIUS server under RADIUS Compatibility Mode.
This example uses Cisco ACS.
From the MAC Delimiter pull down menu, choose the MAC delimiter.
This example uses Colon.
When I want to do that with the Microsoft NPS, which RADIUS Compatibility Mode and MAC Delimiter is correct?
02-07-2019 12:36 AM
02-08-2019 02:03 AM - edited 02-08-2019 02:04 AM
I also have to check the "Mac Filtering" box under Layer 2 Security, don't I?
What do you mean by password for the MAC auth?
My NPS Server is installed on my domain controller with Active Directory. So my intention is to create a user that has the mac address as username and password, without colons, for example: 00a24455d223.
Then I want to add that user to a domain group. In the NPS I want to create a network policy with the condition "windows group". I then choose the group that contains the mac address users. (as I said before).
Do you think that works?
02-08-2019 02:40 AM
When you're doing MAC auth with RADIUS, the WLC sends a username and password to the RADIUS server.
If you select mode Cisco ACS, it uses the client MAC address for both the username and password. If you're configuring this on AD and having NPS check this, then that will work.
Check the delimiter matches how you plan to enter these.
Is your plan to also look at user auth, or are you only concerned with the MAC auth?
If you're looking at both, you could use RADIUS rules (now I can't talk for NPS as my RADIUS experience is limited to ISE) and the auth is against the user's credentials, but you also use the client MAC address to define the authorisation policy.
cheers
Haydn
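An added example, not part of any post in this thread: a Python check that a planned list of directory account names matches the string the controller would send for the chosen MAC delimiter. The four delimiter styles, the lowercase-hex form, and the names `radius_identity` and `audit_accounts` are assumptions of this example; the sample list is constructed.

```python
import re

# Delimiter styles assumed for this example; the thread itself only mentions
# "Colon" and the undelimited form 00a24455d223.
FORMATS = {
    "none": lambda h: h,
    "colon": lambda h: ":".join(h[i:i + 2] for i in range(0, 12, 2)),
    "hyphen": lambda h: "-".join(h[i:i + 2] for i in range(0, 12, 2)),
    "single-hyphen": lambda h: h[:6] + "-" + h[6:],
}

def mac_hex(value):
    """Return the 12 lowercase hex digits of a MAC, or None if it is not one."""
    digits = re.sub(r"[:\-.]", "", value.strip().lower())
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

def radius_identity(mac, delimiter):
    """String used as username (and as password, in the mode described above)."""
    digits = mac_hex(mac)
    if digits is None:
        raise ValueError(f"not a MAC address: {mac!r}")
    return FORMATS[delimiter](digits)

def audit_accounts(account_names, delimiter):
    """Map each account name that would not match to the name it should have.

    The comparison is exact (case-sensitive) because the same string is also
    the password. Names that are not MAC addresses at all map to None.
    """
    problems = {}
    for name in account_names:
        digits = mac_hex(name)
        expected = FORMATS[delimiter](digits) if digits else None
        if name != expected:
            problems[name] = expected
    return problems

# Constructed sample account names (only the first appears in the thread).
SAMPLE = ["00a24455d223", "00:A2:44:55:D2:24", "00-a2-44-55-d2-25", "printer-3"]

if __name__ == "__main__":
    for bad, fix in audit_accounts(SAMPLE, "none").items():
        print(f"{bad!r}: " + (f"rename to {fix!r}" if fix else "not a MAC address"))
```

Running the audit before creating the accounts catches entries typed in a different delimiter or case than the one selected on the controller.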
02-08-2019 03:16 AM
And I need to check that box, right?
02-08-2019 03:18 AM
correct