08-27-2015 02:31 AM - edited 07-05-2021 03:50 AM
Hey Guys
How do you secure your switch ports when you operate access points in FlexConnect mode?
I've read that 802.1X authentication is not supported on trunk ports.
Is it possible to use PEAP or another EAP type instead of EAP-FAST to authenticate the APs?
08-31-2015 01:57 AM
Hi,
The first step consists of implementing 802.1X authentication on the authenticator side (the LAN switches). Here is a sample configuration:
aaa new-model
aaa authentication dot1x default group radius
radius-server host 10.199.200.71 auth-port 1812 acct-port 1813 key <yourkey>
dot1x system-auth-control
!
interface FastEthernet0/3
 description WiFi Access Point with 802.1X Auth
 switchport mode access
 switchport access vlan 200
 dot1x pae authenticator
 authentication port-control auto
 spanning-tree portfast
NOTE: The port-control auto option means that once a device logs off, that switch port reverts to an unauthorized state.
The above example only shows one LAN port. You need to repeat this for all ports in the switch.
Configure your RADIUS server with the user name and password you will specify in your WLC (Wireless > Radios > Global Configuration > 802.1X Supplicant Credentials).
From the following menu, configure your global 802.1X supplicant credentials:
Wireless > Radios > Global Configuration > 802.1X Supplicant Credentials
Check 802.1X Authentication, then fill in both the 802.1X username and password. These have global significance, and all LAPs that have already joined that WLC will inherit these credentials. In the LAP's config, you will find a config snippet similar to this:
dot1x credentials lwapp_credentials
 username 8021xglobal
 password 010203040506070809
Please note that you can also implement per-AP credentials instead of global credentials.
New LAPs will not be able to join the WLC if their wired switch port is configured for 802.1X. The easiest way to have them join that WLC is to disable 802.1X authentication on one switch port and let the LAP reboot. It will then inherit its new configuration, including the 802.1X credentials. Next, enable 802.1X authentication on the switch port. Another way is to 'prime' your LAPs in a lab with these 802.1X credentials.
08-31-2015 02:08 AM
Thanks for your reply, but the FlexConnect access points are not connected to an access port but to trunk-mode ports. As far as I know, dot1x is not supported on trunk ports.
02-02-2017 03:35 AM
Check this out:
http://www.cisco.com/c/en/us/support/docs/wireless/wireless-lan-controller-software/200492-Securing-a-flexconnect-AP-switchport-wit.html
You'll need to boot the AP on an access port, and the NEAT response from ISE will change the port from access to trunk.
02-24-2018 09:04 AM
Any idea how this can be done when you are using IBNS 2.0 config syntax for 802.1X (like "service-policy type control subscriber xxxyyyzzzz"), not the "old" syntax?
Rgs
Frank
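Added example (not from any post in this thread and not from the linked Cisco document): the IBNS 2.0 "new-style" equivalent of the classic dot1x port configuration posted earlier, laid out the way the FlexConnect/NEAT approach needs it. The port still has to start as an access port, because 802.1X is not run on trunk ports in either syntax; the RADIUS authorization from ISE is what converts it to a trunk after the AP authenticates. The VLAN (200), RADIUS server (10.199.200.71) and the credential model are reused from the thread; the names DOT1X_AP, DOT1X_FAILED, DOT1X_NO_RESP and ISE, the interface GigabitEthernet1/0/3 and the 60-second restart timer are assumptions for illustration.

```ios
! --- Added example: IBNS 2.0 syntax for an AP port that boots as access
! --- and is promoted to trunk by the NEAT authorization from ISE.
aaa new-model
aaa authentication dot1x default group radius
! authorization network is what lets the switch apply RADIUS-returned
! attributes (the NEAT device-traffic-class=switch result among them)
aaa authorization network default group radius
radius server ISE
 address ipv4 10.199.200.71 auth-port 1812 acct-port 1813
 key <yourkey>
dot1x system-auth-control
! show the running-config in IBNS 2.0 form (convert-to new-style is the permanent variant)
authentication display new-style
! assumption: CISP is the NEAT transport on the authenticator; confirm against the linked doc
cisp enable
!
! Outcomes we want to react to: supplicant answered but failed, or no supplicant at all
class-map type control subscriber match-all DOT1X_FAILED
 match method dot1x
 match result-type method dot1x authoritative
class-map type control subscriber match-all DOT1X_NO_RESP
 match method dot1x
 match result-type method dot1x agent-not-found
!
! Control policy: run 802.1X when a session starts; on failure or no
! supplicant, leave the port unauthorized and retry after 60 s.
policy-map type control subscriber DOT1X_AP
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x retries 2 retry-time 0 priority 10
 event authentication-failure match-first
  10 class DOT1X_NO_RESP do-until-failure
   10 terminate dot1x
   20 authentication-restart 60
  20 class DOT1X_FAILED do-until-failure
   10 terminate dot1x
   20 authentication-restart 60
!
interface GigabitEthernet1/0/3
 description FlexConnect AP: boots as access, NEAT result from ISE promotes to trunk
 switchport mode access
 switchport access vlan 200
 ! access-session is the IBNS 2.0 name for the classic "authentication" port commands
 access-session port-control auto
 dot1x pae authenticator
 service-policy type control subscriber DOT1X_AP
 spanning-tree portfast
```

Mapping from the classic syntax: "authentication port-control auto" becomes "access-session port-control auto", and the per-port behaviour that used to be implied by dot1x/authentication interface commands moves into the control policy attached with "service-policy type control subscriber". "dot1x pae authenticator" is still required on the port. The RADIUS side (the 802.1X supplicant username/password from the WLC, plus the NEAT trunk authorization) is unchanged by the switch syntax.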