Accesspoint as 802.1x Supplicant - Port Security with Flexconnect APs

Tony Rosolek
Level 1

Hey Guys

 

How do you secure your switch ports when you operate access points in Flexconnect mode?

I've read that 802.1X authentication is not supported on trunk ports.

Is it possible to use PEAP or another EAP type instead of EAP-FAST to authenticate the APs?

||| Please rate helpful posts. Thanks! |||
4 Replies

abwahid
Level 4

Hi,

Configure LAN Switch Ports for 802.1X

The first step consists of implementing 802.1X authentication on the authenticator side, i.e. the LAN switches. Here is a sample configuration:

! AAA and RADIUS server definition
aaa new-model
aaa authentication dot1x default group radius
radius-server host 10.199.200.71 auth-port 1812 acct-port 1813 key <yourkey>
!
! Enable 802.1X globally on the switch
dot1x system-auth-control
!
! Per-port authenticator configuration for the AP port
interface FastEthernet0/3
 description WiFi Access Point with 802.1X Auth
 switchport access vlan 200
 switchport mode access
 dot1x pae authenticator
 authentication port-control auto
 spanning-tree portfast

NOTE: The port-control auto option says that once a device logs off, that switchport reverts to an unauthorized state.

The above example only shows one LAN port. You need to repeat this for all ports in the switch.

 

Configure your RADIUS Server

Configure your RADIUS server with the user name and password you will specify in your WLC controller (Wireless > Radios > Global Configuration > 802.1X Supplicant Credentials)

 

Configure the Cisco WLC with the 802.1X Supplicant Credentials

From the following menu, configure your global 802.1X supplicant credentials

Wireless > Radios > Global Configuration > 802.1X Supplicant Credentials


Check 802.1X Authentication, then fill in both the 802.1X username and password. These have global significance, and all LAPs that have already joined that WLC will inherit these credentials. In the LAP's config, you will find a config snippet similar to this:

 
! Supplicant credentials pushed to the LAP by the WLC
dot1x credentials lwapp_credentials
 username 8021xglobal
 password 010203040506070809


Please note that you can also implement per-AP credentials instead of global credentials.

Provisioning new LAPs

New LAPs will not be able to join the WLC if their wired switch port is configured for 802.1X. The easiest way to have them join that WLC is to disable 802.1X authentication on one switch port and let the LAP reboot. It will then inherit its new configuration, including the 802.1X credentials. Next, re-enable 802.1X authentication on the switch port. Another way is to "prime" your LAPs in a lab with these 802.1X credentials.

Conclusion

Implementing 802.1X on the wired side of your network reinforces your overall network security. With a few mouse clicks, you can configure 802.1X supplicant credentials for all your Cisco lightweight access points from a central location.

Thanks for your reply, but the FlexConnect access points are not connected to access ports but to trunk-mode ports. As far as I know, dot1x is not supported on trunk ports.

||| Please rate helpful posts. Thanks! |||

Check this out:

http://www.cisco.com/c/en/us/support/docs/wireless/wireless-lan-controller-software/200492-Securing-a-flexconnect-AP-switchport-wit.html

You'll need to boot the AP on an access port, and the NEAT response from the ISE will change the port from access to trunk.
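As an added example that is not part of this thread or of the linked Cisco document: the NEAT authorization the reply above refers to is carried in the RADIUS Access-Accept as a Cisco Vendor-Specific attribute, cisco-av-pair with the value device-traffic-class=switch. The Python below builds such an Accept, verifies its Response Authenticator the way the switch (authenticator) does before acting on it, and parses the av-pair back out to decide whether the port becomes a trunk. The shared secret and the Request Authenticator are constructed for the example, the username is the one from the earlier reply, and port_mode_after_auth is a hypothetical model of the switch's decision, not Cisco code.

```python
"""NEAT authorization on the wire: the RADIUS Access-Accept that turns an AP's
802.1X-authenticated access port into a trunk (added example, not from the thread)."""
import hashlib
import hmac
import struct

RADIUS_ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9          # IANA enterprise number used in Cisco VSAs
CISCO_AVPAIR_SUBTYPE = 1     # vendor sub-type of cisco-av-pair
NEAT_TRUNK_AVPAIR = "device-traffic-class=switch"   # the av-pair ISE returns for NEAT


def attr(attr_type: int, value: bytes) -> bytes:
    """Encode a plain RADIUS attribute as Type, Length, Value (RFC 2865 section 5)."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value longer than 253 bytes")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def cisco_avpair(value: str) -> bytes:
    """Wrap one cisco-av-pair in a Vendor-Specific attribute (RFC 2865 section 5.26)."""
    data = value.encode()
    sub = struct.pack("!BB", CISCO_AVPAIR_SUBTYPE, 2 + len(data)) + data
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)


def build_access_accept(identifier: int, request_auth: bytes, secret: bytes, attrs: bytes) -> bytes:
    """Access-Accept with Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", RADIUS_ACCESS_ACCEPT, identifier, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """The authenticator's check before it acts on an Accept: recompute the
    Response Authenticator with the shared secret and the Request Authenticator
    it sent, and compare in constant time."""
    if len(packet) < 20:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(packet: bytes) -> list:
    """Walk the attribute list; Cisco av-pairs come back as ('cisco-av-pair', str),
    everything else as (type, raw bytes). Malformed lengths raise instead of
    silently truncating."""
    out, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = struct.unpack("!BB", packet[pos:pos + 2])
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("malformed attribute length")
        value = packet[pos + 2:pos + attr_len]
        pos += attr_len
        if (attr_type == ATTR_VENDOR_SPECIFIC and len(value) >= 6
                and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID):
            sub_type, sub_len = struct.unpack("!BB", value[4:6])
            if sub_type == CISCO_AVPAIR_SUBTYPE and sub_len == len(value) - 4:
                out.append(("cisco-av-pair", value[6:].decode()))
                continue
        out.append((attr_type, value))
    return out


def port_mode_after_auth(packet: bytes) -> str:
    """Hypothetical model of the switch's NEAT decision: trunk only when the
    Accept carries device-traffic-class=switch, otherwise the port stays access."""
    avpairs = [v for k, v in parse_attributes(packet) if k == "cisco-av-pair"]
    return "trunk" if NEAT_TRUNK_AVPAIR in avpairs else "access"


if __name__ == "__main__":
    # Constructed values: the shared secret and the Request Authenticator the switch
    # would have sent in its Access-Request; the username matches the thread's example.
    secret = b"constructed-shared-secret"
    request_auth = bytes(range(16))
    accept = build_access_accept(
        7, request_auth, secret,
        attr(ATTR_USER_NAME, b"8021xglobal") + cisco_avpair(NEAT_TRUNK_AVPAIR))
    print("authentic:", verify_response(accept, request_auth, secret))
    print("attributes:", parse_attributes(accept))
    print("port becomes:", port_mode_after_auth(accept))
```

The practical takeaway is that the trunk conversion rests entirely on an attribute in an Accept that is integrity-protected only by the RADIUS shared secret, so the secret's strength and the isolation of the switch-to-ISE path matter as much as the AP's EAP credentials; an Accept without the av-pair leaves the port in access mode, which is the behaviour to expect when the authorization profile is missing.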

Any idea how this can be done when you are using IBNS 2.0 config syntax for 802.1X (like "service-policy type control subscriber xxxyyyzzzz"), not the "old" syntax?

 

Rgs

Frank
