
Cisco 5508 with 802.1x and CCKM + 7925G

erikzimmerman
Level 1

I have a 5508 currently configured with CCKM for 7925G VoIP phones. At another location we installed Cisco Meraki APs, which do not support this config, so I need to transition to 802.1x/Windows NPS so that all phones can be configured identically and work at all sites.

Can 802.1x and CCKM coexist on the same SSID?

On the wireless SSID, under wlan>ssid>security>layer 2>authentication key management, both 802.1x and CCKM are checked. In security>radius>authentication two servers are configured, but I never see the WLC send the RADIUS request to the Windows servers.

The only thing I don't have set is wlan>ssid>security>AAA Servers; as I understand it from the WLC documentation, since 802.1x is checked on the layer 2 tab it should use the servers configured in the security section. The customer cannot grant me downtime to change those settings for a couple of days.

I know the RADIUS servers and the WLC can see each other: ping works fine, and on one of the RADIUS servers I did have the shared secret misconfigured and could see errors in the logs; that has been resolved. The 7925G phones at this site are configured for Auto AKM; we have one test phone set to PEAP security, which isn't working.

I just want to confirm it's possible to run both at the same time. As I understand it, the WLC should try 802.1x first and fall back to CCKM/local authentication if those servers don't respond.

2 Replies

Scott Fella
Hall of Fame

Yes, they can exist together. If you have 802.1x + CCKM and you have devices that don't support CCKM, those devices will still connect. As far as RADIUS, when you define the RADIUS server in the security tab and have network checked, that is a global setting saying that any WLANs with authentication and/or accounting enabled, the WLC will use the servers defined. If you don't have that checked on the RADIUS server, then you would need to define the RADIUS servers on the WLAN. This is how I set up 802.1x, with the RADIUS servers being defined in the WLAN and network not being checked on the security tab.

Does this help?

-Scott


Hi Scott,

I verified all those settings you mentioned, but it got me thinking something was overriding the global settings (I inherited this WLC, so I'm still finding out some of the per-SSID configuration).

Under wlans>ssid>security>AAA servers the local EAP authentication check box is checked; I think that's overriding the global settings for the SSID on the layer 2 tab to make it only try local EAP. I've got some downtime scheduled tomorrow morning and I'll set RADIUS servers on that tab also.

Thanks for the reply, I think it got me going in the right direction here.
