Dot1x and device-tracking config for WLAN accesspoints interfaces?

Bernd Nies
Level 1

Hi,

We are deploying (we have to) wired dot1x on our network. We are using Cisco APs (2700, 2800, 9120 models), some locations in local switching mode, some locations in central switching mode. What is the recommended switch LAN port configuration for dot1x and IP device tracking? We couldn't find a good guide for that.

Example LAN interface for AP in local switching (flexconnect) mode:

interface GigabitEthernet2/0/1
  description Cisco AP
  switchport trunk native vlan 517
  switchport trunk allowed vlan 503,509,517,519
  switchport mode trunk
  device-tracking attach-policy IPDT_UPLINK
  spanning-tree portfast trunk

device-tracking policy IPDT_UPLINK
  trusted-port
  device-role switch
  no protocol udp

The switch shows authentication sessions of all the clients connected to the Cisco AP.

#sh access-session int Gi1/0/1
Interface                MAC Address    Method  Domain  Status Fg  Session ID
--------------------------------------------------------------------------------------------
Gi1/0/1                  0027.e349.0290 N/A     UNKNOWN Unauth      02FC150A00002DA2C5433985
Gi1/0/1                  183e.efdb.bfc5 N/A     UNKNOWN Unauth      02FC150A00002EACC7BAB179
Gi1/0/1                  185e.0f6f.2c05 N/A     UNKNOWN Unauth      02FC150A00002E7CC76E7F19
Gi1/0/1                  401c.8329.08d3 N/A     UNKNOWN Unauth      02FC150A00002ECEC7DC607D
Gi1/0/1                  4e26.61d2.35dd N/A     UNKNOWN Unauth      02FC150A00002E9EC7B4D789
Gi1/0/1                  4ea2.0359.a5e9 N/A     UNKNOWN Unauth      02FC150A00002EE6C7EF8C4D
Gi1/0/1                  5ece.4459.faa6 N/A     UNKNOWN Unauth      02FC150A00002EB9C7CC0885
Gi1/0/1                  6eee.0aa5.ffc7 N/A     UNKNOWN Unauth      02FC150A00002F1EC823F609
Gi1/0/1                  709c.d1c6.8923 N/A     UNKNOWN Unauth      02FC150A00002EA1C7B5A711
Gi1/0/1                  94e6.f78e.b2dc N/A     UNKNOWN Unauth      02FC150A00002E88C7865029
Gi1/0/1                  a2df.8543.76f1 N/A     UNKNOWN Unauth      02FC150A00002F21C8257E79
Gi1/0/1                  b25c.6690.d49e N/A     UNKNOWN Unauth      02FC150A00002F22C8258DD5
Gi1/0/1                  c403.a83d.f379 N/A     UNKNOWN Unauth      02FC150A00002EB3C7C673DD
Gi1/0/1                  c403.a8cc.87ce N/A     UNKNOWN Unauth      02FC150A00002EAAC7BA0125
Gi1/0/1                  c834.8e64.c51d N/A     UNKNOWN Unauth      02FC150A00002EB0C7C2949D
Gi1/0/1                  d0ab.d5c1.d126 N/A     UNKNOWN Unauth      02FC150A00002EBFC7D00BED
Gi1/0/1                  d2ac.22de.5490 N/A     UNKNOWN Unauth      02FC150A00002EB7C7CA3391
Gi1/0/1                  daaa.9426.9d75 N/A     UNKNOWN Unauth      02FC150A00002EAFC7C1E21D
Gi1/0/1                  e61f.a69e.349f N/A     UNKNOWN Unauth      02FC150A00002EF7C801C639
Gi1/0/1                  f057.a686.9467 N/A     UNKNOWN Unauth      02FC150A00002EE5C7EEB4D9
Gi1/0/1                  f057.a68c.2968 N/A     UNKNOWN Unauth      02FC150A00002E83C77F37D1
Gi1/0/1                  fa24.bdd6.0bd6 N/A     UNKNOWN Unauth      02FC150A00002EE3C7EE5661

We haven't configured dot1x for the WLAN AP LAN ports. The Cisco guide says to power cycle each AP and configure a username/password dot1x authentication for each AP. We are generally using dot1x with EAP-TLS and distributed device certificates for the user notebooks.

Is that normal? What is the most common best practice for dot1x and device-tracking configuration of switch LAN ports for wireless access points?

Regards,
Bernd

2 Replies

agrissimanis
Level 1

For local mode APs, I would keep your standard corporate dot1x switchport config template, as there would only be one MAC address on the port (the AP). You could configure dot1x authentication for the APs on the WLC or you could rely on MAB/profiling to authenticate the APs. You can also keep the standard device tracking config.

With Flexconnect APs and locally switched WLANs, you will see multiple MAC addresses on the port, as shown in the “sh access-session int Gi1/0/1” output you posted. One of these MAC addresses is the AP and the rest are clients from a locally switched WLAN. This would cause problems when you go into closed mode on wired, as the switch will try to authenticate all these wireless client MAC addresses, and these would most likely fail (depending on ISE authorization policies). This is unnecessary, as the wireless clients have already been authenticated by the controller.

To get around this, usually the "authentication host-mode multi-host" command is used on switchports where Flex APs connect. This causes the very first MAC address on the port to be authenticated (the AP when it boots), and the rest of the MAC addresses that appear afterwards (the wireless clients) will be ignored by the switch.

You could set a limit of MAC addresses learned to 1 in the device tracking policy and apply that policy to the Flex AP port, if you don’t want to see the wireless client MACs in the tracking database.

In some cases, because of these issues, Flex APs get excluded from dot1x config altogether.
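The reply above describes the symptom to look for: a FlexConnect AP port showing many unauthenticated MACs (the AP plus every locally switched wireless client) while the port is not in multi-host mode. The following audit script is an added example, not code from this thread or from Cisco; it parses "show access-session" output in the format posted above and flags such ports. The session lines and the per-port HOST_MODE table are constructed for the example and would normally be pulled from the switch.

```python
import re
from collections import defaultdict

# Constructed sample of "show access-session" output, same column layout as the
# thread's output (MAC addresses and session IDs are made up for this example).
SAMPLE_OUTPUT = """\
Interface                MAC Address    Method  Domain  Status Fg  Session ID
--------------------------------------------------------------------------------------------
Gi1/0/1                  0027.e349.0290 N/A     UNKNOWN Unauth      02FC150A00002DA2C5433985
Gi1/0/1                  183e.efdb.bfc5 N/A     UNKNOWN Unauth      02FC150A00002EACC7BAB179
Gi1/0/1                  709c.d1c6.8923 N/A     UNKNOWN Unauth      02FC150A00002EA1C7B5A711
Gi1/0/2                  c403.a83d.f379 dot1x   DATA    Auth        02FC150A00002EB3C7C673DD
Gi1/0/3                  d0ab.d5c1.d126 mab     DATA    Auth        02FC150A00002EBFC7D00BED
Gi1/0/3                  d2ac.22de.5490 N/A     UNKNOWN Unauth      02FC150A00002EB7C7CA3391
"""

# Hypothetical per-port host-mode, as it would be read from the running config
# ("access-session host-mode" / "authentication host-mode" on each interface).
HOST_MODE = {"Gi1/0/1": "multi-auth", "Gi1/0/2": "multi-auth", "Gi1/0/3": "multi-host"}

# One session row: interface, dotted-hex MAC, method, domain, status.
SESSION_RE = re.compile(
    r"^(\S+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)\s+(\S+)"
)


def parse_sessions(text):
    """Return {interface: [(mac, method, domain, status), ...]} from the show output."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:  # header and separator lines do not match and are skipped
            intf, mac, method, domain, status = m.groups()
            sessions[intf].append((mac, method, domain, status))
    return sessions


def audit_ap_ports(text, host_mode):
    """Flag ports with several MACs that are not in multi-host mode.

    On such a port (a Flex AP with locally switched WLANs) closed mode would make
    the switch try to authenticate every wireless client MAC a second time.
    Returns sorted (interface, mac_count, unauth_count) tuples.
    """
    findings = []
    for intf, entries in parse_sessions(text).items():
        if len(entries) > 1 and host_mode.get(intf) != "multi-host":
            unauth = sum(1 for e in entries if e[3] == "Unauth")
            findings.append((intf, len(entries), unauth))
    return sorted(findings)
```

Gi1/0/3 also carries two MACs but is already in multi-host mode, so only Gi1/0/1 is reported.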

Bernd Nies
Level 1

So in FlexConnect mode the AP should be either configured with username/password dot1x authentication of the uplink LAN connection like [1,2] or the switchport should not do dot1x at all. We currently have on ISE only EAP/TLS configured with device certificate authentication. We would then need to create a policy that just matches the wired AP and allow EAP-FAST for those. Am I correct?

Dot1x port configuration on the access switch in IBNS 2.0 style would then be as follows?

template AP_WIRED_DOT1X_CLOSED
 dot1x pae authenticator
 dot1x timeout quiet-period 300
 dot1x timeout tx-period 10
 dot1x max-reauth-req 3
 mab
 subscriber aging inactivity-timer 60 probe
 access-session control-direction in
 access-session closed
 access-session port-control auto
 access-session host-mode multi-host
 authentication periodic
 authentication timer reauthenticate server
 service-policy type control subscriber POLICY_DOT1X_MAB_LOOP

interface GigabitEthernet1/0/4
 description Cisco AP (FlexConnect)
 switchport trunk allowed vlan 602,603,617,619
 switchport trunk native vlan 617
 switchport mode trunk
 ip device tracking maximum 0
 spanning-tree portfast edge trunk
 source template AP_WIRED_DOT1X_CLOSED

[1] https://www.cisco.com/c/en/us/support/docs/wireless/wireless-lan-controller-software/200492-Securing-a-flexconnect-AP-switchport-wit.html

[2] https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/217848-configure-802-1x-supplicant-for-access-p.html 
