Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

802.1x, 350AP, 3550 Switch, and ACS 3.0

Yikes!

Whatta mess I got myself into! Im trying to implement a couple of security features (at the same time) due to higher corporate directives. I am trying to implement Radius, 802.1x port authentication on a Cat 3550 switch, and mac address athuentication for wireless clients. The idea was:

1. The 3550 has port based authentication on it and should authenticate access points as well as any workstations that will/may connect to it.

2. The wireless clients will be MAC authenticated via the access point passing requests to the radius server.

Confused? I am too, help!

Thanks

3 REPLIES
Cisco Employee

Re: 802.1x, 350AP, 3550 Switch, and ACS 3.0

Hi ,

My understaning is you can do it .

Cat 3550 supports 802.1x authenitcation , so install AP on particular port and

first have 802.1x authentication working .

Than configure test wireless client without any authenitcation ( in default mode )

and if you can pass traffic .

Configure local mac address database on the AP to authenitcate mac address of

the client and see how it goes .

Some useful urls :

http://www.cisco.com/univercd/cc/td/doc/product/wireless/airo_350/accsspts/ap350scg/ap350ch8.htm

http://www.cisco.com/en/US/products/hw/wireless/ps430/products_white_paper09186a00800b469f.shtml

Nilesh

New Member

Re: 802.1x, 350AP, 3550 Switch, and ACS 3.0

Nilesh, Thanks for the reply.

But I do have a few further questions if you are willing:

1. Getting the AP to use 802.1x and talk with the radius server seems to be the big problem. I have not been able to find clear enough instructions on how to set the AP to do 802.1x through the switch. I do realize the LEAP is just cisco's implementation of 802.1x but we are trying to use non-proprietary protocols.

2. We already have the clients MAC addresses in the AP's but want to get away from this (network mgt issues) by using the ACS server.

I guess what makes this confusing for me is the chain of events and if they are possible to do. Here are the steps as I see them, please advise if this is not possible to do.

1. Access point is plugged into 3550 and uses 802.1x authentication with radius through the switch. Once the switchport is authorized, then the wireless clients can try to associate with AP. To do this the MAC address of the client , is sent to ACS for authorization and when authorized allowed to communicate. Then the wireless client retrieves an IP address through DHCP.

Whew.

Cisco Employee

Re: 802.1x, 350AP, 3550 Switch, and ACS 3.0

Cisco APs do not currently implement 802.1x supplicant capability (they cannot be a client).

To do what you want you need to turn 802.1x off on the particular switch port you are connecting the AP to. 802.1x port-based-authentication can then be enabled on the AP, if desired.

It is strange that you want to use 802.1x on the 3550 and not on the AP. MAC authentication is **very** easily bypassed by spoofing a valid MAC address.

Cheers,

Bruce

164
Views
0
Helpful
3
Replies
CreatePlease to create content