12-15-2011 12:45 PM - edited 07-03-2021 09:15 PM
After doing some research, I have figured out how to, for the most part, set up 802.1x via wireless. I'm using two 5508 WLCs, and Cisco ACS. I will set up the user account/password information via Cisco ACS and User Identity and Hosts. I know from the WLC 5508 web admin tool that I can choose 802.1x in the security parameters. I only have a few questions. We have two wireless networks, one is wide open and provides internet access, the other will provide internal access for select users. I am setting up 802.1x on the internal wireless LAN. Do I need to configure any 802.1 configuration commands on the switch in order for this to work? If so, where would I do this? Also, does anyone know if there is a MAC isolation configuration option I can configure to not allow other hosts on this specific wireless network to communicate with each other?
12-15-2011 01:12 PM
John,
No, you do not need to do any configuration on the switches to support the 802.1x for the wireless clients. The WLC will send the packets to the ACS, and vice versa. So you're good there.
Under the WLAN config, there is an option for Peer-to-Peer blocking, it's either:
disabled = allowed, no interaction from the WLC
enabled = disallowed, WLC will not bridge the packets
forward upstream = packet gets sent to L3 and ACL enforced from there.
If you don't want them to talk across the wireless to each other, just set it to enabled, and you should be good.
HTH,
Steve
----------------------------------------------------------------------------------------------------------
Please remember to rate helpful posts or to mark the question as answered so that it can be found later.
12-15-2011 01:16 PM
Thanks a bunch Stephen! One other question, is there a way I can block 3 unsuccessful attempts to log on? I would like it to block attempts to log on with username/password every 3rd time for 60 minutes. Once again, thanks for the information!
12-15-2011 01:21 PM
That should be there by default. The option is Client Exclusion, which can be enabled/disabled per WLAN, as well as the timer.
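Putting the two answers together, here is an added example (not from the original posts) of the AireOS CLI equivalents of the GUI settings Steve describes: peer-to-peer blocking and per-WLAN client exclusion with a 60-minute timer. The WLAN ID of 2 for the internal WLAN, the global 802.1X client-exclusion policy line, and the disable/enable wrap around the change are assumptions about the setup, not taken from the thread; lines starting with "!" are annotations, not CLI input.

```text
! Added example: AireOS CLI for the settings discussed above (assumed internal WLAN ID 2).
! Take the WLAN down while changing it; several WLAN parameters require this.
config wlan disable 2

! Peer-to-peer blocking. CLI values are disable | drop | forward-upstream:
!   disable          = GUI "disabled", WLC bridges client-to-client frames
!   drop             = GUI "enabled", WLC does not bridge client-to-client frames
!   forward-upstream = frames go to the L3 next hop, where an ACL decides
config wlan peer-blocking drop 2

! Per-WLAN client exclusion: turn it on and set the exclusion time in seconds
! (60 minutes = 3600). The failure count itself is the controller default.
config wlan exclusionlist 2 enabled
config wlan exclusionlist 2 3600

! Global exclusion policy (assumed): exclude clients after repeated 802.1X failures.
config wps client-exclusion 802.1x-auth enable

config wlan enable 2

! Verify the result and watch who is currently excluded.
show wlan 2
show wps summary
show exclusionlist
```

Check "show wlan 2" for the Peer-to-Peer Blocking and Client Exclusion lines before pointing users at the WLAN; an excluded client shows up in "show exclusionlist" with the remaining time.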