802.1x WLC 5508

JohnTylerPearce
Level 7

After doing some research, I have figured out how to, for the most part, set up 802.1x via wireless. I'm using two 5508 WLCs, and Cisco ACS. I will set up the user account/password information via Cisco ACS and User Identity and Hosts. I know from the WLC 5508 web admin tool that I can choose 802.1x in the security parameters. I only have a few questions. We have two wireless networks, one is wide open and provides internet access, the other will provide internal access for select users. I am setting up 802.1x on the internal wireless LAN. Do I need to configure any 802.1 configuration commands on the switch in order for this to work? If so, where would be the locations to do this? Also, does anyone know if there is a MAC isolation configuration option I can configure to not allow other hosts on this specific wireless network to communicate with each other?

Accepted Solutions

Stephen Rodriguez
Cisco Employee

John,

No, you do not need to do any configuration on the switches to support the 802.1x for the wireless clients. The WLC will send the packets to the ACS, and vice versa. So you're good there.

Under the WLAN config, there is an option for Peer-to-Peer blocking, it's either:

disabled = allowed, no interaction from the WLC

enabled = disallowed, WLC will not bridge the packets

forward upstream = packet gets sent to L3 and ACL enforced from there.

If you don't want them to talk across the wireless to each other, just set it to enabled, and you should be good.

HTH,

Steve

----------------------------------------------------------------------------------------------------------

Please remember to rate helpful posts or to mark the question as answered so that it can be found later.

3 Replies

Thanks a bunch Stephen! One other question: is there a way I can block 3 unsuccessful attempts to log on? I would like it to block attempts to log on with username/password every 3rd time for 60 minutes. Once again, thanks for the information!

That should be there by default. The option is Client Exclusion, which can be enabled/disabled per WLAN, as well as the timer.

HTH,
Steve
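
Added example, not part of the original thread: the two settings discussed above (Peer-to-Peer blocking and Client Exclusion) as they would be entered on the AireOS controller CLI instead of the web admin tool. `<wlan-id>` is a placeholder for the numeric ID of the internal 802.1x WLAN, and the 3600-second timeout is an assumption matching the 60 minutes asked for in the question (the exclusion timer is given in seconds).

```text
config wlan disable <wlan-id>
config wlan peer-blocking drop <wlan-id>
config wps client-exclusion 802.1x-auth enable
config wlan exclusionlist <wlan-id> enabled
config wlan exclusionlist <wlan-id> 3600
config wlan enable <wlan-id>
show wlan <wlan-id>
```

The WLAN is disabled while its settings are changed and re-enabled afterwards; `show wlan <wlan-id>` lets you confirm the peer-to-peer blocking action and the exclusion list timeout that are now in effect.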