Cisco Support Community
New Member

AP 802.1X switched port-authentication

Hi,

I've setup EAP authentication (PEAP) to authenticate WLAN client on an AP.

The AP is connected to a switch where the port is not configured for 802.1X.

On this switched port I enabled 802.1X in multi-host mode so that the AP is also authenticated as a client, but since enabling it I have not been able to authenticate the WLAN client any more, because the port will not transition to Authorized.

If I connect a PC using 802.1X on the same port, this works fine.

Am I missing something to configure on the switch or AP?

Any suggestions are appreciated.

Regards

Omar

4 REPLIES
New Member

Re: AP 802.1X switched port-authentication

I think you will need to add this line to the interface port to which your AP is connected:

dot1x host-mode multi-host

Hope this helps

New Member

Re: AP 802.1X switched port-authentication

Hi,

Thanks for the answer; I've already tried that without success!

I'm asking myself whether this is possible at all, since EAP authentication is happening between the client and the AP. How could the AP authenticate to the switch when the switch port is waiting for EAP packets but the AP is sending RADIUS packets?

Isn't it the case that multi-host works ONLY if the EAP authentication is happening between the client and the switch, bypassing EAP authentication on the AP, where its role is to act as a "Relay"?

Omar

New Member

Re: AP 802.1X switched port-authentication

Omar,

There's a gotcha with this...most likely a trunk issue...

Here is a snippet for EAPOL guidelines:

Authentication Configuration Guidelines

This section provides the guidelines for configuring 802.1x authentication on the switch:

802.1x will work with other protocols, but we recommend that you use RADIUS with a remotely located authentication server.

802.1x is supported only on Ethernet ports.

Software release 7.5(1) supports two in-band management interfaces, sc0 and sc1.

802.1x authentication always uses the sc0 interface as the identifier for the authenticator when communicating with the RADIUS server.

802.1x authentication is not supported with the sc1 interface.

You cannot enable 802.1x on a trunk port until you turn off the trunking feature on that port.

You cannot enable trunking on an 802.1x port.

You cannot enable 802.1x on a dynamic port until you turn off the DVLAN feature on that port.

You cannot enable DVLAN on an 802.1x port.

You cannot enable 802.1x on a channeling port until you turn off the channeling feature on that port. You cannot enable channeling on an 802.1x port.

You cannot enable 802.1x on a switched port analyzer (SPAN) destination port. You cannot configure SPAN destination on an 802.1x port. However, you can configure an 802.1x port as a SPAN source port.

You cannot set the auxiliary VLAN to dot1p or untagged and the auxiliary VLAN should not be equal to the native VLAN on the 802.1x-enabled port.

You cannot enable the multiple-authentication option on an 802.1x-enabled auxiliary VLAN port. Enabling the multiple-host option on an 802.1x-enabled auxiliary VLAN is not recommended.

Do not assign a guest VLAN equal to an auxiliary VLAN because an 802.1x-enabled auxiliary VLAN port will not be put into the guest VLAN if the auxiliary VLAN on the port is the same as the guest VLAN.

Here is the URL for the link:

http://www.cisco.com/en/US/customer/products/hw/switches/ps708/products_configuration_guide_chapter09186a0080121d12.html#1029697
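As an added illustration of the switch-side setup the two replies above describe (this is example configuration written for this thread, not taken from the posts or from Cisco's documentation), here is an IOS-style access port that satisfies the quoted guidelines, with 802.1X in multi-host mode and a RADIUS server; the interface name, VLAN number, server address and shared secret are assumed placeholders.

```cisco
! Global AAA and 802.1X settings (example values, not from the thread)
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
! RADIUS server: placeholder address and shared secret
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key CHANGE-ME

! Port the AP plugs into (hypothetical interface name)
interface FastEthernet0/1
 description Uplink to WLAN access point
 ! Per the guidelines quoted above, the port must be a plain access port:
 ! no trunking, no EtherChannel membership, no SPAN destination
 switchport mode access
 switchport access vlan 10
 ! Port stays unauthorized until a supplicant on it passes 802.1X
 dot1x port-control auto
 ! multi-host: the first device that authenticates opens the port for every
 ! MAC address behind it (the "1 client authenticates for all" behaviour)
 dot1x host-mode multi-host
 spanning-tree portfast
```

Check the port state with "show dot1x interface FastEthernet0/1"; the port only authorizes once something behind it speaks EAPOL as a supplicant, and this configuration by itself does not make the AP act as one, which is the point raised in the second reply.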

New Member

Re: AP 802.1X switched port-authentication

Hi,

Thanks for the info; I already checked that.

I received info from Cisco that this feature will be implemented in IOS during this year.

Basically, what I wanted to do is have the client use 802.1X EAP to authenticate to the AP, and not to the switch, given the bypassing opportunity (1 client authenticates for all!!!). But this leaves open the port where the AP is connected to the switch, so it would be nice if the AP also authenticated itself to the switch using EAP.

Right now this feature is configurable only on WLAN, where an AP acting as a Repeater can authenticate itself to the root AP using EAP (only LEAP!!!).

Omar
