WLAN AP as PEAP Supplicant

Clement BONNAL
Level 1

Hello,

I need to stage an AP as client, 802.1x supplicant.

The WLAN uses PEAP/MSCHAPv2 authentication, do you know if it is possible to do it?

The purpose (which is mandatory) is to connect the AP (as bridge) to a switch where 4 PCs (non WLAN) are wired.

If you have some conf examples!

Regards,

3 Replies

Saurav Lodh
Level 7

Configuring the 802.1X Supplicant

Traditionally, the dot1x authenticator/client relationship has always been a network device and a PC client respectively, as it was the PC user that had to authenticate to gain access to the network. However, wireless networks introduce unique challenges to the traditional authenticator/client relationship. First, access points can be placed in public places, inviting the possibility that they could be unplugged and their network connection used by an outsider. Second, when a repeater access point is incorporated into a wireless network, the repeater access point must authenticate to the root access point in the same way as a client does.


Note: The 802.1X supplicant is available on 1130AG, 1240AG, 1250, and 1300 series access points. It is not available on 1100 and 1200 series access points.


The supplicant is configured in two phases:

Create and configure a credentials profile

Apply the credentials to an interface or SSID

You can complete the phases in any order, but they must be completed before the supplicant becomes operational.

Creating a Credentials Profile

Beginning in privileged EXEC mode, follow these steps to create an 802.1X credentials profile:

| Step | Command | Purpose |
|---|---|---|
| 1 | configure terminal | Enter global configuration mode. |
| 2 | dot1x credentials profile | Creates a dot1x credentials profile and enters the dot1x credentials configuration submode. |
| 3 | anonymous-id description | (Optional) Enter the anonymous identity to be used. |
| 4 | description description | (Optional) Enter a description for the credentials profile. |
| 5 | username username | Enter the authentication user id. |
| 6 | password {0 \| 7 \| LINE} | Enter an unencrypted password for the credentials. 0: An unencrypted password will follow. 7: A hidden password will follow. Hidden passwords are used when applying a previously saved configuration. LINE: An unencrypted (clear text) password. Note: Unencrypted and clear text are the same. You can enter a 0 followed by the clear text password, or omit the 0 and enter the clear text password. |
| 7 | pki-trustpoint pki-trustpoint | (Optional and only used for EAP-TLS) Enter the default pki-trustpoint. |
| 8 | end | Return to the privileged EXEC mode. |
| 9 | copy running-config startup-config | (Optional) Save your entries in the configuration file. |

Use the no form of the dot1x credentials command to negate a parameter.

The following example creates a credentials profile named test with the username Cisco and the unencrypted password Cisco:

ap1240AG>enable

Password:xxxxxxx

ap1240AG#config terminal

Enter configuration commands, one per line. End with CTRL-Z.

ap1240AG(config)# dot1x credentials test

ap1240AG(config-dot1x-creden)#username Cisco

ap1240AG(config-dot1x-creden)#password Cisco

ap1240AG(config-dot1x-creden)#exit

ap1240AG(config)#
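An added example, not part of the reply above or of Cisco's documentation: a small Python check that reads a saved AP configuration, classifies each dot1x credentials password by the 0 / 7 / LINE forms from Step 6, and flags profiles that were created but never applied (the second phase). The sample configuration, the profile name uplink, and the assumption that a profile is applied by an indented "dot1x credentials <name>" line under an interface or SSID block are constructed for illustration.

```python
# Constructed sample config (not from the thread). Assumption: a profile is
# applied by an indented "dot1x credentials <name>" line under an interface/SSID.
SAMPLE_CONFIG = """\
dot1x credentials test
 username Cisco
 password Cisco
!
dot1x credentials uplink
 username ap-bridge
 password 7 CONSTRUCTED-HIDDEN-VALUE
!
interface FastEthernet0
 dot1x credentials uplink
"""

NOTES = {
    "cleartext": "password stored in clear text",
    "hidden": "type 7 (hidden) password is reversible obfuscation; protect the config file",
    "missing": "no password set",
}

def parse_profiles(config_text):
    """Return ({profile name: password state}, {profile names applied elsewhere})."""
    profiles, applied, current = {}, set(), None
    for raw in config_text.splitlines():
        words = raw.split()
        if not words:
            continue
        indented = raw[0].isspace()
        if len(words) == 3 and words[:2] == ["dot1x", "credentials"]:
            if indented:                # phase 2: referenced under another block
                applied.add(words[2])
            else:                       # phase 1: start of a credentials profile
                current = words[2]
                profiles.setdefault(current, "missing")
        elif not indented:
            current = None              # any other top-level line closes the profile
        elif current and words[0] == "password" and len(words) > 1:
            # "password 7 <value>" is hidden; "password 0 <value>" or a bare LINE is clear text
            hidden = len(words) == 3 and words[1] == "7"
            profiles[current] = "hidden" if hidden else "cleartext"
    return profiles, applied

def audit(config_text):
    """Map each profile name to its list of findings."""
    profiles, applied = parse_profiles(config_text)
    unapplied = "profile not applied to any interface or SSID"
    return {name: [NOTES[state]] + ([] if name in applied else [unapplied])
            for name, state in profiles.items()}

if __name__ == "__main__":
    for name, issues in audit(SAMPLE_CONFIG).items():
        print(name, "->", "; ".join(issues))
```
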

Hello,

Thank you for your answer. I just have to find one of the APs that you quote ;)

abwahid
Level 4

Hi,

Check the deployment guide below for a better understanding of 802.1x and configuration examples.

http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/Dot1X_Deployment/Dot1x_Dep_Guide.html
