04-10-2003 12:34 PM - edited 07-04-2021 08:38 AM
Yikes!
What a mess I got myself into! I'm trying to implement a couple of security features (at the same time) due to higher corporate directives. I am trying to implement RADIUS, 802.1x port authentication on a Cat 3550 switch, and MAC address authentication for wireless clients. The idea was:
1. The 3550 has port based authentication on it and should authenticate access points as well as any workstations that will/may connect to it.
2. The wireless clients will be MAC authenticated via the access point passing requests to the radius server.
Confused? I am too, help!
Thanks
04-10-2003 07:09 PM
Hi,
My understanding is you can do it.
Cat 3550 supports 802.1x authentication, so install the AP on a particular port and first have 802.1x authentication working.
Then configure a test wireless client without any authentication (in default mode) and check if you can pass traffic.
Configure the local MAC address database on the AP to authenticate the MAC address of the client and see how it goes.
Some useful URLs:
http://www.cisco.com/univercd/cc/td/doc/product/wireless/airo_350/accsspts/ap350scg/ap350ch8.htm
http://www.cisco.com/en/US/products/hw/wireless/ps430/products_white_paper09186a00800b469f.shtml
Nilesh
04-11-2003 08:46 AM
Nilesh, Thanks for the reply.
But I do have a few further questions if you are willing:
1. Getting the AP to use 802.1x and talk with the RADIUS server seems to be the big problem. I have not been able to find clear enough instructions on how to set the AP to do 802.1x through the switch. I do realize that LEAP is just Cisco's implementation of 802.1x, but we are trying to use non-proprietary protocols.
2. We already have the clients' MAC addresses in the APs but want to get away from this (network mgt issues) by using the ACS server.
I guess what makes this confusing for me is the chain of events and if they are possible to do. Here are the steps as I see them, please advise if this is not possible to do.
1. Access point is plugged into the 3550 and uses 802.1x authentication with RADIUS through the switch. Once the switchport is authorized, then the wireless clients can try to associate with the AP. To do this the MAC address of the client is sent to ACS for authorization and, when authorized, it is allowed to communicate. Then the wireless client retrieves an IP address through DHCP.
Whew.
04-11-2003 09:12 AM
Cisco APs do not currently implement 802.1x supplicant capability (they cannot be a client).
To do what you want you need to turn 802.1x off on the particular switch port you are connecting the AP to. 802.1x port-based-authentication can then be enabled on the AP, if desired.
It is strange that you want to use 802.1x on the 3550 and not on the AP. MAC authentication is **very** easily bypassed by spoofing a valid MAC address.
Cheers,
Bruce
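As an added example (not from any of the posts above), here is roughly what the switch side of Bruce's advice looks like on a 3550: RADIUS and 802.1x enabled globally, 802.1x required on a workstation port, and the AP's port left force-authorized because the AP cannot act as a supplicant. Command syntax is assumed to follow the 12.1 EA train; the server address, shared key and interface numbers are placeholders.

```cisco
! Added example, not from the thread. 3550 on 12.1 EA-train IOS (assumed).
! RADIUS server address and shared secret are placeholders.
aaa new-model
aaa authentication dot1x default group radius
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key PLACEHOLDER-SHARED-SECRET
dot1x system-auth-control
!
! Workstation port: the switch is the 802.1x authenticator and the
! RADIUS (ACS) server decides whether the port is authorized.
interface FastEthernet0/1
 switchport mode access
 dot1x port-control auto
!
! Access point port: the AP has no 802.1x supplicant, so the port must
! not require 802.1x. force-authorized is the default, stated explicitly.
interface FastEthernet0/2
 switchport mode access
 dot1x port-control force-authorized
```

Note that this only authenticates what plugs into the switch; as Bruce points out, MAC authentication on the AP remains spoofable, so it should not be treated as the equivalent of 802.1x for the wireless clients.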