
802.1x, 350AP, 3550 Switch, and ACS 3.0

billm
Level 1

Yikes!

Whatta mess I got myself into! I'm trying to implement a couple of security features (at the same time) due to higher corporate directives. I am trying to implement RADIUS, 802.1x port authentication on a Cat 3550 switch, and MAC address authentication for wireless clients. The idea was:

1. The 3550 has port based authentication on it and should authenticate access points as well as any workstations that will/may connect to it.

2. The wireless clients will be MAC authenticated via the access point passing requests to the radius server.

Confused? I am too, help!

Thanks

3 Replies

ndoshi
Cisco Employee

Hi,

My understanding is you can do it.

Cat 3550 supports 802.1x authentication, so install the AP on a particular port and first have 802.1x authentication working.

Then configure a test wireless client without any authentication (in default mode) and see if you can pass traffic.

Configure the local MAC address database on the AP to authenticate the MAC address of the client and see how it goes.

Some useful URLs:

http://www.cisco.com/univercd/cc/td/doc/product/wireless/airo_350/accsspts/ap350scg/ap350ch8.htm

http://www.cisco.com/en/US/products/hw/wireless/ps430/products_white_paper09186a00800b469f.shtml

Nilesh

Nilesh, Thanks for the reply.

But I do have a few further questions if you are willing:

1. Getting the AP to use 802.1x and talk with the RADIUS server seems to be the big problem. I have not been able to find clear enough instructions on how to set the AP to do 802.1x through the switch. I do realize that LEAP is just Cisco's implementation of 802.1x, but we are trying to use non-proprietary protocols.

2. We already have the clients' MAC addresses in the APs but want to get away from this (network management issues) by using the ACS server.

I guess what makes this confusing for me is the chain of events and whether they are possible to do. Here are the steps as I see them; please advise if this is not possible to do.

1. The access point is plugged into the 3550 and uses 802.1x authentication with RADIUS through the switch. Once the switch port is authorized, the wireless clients can try to associate with the AP. To do this, the MAC address of the client is sent to ACS for authorization and, when authorized, the client is allowed to communicate. Then the wireless client retrieves an IP address through DHCP.

Whew.

Cisco APs do not currently implement 802.1x supplicant capability (they cannot be a client).

To do what you want you need to turn 802.1x off on the particular switch port you are connecting the AP to. 802.1x port-based authentication can then be enabled on the AP, if desired.

It is strange that you want to use 802.1x on the 3550 and not on the AP. MAC authentication is **very** easily bypassed by spoofing a valid MAC address.

Cheers,

Bruce
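As an added example (not taken from this thread or from Cisco's documentation), this is what the 3550 side of step 1 looks like once Bruce's point is applied: 802.1x with RADIUS on the workstation ports, and the port facing the AP left force-authorized because the AP cannot act as a supplicant. The ACS address, shared secret and interface numbers are assumed placeholders.

```cisco
! Global 802.1x / RADIUS setup on the Catalyst 3550
! 192.0.2.10 and the key are placeholders for the ACS 3.0 server and its shared secret
aaa new-model
aaa authentication dot1x default group radius
radius-server host 192.0.2.10 auth-port 1645 acct-port 1646 key SHARED-SECRET-PLACEHOLDER
! Required on 12.1(14)EA1 and later releases; earlier 3550 images do not have this command
dot1x system-auth-control
!
! Workstation port: no traffic is forwarded until a supplicant authenticates via RADIUS
interface FastEthernet0/2
 description Workstation - 802.1x required
 switchport mode access
 dot1x port-control auto
!
! Port facing the Aironet 350 AP: the AP has no 802.1x supplicant, so the port stays
! authorized. force-authorized is the default; it is stated explicitly so the exemption is visible.
interface FastEthernet0/1
 description Uplink to Aironet 350 AP - no dot1x supplicant, exempt from 802.1x
 switchport mode access
 dot1x port-control force-authorized
```

Wireless clients are then authenticated by the AP against ACS, not by the switch port; as Bruce notes, a MAC-only check on that path is weak, so it is worth keeping the exempted AP port documented and reviewed as a known gap.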
