Controller Based WLANs

How to configure an AP for dot1x authentication of uplink?

Customers have been deploying edge secure and are very cautious about leaving ports open. When ports to which APs are connected also are to be configured for 802.1x, AP should have the capability to work as a dot1x client.

 

This article explains on the requirement, network setup, configuration and troubleshooting for configuring AP for dot1x authentication on its uplink port.

 

Environment : RAP 3 requiring authentication on uplink Cisco port.

 

Network Topology : 

 

Network Setup
 
RAP3 =======(Trunk)=======Cisco 3750 (Trunk + Dot1x authenticator on port) ====== Network ------- Controller ---------- Network---------- CPPM

 

 

RAP Provisioning profile:
ap provisioning-profile "test123"
   remote-ap
   apdot1x-username "test"
   apdot1x-passwd "test123"
!
 
Cisco Port & Radius config:
 
aaa new-model
aaa authentication dot1x default group radius
 
interface GigabitEthernet1/0/17
switchport access vlan 160
switchport trunk encapsulation dot1q
switchport trunk native vlan 160
switchport mode trunk
authentication port-control auto
dot1x pae authenticator
!
 
radius server CPPM
address ipv4 10.17.164.192 auth-port 1645 acct-port 1646
key test123
 
(Configure CPPM for Radius client as Cisco switch & user for auth in local db)

 

Ensure that Cisco switch is able to authenticate with the radius server with a test authentication.
 

Cisco-3750-X-1#test aaa group radius test test123 legacy
Attempting authentication test to server-group radius using radius
User was successfully authenticated.
 
Cisco-3750-X-1#

 
AP successfully Authenticates on the Dot1x port, Cisco working as Authenticator.
 

(GEC-RAP) #show ap active
 
Active AP Table
---------------
Name     Group     IP Address  11g Clients  11g Ch/EIRP/MaxEIRP  11a Clients  11a Ch/EIRP/MaxEIRP  AP Type   Flags  Uptime   Outer IP
----     -----     ----------  -----------  -------------------  -----------  -------------------  -------   -----  ------   --------
MM-RAP3  cigna-63  6.6.6.8     0            AP:HT:6/3/18         0                                 RAP-3WNP  R1E2a  12m:47s  104.36.248.10
 
Flags: 1 = 802.1x authenticated AP; 2 = Using IKE version 2;
       A = Enet1 in active/standby mode;  B = Battery Boost On; C = Cellular;
       D = Disconn. Extra Calls On; E = Wired AP enabled; F = AP failed 802.1x authentication;
       H = Hotspot Enabled; K = 802.11K Enabled; L = Client Balancing Enabled; M = Mesh;
       N = 802.11b protection disabled; P = PPPOE; R = Remote AP;
       S = AP connected as standby; X = Maintenance Mode;
       a = Reduce ARP packets in the air; d = Drop Mcast/Bcast On; u = Custom-Cert RAP;
       r = 802.11r Enabled
 
Channel followed by "*" indicates channel selected due to unsupported configured channel.
"Spectrum" followed by "^" indicates Local Spectrum Override in effect.
 
Num APs:1
 
To verify at Cisco switch if the dot1x authentication is complete:
Cisco-3750-X-1#show dot1x interface gigabitEthernet 1/0/17 details
 
Dot1x Info for GigabitEthernet1/0/17
-----------------------------------
PAE                       = AUTHENTICATOR
QuietPeriod               = 60
ServerTimeout             = 0
SuppTimeout               = 30
ReAuthMax                 = 2
MaxReq                    = 2
TxPeriod                  = 30
 
Dot1x Authenticator Client List
-------------------------------
EAP Method                = PEAP
Supplicant                = 000b.8682.7b67
Session ID                = 0AA3A305000000200444998D
    Auth SM State         = AUTHENTICATED
    Auth BEND SM State    = IDLE
 
 
Ensure that you have configured the right credentials in the provisioning profile.
Ensure that you have mapped the right provisioning profile in group.
Ensure that Switch can acts as a Radius client and complete an authentication successfully.
Check logs in the Radius server.
Version History
Revision #:
1 of 1
Last update:
‎04-08-2015 03:42 AM
Updated by:
 
Contributors
Search Airheads
Showing results for 
Search instead for 
Did you mean: 
Is this a frequent problem?

Request an official Aruba knowledge base article to be written by our experts.