Customers have been deploying edge secure and are very cautious about leaving ports open. When ports to which APs are connected also are to be configured for 802.1x, AP should have the capability to work as a dot1x client.
This article explains on the requirement, network setup, configuration and troubleshooting for configuring AP for dot1x authentication on its uplink port.
Environment : RAP 3 requiring authentication on uplink Cisco port.
Network Topology :
Network Setup
RAP3 =======(Trunk)=======Cisco 3750 (Trunk + Dot1x authenticator on port) ====== Network ------- Controller ---------- Network---------- CPPM
RAP Provisioning profile:
ap provisioning-profile "test123"
remote-ap
apdot1x-username "test"
apdot1x-passwd "test123"
!
Cisco Port & Radius config:
aaa new-model
aaa authentication dot1x default group radius
interface GigabitEthernet1/0/17
switchport access vlan 160
switchport trunk encapsulation dot1q
switchport trunk native vlan 160
switchport mode trunk
authentication port-control auto
dot1x pae authenticator
!
radius server CPPM
address ipv4 10.17.164.192 auth-port 1645 acct-port 1646
key test123
(Configure CPPM for Radius client as Cisco switch & user for auth in local db)
Ensure that Cisco switch is able to authenticate with the radius server with a test authentication.
Cisco-3750-X-1#test aaa group radius test test123 legacy
Attempting authentication test to server-group radius using radius
User was successfully authenticated.
Cisco-3750-X-1#
AP successfully Authenticates on the Dot1x port, Cisco working as Authenticator.
(GEC-RAP) #show ap active
Active AP Table
---------------
Name Group IP Address 11g Clients 11g Ch/EIRP/MaxEIRP 11a Clients 11a Ch/EIRP/MaxEIRP AP Type Flags Uptime Outer IP
---- ----- ---------- ----------- ------------------- ----------- ------------------- ------- ----- ------ --------
MM-RAP3 cigna-63 6.6.6.8 0 AP:HT:6/3/18 0 RAP-3WNP R1E2a 12m:47s 104.36.248.10
Flags: 1 = 802.1x authenticated AP; 2 = Using IKE version 2;
A = Enet1 in active/standby mode; B = Battery Boost On; C = Cellular;
D = Disconn. Extra Calls On; E = Wired AP enabled; F = AP failed 802.1x authentication;
H = Hotspot Enabled; K = 802.11K Enabled; L = Client Balancing Enabled; M = Mesh;
N = 802.11b protection disabled; P = PPPOE; R = Remote AP;
S = AP connected as standby; X = Maintenance Mode;
a = Reduce ARP packets in the air; d = Drop Mcast/Bcast On; u = Custom-Cert RAP;
r = 802.11r Enabled
Channel followed by "*" indicates channel selected due to unsupported configured channel.
"Spectrum" followed by "^" indicates Local Spectrum Override in effect.
Num APs:1
To verify at Cisco switch if the dot1x authentication is complete:
Cisco-3750-X-1#show dot1x interface gigabitEthernet 1/0/17 details
Dot1x Info for GigabitEthernet1/0/17
-----------------------------------
PAE = AUTHENTICATOR
QuietPeriod = 60
ServerTimeout = 0
SuppTimeout = 30
ReAuthMax = 2
MaxReq = 2
TxPeriod = 30
Dot1x Authenticator Client List
-------------------------------
EAP Method = PEAP
Supplicant = 000b.8682.7b67
Session ID = 0AA3A305000000200444998D
Auth SM State = AUTHENTICATED
Auth BEND SM State = IDLE
Ensure that you have configured the right credentials in the provisioning profile.
Ensure that you have mapped the right provisioning profile in group.
Ensure that Switch can acts as a Radius client and complete an authentication successfully.
Check logs in the Radius server.