Wireless Access

Reply
Regular Contributor II
Posts: 232
Registered: ‎03-14-2012

Provisioning APs to do 802.1x authentication on its wired uplink

Hi Guys,

 

I'm looking at provisioning APs to do 802.1x authentication on their wired uplink. Will I have to do this configuration on each individual AP? Referencing the documentation on this, seems I will have to configure the APs individually which will be a huge problem for deployments involving over 500 APs.

 

https://arubapedia.arubanetworks.com/arubapedia/index.php/How to:_Provisioning_AP_to_do_802.1x_authentication_on_its_wired_uplink

 

Is my assumption wrong? I hope it is.

 

Any feedback will be appreciated.

MVP
Posts: 1,401
Registered: ‎05-28-2008

Re: Provisioning APs to do 802.1x authentication on its wired uplink

[ Edited ]

You want to configure the second eth port of your -remote- AP  and 802.1x protected, am I right? If this is the case; you can easily create a AAA profile (that will be assigen to all the ap unit that will be in that ap-group) and assign it to a wired ap profile... Then assign this wired ap profile to the second port of your AP .. Your wired port can work tunneled or bridged, no problem...

 

 

The wired profile needs to be untrusted for the AAA profile to take effect. You also need to do the following on the commandline for wired 802.1x to work (please do not ask why):

aaa authentication wired
profile default

 

The AAA authentication wired command is a holdover that allows you to do wired 802.1x on any port.

(If tunneling or using vlans) The last thing that you need to do is check the VLAN in the wired profile. That VLAN must match the Native VLAN in the AP System Profile parameter. Please check the post here: http://airheads.arubanetworks.com/vBulletin/showthread.php?t=2105

 

*****************2Plus Wireless Solutions****************************
Aruba Airheads - Powered By community for empower the community
************ Don't Forget to Kudos + me,If i helped you******************
Regular Contributor II
Posts: 232
Registered: ‎03-14-2012

Re: Provisioning APs to do 802.1x authentication on its wired uplink

Hi kdisc!

 

This seems to be a different situation. I'm looking at a security option for the APs themselves.

 

The Customer is looking at protecting their APs with 802.1x authentication in a situation where Students cannot use the Ports on the Aruba MAS Switches.

 

I'm I making any sense?

Aruba
Posts: 233
Registered: ‎11-19-2009

Re: Provisioning APs to do 802.1x authentication on its wired uplink

Yes Eric, you are correct. You may have to configure and enable 802.1x authentication on each of the port where AP is connected for it`s to do dot1x authentiation on its wired uplink.

 

Thank you.

Guru Elite
Posts: 8,325
Registered: ‎09-08-2010

Re: Provisioning APs to do 802.1x authentication on its wired uplink

This is from page 202 in the ArubaOS 6.2 User Guide.

 

8021xap.PNG


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Regular Contributor II
Posts: 232
Registered: ‎03-14-2012

Re: Provisioning APs to do 802.1x authentication on its wired uplink

But will I have to configure anything on the AP themselves (via CLI)?

 

 

 

 

Guru Elite
Posts: 8,325
Registered: ‎09-08-2010

Re: Provisioning APs to do 802.1x authentication on its wired uplink

I believe the provisioning process takes care of the configuration.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
MVP
Posts: 1,401
Registered: ‎05-28-2008

Re: Provisioning APs to do 802.1x authentication on its wired uplink

[ Edited ]

screenshots from gui: (be sure to use version 6.1.3.0 or above)

Untitled.png

 

some info from ms: (regarding the 802.1x from ther server side)

http://technet.microsoft.com/en-us/library/dd283093%28v=ws.10%29.aspx

*****************2Plus Wireless Solutions****************************
Aruba Airheads - Powered By community for empower the community
************ Don't Forget to Kudos + me,If i helped you******************
Regular Contributor II
Posts: 232
Registered: ‎03-14-2012

Re: Provisioning APs to do 802.1x authentication on its wired uplink

Thx Tim.

 

But I need to have the RADIUS Server configured with this Username and Password.

Correct?

 

 

Guru Elite
Posts: 8,325
Registered: ‎09-08-2010

Re: Provisioning APs to do 802.1x authentication on its wired uplink

Correct. An AD account for example.


Sent from my BlackBerry Z10

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Search Airheads
Showing results for 
Search instead for 
Did you mean: