Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass as RADIUS Client

  • 1.  Clearpass as RADIUS Client

    Posted Jul 28, 2018 06:08 AM

    For 802.1X based authentication, WLC acts as an authenticator and in turn communicates with external RADIUS servers. But NAS (Network Access Server) may be separate from WLC, e.g. ClearPass can be NAS.

    So in the following network architecture, where ClearPass is acting as a NAS (and doing access control based on RADIUS response from AAA), what shall be the communication mechanism between WLC and NAS (Note: it's 802.1x authentication)?

     

    UE <--(EAPOL)--> WLC <--(??)--> NAS <---(RADIUS)----> AAA Server

     



  • 2.  RE: Clearpass as RADIUS Client

    EMPLOYEE
    Posted Jul 28, 2018 08:29 AM
    RADIUS or RadSec is used between the NAS and the RADIUS server.


  • 3.  RE: Clearpass as RADIUS Client

    Posted Jul 28, 2018 08:48 AM
    That is correct but my question was what protocol is used between WLC and NAS for 802.1x? If authenticator runs on WLC then how does NAS sniff RADIUS replies from RADIUS Server for user access control?


  • 4.  RE: Clearpass as RADIUS Client

    EMPLOYEE
    Posted Jul 28, 2018 08:51 AM
    The WLC is the NAS. Not sure I understand your question. NAS to AAA server uses the RADIUS or RadSec protocols.


  • 5.  RE: Clearpass as RADIUS Client

    Posted Jul 28, 2018 08:56 AM
    Let me ask it this way.

    1) Can we have a NAS which is separate from WLC for 802.1x auth?

    In the following way:
    UE <—> WLC <—> NAS <—> RADIUS-Server

    2) ClearPass itself can act as NAS for 802.1x? Right?


  • 6.  RE: Clearpass as RADIUS Client

    EMPLOYEE
    Posted Jul 28, 2018 08:58 AM
    The NAS is always the WLC.

    What are you actually trying to do/accomplish? Take out the terminology for a second.


  • 7.  RE: Clearpass as RADIUS Client

    Posted Jul 28, 2018 09:11 AM
    Okay. Our AAA server is external and WLC is configured for 802.1x (EAP-TTLS). We are using Palo Alto as Firewall along with access control.

    Once the AAA server has authenticated the user, it categorizes the users in certain access categories (in Access-Accept). But these categories have to be applied to Palo Alto which is being controlled by an entity (say X, which is kind of access controller).

    Now because Access-Accept reaches WLC and not X, how to configure the firewall from X based on RADIUS server response?


    [e.g. imagine X is ClearPass].