Wired Intelligent Edge

Dear,

our customer wants to have all his switches doing 802.1x on all of their ports.

For APs they first want to do mac-authentication to come in a VLAN where we can provision the APs, they also want to send a certificate to the AP to do the authentication on the switch afterwards. (and removing the mac-authentication for this AP after this)

Is this even possible?

I saw you can configure 802.1x Parameters using PEAP, but is it also possible to do 802.1x with a certificate on the APs?

Kind regards,

---

@Thomasds wrote:

Dear, our customer wants to have all his switches doing 802.1x on all of their ports. For APs they first want to do mac-authentication to come in a VLAN where we can provision the APs, they also want to send a certificate to the AP to do the authentication on the switch afterwards. (and removing the mac-authentication for this AP after this) Is this even possible? I saw you can configure 802.1x Parameters using PEAP, but is it also possible to do 802.1x with a certificate on the APs? Kind regards,

---

That all depends on your switch.  If an AP is new, it will not do 802.1x.  Your switch can mac authenticate them and put them into the VLAN needed to provision 802.1x credentials.  When you provision 802.1x credentials, it should pass 802.1x on the switchport on the next reboot and then end up in the correct VLAN.  Access points do not use certificate-based authentication on their ports.

Thanks both for the reply

That was all I needed to know

Kind regards,

EAP-PEAP (username/password) is the only supported method for the 802.1X supplicant on an access point.