Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

802.1x vlan transition by IAP

  • 1.  802.1x vlan transition by IAP

    Posted Oct 15, 2018 09:39 AM

     Can't an iOS device connect to an IAP215 if there is no Internet connection?

    With 802.1X, I want clients to connect to the local VLAN (10) first, which does not communicate with the Internet, to authenticate against an outside RADIUS server. After we pass authentication, we want to move them to the Internet VLAN (100). Please see the attached diagram and note that VLANs 10 and 100 are not routed.

    I can't create this setup because the IAP needs access to the Internet (is there any way to prevent this?).

    How can we realize this solution on the IAP?

     

    Regards

    Simon



  • 2.  RE: 802.1x vlan transition by IAP

    EMPLOYEE
    Posted Oct 15, 2018 12:37 PM

    With 802.1X, authentication happens with the client before IP/VLAN assignment takes place. There should not be a need to connect to vlan 10 prior to authentication, and then move to vlan 100, unless you're attempting to do multiple authentication methods beyond what is listed here.



  • 3.  RE: 802.1x vlan transition by IAP

    Posted Oct 16, 2018 06:22 AM

    Thanks Charlie,

     

    Per your assistance, I removed VLAN 10, and all equipment such as AD, DHCP and even the IAP now have VLAN 100 IP addresses.

    But device MAC addresses don't flow to the AD, so the authentication fails.

    I can see the MAC address is registered on the switch's IAP port 1/1, though.

    I am wondering how devices can come inside VLAN 100 on the IAP without having an IP address. It should have been broadcast on VLAN 100.

    Is there any added configuration needed? 

     

    device -------->    IAP ----v100----1/1Switch1/2----v100----AD. 

     

    Regards

    Simon

     

     



  • 4.  RE: 802.1x vlan transition by IAP

    MVP EXPERT
    Posted Oct 16, 2018 06:48 AM

    The VLAN is an L2 construct, along with 802.1X authentication. A client can join a VLAN without the need for an IP address (L3). The IAP will proxy the authentication request to the back-end authentication server. Depending on the authentication response, the client will either be accepted and obtain an IP address, along with possibly a new VLAN, or be rejected. Is the connectivity between your IAP/VC and AD in place and working as expected? Do you see any logs on your AD for rejections from the IAP?

     

    The videos below will also help with the configuration:

     

    https://www.arubanetworks.com/products/networking/aruba-instant/instant-training/
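The accept/reject decision described in the reply above, as an added example that is not part of the thread and not Aruba code: a model of what a NAS such as the IAP does with the RADIUS reply it proxied. It verifies the Response Authenticator (RFC 2865) and the Message-Authenticator that every EAP reply must carry (RFC 3579) before trusting the packet, then reads the standard VLAN assignment attributes (Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID = "100", RFC 2868), so an Access-Accept yields VLAN 100 and an Access-Reject yields no VLAN at all. The shared secret, request authenticator, packet builder, the sample packets and the byte offset used to forge one of them are all constructed for this example.

```python
import hashlib
import hmac
import struct

# RADIUS codes (RFC 2865) and attribute types (RFC 2865 / 2868 / 3579)
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
REPLY_MESSAGE = 18
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
MESSAGE_AUTHENTICATOR = 80
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type value "VLAN"
TUNNEL_MEDIUM_IEEE802 = 6    # Tunnel-Medium-Type value "IEEE-802"


def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS TLVs: Type(1) Length(1) Value."""
    return b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)


def parse_attrs(body):
    """Parse RADIUS TLVs, refusing truncated or zero-length attributes."""
    attrs, pos = [], 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated attribute header")
        t, length = body[pos], body[pos + 1]
        if length < 2 or pos + length > len(body):
            raise ValueError("bad attribute length")
        attrs.append((t, body[pos + 2:pos + length]))
        pos += length
    return attrs


def build_response(code, ident, request_auth, attrs, secret, with_msg_auth=True):
    """Build a RADIUS reply as a server would; used here only to make sample input."""
    attrs = list(attrs)
    if with_msg_auth:
        attrs.append((MESSAGE_AUTHENTICATOR, bytes(16)))
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    if with_msg_auth:
        # RFC 3579: HMAC-MD5 over the packet with the MIC zeroed and the
        # *request* authenticator in the authenticator slot.
        mac = hmac.new(secret, header + request_auth + body, hashlib.md5).digest()
        attrs[-1] = (MESSAGE_AUTHENTICATOR, mac)
        body = encode_attrs(attrs)
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()  # RFC 2865
    return header + resp_auth + body


def verify_response(pkt, request_auth, secret):
    """Checks a NAS must pass before acting on a reply: length, Response
    Authenticator, and exactly one valid Message-Authenticator (EAP)."""
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return False
    header, resp_auth, body = pkt[:4], pkt[4:20], pkt[20:]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        return False
    try:
        attrs = parse_attrs(body)
    except ValueError:
        return False
    macs = [v for t, v in attrs if t == MESSAGE_AUTHENTICATOR]
    if len(macs) != 1 or len(macs[0]) != 16:
        return False  # an EAP reply without Message-Authenticator is discarded
    zeroed = encode_attrs([(t, bytes(16) if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs])
    mac = hmac.new(secret, header + request_auth + zeroed, hashlib.md5).digest()
    return hmac.compare_digest(mac, macs[0])


def split_tag(value):
    """RFC 2868 tag byte: a leading byte in 0x00..0x1F is a tag, otherwise there is none."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def classify(pkt, request_auth, secret):
    """Return ('reject', None), ('accept', vlan_id) or ('accept', None)."""
    if not verify_response(pkt, request_auth, secret):
        raise ValueError("reply failed integrity checks; drop it")
    if pkt[0] == ACCESS_REJECT:
        return "reject", None       # no VLAN, no IP: the client is not let in
    if pkt[0] != ACCESS_ACCEPT:
        return "other", None
    groups = {}
    for t, v in parse_attrs(pkt[20:]):
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            tag, val = split_tag(v)
            groups.setdefault(tag, {})[t] = val
    for tag in sorted(groups):
        g = groups[tag]
        if (int.from_bytes(g.get(TUNNEL_TYPE, b""), "big") == TUNNEL_TYPE_VLAN
                and int.from_bytes(g.get(TUNNEL_MEDIUM_TYPE, b""), "big") == TUNNEL_MEDIUM_IEEE802
                and TUNNEL_PRIVATE_GROUP_ID in g):
            return "accept", int(g[TUNNEL_PRIVATE_GROUP_ID].decode("ascii"))
    return "accept", None           # accepted, stays in the SSID's default VLAN


def tunnel_value(tag, n):
    """Tagged 4-byte integer value for Tunnel-Type / Tunnel-Medium-Type."""
    return bytes([tag]) + n.to_bytes(3, "big")


# Constructed sample data (not real secrets or captures).
SECRET = b"example-shared-secret"
REQUEST_AUTH = bytes(range(16))      # stand-in for the Access-Request's authenticator
SAMPLE_ACCEPT = build_response(ACCESS_ACCEPT, 7, REQUEST_AUTH, [
    (TUNNEL_TYPE, tunnel_value(1, TUNNEL_TYPE_VLAN)),
    (TUNNEL_MEDIUM_TYPE, tunnel_value(1, TUNNEL_MEDIUM_IEEE802)),
    (TUNNEL_PRIVATE_GROUP_ID, b"\x01" + b"100"),   # tag 1, VLAN "100"
], SECRET)
SAMPLE_REJECT = build_response(ACCESS_REJECT, 8, REQUEST_AUTH,
                               [(REPLY_MESSAGE, b"bad credentials")], SECRET)
SAMPLE_NO_MSG_AUTH = build_response(ACCESS_ACCEPT, 9, REQUEST_AUTH, [], SECRET,
                                    with_msg_auth=False)
# Forgery: in this constructed packet byte 35 is the first digit of "100";
# an on-path attacker changes the VLAN to "200" without knowing the secret.
SAMPLE_FORGED = SAMPLE_ACCEPT[:35] + b"2" + SAMPLE_ACCEPT[36:]

if __name__ == "__main__":
    print(classify(SAMPLE_ACCEPT, REQUEST_AUTH, SECRET))
    print(classify(SAMPLE_REJECT, REQUEST_AUTH, SECRET))
    print(verify_response(SAMPLE_FORGED, REQUEST_AUTH, SECRET))
```

The point for the thread: the VLAN the client ends up in is carried inside the Access-Accept, so there is nothing to "move" after authentication; and a reply that fails the authenticator checks (tampered, wrong shared secret, or missing Message-Authenticator) is dropped before any VLAN is read, which is why a shared secret mismatch between the IAP and the RADIUS server looks like a silent rejection.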



  • 5.  RE: 802.1x vlan transition by IAP

    Posted Oct 16, 2018 10:25 AM

    Thanks zalion0

     

    I haven't configured the authentication settings on the client yet.
    Are broadcast packets not sent to VLAN 100 without 802.1X configuration on the device?
    In my wired 802.1X environment, it can allocate the client to a failed-authentication VLAN if 802.1X is not configured. I thought wireless could do the same.
    I am not sure whether device packets, including EAPOL, reach the AD once it is configured, but I will try.



  • 6.  RE: 802.1x vlan transition by IAP

    EMPLOYEE
    Posted Oct 16, 2018 11:06 AM

    @sshimon wrote:

    I haven't configured the authentication settings on the client yet.
    Are broadcast packets not sent to VLAN 100 without 802.1X configuration on the device?
    In my wired 802.1X environment, it can allocate the client to a failed-authentication VLAN if 802.1X is not configured. I thought wireless could do the same.
    I am not sure whether device packets, including EAPOL, reach the AD once it is configured, but I will try.


    Wireless behavior of 802.1X will be different from wired behavior. With wireless, the 802.1X process is used to derive the encryption keys needed to participate in the RSN. If authentication fails, encryption keys are not possible. A wireless network that is configured to support 802.1X does not have a fallback mechanism to handle unauthenticated clients.
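Why there is no "failed VLAN" on a WPA2-Enterprise SSID, shown as an added example that is not part of the thread and not Aruba code: the 802.11i 4-way handshake in simplified form. The PMK the supplicant ends up with from a successful EAP exchange (the same key the RADIUS server hands the AP in its Access-Accept) is expanded with the IEEE 802.11 PRF into a PTK, whose KCK authenticates handshake message 2. A client that was rejected has no PMK and cannot build message 2; a client with the wrong PMK produces a MIC the AP cannot verify; in both cases no temporal key (TK) is ever installed, so there is no encrypted session to drop into a fallback VLAN. The MAC addresses, the PMK value and the stand-in message 2 body are constructed for this example; the PRF and MIC constructions are the standard ones.

```python
import hashlib
import hmac
import os


def prf(key, label, data, nbytes):
    """IEEE 802.11 PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i), i = 0, 1, ..."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk, aa, spa, anonce, snonce):
    """PTK = PRF-384(PMK, "Pairwise key expansion",
                     Min(AA,SPA) || Max(AA,SPA) || Min(ANonce,SNonce) || Max(ANonce,SNonce)).
    Returns (KCK, KEK, TK), 16 bytes each, the CCMP split."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return ptk[:16], ptk[16:32], ptk[32:48]


def eapol_key_mic(kck, frame_with_zero_mic):
    """EAPOL-Key MIC for key descriptor version 2: HMAC-SHA1 truncated to 128 bits."""
    return hmac.new(kck, frame_with_zero_mic, hashlib.sha1).digest()[:16]


def four_way_handshake(ap_pmk, sta_pmk, aa, spa, anonce=None, snonce=None):
    """Messages 1 and 2 of the 4-way handshake, simplified.

    Returns the TK the AP would install, or None when the handshake cannot
    complete (supplicant has no PMK, or its MIC fails on the AP)."""
    anonce = anonce or os.urandom(32)
    snonce = snonce or os.urandom(32)
    # Message 1 (AP -> STA) carries ANonce and is not integrity protected.
    if sta_pmk is None:
        # EAP failed (Access-Reject): the supplicant holds no PMK, so it has no
        # KCK and cannot even produce a message 2 the AP would accept.
        return None
    sta_kck, _, sta_tk = derive_ptk(sta_pmk, aa, spa, anonce, snonce)
    # Message 2 (STA -> AP) carries SNonce and a MIC over the frame. The real
    # frame is a full EAPOL-Key descriptor; a constructed stand-in body is used.
    msg2 = b"\x02" + snonce
    sta_mic = eapol_key_mic(sta_kck, msg2)
    # The AP expands the PMK it received in the Access-Accept and checks the MIC.
    ap_kck, _, ap_tk = derive_ptk(ap_pmk, aa, spa, anonce, snonce)
    if not hmac.compare_digest(sta_mic, eapol_key_mic(ap_kck, msg2)):
        return None  # MIC mismatch: message 2 is discarded, no key is installed
    return ap_tk


# Constructed sample inputs (not captured values).
AA = bytes.fromhex("0011223344aa")    # AP BSSID
SPA = bytes.fromhex("00aabbccddee")   # client MAC
# Stand-in for the PMK: in 802.1X it is the first 32 bytes of the EAP MSK,
# delivered to the AP in the Access-Accept (MS-MPPE-Recv-Key).
PMK_FROM_ACCEPT = hashlib.sha256(b"constructed PMK for the example").digest()

if __name__ == "__main__":
    print("accepted client TK:", four_way_handshake(PMK_FROM_ACCEPT, PMK_FROM_ACCEPT, AA, SPA).hex())
    print("rejected client   :", four_way_handshake(PMK_FROM_ACCEPT, None, AA, SPA))
    print("wrong PMK         :", four_way_handshake(PMK_FROM_ACCEPT, bytes(32), AA, SPA))
```

Contrast with the wired case the poster describes: on a switch port the frames are in the clear, so the port can simply be placed in a guest VLAN when no supplicant answers; on the SSID the frames after association must be encrypted with a TK that only exists once the handshake above succeeds.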