Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Provisioning APs to do 802.1x authentication on its wired uplink

  • 1.  Provisioning APs to do 802.1x authentication on its wired uplink

    Posted Aug 06, 2013 03:13 PM

    Hi Guys,

     

    I'm looking at provisioning APs to do 802.1x authentication on their wired uplink. Will I have to do this configuration on each individual AP? Referencing the documentation on this, it seems I will have to configure the APs individually, which will be a huge problem for deployments involving over 500 APs.

     

    https://arubapedia.arubanetworks.com/arubapedia/index.php/How to:_Provisioning_AP_to_do_802.1x_authentication_on_its_wired_uplink

     

    Is my assumption wrong? I hope it is.

     

    Any feedback will be appreciated.



  • 2.  RE: Provisioning APs to do 802.1x authentication on its wired uplink

    Posted Aug 06, 2013 03:40 PM

    You want to configure the second eth port of your -remote- AP as 802.1x protected, am I right? If this is the case, you can easily create an AAA profile (that will be assigned to all the AP units that will be in that ap-group) and assign it to a wired ap profile... Then assign this wired ap profile to the second port of your AP... Your wired port can work tunneled or bridged, no problem...

     

     

    The wired profile needs to be untrusted for the AAA profile to take effect. You also need to do the following on the command line for wired 802.1x to work (please do not ask why):

    aaa authentication wired
    profile default

     

    The AAA authentication wired command is a holdover that allows you to do wired 802.1x on any port.

    (If tunneling or using vlans) The last thing that you need to do is check the VLAN in the wired profile. That VLAN must match the Native VLAN in the AP System Profile parameter. Please check the post here: http://airheads.arubanetworks.com/vBulletin/showthread.php?t=2105

     



  • 3.  RE: Provisioning APs to do 802.1x authentication on its wired uplink

    Posted Aug 06, 2013 04:00 PM

    Hi kdisc!

     

    This seems to be a different situation. I'm looking at a security option for the APs themselves.

     

    The Customer is looking at protecting their APs with 802.1x authentication in a situation where Students cannot use the Ports on the Aruba MAS Switches.

     

    Am I making any sense?



  • 4.  RE: Provisioning APs to do 802.1x authentication on its wired uplink

    Posted Aug 06, 2013 04:25 PM

    Yes Eric, you are correct. You may have to configure and enable 802.1x authentication on each of the ports where an AP is connected for it to do dot1x authentication on its wired uplink.

     

    Thank you.



  • 5.  RE: Provisioning APs to do 802.1x authentication on its wired uplink

    EMPLOYEE
    Posted Aug 06, 2013 04:28 PM

    This is from page 202 in the ArubaOS 6.2 User Guide.

     

    8021xap.PNG



  • 6.  RE: Provisioning APs to do 802.1x authentication on its wired uplink

    Posted Aug 06, 2013 04:29 PM

    But will I have to configure anything on the APs themselves (via CLI)?



  • 7.  RE: Provisioning APs to do 802.1x authentication on its wired uplink

    EMPLOYEE
    Posted Aug 06, 2013 04:30 PM

    I believe the provisioning process takes care of the configuration.



  • 8.  RE: Provisioning APs to do 802.1x authentication on its wired uplink

    Posted Aug 06, 2013 05:37 PM

    Thx Tim.

     

    But I need to have the RADIUS Server configured with this Username and Password.

    Correct?

     

     



  • 9.  RE: Provisioning APs to do 802.1x authentication on its wired uplink
    Best Answer

    EMPLOYEE
    Posted Aug 06, 2013 05:40 PM
    Correct. An AD account for example.




  • 10.  RE: Provisioning APs to do 802.1x authentication on its wired uplink

    Posted Aug 13, 2013 12:36 PM

    Hello All,

     

    I'm trying to provision APs with 802.1x authentication and I unfortunately never seem to get it to work.

     

    They always come up with a Flag "U1" which means "Unprovisioned" and "802.1x authenticated AP".

     

    I have an account on the customer's AD/E-Directory Server, which is integrated with their 2 RADIUS Servers.

    I'm using the RADIUS Servers for Management Access to their MAS Switches.

     

    So I decided to use the same Credential for the APs just to test.

     

    I have the aaa dot1x profile created and applied to the MAS Switch Ports where the APs are terminated. And on the provisioning page on the Controller, I have the 802.1x configuration included.

     

    So, I have no idea what could be wrong here. Any ideas would be helpful.

     

    user-role AP
    access-list stateless allowall-stateless

    aaa profile "AP"
    authentication-dot1x "AP"
    dot1x-default-role "AP"
    dot1x-server-group "AUTH-Server"



  • 11.  RE: Provisioning APs to do 802.1x authentication on its wired uplink

    Posted Aug 06, 2013 04:32 PM

    screenshots from gui: (be sure to use version 6.1.3.0 or above)

    Untitled.png

     

    some info from ms: (regarding the 802.1x from the server side)

    http://technet.microsoft.com/en-us/library/dd283093%28v=ws.10%29.aspx