AP 802.1X Supplicant
IEEE 802.1X port-based authentication is configured on a device to prevent unauthorized devices (supplicants) from gaining access to the network. Depending on its fixed configuration or installed modules, the device can also act as an access point.
You can configure 802.1X authentication between a lightweight access point and a Cisco switch. The switch forwards the authentication to a RADIUS server (Cisco ISE), which uses EAP-FAST with anonymous PAC provisioning to authenticate the AP acting as supplicant.
You can configure global authentication settings that apply to all access points currently associated with the controller and to any that associate in the future. You can also override the global settings and assign unique authentication settings to a specific access point.
After 802.1x authentication is configured on the switch, the switch port allows traffic only from devices that have authenticated with 802.1x.
There are two authentication models:
- Global authentication—authentication setup for all APs
- AP-level authentication—authentication setup for a particular AP
By default, the switch authenticates one device per port. This limitation is not present in the Cisco Catalyst Switches. The host mode configured on the switch port determines the number and type of endpoints allowed on that port. The host mode options are:
- Single-host mode: a single IP or MAC address is authenticated on the port. This is the default.
- Multi-host mode: the first MAC address is authenticated, and then an unlimited number of other MAC addresses is allowed. Enable this host mode on the switch port if the connected AP is configured for local switching, so that client traffic can pass through the switch port. If you want a secured traffic path, enable dot1x on the WLAN to protect the client data.
The feature supports APs in local mode, FlexConnect mode, sniffer mode, and monitor mode. It also supports WLANs in central switching and local switching modes.
Note
In FlexConnect mode, ensure that VLAN support is enabled on the AP and that the correct native VLAN is configured on it.
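The following switch-side configuration is an added example, not taken from this page or from any Cisco guide, of what the host-mode and native-VLAN points above look like on a Cisco IOS access switch: one port left in the default single-host mode for a local-mode AP, and one trunk port in multi-host mode for a FlexConnect AP with locally switched WLANs. The RADIUS server address, shared secret, VLAN numbers and interface names are constructed placeholders, and the controller-side supplicant credentials (global or per-AP) are assumed to be configured separately.

```cisco
! Added example: switch configuration for APs acting as 802.1X supplicants.
! Addresses, VLAN IDs, interface names and the RADIUS key are placeholders.

! Enable 802.1X globally and point it at the ISE RADIUS server.
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
!
radius server ISE-1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <shared-secret-placeholder>
!
! Local-mode AP: all client traffic is tunnelled to the controller, so only
! the AP itself appears on the port. The default single-host mode is enough.
interface GigabitEthernet1/0/1
 description AP-LOCAL-MODE (single-host, default)
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 dot1x pae authenticator
!
! FlexConnect AP with locally switched WLANs: client MAC addresses appear
! directly on the port after the AP authenticates, so multi-host mode is
! required. The trunk native VLAN must match the native VLAN set on the AP.
interface GigabitEthernet1/0/2
 description AP-FLEXCONNECT (multi-host, trunk)
 switchport mode trunk
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,20,30
 authentication host-mode multi-host
 authentication port-control auto
 dot1x pae authenticator
```

Note that in multi-host mode the switch stops checking MAC addresses once the AP has authenticated, which is why the text above recommends enabling dot1x on the locally switched WLAN if the client traffic path itself needs to be protected. Verify the port state with `show authentication sessions interface GigabitEthernet1/0/2` (or `show dot1x interface ... details` on older releases) after the AP is connected.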
802.1x on AP | 802.1x on switch port | Result
---|---|---
DISABLED | ENABLED | AP does not join the controller
ENABLED | DISABLED | AP joins the controller. After failing to receive EAP responses, the AP automatically falls back to non-dot1x CAPWAP discovery
ENABLED | ENABLED | AP joins the controller after port authentication
If the credentials on the AP need correction, disable dot1x authentication on the switch port, update the credentials, and then re-enable port authentication.