3 Configure The Network For Access Point 802.1X Authentication

Uploaded by

ADEM ASRES
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
375 views7 pages

3 Configure The Network For Access Point 802.1X Authentication

Uploaded by

ADEM ASRES
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 7

9/22/21, 12:38 PM Implementing Cisco Enterprise Wireless Networks - Student Learning Guide

Configure the Network for Access Point 802.1X Authentication


This topic explores the process to configure the wireless network to provide 802.1X port-based authentication for
the access point to its local access switch.

Configure the Network for Access Point 802.1X Authentication


You configure IEEE 802.1X port-based authentication on a device to prevent unauthorized devices from gaining
access to the network. A device can combine the function of a router, switch, and access point, depending on the
fixed configuration. Any device that connects to a switch port where 802.1X authentication is enabled must go
through the relevant Extensible Authentication Protocol (EAP) authentication model to start exchanging traffic.

Currently, Cisco Wave 2 access points support 802.1X authentication with a switch port using the EAP-Flexible
Authentication via Secure Tunneling (EAP-FAST), EAP-Transport Layer Security (EAP-TLS), and EAP-Protected
Extensible Authentication Protocol (EAP-PEAP) methods. You enable the method and provide the credentials to the
access point from the Cisco WLC.

Cisco access points (Wave 1) support EAP-FAST only (AP1700, AP2700, and AP3700).

EAP-FAST Protocol
EAP-FAST, which Cisco developed, establishes a secure TLS tunnel to the RADIUS server. The access point requires
a strong shared key in the form of a Protected Access Credential (PAC), provided either through in-band
provisioning (over a secured channel) or through out-of-band provisioning (manually). Note that the EAP-FAST type
configuration requires dot1x credentials configuration on the access point, because the access point uses EAP-FAST
with the Microsoft Challenge Handshake Authentication Protocol Version 2 (MS-CHAP V2) method inside the tunnel.

EAP-TLS and EAP-PEAP Protocols


The EAP-TLS and EAP-PEAP protocols provide certificate-based mutual EAP authentication. In EAP-TLS, both the
server-side and the client-side certificates are required, and the secured shared key used to encrypt and decrypt
data is derived for the particular session. In EAP-PEAP, only the server-side certificate is required; the client
authenticates with a password-based protocol inside the secured channel. Note that the EAP-PEAP type configuration
requires dot1x credentials configuration on the access point, and the access point must also go through LSC
provisioning. Access points use the PEAP protocol with the MS-CHAP V2 method.

Limitations of 802.1X Authentication

The following are the limitations of 802.1X authentication:

- 802.1X is not supported on dynamic ports or EtherChannel ports.
- 802.1X is not supported in a mesh access point scenario.
- There is no recovery from the Cisco WLC on a credential mismatch or on expiry or invalidity of the certificate on the access point. You must disable 802.1X authentication on the switch port to reconnect the access point and fix the configuration.
- No certificate revocation checks are performed on the installed access point certificates.
- You can provision only one Locally Significant Certificate (LSC) on the access point. You must use the same certificate for Control and Provisioning of Wireless Access Points (CAPWAP) Datagram Transport Layer Security (DTLS) session establishment with the Cisco WLC and for 802.1X authentication with the switch. If the global LSC configuration on the Cisco WLC is disabled, the access point deletes the LSC that is already provisioned.
- If you clear the configuration on the access point, the access point loses the 802.1X EAP type configuration and the LSC certificates. The access point must go through the staging process again if 802.1X is required.

The access point acts as the 802.1X supplicant and is authenticated by the switch against the RADIUS server,
which supports EAP-FAST, EAP-TLS, and EAP-PEAP. When dot1x authentication is enabled on a switch port, the
device that is connected to it must authenticate itself before it can receive or forward any traffic other than
802.1X (EAPOL) traffic.

To authenticate with the EAP-FAST method, the access point requires the credentials that the RADIUS server will
verify. You configure them on the Cisco WLC, which passes them to the access point in a configuration update
request. For EAP-TLS or EAP-PEAP, the access point uses the certificates (device ID certificate and CA certificate)
that the local certificate authority (CA) server issues as the locally significant certificate.

Configure the Switch


To configure the switch, enable dot1x on the switch globally and add the Cisco ISE server to the switch as a
RADIUS server:

aaa new-model
!
aaa authentication dot1x default group radius
!
dot1x system-auth-control
!
radius server ISE
 address ipv4 10.48.39.161 auth-port 1645 acct-port 1646
 key 7 123A0C0411045D5679

Now, configure the access point switch port, interface GigabitEthernet 0/4:

interface GigabitEthernet0/4
 switchport access vlan 231
 switchport mode access
 authentication order dot1x
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast edge
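As an added example that is not part of the Cisco guide, the following Python audit parses a switch running-config in the form shown above and reports which of the global and per-port 802.1X commands from this section are missing on the ports you name as AP ports; it also flags an AP port placed in an EtherChannel, which the limitations list says 802.1X does not support. The sample configuration (the guide's GigabitEthernet0/4 plus a constructed, incomplete GigabitEthernet0/5) is embedded inline.

```python
# Constructed sample: the guide's switch config for Gi0/4, plus an incomplete Gi0/5 in an EtherChannel.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
radius server ISE
 address ipv4 10.48.39.161 auth-port 1645 acct-port 1646
 key 7 123A0C0411045D5679
interface GigabitEthernet0/4
 switchport access vlan 231
 switchport mode access
 authentication order dot1x
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast edge
interface GigabitEthernet0/5
 channel-group 1 mode active
 authentication port-control auto
"""
# Global prerequisites and per-port commands the guide requires for an AP switch port.
GLOBAL_REQUIRED = ("aaa new-model", "aaa authentication dot1x default group radius",
                   "dot1x system-auth-control")
PORT_REQUIRED = ("authentication port-control auto", "dot1x pae authenticator")


def parse_config(config):
    """Return (set of top-level commands, {interface: [sub-commands]}) from config text."""
    top_level, interfaces, current = set(), {}, None
    for line in config.splitlines():
        if line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())  # indented line inside an interface block
        else:
            top_level.add(line.strip())
            current = line.split(None, 1)[1] if line.startswith("interface ") else None
            if current is not None:
                interfaces[current] = []
    return top_level, interfaces


def audit(config, ap_ports):
    """Return findings for the named AP ports; an empty list means the setup is complete."""
    top_level, interfaces = parse_config(config)
    findings = [f"global: missing '{c}'" for c in GLOBAL_REQUIRED if c not in top_level]
    if not any(c.startswith("radius server ") for c in top_level):
        findings.append("global: no RADIUS server (Cisco ISE) defined")
    for name in ap_ports:
        cmds = interfaces.get(name, [])
        findings += [f"{name}: missing '{c}'" for c in PORT_REQUIRED if c not in cmds]
        if any(c.startswith("channel-group ") for c in cmds):  # limitation from the guide
            findings.append(f"{name}: 802.1X is not supported on EtherChannel ports")
    return findings
```

Running `audit(SAMPLE_CONFIG, ("GigabitEthernet0/4", "GigabitEthernet0/5"))` returns no findings for Gi0/4 and two for Gi0/5 (the missing `dot1x pae authenticator` and the EtherChannel membership).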

Configure the Access Point for 802.1X Authentication (GUI) (Cisco AireOS)


Set a common username and password for all the access points that join to Cisco WLC with the Global
Configuration feature.

Take the following steps:


1. Choose Wireless > Access Points > Global Configuration. The Global Configuration page appears.
2. Under the 802.1x Supplicant Credentials section, check the 802.1x Authentication check box.
3. In the Username text box, enter the username.
4. In the Password and Confirm Password text boxes, enter the password.
5. Click Apply to commit your changes.
6. Click Save Configuration to save your changes.

The access point then downloads the 802.1X credentials.

Configure the Access Point for 802.1X Authentication (GUI) (Cisco IOS XE)
Here you see the Add AP Join Profile page.


To configure the 802.1X username and password (GUI), take these steps:
1. Choose Configuration > Tags & Profiles > AP Join.
2. Choose the appropriate AP Join profile.

Configure Cisco ISE Server


To configure the Network Devices page in Cisco ISE, choose Administration > Network Resources > Network
Device.


In the Name field, enter the name for the network device. You can provide a descriptive name to the network
device that can differ from the hostname of the device. The device name is a logical identifier.

In the IP Address field, enter a single IP address.

In the Device Profile field, click the drop-down list and choose Cisco as the vendor of the network device. You can
use the tool tip next to the drop-down list to see the flows and services that the selected vendor’s network devices
support, as well as the RADIUS Change of Authorization (CoA) port and type of URL redirect that the device uses.
These attributes are defined in the device type’s network device profile.

Check the RADIUS Authentication Settings check box in the RADIUS Authentication Settings section.

Enter the shared secret for the network device.

You must create an identity group for the AP credentials to belong to and then create an identity for the APs to use.
Take these steps:


1. Navigate to Administration > Identity Management > Groups and add an identity group for the AP Dot1X
credentials.
2. Then navigate to Administration > Identity Management > Identities and create an identity for the APs that
matches the identity that you created on the APs. Be sure to place the new identity in the group that you
created for this purpose.

Navigate to Policy > Policy Sets and add a policy set to verify the credentials that you configured on the WLC for
the access points.

The next figure shows the policy set Port_Auth. The condition here is that if the device is an AP and uses wired
802.1X, then proceed to the authorization profiles.


Expand the View column for the Policy Set Name and create an authorization policy. This example shows a rule
that is named AP_Authentication, which will permit access if the user belongs to the IdentityGroup AP.

The 802.11ac Wave 2 access points can use 802.1X authentication on a switch with which three of the following
protocols? (Choose three.)

EAP-AKA

EAP-FAST

EAP-TLS

PEAP

© 2021 Cisco and/or its affiliates. All rights reserved. Printed contents of [email protected]

https://learningspace.cisco.com/dkitserver/content/show?x=MyCKmco561wrt9DD&isLatest=false 7/7