ExtremeWireless (Identifi)


AP3912: 802.1X and MAC-Auth parallel on wired ports ?

  • 1.  AP3912: 802.1X and MAC-Auth parallel on wired ports ?

    Posted 11-08-2018 14:33
    Hello!
    I need 802.1X and MAC-Auth in parallel on the wired ports of the AP3912i. In the WLAN-Profile > Auth & Acct you can configure 802.1X and MAC-Auth with configuration of the RADIUS servers for X and MAC. In my configuration 802.1X works perfectly with rule overwrite from Control ... but I see no MAC auth on clients not supporting 802.1X.
    Is that supported?
    Does anybody have this configuration up and running?

    Thx for information...

    br
    Volker


  • 2.  RE: AP3912: 802.1X and MAC-Auth parallel on wired ports ?

    Posted 11-08-2018 15:05
    I am using 3912s in our dorms and I was able to get the pass-through port to work with both 802.1X and MAC auth. This is because the switch port handles the multi-auth. My p1, p2 and p3 ports are tied to a certain SSID which doesn't handle multi-auth, from what I've seen.



  • 3.  RE: AP3912: 802.1X and MAC-Auth parallel on wired ports ?

    Posted 11-08-2018 15:05
    So the WLAN service that is used is just open/none?


  • 4.  RE: AP3912: 802.1X and MAC-Auth parallel on wired ports ?

    Posted 11-08-2018 15:14
    I'm also not able to connect my Samsung TV to the 3912 using a WLAN service with privacy WPA = 802.1X + MAC auth.

    I use a PSK WLAN service with MAC auth enabled with ExtremeControl in that case = PSK WLAN for other non-802.1X capable wireless clients.


  • 5.  RE: AP3912: 802.1X and MAC-Auth parallel on wired ports ?

    Posted 11-29-2018 11:14
    A short update after some lab testing and a customer project using wired port authentication on the AP3912i:
    • solo MAC or 802.1X authentication on wired ports is working via configuration of a WLAN service (I had EWC, XMC and Control running)
    • MAC bypass (no fallback!) in combination with 802.1X is working as well
    • Multi-user authentication on wired ports is working, but I don't know how many devices are possible behind a single port
    But there are some important things to remember:
    • never use a session timeout in the WLAN service for wired ports other than 0 (this makes you and the customer very unhappy - I don't know why...)
    • Using MUA on a wired port (e.g. with IP phone and PC) you have to remember that both devices are in the same SSID (VLAN) but with different IPs (MAC-upstream VLAN (and IP) matching via authenticated role). Think of the switch as working like a WIFI network.
    • I could not use MAC authentication as a fallback mechanism. If the client answers the EAPOL request and gets a reject from RADIUS (NAC), this client cannot authenticate via MAC. I don't know if this is FAD or a bug.
    • NO troubleshooting for wired ports, no port up/down view, no logs.... NOTHING!!!!
    So this is a good product, but a bad implementation for wired ports. It's a pity!
    I have no idea how this will work if you use the 3912i as an IOT-Defender ....

    br
    Volker