Question

AP3912: 802.1X and MAC-Auth parallel on wired ports ?

  • 8 November 2018

Userlevel 4
Hello !
I need 802.1X and MAC-Auth in parallel on wired ports of the AP3912i. In the WLAN-Profile > Auth & Acct you can configure 802.1X and MAC-Auth with configuration of the RADIUS servers for X and MAC. In my configuration 802.1X works perfectly with rule overwrite from control ... but I see no MAC auth on clients not supporting 802.1X.
Is that supported?
Does anybody have this configuration up and running?

Thx for information...

br
Volker

4 replies

Userlevel 4
A short update after some lab testing and a customer project using wired port authentication on the AP3912i:
  • solo MAC or 802.1X authentication on wired ports is working via configuration of a WLAN service (I had EWC, XMC and Control running)
  • MAC bypass (no fallback!) in combination with 802.1X is working as well
  • Multi-user authentication on wired ports is working, but I don't know how many devices are possible behind a single port
But there are some important things to remember:
  • never use a session timeout in the WLAN service for wired ports other than 0 (this makes you and the customer very unhappy - I don't know why...)
  • Using MUA on a wired port (e.g. with an IP phone and a PC), you have to remember that both devices are in the same SSID (VLAN) but with different IPs (MAC-upstreamVLAN (and IP) matching via authenticated role). Think of the switch as working like a Wi-Fi network.
  • I could not use MAC authentication as a fallback mechanism. If the client answers the EAPOL request and gets a reject from RADIUS (NAC), this client cannot authenticate via MAC. I don't know if this is FAD or a bug.
  • NO troubleshooting for wired ports, no port up/down view, no logs.... NOTHING !!!!
So this is a good product, but a bad implementation for wired ports. It's a pity!
I have no idea how this will work if you use the 3912i as an IOT-Defender ....

br
Volker
Userlevel 7
I'm also not able to connect my Samsung TV to the 3912 using a WLAN service with privacy WPA = 802.1X + MAC auth.

I use a PSK WLAN service with MAC auth enabled with ExtremeControl in that case = PSK WLAN for other non-802.1X capable wireless clients.
Userlevel 7
I am using 3912s in our dorms and I was able to get the pass-through port to work with both 802.1x and MAC auth. This is because the switch port handles the multi-auth. My p1, p2 and p3 ports are tied to a certain SSID which doesn't handle multi-auth, from what I've seen.

So the WLAN service that is used is just open/none?