topic AP aware - how is it supposed to work? in ExtremeCloud IQ- Site Engine Management Center

AP aware - how is it supposed to work?

Flavio — Thu, 09 Jan 2020 15:18:00 GMT

Hi all.

I’m wondering how “AP aware” feature is supposed to work. Is anybody using it and could share how it should be configured and intended to be used?

Thanks,

Flavio.

Re: AP aware - how is it supposed to work?

Ronald_Dvorak — Thu, 09 Jan 2020 15:51:57 GMT

Hi,

here a KB article about the feature…

https://gtacknowledge.extremenetworks.com/articles/How_To/EMC-How-to-enable-the-AP-Aware-Feature-in-EMC-s-Policy-Manager

-Ron

Re: AP aware - how is it supposed to work?

Flavio — Thu, 09 Jan 2020 16:05:03 GMT

Hi Ronald.

That I already found - but that’s not explaining how to apply it and in what situation it is really useful. I’d like to have some examples…

Thanks,

Flavio.

Re: AP aware - how is it supposed to work?

Ronald_Dvorak — Thu, 09 Jan 2020 17:11:56 GMT

Hi Flavio,

you use the feature if you do authentication (e.g. 802.1X) on the switch ports.

Because most of the time you would use a bridge@AP topology for WLAN APs = clients break out directly at the AP port that would mean that the client needs to be authenticated on the WLAN AND on the switch port.

As a double authentication doesn’t make much sense you’d use AP aware to “disable” authentication on the switch port that has a AP connected to it.

Hope that makes sense.

-Ron

Re: AP aware - how is it supposed to work?

Flavio — Thu, 09 Jan 2020 17:40:42 GMT

Hi Ron, thanks for explaining.

I do dot1x in fact on all my switch ports, and until today I did exclude the ports where an AP is connected from dot1x authentication. I configured statically the untagged VLAN for the control/management traffic of the AP and added the tagged VLANs for the SSIDs (Bridge@AP topology used).

The WLAN clients actually authenticate via dot1x on the WLAN, but I also do have some PSK SSIDs. I know don’t really understand how I would apply the “AP aware” feature in my scenario: what should the role do, besides “AP aware” enabling? And if I’d like to be able to connect an AP wherever I want, I would authenticate all APs with MAC address and assign the correct untagged and tagged VLANs to that port with a role specific to APs? Am I on the correct path?

Thanks,

Flavio.

Re: AP aware - how is it supposed to work?

CWurm — Thu, 09 Jan 2020 22:36:02 GMT

Hi Flavio,

if you use 802.1X on your switch port and you have an Bridge@AP topology, then you can see all wireless clients MAC addresses on the switchport, too. Meaning: if you have your AP connected to port 1 on your switch you will see the MAC address of the AP as well as several MAC addresses of all WiFi clients connected to that AP.

The switch now “tries” to authenticate all wireless clients, too - even though they are already authenticated by the AP. Meaning: your clients would be authenticated twice - once on the AP and a second time on the switch. This (of course) is quite stupid and just introduces more issues.

Therefore you enable the “AP aware” feature in NAC. If “AP aware” is enabled only your AP gets authenticated via 802.1X on the switch port and not the wireless clients. AP aware (sort of) turns off 802.1X once your AP has been authenticated on the switch.

Kind regards

Christian

Re: AP aware - how is it supposed to work?

Brian_Anderson1 — Fri, 10 Jan 2020 04:20:54 GMT

Flavio, yes you are on the right track. You can authenticate your APs with mac auth, if you utilize NAC, then this is done with an end system group. Setup the role the APs to use with AP-Aware, setup your vlans you want tagged on your tagged egress list on your role and when an AP is plugged in, it authenticates and the AP-Aware setting only allows one device to auth, which would be your ap. If you didn’t use AP-Aware, clients in a bridged at AP topology would also try to authenticate and it would be a battle of authentication between wireless controller and wired switches, not a pleasant experience for the end user.

AP-Aware also works with 3rd party APs, doesn’t have to be Extreme APs.

Re: AP aware - how is it supposed to work?

Ryan_Yacobucci — Fri, 10 Jan 2020 05:56:53 GMT

When you configure the policy with the “AP Aware” setting and you look at the CLI configuration on the switch you’ll see an “Auth-Override” flag on the end of the policy configuration.

A policy with “Auth-Override” flag will result in a termination of all existing policies on the switch port, and no additional clients will have a session established or be authenticated on that switch port. All traffic will essentially pass through that existing policy session that was created with the auth-override flag, so as already explained the policy with “AP-Aware” enabled must allow all necessary traffic (802.1q VLANs) to clients behind the AP.

Double auth causes issues with residual policy sessions (If two policy end points are configured to “Unregistered” for captive portal when NAC re-authenticates it can’t change both policies at once so one will stick around and cause a portal loop), re-authentication storms, and confusing end system events. You’ll see stuff like iphones on a wired port. As Brain indicates, generally not a pleasant experience.

ERS/VSP has a similar technology called “MHSA” Multi-Host Single Authentication that is similar.

Re: AP aware - how is it supposed to work?

Flavio — Fri, 10 Jan 2020 21:52:30 GMT

Hi Brian - thanks for your reply. Are you the Brian Anderson who is involved in a FortiNAC setup in Switzerland?

Re: AP aware - how is it supposed to work?

Brian_Anderson1 — Fri, 10 Jan 2020 22:28:17 GMT

Unfortunately not. Not that I wouldn’t mind working with FortiNAC , but unfortunately haven’t been to Switzerland .

Re: AP aware - how is it supposed to work?

Flavio — Fri, 10 Jan 2020 22:51:19 GMT

OK - just the same identical name 🙂

Re: AP aware - how is it supposed to work?

Zdeněk_Pala — Wed, 19 Feb 2020 17:21:51 GMT

Hi.

here is some information also: https://www.dropbox.com/s/88izhy825p0xy6w/UniversalPort%20With%20Intro.mp4?dl=0

Re: AP aware - how is it supposed to work?

Flavio — Wed, 19 Feb 2020 18:20:29 GMT

Thanks - our Swiss Extreme SE shared this with me as well 😉