This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

XOS - 802.1X AP but bypass bridge@AP clients

XOS - 802.1X AP but bypass bridge@AP clients

Ronald_Dvorak
Honored Contributor

‎05-24-2016 10:08 AM

Hi,

is it possible to authenticate the AP via 802.1X PEAP on the switchport but bypass/disable the authentication for the bridge@AP clients that are connected to the AP.

Could you please tell me the configuration steps on the XOS or other ideas for this scenario.

Thanks,
Ron
0 Kudos
12 REPLIES 12

Rainer_Adam
New Contributor III

‎03-15-2017 02:12 PM

Is there any comparable solution for EOS Switches?
0 Kudos

Patrick_Koppen
Contributor
In response to Rainer_Adam

‎03-15-2017 02:12 PM

yes. It's called 'ap-aware'. https://gtacknowledge.extremenetworks.com/articles/Q_A/What-does-this-Feature-AP-Aware-means-on-the-B5-C5-Securestack
0 Kudos

Matthew_Helm1
Extreme Employee

‎06-20-2016 08:59 PM

"Campus mode" vs. "ISP mode" has really to do with VLAN assignment mechanism for the port. In the former, VLAN assignment is done using a VSA sent by the RADIUS server for each authorized client. For ISP mode, the port is preconfigured into a VLAN (typically untagged, but not always) and any authorized clients are bridged into that VLAN.

MAC-based VLAN mode for Netlogin is necessarily "Campus mode" and has the disadvantage that all BUMs are received by all clients on that port regardless of their VLAN assignment.

Regardless, whether pre-configuring the netlogin enabled port into a VLAN, or using a VSA to assign the port to a VLAN, multiple supplicant is still in effect for that port.

However, pre-assigning the VLANs and not using the VSA for the dot1x authentication is a very good idea for my script above. I'll need to make further comments.

0 Kudos

Kevin_Kim
Extreme Employee

‎06-17-2016 02:00 AM

I thought multiple supplicant could be turned off on a netlogin enabled port in campus mode. Without multiple supplicant, a netlogin enabled port will be open to all users connected to the same port once the first user is authenticated. But, the concept guide is not clear whether campus mode turns off multiple supplicant or not.

Multiple supplicants are supported in ISP mode for web-based, 802.1X, and MAC-based authentication. In addition, multiple supplicants are supported in Campus mode if you configure and enable network login MAC-based VLANs.

0 Kudos
GTM-P2G8KFN