XOS - 802.1X AP but bypass bridge@AP clients

Ronald_Dvorak
Honored Contributor
Hi,

Is it possible to authenticate the AP via 802.1X PEAP on the switch port but bypass/disable the authentication for the bridge@AP clients that are connected to the AP?

Could you please tell me the configuration steps on the XOS or other ideas for this scenario.

Thanks,
Ron

Kevin_Kim
Extreme Employee
I thought multiple supplicant could be turned off on a netlogin enabled port in campus mode. Without multiple supplicant, a netlogin enabled port will be open to all users connected to the same port once the first user is authenticated. But, the concept guide is not clear whether campus mode turns off multiple supplicant or not.

Multiple supplicants are supported in ISP mode for web-based, 802.1X, and MAC-based authentication. In addition, multiple supplicants are supported in Campus mode if you configure and enable network login MAC-based VLANs.

OscarK
Extreme Employee
I think the easiest way would be for the AP to tunnel all traffic to the controller so the switch does not see the clients behind the AP?

Ronald_Dvorak
Honored Contributor
Unfortunately that isn't an option, as it doesn't scale in today's networks with 802.11ac APs in place.

Matthew_Helm1
Extreme Employee
There may be an easier way to do this, but if you want the AP to authenticate (using DOT1X first) and then open up the port to other clients that do not have DOT1X authentication as an option, in the past I've used UPM scripting to do something like this. When the AP is authenticated, the authentication UPM script for that AP enables MAC authentication on the port; there are masks configured for MACs in the NETLOGIN config and a general set of MAC entries in the RADIUS users DB to authenticate any MAC. The UPM script which would run when the AP is unauthenticated would disable MAC authentication on the port, but preserve DOT1X.

I could write up a configuration for a lab if you have one, otherwise I would have to build a lab to test this scenario and it could take some time.

I did some testing. If you add the other VLANs that are on the AP to the ports tagged you don't have to do so in the UPM profiles.

The UPM profiles do need to be modified slightly to work regardless:

create upm profile api
config netlogin port $(EVENT.USER_PORT) allow egress-traffic all
enable netlogin port $(EVENT.USER_PORT) mac dot1x
.

create upm profile apout
config netlogin port $(EVENT.USER_PORT) allow egress-traffic none
disable netlogin port $(EVENT.USER_PORT) mac
.

Hope this helps.
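The surrounding EXOS configuration that the two UPM profiles above depend on (RADIUS for network login, the catch-all MAC list entry, 802.1X only on the AP port, and the event bindings that fire the profiles), as an added example that is not part of the thread or of Extreme's documentation. The port number, RADIUS addresses, VLAN name and the `default` mac-list keyword are assumptions; check the exact syntax against the EXOS command reference for the release in use.

```text
# RADIUS server used by network login; the AP's PEAP account and the
# catch-all MAC user both live in this server's user database.
configure radius netlogin primary server <radius-ip> 1812 client-ip <switch-ip> vr VR-Default
configure radius netlogin primary shared-secret <secret>
enable radius netlogin

# Network login base settings: the unauthenticated VLAN and both
# 802.1X and MAC-based methods enabled globally.
create vlan nlvlan
configure netlogin vlan nlvlan
enable netlogin dot1x mac

# MAC list entry matching any client MAC (assumed 'default' keyword;
# a <mac> <mask> pair can be used instead to narrow the match).
# The RADIUS user DB then needs a matching catch-all MAC entry.
configure netlogin add mac-list default

# Only 802.1X is enabled on the AP port at startup; MAC authentication
# is switched on by the 'api' profile once the AP itself has passed PEAP.
# Port 1:10 is a placeholder for the AP-facing port.
configure vlan nlvlan add ports 1:10 untagged
enable netlogin ports 1:10 dot1x

# Bind the two profiles from the post to the authenticate and
# unauthenticate events on the AP port.
configure upm event user-authenticate profile api ports 1:10
configure upm event user-unauthenticated profile apout ports 1:10
```

Since the catch-all MAC entry admits any device bridged behind an authenticated AP, keep what that RADIUS entry returns (VLAN, policy) as narrow as possible; also note that the unauthenticate event fires for any user on the port, so a bridged client ageing out would run apout while the AP is still authenticated, which is worth verifying in a lab before deployment.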
