AP-Aware: automatic device configuration after AP authenticates with PEAP/TLS on switchport

Volker_Kull
Contributor

Uniform function with which all APs (WING, AH) can be authenticated at the switchport via PEAP or TLS and automatically receive the required switchport configuration, which is removed again when the APs are disconnected. Currently, this is not only about authenticating the AP with 802.1X: you have to take care of the port configuration and the NAC configuration, and disable everything after disconnecting the AP.

XCC cannot perform AP authentication with PEAP/TLS (WING7), I couldn't find it in XIQ either, port templates are not available on all switch OSes, ACL/OnePolicy is different on each switch series, ...

It's a puzzle where the pieces don't fit together…

br

Volker

AlexN
Extreme Employee

Volker,

this functionality exists today. HiveOS/IQE APs also support .1x, but it has to be configured from the CLI.
As Markus says, a secure onboarding workflow can be implemented, with interim MAC-based auth for brand new APs to kiss the cloud/controller the first time, then obtain .1x credentials and authenticate themselves fully.

And of course AP disconnection resets the EAP state machine on the switch port to the unauthenticated stage, where no traffic is allowed and all VLAN memberships are removed.
Best regards/Un saludo
Alex

Volker_Kull
Contributor

Markus,

it's not just another single feature you want to identify. It's more a process to securely onboard and offboard an AP into the infrastructure:

  • secure authentication of the AP (so that this cable cannot be used for unauthenticated access)
  • preparation of the switchport for AP onboarding (AP connect)
    • untagged & tagged VLANs
    • port ACLs
    • authentication settings for the wifi users (no authentication) in addition to the authenticated AP (max devices = 1 for the untagged VLAN)
    • optional Fabric Attach
  • preparation of the switchport for offboarding (AP disconnect)
    • remove the tagged VLANs and ACLs
    • remove the authentication settings back to a standard access port

This should be similar from EXOS to VSP and for WING7 and cloud APs.

We are asked more and more often what happens if an AP connects to the switchport via a miniswitch. If a PC is connected to the miniswitch after the AP has successfully authenticated at the access switch, the PC can connect to the infrastructure…

This onboarding could be done via script or workflow. The challenge is to bring the port back to a standard access port after disconnecting the AP. In this case we don't get a trigger to execute something because there is no authentication… We have been fighting with this situation for years, and everything we did only scratches the surface, because we need to use a lot of features, triggers and custom programming... until the next release of the SW, and then we start again from scratch…

br

Volker

Markus_Nikulski
Extreme Employee

Hi Volker,


if I got you right, the AP should support 802.1x/EAP to become authenticated and authorized. This means the request you have is just an AP feature we need, because switch and NAC are able to serve these functions. I'm not a WLAN expert, but presume 802.1x/EAP isn't supported on the Wing APs today. However, regarding initial onboarding of the AP, it will not be able to use any authentication until it gets in contact with the WLC/cloud management. For this we typically use an onboarding VLAN/I-SID.

Regards
Markus

Volker_Kull
Contributor

OK, I see. You have no experience with what is installed in the field. You would not discuss only single features if you had Fabric, LACP/mLAG, NAC provisioning and network automation running together. This is based on the complete integration of a lot of functionalities that have to work together. We are not able to look at every single feature and make a judgement about whether it is good or bad or nice or necessary.

We have customers who expect a modern, innovative, highly available and easy to manage infrastructure. Discussing whether a feature is worth implementing (or better: worth working together with other features) or not will not help to keep the existing customers at Extreme and get new ones to Extreme.

Please start thinking in end-to-end processes and not in single features. Again: if you really want to understand our and the customers' needs, please get in touch with us.

Thx

Volker
