You are here: Authentication and User Management > Configuring 802.1X Authentication for a Network Profile
Previous TopicNext Topic

Configuring 802.1X Authentication for a Network Profile

The Instant network supports internal RADIUS server and external RADIUS server for 802.1X authentication.

The steps involved in 802.1X authentication are as follows:

1. The NAS requests authentication credentials from a wireless client.
2. The wireless client sends authentication credentials to the NAS.
3. The NAS sends these credentials to a RADIUS server.
4. The RADIUS server checks the user identity and authenticates the client if the user details are available in its database. The RADIUS server sends an Access-Accept message to the NAS. If the RADIUS server cannot identify the user, it stops the authentication process and sends an Access-Reject message to the NAS. The NAS forwards this message to the client and the client must re-authenticate with appropriate credentials.
5. After the client is authenticated, the RADIUS server forwards the encryption key to the NAS. The encryption key is used for encrypting or decrypting traffic sent to and from the client.

 

The NAS acts as a gateway to guard access to a protected resource. A client connecting to the wireless network first connects to the NAS.

Configuring 802.1X Authentication for a Wireless Network Profile

You can configure 802.1X authentication for a wireless network profile in the Instant UI or CLI.

In the Instant UI

To enable 802.1X authentication for a wireless network:

1. In the Network tab, click New to create a new network profile or select an existing profile for which you want to enable 802.1X authentication and click edit.
2. In the Edit <profile-name> or New WLAN window, ensure that all required WLAN and VLAN attributes are defined, and then click Next.
3. In the Security tab, specify the following parameters for the Enterprise security level:
a. Select any of the following options from the Key management drop-down list.
l WPA-2 Enterprise
l WPA Enterprise
l Both (WPA-2 & WPA)
l Dynamic WEP with 802.1X
4. If you do not want to use a session key from the RADIUS Server to derive pair wise unicast keys, set Session Key for LEAP to Enabled.
5. To terminate the EAP portion of 802.1X authentication on the IAP instead of the RADIUS server, set Termination to Enabled.

By default, for 802.1X authorization, the client conducts an EAP exchange with the RADIUS server, and the AP acts as a relay for this exchange. When Termination is enabled, the IAP by itself acts as an authentication server and terminates the outer layers of the EAP protocol, only relaying the innermost layer to the external RADIUS server.

6. Specify the type of authentication server to use and configure other required parameters. You can also configure two different authentication servers to function as primary and backup servers when termination is enabled. For more information on RADIUS authentication configuration parameters, see Configuring an External Server for Authentication.
7. Click Next to define access rules, and then click Finish to apply the changes.

In the CLI

To configure 802.1X authentication for a wireless network:

(Instant AP)(config)# wlan ssid-profile <name>

(Instant AP)(SSID Profile <name>)# type {<Employee>|<Voice>}

(Instant AP)(SSID Profile <name>)# opmode {wpa2-aes|wpa-tkip|wpa-tkip,wpa2-aes|dynamic-wep}

(Instant AP)(SSID Profile <name>)# leap-use-session-key

(Instant AP)(SSID Profile <name>)# termination

(Instant AP)(SSID Profile <name>)# auth-server <server1>

(Instant AP)(SSID Profile <name>)# auth-server <server2>

(Instant AP)(SSID Profile <name>)# radius-reauth-interval <minutes>

(Instant AP)(SSID Profile <name>)# auth-survivability

(Instant AP)(SSID Profile <name>)# exit

(Instant AP)(config)# auth-survivability cache-time-out <hours>

(Instant AP)(config)# end

(Instant AP)# commit apply

Configuring 802.1X Authentication for Wired Profiles

You can configure 802.1X authentication for a wired profile in the Instant UI or CLI.

In the Instant UI

To enable 802.1X authentication for a wired profile:

1. Click the Wired link under More at the top right corner of the main window. The Wired window is displayed.
2. Click New under Wired Networks to create a new network or select an existing profile for which you want to enable 802.1X authentication and then click Edit.
3. In the New Wired Network or the Edit Wired Network window, ensure that all the required Wired and VLAN attributes are defined, and then click Next.
4. In the Security tab, select Enabled from the 802.1X authentication drop-down list.
5. Specify the type of authentication server to use and configure other required parameters. For more information on configuration parameters, see Configuring Security Settings for a Wired Profile.
6. Click Next to define access rules, and then click Finish to apply the changes.
7. Assign the profile to an Ethernet port. For more information, see Assigning a Profile to Ethernet Ports.

In the CLI

To enable 802.1X authentication for a wired profile:

(Instant AP) (config)# wired-port-profile <name>

(Instant AP) (wired ap profile <name>)# type {<employee> |<guest>}

(Instant AP) (wired ap profile <name>)# dot1x

(Instant AP) (wired ap profile <name>)# auth-server <server1>

(Instant AP) (wired ap profile <name>)# auth-server <server2>

(Instant AP) (wired ap profile <name>)# server-load-balancing

(Instant AP) (wired ap profile <name>)# radius-reauth-interval <Minutes>

(Instant AP) (wired ap profile <name>)# end

(Instant AP)# commit apply