The Instant network supports internal RADIUS server and external RADIUS server for 802.1X authentication.
The steps involved in 802.1X authentication are as follows:
1. | The NAS requests authentication credentials from a wireless client. |
2. | The wireless client sends authentication credentials to the NAS. |
3. | The NAS sends these credentials to a RADIUS server. |
4. | The RADIUS server checks the user identity and authenticates the client if the user details are available in its database. The RADIUS server sends an Access-Accept message to the NAS. If the RADIUS server cannot identify the user, it stops the authentication process and sends an Access-Reject message to the NAS. The NAS forwards this message to the client and the client must re-authenticate with appropriate credentials. |
5. | After the client is authenticated, the RADIUS server forwards the encryption key to the NAS. The encryption key is used for encrypting or decrypting traffic sent to and from the client. |
|
The NAS acts as a gateway to guard access to a protected resource. A client connecting to the wireless network first connects to the NAS. |
You can configure 802.1X authentication for a wireless network profile in the Instant UI or CLI.
To enable 802.1X authentication for a wireless network:
1. | In the Network tab, click to create a new network profile or select an existing profile for which you want to enable 802.1X authentication and click edit. |
2. | In the | or window, ensure that all required WLAN and VLAN attributes are defined, and then click .
3. | In the Security tab, specify the following parameters for the Enterprise security level: |
a. | Select any of the following options from the Key management drop-down list. |
l | WPA-2 Enterprise |
l | WPA Enterprise |
l | Both (WPA-2 & WPA) |
l | Dynamic WEP with 802.1X |
4. | If you do not want to use a session key from the RADIUS Server to derive pair wise unicast keys, set Session Key for LEAP to Enabled. |
5. | To terminate the EAP portion of 802.1X authentication on the IAP instead of the RADIUS server, set Termination to . |
By default, for 802.1X authorization, the client conducts an EAP exchange with the RADIUS server, and the AP acts as a relay for this exchange. When Termination is enabled, the IAP by itself acts as an authentication server and terminates the outer layers of the EAP protocol, only relaying the innermost layer to the external RADIUS server.
6. | Specify the type of authentication server to use and configure other required parameters. You can also configure two different authentication servers to function as primary and backup servers when termination is enabled. For more information on RADIUS authentication configuration parameters, see Configuring an External Server for Authentication. |
7. | Click Next to define access rules, and then click Finish to apply the changes. |
To configure 802.1X authentication for a wireless network:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# type {<Employee>|<Voice>}
(Instant AP)(SSID Profile <name>)# opmode {wpa2-aes|wpa-tkip|wpa-tkip,wpa2-aes|dynamic-wep}
(Instant AP)(SSID Profile <name>)# leap-use-session-key
(Instant AP)(SSID Profile <name>)# termination
(Instant AP)(SSID Profile <name>)# auth-server <server1>
(Instant AP)(SSID Profile <name>)# auth-server <server2>
(Instant AP)(SSID Profile <name>)# radius-reauth-interval <minutes>
(Instant AP)(SSID Profile <name>)# auth-survivability
(Instant AP)(SSID Profile <name>)# exit
(Instant AP)(config)# auth-survivability cache-time-out <hours>
(Instant AP)(config)# end
(Instant AP)# commit apply
You can configure 802.1X authentication for a wired profile in the Instant UI or CLI.
To enable 802.1X authentication for a wired profile:
1. | Click the Wired link under at the top right corner of the main window. The window is displayed. |
2. | Click New under to create a new network or select an existing profile for which you want to enable 802.1X authentication and then click Edit. |
3. | In the | or the window, ensure that all the required Wired and VLAN attributes are defined, and then click .
4. | In the Enabled from the drop-down list. | tab, select
5. | Specify the type of authentication server to use and configure other required parameters. For more information on configuration parameters, see Configuring Security Settings for a Wired Profile. |
6. | Click Next to define access rules, and then click Finish to apply the changes. |
7. | Assign the profile to an Ethernet port. For more information, see Assigning a Profile to Ethernet Ports. |
To enable 802.1X authentication for a wired profile:
(Instant AP) (config)# wired-port-profile <name>
(Instant AP) (wired ap profile <name>)# type {<employee> |<guest>}
(Instant AP) (wired ap profile <name>)# dot1x
(Instant AP) (wired ap profile <name>)# auth-server <server1>
(Instant AP) (wired ap profile <name>)# auth-server <server2>
(Instant AP) (wired ap profile <name>)# server-load-balancing
(Instant AP) (wired ap profile <name>)# radius-reauth-interval <Minutes>
(Instant AP) (wired ap profile <name>)# end
(Instant AP)# commit apply