802.1X Supplicant Support

The 802.1X authentication protocol prevents unauthorized clients from gaining access to the network through publicly accessible ports. If the ports to which the Instant APs are connected are configured to use the 802.1X authentication method, ensure that you configure the Instant APs to function as an 802.1X client or supplicant. If the network requires all wired devices to authenticate using the PEAP or TLS protocol, you need to configure the Instant AP uplink ports for 802.1X authentication, so that the switch grants access to the Instant AP only after completing the authentication as a valid client.

To enable the 802.1X supplicant support on an Instant AP, ensure that the 802.1X authentication parameters are configured on all Instant APs in the cluster and are stored securely in the Instant AP flash.

Configuring an Instant AP for 802.1X Authentication Using the WebUI

Complete the following procedures to configure 802.1X supplicant support on an Instant AP:

  1. Configure the 802.1X authentication mode.
  2. Configure the uplink port for 802.1X authentication.

Configuring the 802.1X authentication mode

There are two 802.1X authentication modes on an Instant AP. Choose either one of these methods for 802.1X authentication based on the controller configuration:

PEAP Authentication

In PEAP-based authentication, the Instant AP is validated by verifying its username and password against the uplink controller. The following procedure describes how to configure PEAP-based 802.1X authentication using the WebUI:

  1. In the Configuration > Access Points page, select the Instant AP for which you want to configure 802.1X authentication, and click Edit.
  2. In the Edit Access Point <access point> page, expand the Uplink tab.
  3. Expand PEAP User.
  4. Enter the Username and Password for PEAP authentication. The Instant AP stores the username and password in its flash and uses the credentials for 802.1X authentication. When the Instant AP boots, the /tmp/ap1xuser and /tmp/ap1xpassword files are created based on these credentials.
  5. To validate the authentication server, upload the CA certificate for AP1X on the Instant AP. To upload the CA certificate for AP1X, use the following procedure:
    1. Expand Upload Certificates.
    2. Enter the URL of the CA certificate in the URL field.
    3. Set the Certificate type to CA.
    4. Click on Upload Certificate.
  6. Click Save.

The following CLI command sets the username and password used for PEAP protocol-based 802.1X authentication:

(Instant AP)# ap1x-peap-user <ap1xuser> <password>

The following CLI command installs the CA certificate that is used to validate the authentication server:

(Instant AP)# download-cert ap1xca <url> format pem

Certificate Authentication

In certificate-based 802.1X authentication, a certificate is uploaded to the Instant AP, which the controller uses to validate the AP. The following procedure describes how to configure certificate-based 802.1X authentication:

  1. In the Configuration > Access Points page, select the Instant AP on which you want to configure certificate-based 802.1X authentication, and click Edit.
  2. In the Edit Access Point <access point> page, expand the Uplink tab.
  3. Select the Upload Certificate tab.
  4. Specify the URL of the certificate in the URL field.
  5. Set the Certificate type to Cert.
  6. Enter the password for the certificate in the Passphrase and Retype passphrase fields.
  7. Click on Upload certificate to save the certificate on the AP.
  8. To validate the authentication server used for 802.1X authentication, upload the CA certificate to the Instant AP. To upload the CA certificate, use the following procedure:

    1. Expand Upload Certificates.
    2. Enter the URL of the CA certificate in the URL field.
    3. Set the Certificate type to CA.
    4. Click on Upload Certificate.

  9. Click Save.

The following CLI command downloads user certificates from a TFTP, FTP, or web server for 802.1X authentication:

(Instant AP)# download-cert ap1x <url> format pem [psk <psk>]

The following CLI command installs the CA certificate that is used to validate the authentication server:

(Instant AP)# download-cert ap1xca <url> format pem

Configuring Uplink Port for 802.1X Authentication

To configure 802.1X authentication on the uplink port of the Instant AP, complete the following steps:

  1. Go to the Configuration > System page.
  2. Click Show advanced options at the bottom of the page and expand Uplink.
  3. Under AP1X, select PEAP or TLS in the AP1X type drop-down list. When TLS is selected, the certificate type changes to User by default. The User type certificate is the Cert type certificate uploaded on the AP for certificate-based 802.1X authentication.
  4. To validate the server credentials, toggle the Validate server switch to enable. Ensure that the CA certificate for validating server credentials is uploaded to the Instant AP database. The CA certificate for 802.1X authentication is uploaded in the Configuration > Access Point page of the Instant AP.
  5. Click Save.
  6. Reboot the Instant AP.

The following CLI command sets the 802.1X authentication type to PEAP:

(Instant AP)(config)# ap1x peap [validate-server]

The following CLI command sets the 802.1X authentication type to TLS:

(Instant AP)(config)# ap1x tls <user> [validate-server]

The following CLI command sets the authentication timeout interval for 802.1X authentication:

(Instant AP)(config)# ap1x-timeout <seconds>

The following CLI command shows the certificate details for 802.1X:

(Instant AP)# show ap1xcert

To verify the 802.1X configuration, use any of the following commands:

  • show ap1x config
  • show ap1x debug-logs
  • show ap1x status
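
An added example, not part of the Aruba documentation: a Python check that reads a list of AP1X commands in the syntax shown above and flags an uplink type set without validate-server, validate-server without a CA certificate download, missing PEAP credentials or user certificate, and certificates fetched over TFTP, FTP, or HTTP. The function name audit_ap1x, the practice of keeping the commands in a text runbook, and all sample values are assumptions.

```python
import re
from urllib.parse import urlparse

CLEARTEXT = {"tftp", "ftp", "http"}  # transports with no server authentication

def audit_ap1x(commands: str) -> list[str]:
    """Return findings for AP1X commands written in the syntax shown on this page."""
    mode, validate, have, findings = None, False, set(), []
    for raw in commands.splitlines():
        # Drop a pasted prompt such as "(Instant AP)(config)# ".
        tok = re.sub(r"^\(Instant AP\)(\(config\))?#\s*", "", raw.strip()).split()
        if len(tok) >= 2 and tok[0] == "ap1x" and tok[1] in ("peap", "tls"):
            mode = tok[1]
            # "ap1x peap [validate-server]" / "ap1x tls <user> [validate-server]"
            start = 2 if mode == "peap" else 3
            validate = "validate-server" in tok[start:]
        elif len(tok) == 3 and tok[0] == "ap1x-peap-user":
            have.add("peap-user")
        elif len(tok) >= 3 and tok[0] == "download-cert" and tok[1] in ("ap1x", "ap1xca"):
            have.add(tok[1])
            scheme = urlparse(tok[2]).scheme.lower()
            if scheme in CLEARTEXT:
                findings.append(f"{tok[1]} fetched over {scheme}: compare 'show ap1xcert' "
                                "output with the expected certificate after install")
    if mode is None:
        return findings + ["no 'ap1x peap' or 'ap1x tls': uplink 802.1X type not set"]
    if not validate:
        findings.append(f"ap1x {mode}: validate-server missing, authentication server is not verified")
    elif "ap1xca" not in have:
        findings.append("validate-server set but no 'download-cert ap1xca' supplies the CA certificate")
    if mode == "peap" and "peap-user" not in have:
        findings.append("ap1x peap set but no 'ap1x-peap-user' credentials")
    if mode == "tls" and "ap1x" not in have:
        findings.append("ap1x tls set but no 'download-cert ap1x' user certificate")
    return findings

# Constructed samples: addresses, file names and credentials are placeholders.
WEAK = """\
(Instant AP)# ap1x-peap-user ap-lobby example-password
(Instant AP)# download-cert ap1xca tftp://192.0.2.10/radius-ca.pem format pem
(Instant AP)(config)# ap1x peap
"""
COMPLETE = """\
(Instant AP)# download-cert ap1x ftp://192.0.2.10/ap-lobby.pem format pem psk example-passphrase
(Instant AP)# download-cert ap1xca ftp://192.0.2.10/radius-ca.pem format pem
(Instant AP)(config)# ap1x tls user validate-server
"""

if __name__ == "__main__":
    for name, text in (("WEAK", WEAK), ("COMPLETE", COMPLETE)):
        print(name)
        for finding in audit_ap1x(text):
            print("  -", finding)
```

In the WEAK sample the CA certificate is installed but never used, because `ap1x peap` lacks `validate-server`; the COMPLETE sample leaves only the transport notes.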

For more information on the commands, refer to the Aruba Instant 8.x CLI Reference Guide.