Several corporations are rolling out 802.1X at the access LAN switch level to prevent unauthorized access to their networks. Cisco IOS Software offers network access control at the media access level (layer 2) through implementation of the 802.1X protocol. 802.1X is an IEEE standard for media-level access control, offering the capability to permit or deny network connectivity, control VLAN access and apply traffic policy, based on user or machine identity. Cisco lightweight access points have an 802.1X supplicant to authenticate on the wired side. Let's examine how this can be achieved.
Configure LAN Switch Ports for 802.1X
The first step consists of implementing 802.1X authentication on the authenticator side, that is, on the LAN switches. Here is a sample configuration:
! Global: enable AAA, send 802.1X requests to RADIUS, turn on 802.1X system-wide
aaa new-model
aaa authentication dot1x default group radius
radius-server host 10.199.200.71 auth-port 1812 acct-port 1813 key <yourkey>
dot1x system-auth-control
!
! Per access port: act as the 802.1X authenticator and require authentication
interface FastEthernet0/3
 description WiFi Access Point with 802.1X Auth
 switchport access vlan 200
 switchport mode access
 dot1x pae authenticator
 authentication port-control auto
 spanning-tree portfast
NOTE: The port-control auto option makes the switch enforce 802.1X on that port: it stays unauthorized until a supplicant authenticates, and once the device logs off the switchport reverts to the unauthorized state.
The above example only shows one LAN port. You need to repeat this for all ports in the switch.
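Because every access port has to carry the same lines, a quick audit of the running-config catches the port that was forgotten. The script below is an added example (not Cisco's code) that checks the global commands and each access port against the settings shown above; the sample config is constructed, and treating non-access ports as out of scope is an assumption.

```python
"""Audit an IOS config for the 802.1X commands above (added example; sample is constructed)."""
GLOBAL_REQUIRED = ("aaa new-model", "dot1x system-auth-control",
                   "aaa authentication dot1x default group radius")
# Per port: tuples of accepted spellings ('dot1x port-control auto' is the older form).
PORT_REQUIRED = (("dot1x pae authenticator",),
                 ("authentication port-control auto", "dot1x port-control auto"))

def parse_interfaces(config):
    """Map interface name -> list of its indented sub-commands."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the block
    return interfaces

def audit_dot1x(config):
    """Missing global commands plus, per access port, missing port commands (trunks skipped)."""
    lines = {ln.strip() for ln in config.splitlines()}
    findings = {"global": [c for c in GLOBAL_REQUIRED if c not in lines],
                "ports": {}}
    if not any(ln.startswith("radius-server host ") for ln in lines):
        findings["global"].append("radius-server host")
    for name, cmds in parse_interfaces(config).items():
        if "switchport mode access" not in cmds:
            continue  # assumption: only access ports need an authenticator
        missing = [alts[0] for alts in PORT_REQUIRED
                   if not any(a in cmds for a in alts)]
        if missing:
            findings["ports"][name] = missing
    return findings

# Constructed sample: Fa0/3 is complete, Fa0/4 was forgotten.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
radius-server host 10.199.200.71 auth-port 1812 acct-port 1813 key EXAMPLEKEY
dot1x system-auth-control
interface FastEthernet0/3
 switchport mode access
 dot1x pae authenticator
 authentication port-control auto
interface FastEthernet0/4
 switchport mode access
"""
```

Run `audit_dot1x` over the output of `show running-config`; an empty "global" list and an empty "ports" dict means every access port carries the authenticator commands.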
Configure your RADIUS Server
Configure your RADIUS server with the user name and password you will specify in your WLC (Wireless > Radios > Global Configuration > 802.1X Supplicant Credentials).
Configure the Cisco WLC with the 802.1X Supplicant Credentials
From the following menu, configure your global 802.1X supplicant credentials
Wireless > Radios > Global Configuration > 802.1X Supplicant Credentials
Check 802.1X Authentication, then fill in both the 802.1X username and password. These have global significance, and all LAPs that have already joined that WLC will inherit these credentials. In the LAP's config, you will find a config snippet similar to this:
dot1x credentials lwapp_credentials
 username 8021xglobal
 password 010203040506070809
Please note that you can also implement per-AP credentials instead of global credentials.
Provisioning new LAPs
New LAPs will not be able to join the WLC if their wired switch port is configured for 802.1X. The easiest way to have them join that WLC is to disable 802.1X authentication on one switch port and let the LAP reboot. It will then inherit its new configuration, including the 802.1X credentials. Next, enable 802.1X authentication on the switch port. Another way is to 'prime' your LAPs in a lab with these 802.1X credentials.
Conclusion
Implementing 802.1X on the wired side of your network reinforces your overall network security. With a few mouse clicks, you can configure 802.1X supplicant credentials for all your Cisco lightweight access points from a central location.