Monday 11 February 2019

Port based Authentication for Access Point

Access Point Configuration
capwap ap dot1x username <username> password <password>
Configured this way, CAPWAP knows the dot1x credentials it must use to authenticate. Only after successful authentication will CAPWAP start the discovery and join process. This means that an AP which does not know the dot1x credentials cannot send any CAPWAP messages on the port at all, so it is prevented from joining the WLC.

Switch Configuration
Interface Configuration
switchport access vlan <vlan>
switchport mode access
authentication port-control auto
dot1x pae authenticator
spanning-tree portfast
Global Configuration
dot1x system-auth-control
aaa new-model
aaa authentication dot1x default group radius
radius-server host <IP Address> key <Password>
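A quick way to confirm the switch side is applied consistently is to audit the running-config for the commands listed above. The script below is an added example, not part of the original post: it parses a constructed Cisco IOS running-config (the interface names, VLAN, RADIUS address and shared secret in it are made up) and reports any global command that is missing and any access port that lacks the authenticator settings, since such a port would let an AP plug in and join without 802.1X. Trunk ports are deliberately skipped because the post only covers AP-facing access ports.

```python
"""Audit a Cisco IOS running-config for the 802.1X settings applied in this
post.  Added example (not from the original post): it checks that the global
AAA/dot1x commands exist and that every access port is a dot1x authenticator."""

# Global commands the post requires before port-based auth can work.
REQUIRED_GLOBAL = (
    "aaa new-model",
    "dot1x system-auth-control",
    "aaa authentication dot1x default group radius",
)

# Per-interface commands the post applies to each AP-facing access port.
REQUIRED_PORT = (
    "authentication port-control auto",
    "dot1x pae authenticator",
)

# Constructed sample running-config; addresses, names and secret are made up.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
radius-server host 192.0.2.10 key EXAMPLE-SECRET
!
interface GigabitEthernet1/0/1
 description AP-1 (authenticator configured)
 switchport access vlan 10
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast
!
interface GigabitEthernet1/0/2
 description AP-2 (authenticator forgotten)
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/24
 description uplink, out of scope
 switchport mode trunk
!
"""


def parse_config(text):
    """Split a running-config into (global_lines, {interface: [sub-commands]}).

    IOS indents the sub-commands of an 'interface' block with one space and
    ends the block with '!' or with the next top-level command."""
    global_lines = []
    interfaces = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line.strip())
    return global_lines, interfaces


def audit(text):
    """Return {'missing_global': [...], 'ports': {interface: [missing cmds]}}.

    Only 'switchport mode access' ports are checked; a port listed under
    'ports' would accept an AP without any 802.1X authentication."""
    global_lines, interfaces = parse_config(text)
    missing_global = [c for c in REQUIRED_GLOBAL if c not in global_lines]
    # Accept either the classic or the newer RADIUS server syntax.
    has_radius = any(l.startswith("radius-server host ") or l.startswith("radius server ")
                     for l in global_lines)
    if not has_radius:
        missing_global.append("radius-server host <IP Address> key <Password>")
    port_findings = {}
    for name, lines in interfaces.items():
        if "switchport mode access" not in lines:
            continue
        missing = [c for c in REQUIRED_PORT if c not in lines]
        if missing:
            port_findings[name] = missing
    return {"missing_global": missing_global, "ports": port_findings}


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(key, value)
```

Feed it the output of `show running-config` saved to a file in place of SAMPLE_CONFIG; any interface it lists is one where the AP (or anything else plugged in) is not being challenged.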

WLC Configuration
Here you provide the 802.1x supplicant credentials that the APs will use to authenticate.

Every AP registered with the WLC receives the dot1x credentials, so once the switch port is configured as a dot1x authenticator the AP can authenticate without problems.

This configuration is global and applies to all APs.
The global configuration can be overridden by assigning credentials on the AP itself.
Once credentials are added, either globally or on the AP, they are pushed to the AP immediately.

When the commands are applied to the switch port, the AP must authenticate before it can rejoin the WLC. This means the AP loses its CAPWAP connectivity to the WLC and rejoins only after authentication succeeds.

ISE Configuration
Adding Switch

Enable Radius (Define Shared Secret)

Create dot1x credentials (username and password) in ISE

Create Identity Group and define the credentials created in the previous step

Create Policy Set

Keep Default Policy and use All_User_ID_Stores

Create Authorization Policy to permit access if the condition is matched
