I'm sorry if this is a noobish question. If you have some Cisco switch connected to D-Link wireless access points, which acts as the RADIUS client?
1 Answer
1
Whichever is acting as the "Authenticator" (https://en.wikipedia.org/wiki/IEEE_802.1X#Overview).
The main parts of 802.1x Authentication are:
- A supplicant, a client end user, which wants to be authenticated.
- An authenticator (an access point or a switch), which is a "go between", acting as proxy for the end user, and restricting the end user's communication with the authentication server.
- An authentication server (usually a RADIUS server), which decides whether to accept the end user's request for full network access.
https://kb.netgear.com/1209/What-is-802-1x-Security-Authentication-for-Wireless-Networks
From this it looks like you can have the switch authenticate the access point (to prevent someone plugging in a different access point) but that the access point itself could be authenticating the clients too.
The switch would likely only authenticate what is plugged into it, and I doubt it would be wireless-client aware.
See also: Does WPA2 Enterprise also authenticate clients to the 802.1X protected switch port?

Matthew1471
-
What about this: http://www.cisco.com/c/dam/en/us/td/i/100001-200000/190001-200000/190001-191000/190652.ps/jcr:content/renditions/190652.jpg – Zouzou Ibba Jul 28 '17 at 17:56
-
LWAPP (en.wikipedia.org/wiki/Lightweight_Access_Point_Protocol) support appears to be required in that scenario. As the AP itself behaves like a switch (allowing more devices to connect), I looked up how 802.1x works with additional switches and found: https://networkengineering.stackexchange.com/questions/6162/how-can-i-implement-802-1x-when-i-need-to-use-intermediate-switches ... it looks like you certainly can chain... hmm – Matthew1471 Jul 28 '17 at 18:04
-
Ah. So the Wireless Access Point can also act as a supplicant itself? Is that necessary? – Zouzou Ibba Jul 28 '17 at 18:09
-
If you're on a network that requires it before your AP can even communicate on the LAN, then yes. Also, it depends on your threat model: are you worried someone will plug in a rogue access point (in the lobby?) or is your AP in an area (data centre) that's not a risk? Here's how I'd configure a particular AP being a supplicant: https://supportforums.cisco.com/document/12559646/configure-8021x-supplicant-settings-wap131-and-wap371 – Matthew1471 Jul 28 '17 at 18:12
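The role split discussed in the answer and comments above, as an added example that is not part of the original thread: whichever device is the authenticator wraps the supplicant's EAP message in a RADIUS Access-Request, and the server accepts it only if it verifies under that device's shared secret. The addresses, secrets and function names are constructed for illustration; attribute numbers and the Message-Authenticator calculation follow RFC 2865 and RFC 3579.

```python
import hashlib, hmac, os, socket, struct

# Attribute types from RFC 2865 / RFC 3579
USER_NAME, NAS_IP_ADDRESS, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 4, 79, 80
ACCESS_REQUEST = 1

def eap_identity_response(eap_id, identity):
    """Supplicant -> authenticator over EAPOL: EAP Response (2) of type Identity (1)."""
    body = bytes([1]) + identity.encode()
    return struct.pack("!BBH", 2, eap_id, 4 + len(body)) + body

def attr(attr_type, value):
    return bytes([attr_type, len(value) + 2]) + value

def authenticator_wrap(eap, nas_ip, secret, radius_id=1):
    """Authenticator (switch or AP) as RADIUS client: wrap EAP in an Access-Request."""
    attrs = (attr(USER_NAME, eap[5:]) + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attr(EAP_MESSAGE, eap)                   # short EAP only; >253 bytes must be split
             + attr(MESSAGE_AUTHENTICATOR, bytes(16)))  # zeroed while the HMAC is computed
    pkt = bytearray(struct.pack("!BBH", ACCESS_REQUEST, radius_id, 20 + len(attrs))
                    + os.urandom(16) + attrs)
    pkt[-16:] = hmac.new(secret, bytes(pkt), hashlib.md5).digest()
    return bytes(pkt)

def server_check(pkt, src_ip, clients):
    """RADIUS server: pick the secret by packet source, verify, return (user, nas_ip)."""
    secret = clients.get(src_ip)
    if secret is None or len(pkt) < 20:
        return None                                    # not a configured RADIUS client
    code, _, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCESS_REQUEST or length != len(pkt):
        return None
    seen, zeroed, pos = {}, bytearray(pkt), 20
    while pos + 2 <= length:
        t, l = pkt[pos], pkt[pos + 1]
        if l < 2 or pos + l > length:
            return None                                # malformed attribute
        seen[t] = pkt[pos + 2:pos + l]
        if t == MESSAGE_AUTHENTICATOR:
            zeroed[pos + 2:pos + l] = bytes(l - 2)
        pos += l
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    if not hmac.compare_digest(seen.get(MESSAGE_AUTHENTICATOR, b""), expected):
        return None                                    # wrong secret or tampered packet
    if USER_NAME not in seen or len(seen.get(NAS_IP_ADDRESS, b"")) != 4:
        return None
    return seen[USER_NAME].decode(), socket.inet_ntoa(seen[NAS_IP_ADDRESS])

# Constructed sample: switch and AP are each registered as a RADIUS client.
CLIENTS = {"192.0.2.10": b"switch-secret", "192.0.2.20": b"ap-secret"}
```

A wireless user's request arrives with the AP as the RADIUS client; when the AP itself is a supplicant on a protected switch port, the same request format arrives from the switch instead.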