-1

Here is the context of the question:

I have multiple switches with port authentication (MAC-based or 802.1X). Each switch is connected over a statically configured trunk port. There is one VLAN for authenticated users and one VLAN for guest users. The RADIUS server is connected on port 1 of switch 1. The trunk port is port 4 on both switches.

        [RADIUS server]
              |
[SWITCH 1 | Port1 | Port2 | Port3 | Port4]
                                      |
                                      |
[SWITCH 2 | Port1 | Port2 | Port3 | Port4]

Here is the question:

How can I plug an access point into an arbitrary port without changing the configuration of the corresponding port (meaning disabling authentication on that port and activating a trunk on it)?

I want to support both "access point" and classical user on all ports.

(The access point provides two SSIDs, one for classical users, one for guests.)

Thank you, all comments are welcome.

gapz

1 Answer

0

In the configuration you're describing you'd typically plug an access point (AP) into a port that's configured as a member of the VLAN where "authenticated users" traffic should be sent and where "guest users" traffic should be sent. Which one(s) need to be tagged versus untagged depends a little bit on your environment and the oddities of your switches (some junkier old switches can't tag VLAN 1, for example). Some APs specifically allow you to assign the management VLAN, others just want to be managed from an untagged VLAN.

You're likely managing the AP from the same VLAN that "authenticated users" traffic will be sent, so you can probably get away with a port that's an untagged member of that VLAN, and a tagged member of the "guest users" VLAN.

Edit:

I understand what you're looking for now.

You're doing wired 802.1x right now on your switch.

Your access point likely can do wireless 802.1x. You'd plug the AP into a port, as I described above, with 802.1x disabled in the switch. The AP would handle the 802.1x for wireless clients, authenticating back to the RADIUS server for those clients.

Think of the AP like another switch with the wireless clients being connected. You want the 802.1x to happen inside the AP, not in the switch port it's plugged in to.

Evan Anderson
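As an added illustration of what the answer describes (not part of the answer or of any vendor documentation), here is what the two kinds of ports look like side by side in Cisco IOS syntax: a normal user port doing wired 802.1X/MAB, and the AP port with 802.1X removed, untagged (native) in the authenticated-users VLAN and tagged in the guest VLAN. The VLAN IDs 10 and 20, the VLAN names and the interface names are assumptions chosen for the example; substitute your own.

```cisco
! Assumed VLAN numbering for this example (not from the original post)
vlan 10
 name AUTH-USERS
vlan 20
 name GUEST-USERS
!
! A normal edge port: the switch authenticates the wired client.
! On 802.1X/MAB success the port lands in VLAN 10; on failure it
! is placed in the guest VLAN 20.
interface GigabitEthernet1/0/3
 description User port - wired 802.1X / MAB
 switchport mode access
 switchport access vlan 10
 authentication order dot1x mab
 authentication event fail action authorize vlan 20
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast
!
! The AP port: authentication is handled by the AP for its wireless
! clients, so the switch does NOT run 802.1X here. The AP is managed
! untagged in VLAN 10 (native VLAN) and the guest SSID rides tagged
! in VLAN 20. Only those two VLANs are allowed on the link.
interface GigabitEthernet1/0/2
 description AP uplink - AP does 802.1X for wireless clients
 no authentication port-control auto
 no dot1x pae authenticator
 no mab
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,20
 switchport mode trunk
 spanning-tree portfast trunk
```

On some older Catalyst platforms `switchport trunk encapsulation dot1q` must precede `switchport mode trunk`; on HP/ProCurve switches the same result is expressed with `untagged`/`tagged` membership per VLAN rather than a trunk mode. Because the AP port carries no authentication, its security rests on physical control of that jack and on the AP's own wireless 802.1X: keep the allowed-VLAN list to exactly the VLANs the AP needs, and consider port security (for example limiting the port to the AP's MAC address) so that unplugging the AP and connecting another device does not yield untagged access to the authenticated-users VLAN.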
  • I plug the access point into a port which is doing authentication. Based on the result of this authentication, it moves the port into an appropriate vlan (classic users or guests). My main issue is that I can't tag 2 vlans between my access point and my switch (because I want to offer the same type of access on my access point) because it's plugged into an authenticated port and then you can't do a trunk (I tried on Cisco and HP, and trunks with authenticated ports are prohibited) – gapz Oct 10 '14 at 06:22