What is best resource for steps to implement 802.1x on ICX7450 and SmartZone WLAN

Goal --> implement 802.1x configuration on ICX Switches/WLAN to support 802.1x Authentication for SmartZone WLAN users.

Currently, users are directed to WebAuth Page where login credentials are Authenticated by RADIUS.

Need to ensure proper configurations are applied and VLANs are available on ICXs/WLAN for initial login and Authenticated user connections.
Jeff T

Posted 3 months ago
Scott Farrand

Have you already configured 802.1x with VLAN assignment on your WLAN? Or are you trying to figure out how to set this up across your entire environment?


Jeff T

1 - I have not yet applied 802.1x VLANs - everything is still in the default VLAN...

2 - Yes. Hoping to find info on the necessary ICX configuration for 802.1x and VLANs AND the applicable configuration for the SmartZone WLAN config.
NETWizz

Never got 802.1x to work, though it is probably the Microsoft NPS that is the problem.

I have actual RADIUS login working like a champ.

Here was more or less my test configuration, so you can start where I left off about a year ago if it is of any help. If you get it to work, please let us know.


ver 08.0.80caT211
!
stack unit 1
  module 1 icx7150-c12-poe-port-management-module
  module 2 icx7150-2-copper-port-2g-module
  module 3 icx7150-2-sfp-plus-port-20g-module
!
!
no global-stp
!
!
!
vlan 1 name DEFAULT-VLAN by port
 no untagged ethe 1/1/2 to 1/1/12
 no spanning-tree
!
vlan 123 name Data by port
 tagged ethe 1/2/2 ethe 1/3/1 to 1/3/2
 untagged ethe 1/1/1 ethe 1/2/1
 no spanning-tree
!
vlan 401 name voice by port
 tagged ethe 1/1/1 to 1/1/2 ethe 1/1/4 to 1/1/12 ethe 1/2/1 to 1/2/2 ethe 1/3/1 to 1/3/2
 no spanning-tree
!
!
vlan 666 name Restricted-Data by port
 no spanning-tree
!
!
!
!
!
!
!
!
!
!
authentication
  auth-default-vlan 123
  restricted-vlan 666
  dot1x enable
  dot1x enable ethe 1/1/2 to 1/1/12
  dot1x port-control auto ethe 1/1/2 to 1/1/12
!
!
aaa authentication web-server default local
aaa authentication enable default local
aaa authentication dot1x default radius
aaa authentication login default local
aaa authentication login privilege-mode
console timeout 30
enable aaa console
hostname TESTSW02
ip address 10.1.13.15 255.255.255.0
ip dns domain-list test.testdomain.state.us
ip dns server-address 10.1.5.40 10.1.5.41
no ip dhcp-client auto-update enable
no ip dhcp-client enable
ip default-gateway 10.1.13.1
!
logging host 10.1.2.3
logging console
logging persistence
mirror-port ethernet 1/1/1
!
no telnet server
username testwan password .....
radius-server host 10.1.120.221 auth-port 1812 acct-port 1813 default key 2 $b24zbw== dot1x
cdp run
fdp run
snmp-server contact Network Operations Center
snmp-server host 10.1.2.3 version v3 priv testwan
snmp-server group testv3 v3 priv access 99 read all write all
snmp-server user testwan testv3 v3 access 99 encrypted auth sha 6974065afb9f99927806e01c6ae2175104870138 priv encrypted aes 6974065bfb9f99927806e01c6ae21751
!
!
clock summer-time
clock timezone us Eastern
!
!
ntp
 server 10.220.1.1
!
!
web access-group 99
no web-management http
web-management https
banner motd ^C
------------------------------------------------------------------------^C
^C
Temporary Infrastructure Test Switch^C
^C
This system is solely for the use of authorized test personnel.^C
The information contained herein is the property of test and subject to^C
non-disclosure, security, and confidentiality requirements.^C
test will monitor system usage for unauthorized activities.^C
Any user accessing this system expressly consents to such monitoring.^C
^C
Asset xxxxxxxx^C
^C
------------------------------------------------------------------------^C
^C
!
ssh access-group 99
!
!
!
interface ethernet 1/1/1
 trust dscp
!
interface ethernet 1/1/2
 trust dscp
!
interface ethernet 1/1/3
 trust dscp
!
interface ethernet 1/1/4
 trust dscp
!
interface ethernet 1/1/5
 trust dscp
!
interface ethernet 1/1/6
 trust dscp
!
interface ethernet 1/1/7
 trust dscp
!
interface ethernet 1/1/8
 trust dscp
!
interface ethernet 1/1/9
 trust dscp
!
interface ethernet 1/1/10
 trust dscp
!
interface ethernet 1/1/11
 trust dscp
!
interface ethernet 1/1/12
 trust dscp
!
interface ethernet 1/2/1
 mon ethernet 1/1/1 both
 trust dscp
!
interface ethernet 1/2/2
 trust dscp
!
interface ethernet 1/3/1
 speed-duplex 1000-full
 trust dscp
!
interface ethernet 1/3/2
 speed-duplex 1000-full
 trust dscp
!
!
!
ip access-list standard 99
 sequence 10 permit host 10.1.4.5
 sequence 20 permit host 10.6.7.8
 sequence 30 permit host 10.9.10.11
!
sflow destination 10.1.2.3 2055
!
lldp run
!
!
ip ssh  authentication-retries 2
ip ssh  timeout 30
ip ssh  idle-time 30
ip ssh  scp disable
ip ssh  encryption disable-aes-cbc
!
!
!
end
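A small pre-flight check for the ICX side of this thread, added here as an example and not code from any poster or from Ruckus. It parses a constructed running-config excerpt in the same format as the one above (the RADIUS key is replaced by a placeholder) and verifies that auth-default-vlan and restricted-vlan refer to VLANs that are actually defined, that dot1x authentication and a radius-server host are pointed at RADIUS, and that every port with dot1x enabled also has port-control auto.

```python
import re

# Constructed excerpt in the same format as the posted config; not the full file.
SAMPLE_CONFIG = """\
vlan 1 name DEFAULT-VLAN by port
vlan 123 name Data by port
vlan 666 name Restricted-Data by port
authentication
  auth-default-vlan 123
  restricted-vlan 666
  dot1x enable
  dot1x enable ethe 1/1/2 to 1/1/12
  dot1x port-control auto ethe 1/1/2 to 1/1/12
aaa authentication dot1x default radius
radius-server host 10.1.120.221 auth-port 1812 acct-port 1813 default key 2 KEY-PLACEHOLDER dot1x
"""

PORT_RE = re.compile(r"ethe (\d+/\d+/\d+)(?: to (\d+/\d+/\d+))?")

def expand_ports(spec):
    """Expand 'ethe 1/1/2 to 1/1/5 ethe 1/2/1' into individual unit/slot/port names."""
    ports = []
    for start, end in PORT_RE.findall(spec):
        unit, slot, first = (int(x) for x in start.split("/"))
        last = int(end.split("/")[2]) if end else first
        ports += [f"{unit}/{slot}/{p}" for p in range(first, last + 1)]
    return ports

def check_dot1x(config):
    """Cross-check the 802.1X stanza against the VLAN and RADIUS lines of the same config."""
    vlans = {int(m.group(1)) for m in re.finditer(r"^vlan (\d+) ", config, re.M)}
    dot1x_ports, auto_ports = set(), set()
    for m in re.finditer(r"^\s*dot1x enable (ethe .*)$", config, re.M):
        dot1x_ports.update(expand_ports(m.group(1)))
    for m in re.finditer(r"^\s*dot1x port-control auto (ethe .*)$", config, re.M):
        auto_ports.update(expand_ports(m.group(1)))
    problems = []
    for name in ("auth-default-vlan", "restricted-vlan"):
        m = re.search(rf"^\s*{name} (\d+)", config, re.M)
        if not m or int(m.group(1)) not in vlans:
            problems.append(f"{name} is missing or not a defined VLAN")
    if not re.search(r"^aaa authentication dot1x default radius", config, re.M):
        problems.append("aaa authentication dot1x is not pointed at RADIUS")
    if not re.search(r"^radius-server host .* dot1x\b", config, re.M):
        problems.append("no radius-server host carries the dot1x keyword")
    by_port = lambda s: tuple(map(int, s.split("/")))  # numeric sort, so 1/1/2 < 1/1/10
    for p in sorted(dot1x_ports - auto_ports, key=by_port):
        problems.append(f"port {p} has dot1x enabled but no 'port-control auto'")
    return {"dot1x_ports": sorted(dot1x_ports, key=by_port), "problems": problems}
```

Run it against `show running-config` output before turning on port-control; an empty problems list means the stanza at least references things that exist.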



Jeff T

Thanks for the input and for providing your example. If progress is made, I will reciprocate.
Tim Brumbaugh

Couple of questions: are you wanting to do 802.1x auth on the ICX and on your WLANs?

Jeff T

Tim,

Currently utilizing NPS to perform RADIUS Auth for ICXs, and RADIUS works with WLAN WebAuth.
Trying to get 802.1x Auth working for WLANs.
Tim Brumbaugh

Very common thing to set up. Since you are using NPS, you should have a handle on that, except that depending on how you configure it, each radio is a client or the controller is the client in NPS. We usually add each radio, or the subnet that the radios are on for management, as the client.
Then create a connection request policy. The Overview tab is a name and the rest default; then the Conditions tab is as follows.

The settings tab is default except for the authentication methods.
If you edit the EAP type then you can select the certificate to use.


On the VSC or SZ controller it looks like this. Create a RADIUS Server Connection under Services/Profiles/authentication.

Create a WLAN that uses 802.1x. The picture in this one is named cloupath, but disregard that, as it is one I use for testing lots of different things.

You have to watch your logs on the NAP server to see what might be happening if the clients are not able to connect. If the NAP log shows nothing, it might have to be enabled.
auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable
Sometimes the local policy has issues, and it can be found here to enable the NAP logging.
The success/failure setting can be found at Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> Audit Policies -> Logon/Logoff -> Audit Network Policy Server.
Tim Brumbaugh

Here is a YouTube video from Ruckus that covers it on a ZD and 2012R2 NAP.
https://www.youtube.com/watch?v=QlL777qF95s
Jeff T

Thank you, Tim B. Just now seeing your post -