802.1x cnpilot ethernet port

Hi,

So far, we have deployed an eduroam network for several universities:

  • via access point (WLAN eduroam), +200 access points
  • via cnmatrix switches (dot1x on Ethernet ports, wired eduroam), dozens of cnmatrix switches, +1000 Ethernet ports with dot1x configuration

The next eduroam network project with the university is looking for a slightly different solution.
The 425H access point (one access point per room) will be used in such a way that eduroam (802.1x auth) must be enabled not only on the WLAN but also on the Ethernet ports of that access point (in other words, the AP must be an authenticator for both the WLAN and the Ethernet ports, which are part of the same eduroam network).

Is this scenario even possible with cnpilot? As far as I can see at the moment, cnpilot does not have such a possibility?


hi,

Glad to hear eduroam deployment news. Coming to the 425H requirements, can you precisely list the requirements or workflow when a wired host connects to the Ethernet port of the AP?

In the case of 802.1X on WLAN:

  1. The AP does authentication for each client
  2. It will enforce the RADIUS policy for each client individually
  3. CoA is supported for disconnection

Hi,

Each student has a supplicant on his laptop / PC with settings provided by the university and also a unique AAI credential (username and password).
When he plugs the cable into that eth port, the RADIUS authentication process is started.
RADIUS checks the credentials and the certificate (if needed).
The VLAN for that is static (configured by admin), the same as for WLAN.

Long story short, we need the same feature as on the cnmatrix switch.

I just saw that a RADIUS host can be configured for the Ethernet port as well (attached).
I will try that with the same settings as for WLAN.

Hi,

RADIUS auth on eth ports (eth2 and eth3) on the cnpilot e425H doesn't work (eth1 is uplink, no need for RADIUS config).
First bug: you cannot enter the RADIUS server as a domain name (there is no error in cnMaestro, but the commands are ignored on the AP side; when you do that over SSH you get an error), only an IP address is accepted, so we did that and that part of the config is now visible on the AP.

In show events on the AP there are no messages about the AP even trying to send an auth message to the RADIUS server, only for WiFi clients, which is working fine:

E425-879558(config)# show events
Oct 20 11:19:13 NETWORK-5-RENEW-INTERFACE-IP Renewed the interface IP on ethernet link [eth1] status move to up and running state
Oct 20 11:15:49 NETWORK-5-RENEW-INTERFACE-IP Renewed the interface IP on ethernet link [eth1] status move to up and running state
Oct 20 11:15:37 NETWORK-5-RENEW-INTERFACE-IP Renewed the interface IP on ethernet link [eth1] status move to up and running state
Oct 20 11:13:25 NETWORK-5-RENEW-INTERFACE-IP Renewed the interface IP on ethernet link [eth1] status move to up and running state
Oct 20 11:13:13 NETWORK-5-RENEW-INTERFACE-IP Renewed the interface IP on ethernet link [eth1] status move to up and running state
Oct 20 11:12:11 NETWORK-5-RENEW-INTERFACE-IP Renewed the interface IP on ethernet link [eth1] status move to up and running state
Oct 20 11:12:06 NETWORK-5-RENEW-INTERFACE-IP Renewed the interface IP on ethernet link [eth2] status move to up and running state
Oct 20 11:11:28 NETWORK-5-RENEW-INTERFACE-IP Renewed the interface IP on ethernet link [eth2] status move to up and running state
Oct 20 11:11:23 NETWORK-5-RENEW-INTERFACE-IP Renewed the interface IP on ethernet link [eth2] status move to up and running state
Oct 20 11:10:11 NETWORK-5-RENEW-INTERFACE-IP Renewed the interface IP on ethernet link [eth2] status move to up and running state
Oct 20 11:09:55 NETWORK-5-RENEW-INTERFACE-IP Renewed the interface IP on ethernet link [eth2] status move to up and running state
Oct 20 11:09:53 WIFI-6-CLIENT-AUTH-SUCCESS Authentication success for client[84-EF-18-B1-4C-48] IP [0.0.0.0] User [anonymous@unizd.hr] SSID [eduroam]
Oct 20 11:09:53 WIFI-6-CLIENT-RADIUS-AUTH-SUCCESS RADIUS authentication success for client [84-EF-18-B1-4C-48] on wireless lan [eduroam]
Oct 20 11:09:53 WIFI-6-CLIENT-CONNECTED Client [84-EF-18-B1-4C-48] connected to wireless lan [eduroam]

Please advise, 100 APs are waiting for installation and this is a show stopper!!!

p.s. config file from AP is attached: cnpilot e425H.txt (4.9 KB)

fw 4.2.1r17
cnmaestro cloud
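The check the poster did by eye on the show events output above (link-up events on the client ports, but no RADIUS traffic for them, while the WLAN client authenticates fine) can be scripted. The following is an added example, not code from the thread or from Cambium: it parses event lines in the format quoted above and reports, per client port, whether link activity was seen without any RADIUS-related event. The sample lines are constructed after the quoted format (MAC address and username replaced with made-up values), and since the thread shows no wired 802.1X event at all, the script assumes only that such an event would mention RADIUS and the port name; the client port list (eth2, eth3) follows the poster's description.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Event lines constructed after the "show events" format quoted in this thread
# (same message shapes; MAC address and username replaced with made-up values).
SAMPLE_EVENTS = """\
E425-000000(config)# show events
Oct 20 11:19:13 NETWORK-5-RENEW-INTERFACE-IP Renewed the interface IP on ethernet link [eth1] status move to up and running state
Oct 20 11:12:06 NETWORK-5-RENEW-INTERFACE-IP Renewed the interface IP on ethernet link [eth2] status move to up and running state
Oct 20 11:11:28 NETWORK-5-RENEW-INTERFACE-IP Renewed the interface IP on ethernet link [eth2] status move to up and running state
Oct 20 11:09:53 WIFI-6-CLIENT-AUTH-SUCCESS Authentication success for client[00-11-22-33-44-55] IP [0.0.0.0] User [anonymous@example.edu] SSID [eduroam]
Oct 20 11:09:53 WIFI-6-CLIENT-RADIUS-AUTH-SUCCESS RADIUS authentication success for client [00-11-22-33-44-55] on wireless lan [eduroam]
Oct 20 11:09:53 WIFI-6-CLIENT-CONNECTED Client [00-11-22-33-44-55] connected to wireless lan [eduroam]
"""

# <timestamp> <FACILITY>-<severity>-<MNEMONIC> <free text with [bracketed] fields>
EVENT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<facility>[A-Z]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9-]+) "
    r"(?P<msg>.*)$"
)
ETH_RE = re.compile(r"\b(eth\d+)\b")   # matches [eth1], not the word "ethernet"


@dataclass
class Event:
    ts: str
    facility: str
    severity: int
    mnemonic: str
    msg: str
    fields: List[str] = field(default_factory=list)  # the [bracketed] values, in order


def parse_events(text: str) -> List[Event]:
    """Parse raw show-events output; prompt lines and unknown formats are skipped."""
    events = []
    for raw in text.splitlines():
        m = EVENT_RE.match(raw.strip())
        if not m:
            continue
        events.append(Event(m["ts"], m["facility"], int(m["severity"]), m["mnemonic"],
                            m["msg"], re.findall(r"\[([^\]]*)\]", m["msg"])))
    return events


def is_radius_event(e: Event) -> bool:
    # Assumption: any wired 802.1X attempt would name RADIUS in the mnemonic or text.
    return "RADIUS" in e.mnemonic or "RADIUS" in e.msg.upper()


def audit(text: str, client_ports: Tuple[str, ...] = ("eth2", "eth3")) -> Dict:
    """Per client port: link events vs RADIUS events; plus WLAN RADIUS successes per SSID."""
    ports = {p: {"link_events": 0, "radius_events": 0} for p in client_ports}
    wlan_radius_success: Counter = Counter()
    for e in parse_events(text):
        port = ETH_RE.search(e.msg)
        if port and port.group(1) in ports:
            if e.facility == "NETWORK":
                ports[port.group(1)]["link_events"] += 1
            if is_radius_event(e):
                ports[port.group(1)]["radius_events"] += 1
        elif e.facility == "WIFI" and e.mnemonic == "CLIENT-RADIUS-AUTH-SUCCESS":
            wlan_radius_success[e.fields[-1]] += 1   # SSID is the last bracketed field
    for st in ports.values():
        # A port with link activity but no RADIUS event at all is the gap the thread describes.
        st["auth_gap"] = st["link_events"] > 0 and st["radius_events"] == 0
    return {"ports": ports, "wlan_radius_success": dict(wlan_radius_success)}


if __name__ == "__main__":
    report = audit(SAMPLE_EVENTS)
    for port, st in report["ports"].items():
        print(port, st)
    print("WLAN RADIUS successes per SSID:", report["wlan_radius_success"])
```

Feed it the full show events output captured over SSH; a port flagged with auth_gap while the WLAN counter is non-zero reproduces the observation in this post (RADIUS reachable and working for the SSID, nothing attempted for the wired port).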

Hi Mixig,
In your config I can see MAC auth is not enabled. Can you please enable MAC auth and confirm the observation? Here is the snapshot of the MAC auth feature enabled case.

Hi,
I can try that, but why would I enable that feature? Each student has a unique AAI credential (username@domain.xyz and password) and that is what is checked on the RADIUS server; there is nothing about MAC address authentication on the RADIUS server.
The second option, if I understand correctly, will allow all MAC-failed users to connect to the native VLAN; I don't want that.
What I want is for the AP to send credentials to RADIUS in the same way as the cnmatrix switch.

hi mixig,

cnPilot APs don't have the capability on the Ethernet port to do 802.1X authentication for validating user credentials, similar to a wireless user on the WLAN / SSID side.

Thanks for the direct answer to the question.

Based on that answer, I can conclude that cnpilot models (in this case e425 / e430) are not able to replace (correct me if I am wrong) devices that are more than 8 years old (WiFi 4 and 100 Mbps eth port) and still have the ability for dot1x authentication (RADIUS) via WLAN and Ethernet interface (in this case username / password credentials), and that cnpilot APs are, at this time, technically insufficient in the true sense for the eduroam network that is present worldwide?

The marketplace for that kind of setup is huge:
https://monitor.eduroam.org/map_service_loc.php

Thank you. If my understanding is correct, the AP has to do wired authentication for laptops / desktops connecting to the wired port of the AP.

Can you help us clarify the few points below:

  1. The wired hosts (laptops / desktops) do username- and password-based authentication (possibly also using a certificate) with the external AAA

  2. There is the possibility that more than one wired host is connected to the AP Ethernet port; in this case, the AP has to do 802.1x authentication for each wired host

  3. Each host is identified based on its MAC, and the data-ready state is decided based on the 802.1X authentication result

Why do we still see the use case of wired port usage when a Wi-Fi interface is common on most end-user devices?