So far, we have deployed an eduroam network for several universities:
via access points (WLAN eduroam), 200+ access points
via cnMatrix switches (dot1x on Ethernet ports, wired eduroam), dozens of cnMatrix switches, 1000+ Ethernet ports with dot1x configuration
The next eduroam network project with the university is looking for a slightly different solution.
The 425H access point (one access point per room) will be used in such a way that eduroam (802.1X auth) must be enabled not only on the WLAN but also on the Ethernet ports of that access point (in other words, the AP must be an authenticator for both the WLAN and the Ethernet ports, which are part of the same eduroam network).
Is this scenario even possible with cnPilot? As far as I can see at the moment, cnPilot does not have such a possibility?
Glad to hear the eduroam deployment news. Coming to the 425H requirements, can you precisely list the requirements or workflow when a wired host connects to the Ethernet port of the AP?
In the case of 802.1X on WLAN:
the AP does authentication for each client
and will enforce RADIUS policy for each client individually.
Each student has a supplicant on his laptop / PC with settings provided by the university and also a unique AAI credential (username and password).
When he plugs a cable into that eth port, the RADIUS authentication process is started.
RADIUS checks the credential and the certificate (if needed).
The VLAN for that is static (configured by the admin), same as for WLAN.
Long story short, we need the same feature as on the cnMatrix switch.
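Added example (not code from this thread, from Cambium or from cnMatrix): what an 802.1X authenticator has to put on the wire toward the RADIUS server once the supplicant has answered EAP Request/Identity, for exactly the wired flow described above. On the RADIUS side a wired and a wireless Access-Request differ only in NAS-Port-Type (15 = Ethernet, 19 = Wireless-802.11) and the WLAN-specific attributes, so the server policy that already works for the eduroam SSID serves the Ethernet ports unchanged. The shared secret, NAS IP, NAS port and MAC below are constructed values; the identity reuses the anonymous outer identity seen in the thread's AP log. The verifier function is the check a RADIUS server performs (RFC 3579 makes Message-Authenticator mandatory on Access-Requests carrying EAP-Message), which is why a wrong shared secret or a modified attribute makes the request silently dropped.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types (RFC 2865, RFC 3579)
ACCESS_REQUEST = 1
USER_NAME = 1
NAS_IP_ADDRESS = 4
NAS_PORT = 5
CALLING_STATION_ID = 31
NAS_PORT_TYPE = 61
EAP_MESSAGE = 79
MESSAGE_AUTHENTICATOR = 80

# NAS-Port-Type: the attribute that distinguishes a wired from a wireless 802.1X client
PORT_TYPE_ETHERNET = 15
PORT_TYPE_WIRELESS_80211 = 19
PORT_TYPE_NAMES = {PORT_TYPE_ETHERNET: "Ethernet",
                   PORT_TYPE_WIRELESS_80211: "Wireless-802.11"}


def eap_response_identity(eap_id, identity):
    """EAP Response/Identity (code 2, type 1), as the supplicant sends it over EAPOL."""
    body = bytes([2, eap_id, 0, 0, 1]) + identity.encode()
    return body[:2] + struct.pack("!H", len(body)) + body[4:]


def attr(attr_type, value):
    """One RADIUS attribute: Type, Length (including the 2-byte header), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def parse_attributes(pkt):
    """Return (type, value, offset) per attribute, validating every length field."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("bad RADIUS length")
    out, off = [], 20
    while off < length:
        attr_type, attr_len = pkt[off], pkt[off + 1]
        if attr_len < 2 or off + attr_len > length:
            raise ValueError("bad attribute length")
        out.append((attr_type, pkt[off + 2:off + attr_len], off))
        off += attr_len
    return out


def build_access_request(secret, ident, identity, client_mac, port_type,
                         nas_ip, nas_port, request_auth=None):
    """Access-Request the authenticator sends after receiving EAP Response/Identity."""
    request_auth = request_auth or os.urandom(16)
    attrs = (attr(USER_NAME, identity.encode())
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attr(NAS_PORT, struct.pack("!I", nas_port))
             + attr(CALLING_STATION_ID, client_mac.encode())
             + attr(NAS_PORT_TYPE, struct.pack("!I", port_type))
             + attr(EAP_MESSAGE, eap_response_identity(1, identity))
             + attr(MESSAGE_AUTHENTICATOR, bytes(16)))  # zero placeholder, filled below
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    pkt = bytearray(header + request_auth + attrs)
    # RFC 3579: HMAC-MD5 keyed with the shared secret over the whole packet,
    # computed while the Message-Authenticator value is all zeros.
    mac = hmac.new(secret, bytes(pkt), hashlib.md5).digest()
    off = next(o for t, _, o in parse_attributes(pkt) if t == MESSAGE_AUTHENTICATOR)
    pkt[off + 2:off + 18] = mac
    return bytes(pkt)


def verify_message_authenticator(secret, pkt):
    """The server-side check: True only if the secret and every byte of the packet match."""
    found = [(v, o) for t, v, o in parse_attributes(pkt) if t == MESSAGE_AUTHENTICATOR]
    if len(found) != 1 or len(found[0][0]) != 16:
        return False
    value, off = found[0]
    zeroed = bytearray(pkt)
    zeroed[off + 2:off + 18] = bytes(16)
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    return hmac.compare_digest(expected, value)


def describe(pkt):
    """Summarise the fields an admin would look for in the RADIUS server log or a capture."""
    info = {"code": pkt[0], "identifier": pkt[1]}
    for attr_type, value, _ in parse_attributes(pkt):
        if attr_type == USER_NAME:
            info["user_name"] = value.decode()
        elif attr_type == CALLING_STATION_ID:
            info["calling_station_id"] = value.decode()
        elif attr_type == NAS_PORT_TYPE:
            info["nas_port_type"] = PORT_TYPE_NAMES.get(struct.unpack("!I", value)[0], "other")
        elif attr_type == EAP_MESSAGE and value[0] == 2 and value[4] == 1:
            info["eap"] = "Response/Identity"
            info["eap_identity"] = value[5:].decode()
    return info


if __name__ == "__main__":
    secret = b"testing123"  # constructed shared secret for the example only
    for port_type in (PORT_TYPE_ETHERNET, PORT_TYPE_WIRELESS_80211):
        pkt = build_access_request(secret, 7, "anonymous@unizd.hr",
                                   "84-EF-18-B1-4C-48", port_type, "10.0.0.5", 2)
        print(describe(pkt), verify_message_authenticator(secret, pkt))
```

The example stops at the first Access-Request; the EAPOL exchange with the supplicant and the EAP-TTLS/PEAP tunnel that follows (where the real username and password are checked) are not implemented. It is enough to show what "no messages" means in practice: if an AP were acting as a wired authenticator, the RADIUS server log or a capture on UDP/1812 would show Access-Requests like this one with NAS-Port-Type = Ethernet for the eth ports, next to the Wireless-802.11 ones the SSID already produces.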
RADIUS auth on the eth ports (eth2 and eth3) on the cnPilot e425H doesn't work (eth1 is the uplink, no need for RADIUS config).
First bug: you cannot enter the RADIUS server as a domain name (there is no error in cnMaestro but the commands are ignored on the AP side; also, when you do that over SSH you get an error), only an IP address is accepted, so we did that and that part of the config is now visible on the AP.
In show events on the AP there are no messages of the AP even trying to send an auth message to the RADIUS server, only for WiFi clients, which is working fine:
E425-879558(config)# show events
Oct 20 11:19:13 NETWORK-5-RENEW-INTERFACE-IP Renewed the interface IP on ethernet link [eth1] status move to up and running state
Oct 20 11:15:49 NETWORK-5-RENEW-INTERFACE-IP Renewed the interface IP on ethernet link [eth1] status move to up and running state
Oct 20 11:15:37 NETWORK-5-RENEW-INTERFACE-IP Renewed the interface IP on ethernet link [eth1] status move to up and running state
Oct 20 11:13:25 NETWORK-5-RENEW-INTERFACE-IP Renewed the interface IP on ethernet link [eth1] status move to up and running state
Oct 20 11:13:13 NETWORK-5-RENEW-INTERFACE-IP Renewed the interface IP on ethernet link [eth1] status move to up and running state
Oct 20 11:12:11 NETWORK-5-RENEW-INTERFACE-IP Renewed the interface IP on ethernet link [eth1] status move to up and running state
Oct 20 11:12:06 NETWORK-5-RENEW-INTERFACE-IP Renewed the interface IP on ethernet link [eth2] status move to up and running state
Oct 20 11:11:28 NETWORK-5-RENEW-INTERFACE-IP Renewed the interface IP on ethernet link [eth2] status move to up and running state
Oct 20 11:11:23 NETWORK-5-RENEW-INTERFACE-IP Renewed the interface IP on ethernet link [eth2] status move to up and running state
Oct 20 11:10:11 NETWORK-5-RENEW-INTERFACE-IP Renewed the interface IP on ethernet link [eth2] status move to up and running state
Oct 20 11:09:55 NETWORK-5-RENEW-INTERFACE-IP Renewed the interface IP on ethernet link [eth2] status move to up and running state
Oct 20 11:09:53 WIFI-6-CLIENT-AUTH-SUCCESS Authentication success for client[84-EF-18-B1-4C-48] IP [0.0.0.0] User [anonymous@unizd.hr] SSID [eduroam]
Oct 20 11:09:53 WIFI-6-CLIENT-RADIUS-AUTH-SUCCESS RADIUS authentication success for client [84-EF-18-B1-4C-48] on wireless lan [eduroam]
Oct 20 11:09:53 WIFI-6-CLIENT-CONNECTED Client [84-EF-18-B1-4C-48] connected to wireless lan [eduroam]
Please advise, 100 APs are waiting for installation and this is a show stopper!!!
Hi Mixig,
In your config I can see MAC auth is not enabled; can you please enable MAC auth and confirm the observation? Here is the snapshot of the MAC auth feature enabled case.
Hi,
I can try that, but why would I enable that feature? Each student has a unique AAI credential (username@domain.xyz and password) and that parameter is checked on the RADIUS server; there is nothing about MAC address authentication on the RADIUS server.
The second option, if I understand correctly, will allow all MAC-auth-failed users to connect to the native VLAN; I don't want that.
What I want is for the AP to send credentials to RADIUS in the same way as the cnMatrix switch.
cnPilot APs don't have the capability on the Ethernet port to do 802.1X authentication for validating user credentials, similar to a wireless user on the WLAN / SSID side.
Based on that answer, I can conclude that cnPilot models (in this case e425 / e430) are not able to replace (correct me if I am wrong) devices that are more than 8 years old (WiFi 4 and 100 Mbps eth port) and still have the ability for dot1x authentication (RADIUS) via the WLAN and Ethernet interfaces (in this case username / password credentials), and that cnPilot APs are technically insufficient in the true sense at this time for the eduroam network that is present worldwide?
Thank you. If my understanding is correct, the AP has to do wired authentication for laptops / desktops connecting to the wired port of the AP.
Can you help us clarify the few points below:
The wired hosts (laptops / desktops) do username- and password-based authentication (possibly also using a certificate) with an external AAA.
There is the possibility that more than one wired host can be connected to an AP Ethernet port; in this case, the AP has to do 802.1X authentication for each wired host.
Each host is identified based on MAC, and the data-ready state is decided based on the 802.1X authentication results.
Why do we still see the use case of wired port usage when a Wi-Fi interface is common on most end-user devices?