802.1x Wired Authentication on Cambium Wi-Fi 6 Access Points

802.1x Wired Authentication is an IEEE standard that enhances the security of wired networks by providing port-based network access control. It ensures that only authorized users and devices can connect to the network, preventing unauthorized access and potential security breaches.

The Ethernet ports on the Cambium Access Points support 802.1x authentication, which will enhance the network security features of the Access Points.

Two modes are supported by this feature:

Single-host: When single-host is enabled, only one wired client is allowed to authenticate on the AP’s Ethernet port. If multiple clients are connected to a single-host port through a hub or an unmanaged switch, the first client is authenticated and the other clients do not get connectivity.

Multi-auth: When multi-auth is enabled, multiple clients are allowed to authenticate. All the clients need to complete the authentication process to gain connectivity.

Note: The multi-auth feature in the Cambium Access Point is currently in beta, so it may not behave as expected or function as intended.

The AP assigns the VLAN received from the RADIUS server when single-host or multi-auth is enabled. If the RADIUS server doesn’t send a VLAN as part of the client authentication, the client is placed in the VLAN configured on the Ethernet port.

In the multi-auth scenario, all the clients connected to the AP Ethernet port are assigned the same VLAN (which is determined when the first client is connected). By default, when the feature is enabled, single-host is enabled.

Note:

  • Accounting is supported only for a single host.
  • CoA support is not added for wired 802.1x.

Configuration:

XV2-22H-E53DE2(config)# interface eth 2
XV2-22H-E53DE2(config-eth-2)# dot1x-authentication single-host
XV2-22H-E53DE2(config-eth-2)# exit
XV2-22H-E53DE2(config)#
XV2-22H-E53DE2(config)# interface eth 3
XV2-22H-E53DE2(config-eth-3)# dot1x-authentication multi-auth
XV2-22H-E53DE2(config-eth-3)# exit
XV2-22H-E53DE2(config)#

In the above configuration, the Ethernet 2 interface is configured for single-host dot1x authentication, and the Ethernet 3 interface is configured for multi-auth dot1x authentication.

Single-host: Enable 802.1x RADIUS authentication for only one wired client on this port.*
Multi-auth: Enable 802.1x RADIUS authentication for all wired clients on this port.*

To add the RADIUS server configuration, use the following commands:

XV2-22H-E53DE2(config)#
XV2-22H-E53DE2(config)# interface eth 2
XV2-22H-E53DE2(config-eth-2)# radius-server authentication host 1 <Hostname | IP Address>
XV2-22H-E53DE2(config-eth-2)# radius-server authentication secret 1 <Password>
XV2-22H-E53DE2(config-eth-2)# exit
XV2-22H-E53DE2(config)# save
[Config Save OK]
XV2-22H-E53DE2(config)#

*Apply the same commands to the other interfaces if you have multiple ports configured for Dot1x authentication.

To view the Dot1x configuration:

XV2-22H-E53DE2(config)# show config
!
interface eth 2
 switchport mode access
 switchport access vlan 1
 radius-server authentication host 1 X.XX.XXX.XX
 radius-server authentication secret 1 $crypt$1$0XiuxAk1AkColO5ccIChaMkmxX5vAGFR
 dot1x-authentication
 dot1x-authentication single-host
!
interface eth 3
 switchport mode access
 switchport access vlan 1
 radius-server authentication host 1 X.XX.XXX.XX
 radius-server authentication secret 1 $crypt$1$JOPuowZsgKJlQRdgSMamTX2SdRXilBJ6
 dot1x-authentication
 dot1x-authentication multi-auth
!
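
The following is an added example, not Cambium code or tooling: a Python check that parses saved show config output in the layout above and reports, for each Ethernet port, the 802.1x mode (single-host when no mode line is present, as it is the default), the port VLAN that applies when RADIUS returns none, and any missing RADIUS settings. The sample configuration, the 192.0.2.10 host, the placeholder secret and the audit_dot1x name are constructed for illustration.

```python
import re
# Constructed sample in the "show config" layout; host and secret are placeholders.
SAMPLE = """\
interface eth 1
 switchport access vlan 1
!
interface eth 2
 switchport access vlan 10
 radius-server authentication host 1 192.0.2.10
 radius-server authentication secret 1 $crypt$1$PLACEHOLDER
 dot1x-authentication
 dot1x-authentication single-host
!
interface eth 3
 switchport access vlan 1
 dot1x-authentication
 dot1x-authentication multi-auth
!
"""

def audit_dot1x(config_text):
    """Map each 'eth N' stanza to its 802.1x mode, port VLAN and findings."""
    stanzas, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"interface (eth \d+)", line)
        if header:
            current = stanzas.setdefault(header.group(1), [])
        elif line == "!":
            current = None          # "!" closes the stanza
        elif current is not None and line:
            current.append(line)
    report = {}
    for name, lines in stanzas.items():
        enabled = any(l.startswith("dot1x-authentication") for l in lines)
        multi = "dot1x-authentication multi-auth" in lines
        mode = None if not enabled else ("multi-auth" if multi else "single-host")
        vlan = next((int(l.split()[-1]) for l in lines if l.startswith("switchport access vlan ")), None)
        findings = []
        if not enabled:
            findings.append("802.1x not enabled on this port")
        else:
            for key in ("host", "secret"):
                if not any(l.startswith(f"radius-server authentication {key} ") for l in lines):
                    findings.append(f"no RADIUS authentication {key} configured")
            if multi:
                findings.append("multi-auth is beta; accounting covers single-host only")
        report[name] = {"mode": mode, "port_vlan": vlan, "findings": findings}
    return report
```

Calling audit_dot1x(SAMPLE) returns one entry per port; a port with an empty findings list has 802.1x enabled with both a RADIUS host and secret present.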

Packet capture:
