AP Device as an 802.1X Client
When an 802.1X (supplicant) device is connected to a Unified Network Port (UNP) port on which 802.1X authentication is enabled, the switch will attempt to authenticate the device using 802.1X EAP frames. If after a configurable amount of time the device does not respond to the EAP frames sent by the switch, the device is identified as a non-802.1X (non-supplicant) device and undergoes MAC address authentication.
When a Stellar AP is connected to an OmniSwitch UNP port on which AP Mode and 802.1X authentication are enabled, the switch starts to send EAP frames to the AP device. If the AP device does not respond to the EAP frames, the switch identifies the AP as a non-supplicant and attempts to authenticate the AP with other methods. To ensure that the switch identifies the AP device as a supplicant (802.1X client), enable 802.1X functionality for the Provisioning Configuration associated with the AP Group to which the AP belongs, and specify an 802.1X client certificate to install on the APs in the group. A built-in 802.1X client certificate is provided by default, or you can generate and upload a custom client certificate.
Notes:
OAW-AP1101 does not support the AP 802.1X client feature due to low flash size. All other APs, including other low-end APs (OAW-AP1201H, OAW-AP1201L, OAW-AP1201HL), support this feature.
When an AP is operating as an 802.1X client, the AP does not support untagged WLAN/SSID/client and cannot participate in a Mesh deployment.
802.1X Authentication Use Cases
The following use case examples document the steps for configuring 802.1X authentication for the AP.
OmniVista UPAM 802.1X Server with Built-In Certificate on the AP
1. Enable 802.1X Supplicant functionality for the AP Group.
2. Select the Built-In Certificate from the drop-down menu.
OmniVista UPAM 802.1X Server with a Custom Client Certificate on the AP
1. Generate the client certificate (Cert, Private Key, CA cert) externally.
2. Import the client certificate into the UPAM database in OmniVista.
   a. Import the client certificate from the Wireless - Certificate screen and assign the certificate a name.
3. Push the custom client certificate to the APs.
   a. Enable 802.1X Supplicant functionality for the AP Group.
   b. Select the custom certificate name that was imported in Step 2(a).
Use an External RADIUS 802.1X Server with Built-In Certificate on the AP
1. This is the CA used to validate the AP as an 802.1X client. Import this CA into the external RADIUS server.
2. Push the built-in certificate to the APs.
   a. Enable 802.1X Supplicant functionality for the AP Group.
   b. Select the Built-In Certificate.
Use an External RADIUS 802.1X Server with a Custom Client Certificate on the AP
1. Generate the client certificate (Cert, Private Key, CA cert) externally.
2. Import the client CA certificate into the external RADIUS server database so the RADIUS server will trust the AP.
3. Push the custom client certificate to the APs.
   a. Import the client certificate from the Wireless - Certificate screen and assign the certificate a name.
   b. Enable 802.1X Supplicant functionality for the Provisioning Configuration associated with the AP Group.
   c. Select the custom certificate name that was imported in Step 3(a).
802.1X Authentication with Username (AP MAC Address)
An 802.1X (supplicant) AP device can undergo certificate-based (see the use cases above) or username-based 802.1X authentication. For username-based authentication, a user account whose username and password are both the AP MAC address is configured in the UPAM database. When the MAC address of the AP attempting to authenticate matches that configured username/password, UPAM returns a UNP profile/VLAN ID to the switch. This is typically used to assign a different VLAN to the AP based on the authentication result.
Note that when configuring username-based 802.1X authentication, the 802.1X Supplicant option for the Provisioning Configuration associated with the AP Group should be set to "Disabled", and Secure Mode should be enabled on the switch port. This ensures that the switch learns the AP MAC address and performs the 802.1X authentication according to the configuration (Access Auth Profile) on the switch.
AP Security Recommendations
Do not rely on the Default Client Certificate on APs and the Default Server Certificate on UPAM. It is recommended that you install Custom Client Certificates on APs/AP Groups and a Custom Server Certificate on UPAM for improved security.
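The custom client certificate set (CA cert, client cert, private key) that the use cases above say to "generate externally" can be produced and sanity-checked with openssl before it is imported into UPAM or the external RADIUS server. The script below is an added example, not part of the OmniVista documentation; subject names, file names and the output directory are assumptions.

```shell
#!/bin/sh
# Added example (not from the OmniVista documentation): build a private CA and an
# EAP-TLS client certificate for Stellar APs, then check the set before upload.
# The CA subject, client subject and file names are assumptions.
set -e

# Generate the CA and the AP client certificate/key into directory $1.
make_ap_client_cert() {
    dir="$1"; mkdir -p "$dir"
    # Private CA. ca.crt is the "CA cert" you import into UPAM or the
    # external RADIUS server so that it trusts the AP.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Example AP Client CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # AP client private key and certificate signing request.
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=stellar-ap-client" \
        -keyout "$dir/ap.key" -out "$dir/ap.csr" 2>/dev/null
    # Sign the CSR with the CA. EAP-TLS clients need the clientAuth EKU.
    printf 'extendedKeyUsage=clientAuth\nkeyUsage=digitalSignature,keyEncipherment\n' \
        > "$dir/ap.ext"
    openssl x509 -req -sha256 -days 825 -in "$dir/ap.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/ap.ext" -out "$dir/ap.crt" 2>/dev/null
}

# Pre-upload checks: the client cert chains to the CA and is valid for client
# use, the private key matches the cert, and the clientAuth EKU is present.
# Returns 0 when all checks pass, 1 otherwise.
verify_ap_client_cert() {
    dir="$1"
    openssl verify -CAfile "$dir/ca.crt" -purpose sslclient "$dir/ap.crt" \
        >/dev/null 2>&1 || return 1
    cert_pub=$(openssl x509 -in "$dir/ap.crt" -pubkey -noout)
    key_pub=$(openssl pkey -in "$dir/ap.key" -pubout)
    [ "$cert_pub" = "$key_pub" ] || return 1
    openssl x509 -in "$dir/ap.crt" -noout -text \
        | grep -q 'TLS Web Client Authentication' || return 1
}
```

Run make_ap_client_cert followed by verify_ap_client_cert on the same directory; import ca.crt on the server side and ap.crt plus ap.key through the Wireless - Certificate screen.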
It is recommended that you set up an 802.1X Failure Policy on the switch port, depending on whether the AP (and its clients) should keep network connectivity when the AP fails 802.1X authentication, or be blocked from network access entirely when the AP fails 802.1X authentication.
To investigate 802.1X authentication failures where the AP is the client, check your RADIUS server's Authentication Records.