How do I authenticate and authorize an Aerohive AP to a switchport via 802.1X

Updated 5 years ago
I have the ability to force devices physically connecting to my switchports to authenticate themselves to our external store. Wondering if I have to use MAB with the Ethernet MAC or if the Aerohive AP has a supplicant profile I can fill in with username and passwd.

Cheers
Andrew

Andrew MacTaggart, Champ


Posted 5 years ago


Nick Lowe, Official Rep

You cannot today as the functionality to do this is missing. I have already suggested this as an idea.

Regards,

Nick

http://community.aerohive.com/aerohive/topics/implement_and_offer_802_1x_supplicant_for_the_wired_interfaces

Brian Ambler

Hi Andrew,

Nick is absolutely correct, our APs do not currently have the capability to perform wired 802.1X auth. The APs do support MAC authentication (both PAP and MS-CHAPv2) using their Eth0 or Eth1 MAC address without delimiters as the username/password.

As I'm sure Nick would agree, MAC Authentication is an inferior authentication method when compared to 802.1X. However, if it is absolutely critical that you have some sort of RADIUS gatekeeper on your switchports, it would be an option that the APs currently support.

Hope this helps.
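The MAC-authentication fallback Brian describes, as an added example (not Aerohive's code and not part of the original thread): a small Python helper that normalises an AP's Eth0 MAC into the delimiter-free form the AP presents, emits a FreeRADIUS-style `users` entry with that MAC as both the username and the `Cleartext-Password` (cleartext is what lets one entry answer both PAP and MS-CHAPv2), and mimics the server-side lookup so that a switch sending the MAC with delimiters still matches. The FreeRADIUS `users` file format is assumed as the external store; the sample MAC addresses are constructed and use locally-administered addresses rather than a real vendor OUI.

```python
"""Build MAB (MAC authentication bypass) credentials for an AP's wired MAC.

Added example, not Aerohive code. Assumes a FreeRADIUS-style 'users' file
as the RADIUS store and that the AP sends its delimiter-free Eth0/Eth1 MAC
as both User-Name and User-Password, as described in the thread.
"""
import re

# Accepted input notations. Each hex group must be complete so that junk
# such as "0019770a1b2cXYZ" is rejected instead of being silently stripped
# down to something that merely looks like a MAC.
_MAC_FORMS = (
    re.compile(r"^[0-9a-fA-F]{2}(?:[:-][0-9a-fA-F]{2}){5}$"),  # aa:bb:cc:dd:ee:ff or aa-bb-...
    re.compile(r"^[0-9a-fA-F]{4}(?:\.[0-9a-fA-F]{4}){2}$"),    # aabb.ccdd.eeff (Cisco style)
    re.compile(r"^[0-9a-fA-F]{12}$"),                          # already delimiter-free
)

# Constructed sample inventory: one AP's Eth0 MAC written three ways plus a
# second AP. Locally-administered addresses (02:...), not a real vendor OUI.
SAMPLE_AP_MACS = [
    "02:1A:2B:3C:4D:5E",
    "021a.2b3c.4d5e",
    "02-1a-2b-3c-4d-5e",
    "02:1a:2b:3c:4d:5f",
]


def is_valid_mac(mac: str) -> bool:
    """True if the string is a 48-bit MAC in one of the accepted notations."""
    return any(form.match(mac.strip()) for form in _MAC_FORMS)


def normalize_mac(mac: str) -> str:
    """Return the MAC as 12 lowercase hex digits with no delimiters."""
    if not is_valid_mac(mac):
        raise ValueError(f"not a recognised MAC address: {mac!r}")
    return re.sub(r"[:.-]", "", mac.strip()).lower()


def mab_credentials(mac: str) -> tuple[str, str]:
    """User-Name and User-Password the AP presents: both are the bare MAC.

    This is why MAB is weaker than 802.1X: the 'secret' is printed on the
    AP's label and visible in the switch's MAC table to anyone on the LAN.
    """
    bare = normalize_mac(mac)
    return bare, bare


def build_mab_table(macs) -> dict[str, str]:
    """Map bare MAC -> cleartext password, de-duplicating notational variants."""
    table: dict[str, str] = {}
    for mac in macs:
        user, password = mab_credentials(mac)
        table.setdefault(user, password)
    return table


def render_users_file(table: dict[str, str]) -> str:
    """Render FreeRADIUS 'users' entries for the table.

    Cleartext-Password is used because MS-CHAPv2 can only be verified against
    a cleartext (or NT-hashed) password; a crypt/SSHA hash would serve PAP
    but break MS-CHAPv2.
    """
    return "".join(f'{user}\tCleartext-Password := "{pw}"\n' for user, pw in table.items())


def authorize_mab(table: dict[str, str], user_name: str, user_password: str) -> bool:
    """Mimic the server-side check: normalise the User-Name the switch sent
    (switches differ in delimiter style), then require the password to match.
    """
    if not is_valid_mac(user_name):
        return False
    expected = table.get(normalize_mac(user_name))
    return expected is not None and expected == user_password


if __name__ == "__main__":
    mab_table = build_mab_table(SAMPLE_AP_MACS)
    print(render_users_file(mab_table), end="")
    print(authorize_mab(mab_table, "02:1A:2B:3C:4D:5E", "021a2b3c4d5e"))  # True
    print(authorize_mab(mab_table, "021a2b3c4d5e", "wrong"))             # False
```

The table holds only two entries although four MACs are listed, because three of them are the same address in different notations; the same normalisation is what lets the lookup succeed when the switch sends `02:1A:2B:3C:4D:5E` rather than the bare form in the entry.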

Andrew MacTaggart, Champ

Thanks for the info.

A supplicant would be nice, but I suppose MAB will have to do for now.

Cheers
A

Andrew MacTaggart, Champ

Hi again

I had some time to think about this. Not sure that 802.1X or MAB will work on switch ports, unless you have the AP authenticate and then allow all other devices access after the AP successfully authenticates. Since I have other APs that have a controller, there is only one MAC address on the port since the AP tunnels back to the controller, but with the Aerohive AP all the client MAC addresses show up in the CAM for the port.

So this would be a multi-host situation, which would require one host to authenticate and then the others would be allowed through. Not an ideal situation.

Cheers
A

Nick Lowe, Official Rep

This all depends on how the switch operates and how granular the configuration of 802.1X is on the port. If the software running it is too lacking, of course it cannot work properly.

The key part here is that you are after securing the port, not caring about which MAC addresses subsequently use the port.

For example, on a Comware switch (HP/H3C/3Com), you can configure as follows:

"port-security port-mode userlogin

In this mode, a port performs 802.1X authentication and implements port-based access control.

If one 802.1X user passes authentication, all the other 802.1X users of the port can access the network without authentication."

Separation of concerns applies here: the AP is responsible for authenticating clients under its auspices. The switch merely cares that its port has been authenticated to via 802.1X and not about the traffic that subsequently flows over it.

Nick