802.1X Authentication Profile
The Unified Profile 802.1X Authentication Profile Screen displays all configured Wireless 802.1X Authentication Profiles and is used to create, clone, edit, and delete 802.1X Authentication Profiles. An 802.1X Profile can be created and included in an Access Authentication Profile that can be assigned to wireless devices on the network.
802.1X is an Institute of Electrical and Electronics Engineers (IEEE) standard that provides an authentication framework for WLANs. 802.1X uses the Extensible Authentication Protocol (EAP) to exchange messages during the authentication process. The authentication protocols that operate inside the 802.1X framework that are suitable for wireless networks include EAP-Transport Layer Security (EAP-TLS), Protected EAP (PEAP), and EAP-Tunneled TLS (EAP-TTLS). These protocols allow the network to authenticate the client while also allowing the client to authenticate the network. 802.1X authentication consists of three components:
- Client - The device attempting to gain access to the network.
- Authenticator - The gatekeeper to the network that permits or denies access to the clients. The wireless controller acts as the authenticator, relaying information between the authentication server and the client. Note that the EAP type must be consistent between the authentication server and supplicant, and is transparent to the controller.
- Authentication Server - Provides a database of information required for authentication, and informs the Authenticator to deny or permit access to the client. The 802.1X authentication server is typically an EAP-compliant Remote Access Dial-In User Service (RADIUS) Server which can authenticate either users (through passwords or certificates) or the client computer.
Creating an 802.1X Authentication Profile
Click on the Create icon and enter a Profile Name. Configure the Profile as described below, then click on the Create button.
Settings
Complete the fields below to configure the basic settings for the profile.
- Max Authentication Failures - The number of times a user can try to log in with the wrong credentials after which the user is blocklisted as a security threat. Set to 0 to disable blocklisting, otherwise enter a non-zero integer to blocklist the user after the specified number of failures. (Range = 0 - 5, Default = 0)
- Reauthentication - Enables/Disables re-authentication. If enabled, the client must perform an 802.1X re-authentication after the expiration of the default timer for re-authentication (default value of the timer is 24 hours). If the user fails to re-authenticate with valid credentials, the state of the user is cleared. If derivation rules are used to classify 802.1X-authenticated users, the re-authentication timer per role overrides this setting. (Default = Disabled)
- Max Reauthentication Attempts - The number of times a user can try to re-authenticate. (Range = 1 - 10, Default = 3)
- Termination - Enables/Disables 802.1X authentication termination on the controller. (Default = Disabled)
- Termination EAP-Type - If you enable termination, click either EAP-PEAP or EAP-TLS to select an Extensible Authentication Protocol (EAP) method.
- Termination Inner EAP-Type - If you use EAP-PEAP as the EAP method, select one of the following inner EAP types:
  - EAP-GTC - Described in RFC 2284, this EAP method permits the transfer of unencrypted usernames and passwords from client to server. The main uses for EAP-GTC are one-time token cards such as SecurID and the use of LDAP or RADIUS as the user authentication server. You can also enable caching of user credentials on the controller as a backup to an external authentication server.
  - EAP-MSCHAPv2 - Described in RFC 2759, this EAP method is widely supported by Microsoft clients.
- Enforce Machine Authentication - Enables/Disables Machine Authentication. If enabled, machine authentication is enforced before user authentication, and either the machine-default-role or the user-default-role is assigned to the user, depending on which authentication is successful. (Default = Disabled)
- Default Machine Role - The default role (Access Role Profile) assigned to the user after completing only machine authentication. Select an Access Role Profile from the drop-down menu or click on the Add icon to go to the Access Role Profile Screen and create a new one. The default role for this setting is the "guest" role.
- Default User Role - The default role (Access Role Profile) assigned to the user after 802.1X authentication. Select an Access Role Profile from the drop-down menu or click on the Add icon to go to the Access Role Profile Screen and create a new one. The default role for this setting is the "guest" role.
Instant Access Authentication Settings
Complete the fields below to configure RADIUS accounting settings for the profile.
- Radius Accounting Mode - The RADIUS Accounting Mode (User Authentication/User Association).
Cloning an 802.1X Authentication Profile
To save time in creating an 802.1X Authentication Profile, you can copy and modify an existing profile. Select the profile you want to copy and click on the Clone button. Enter a Profile Name, configure the settings you want to change, then click on the Copy button to save the changes to the server.
Editing an 802.1X Authentication Profile
Select the Profile in the 802.1X Authentication Profile Screen and click on the Edit icon to bring up the Edit Access 802.1X Authentication Profile Screen. Edit the fields as described above then click on the Save button to save the changes to the server. Note that you cannot edit the profile name. To edit the name, copy the profile and configure a new name.
Deleting an 802.1X Authentication Profile
To delete a profile(s), select the Profile(s) in the table and click on the Delete icon, then click OK at the confirmation prompt. If the profile is associated with an Access Authentication Profile, you will be presented with a warning prompt that you must remove the 802.1X Authentication Profile(s) from the Access Authentication Profile before it can be deleted. Remove the 802.1X Authentication Profile(s) from the Access Authentication Profile, and then delete the profile(s).