Knowledge Search


×
 

[WLC] How to use Wireless Controller for MAC and dot1x authentication

  [KB33980] Show Article Properties


Summary:

This article explains how to use Wireless Controller (WLC) for MAC + dot1x authentication.

Solution:
  1. Create a service-profile and configure the auth-fallthru as none.

    set service-profile dmac ssid-name dmac
    set service-profile dmac wpa-ie auth-dot1x disable
    set service-profile dmac rsn-ie cipher-ccmp enable
    set service-profile dmac rsn-ie enable
    set service-profile dmac attr vlan-name default
  2. Create a radio-profile, then associate service-profile to radio-profile.

     set radio-profile default service-profile dmac
  3. Create authentication rule as indicated below:

    1. Configure dot1x as peap-mschapv2 local and map SSID.

      set authentication dot1x ssid dmac * peap-mschapv2 local
    2. Configure MAC group and map SSID.

      set mac-usergroup dm attr vlan-name default
      set mac-usergroup dm attr ssid dmac
    3. Add client devices to MAC-group

      set mac-user <mac-id-of-client> group dm
      set mac-user <mac-id-of-client> attr vlan-name default
  4. Create AAA profile and map mac authentication and dot1x authentication

    set aaa-profile dma
    set aaa-profile dma mac local
    set aaa-profile dma dot1x peap-mschapv2 local
  5. Map SSID to AAA profile

     set authentication profile ssid dmac dma
  6. Create Local user on the controller and map it to SSID

    set user test password <password>
    set user test attr ssid dmac


To verify, use the following command:

WLC# show session
 
1 sessions total
 
User Name     SessID  Type  Address           VLAN         AP/Rdo
------------- ------  ----- ----------------- -----------  -------
test           57*    prof  10.9.221.212,V6   default      9999/1
 
Related Links: