
[Archive] [WLC] How to use Wireless Controller for MAC and dot1x authentication


Article ID: KB33980 | KB Last Updated: 10 Oct 2020 | Version: 2.0
Summary:

This article explains how to use Wireless Controller (WLC) for MAC + dot1x authentication.

Solution:
  1. Create a service-profile and configure the auth-fallthru as none.

    set service-profile dmac ssid-name dmac
    set service-profile dmac wpa-ie auth-dot1x disable
    set service-profile dmac rsn-ie cipher-ccmp enable
    set service-profile dmac rsn-ie enable
    set service-profile dmac attr vlan-name default
  2. Create a radio-profile, then associate the service-profile with the radio-profile.

    set radio-profile default service-profile dmac
  3. Create the authentication rules as indicated below:

    1. Configure dot1x as peap-mschapv2 local and map SSID.

      set authentication dot1x ssid dmac * peap-mschapv2 local
    2. Configure a MAC group and map the SSID.

      set mac-usergroup dm attr vlan-name default
      set mac-usergroup dm attr ssid dmac
    3. Add client devices to the MAC group.

      set mac-user <mac-id-of-client> group dm
      set mac-user <mac-id-of-client> attr vlan-name default
  4. Create an AAA profile and map MAC authentication and dot1x authentication to it.

    set aaa-profile dma
    set aaa-profile dma mac local
    set aaa-profile dma dot1x peap-mschapv2 local
  5. Map the SSID to the AAA profile.

    set authentication profile ssid dmac dma
  6. Create a local user on the controller and map it to the SSID.

    set user test password <password>
    set user test attr ssid dmac
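
An offline check of the six steps above, added here as an example and not taken from Juniper's article: the Python below parses a saved list of `set` commands and reports any piece of the MAC + dot1x setup that is missing for an SSID. The `audit` function, the MAC address and the password value are constructed for illustration.

```python
# Constructed sample: the article's commands with a made-up MAC and password.
ARTICLE_CONFIG = """\
set service-profile dmac ssid-name dmac
set radio-profile default service-profile dmac
set authentication dot1x ssid dmac * peap-mschapv2 local
set mac-usergroup dm attr vlan-name default
set mac-usergroup dm attr ssid dmac
set mac-user 00:11:22:33:44:55 group dm
set aaa-profile dma
set aaa-profile dma mac local
set aaa-profile dma dot1x peap-mschapv2 local
set authentication profile ssid dmac dma
set user test password EXAMPLE-ONLY
set user test attr ssid dmac
"""


def audit(config, ssid):
    """Return a list of findings; empty means every piece from steps 1-6 is present."""
    cmds = [l.split()[1:] for l in config.splitlines() if l.split()[:1] == ["set"]]
    findings = []
    if not any(c[:1] == ["service-profile"] and c[2:] == ["ssid-name", ssid] for c in cmds):
        findings.append(f"no service-profile advertises SSID {ssid}")
    if not any(c[:4] == ["authentication", "dot1x", "ssid", ssid] for c in cmds):
        findings.append(f"no dot1x authentication rule for SSID {ssid}")
    # Step 5 maps the SSID to an AAA profile; step 4 says it must carry both methods.
    profiles = [c[4] for c in cmds
                if c[:4] == ["authentication", "profile", "ssid", ssid] and len(c) == 5]
    if not profiles:
        findings.append(f"SSID {ssid} is not mapped to an aaa-profile")
    for name in profiles:
        methods = {c[2] for c in cmds if c[:2] == ["aaa-profile", name] and len(c) > 2}
        findings += [f"aaa-profile {name} lacks {m} authentication"
                     for m in ("mac", "dot1x") if m not in methods]
    # Step 3: a MAC group bound to the SSID with at least one client in it.
    groups = {c[1] for c in cmds if c[:1] == ["mac-usergroup"] and c[2:] == ["attr", "ssid", ssid]}
    if not any(c[:1] == ["mac-user"] and c[2:3] == ["group"] and c[3:4] and c[3] in groups
               for c in cmds):
        findings.append(f"no mac-user belongs to a mac-usergroup bound to SSID {ssid}")
    # Step 6: a local user permitted on the SSID for the dot1x leg.
    if not any(c[:1] == ["user"] and c[2:] == ["attr", "ssid", ssid] for c in cmds):
        findings.append(f"no local user is mapped to SSID {ssid}")
    return findings


if __name__ == "__main__":
    print(audit(ARTICLE_CONFIG, "dmac") or "MAC + dot1x configuration is complete")
```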


To verify, use the following command:

    WLC# show session

    1 sessions total

    User Name     SessID  Type  Address           VLAN         AP/Rdo
    ------------- ------  ----- ----------------- -----------  -------
    test           57*    prof  10.9.221.212,V6   default      9999/1
 
Modification History:
2020-10-10: Archived article.
 