AP 802.1X Supplicant

Mist APs can authenticate to their uplink wired switch using 802.1X. Starting with the 0.14 firmware, Mist APs include an 802.1X supplicant to authenticate to the network; MAC auth works with any firmware version. For dot1x, the AP uses EAP-TLS to authenticate on the uplink switchport it is connected to. Three pieces of your network need appropriate configuration for this feature to work: the Mist UI, the edge switch, and your RADIUS server.

Deployment Considerations

While utilizing 802.1X for network access control at the edge increases security posture, it can also increase the friction to deploy Mist APs.  There are a few strategies to deploy Mist APs with wired network access control.  With a little planning, you can still have a ZTP experience.

  • Pre-provision APs – let APs connect to the cloud before they are deployed so they receive their configuration, then deploy them into the field. This works, especially if your deployment workflow already includes a pre-provision step, but it would be tedious at scale.
  • The second, and preferred, method for deploying into an environment with 802.1X at the edge is to leverage a “guest” VLAN on the switch side. When a new AP boots up out of the box, it won’t have the 802.1X configuration or certificates. So use a guest VLAN that is completely locked down except for access to the Mist cloud. The AP can then connect to the cloud, receive its config, and download the correct AP firmware version (if required). Once it has the supplicant configuration, the AP will attempt to authenticate to the network, and RADIUS or DPC can be used to configure the correct VLANs on the port. Alternatively, a dot1x + MAC auth flow can be used.
  • Other deployment options include leveraging Dynamic Port Configuration for Mist managed switches, or using MAC auth only on the port instead of 802.1X.

Configuration in Mist

To enable the 802.1X supplicant on APs, enable the 802.1X Supplicant option under Ethernet Properties on the individual AP page or in Device Profiles. If you want to enable supplicant functionality on many APs, configuring it in a device profile is a great option. Note that AP firmware version 0.14.x or higher is required. You can apply the configuration before the AP is online, so that once the AP connects to the cloud for the first time it receives the supplicant configuration straight away.

You may also want to ensure auto upgrade in the site settings is set to a firmware version 0.14.x or higher, so that APs automatically upgrade to the version required for the supplicant feature.

Configuration on your Switch

On your switch, enable 802.1X authentication on the ports APs connect to. As mentioned previously, it is suggested to use a guest VLAN, server-reject VLAN, or MAC auth fallback with a default VLAN that allows AP connectivity to the Mist cloud, at least for the initial deployment of the site. This way APs can still ZTP to the cloud to receive the initial supplicant config and the necessary AP firmware version.

802.1X + Guest VLAN

For Mist managed switches, the configuration is simplified. Configure the RADIUS servers in your switch template, create your VLANs, and create a Port Profile with 802.1X and Guest Network enabled. Then apply the port profile to the desired ports on the switch, or use switch matching to apply it to specific switch models or roles.

Here’s an example port profile with 802.1X enabled as well as the Guest Network, which is used when a device does not attempt 802.1X auth, as happens with a new out-of-box AP before it connects to the cloud.

The flow would be:

  1. Configure 802.1X + Guest VLAN on the port
  2. Connect AP, it is placed in the Guest VLAN
  3. AP connects to cloud, downloads firmware if necessary, and receives supplicant configuration
  4. The AP will then automatically begin RADIUS authentication, and the switch will place the AP in the desired VLAN(s).

802.1X + MAC Auth

Alternatively, if you would like your RADIUS server to have full visibility and control, you can enable MAC auth on the wired port in addition to 802.1X and leverage a default or unknown-devices VLAN. In Mist, check both the Use dot1x authentication and MAC authentication boxes in the port profile.

The flow would be:

  1. Configure 802.1X + MAC auth on the port
  2. Connect the AP; the switch will perform MAC auth. RADIUS should return a default/unknown-device VLAN with access to the Mist Cloud.
  3. AP connects to cloud, downloads firmware if necessary, and receives supplicant configuration
  4. The AP will then automatically begin RADIUS 802.1X authentication, and the switch will place the AP in the desired VLAN(s).
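As an added example that is not part of this document (Mist managed switches get the same result from the port profile described above), here is what the two flows look like on a Junos switch configured by hand. The VLAN name, interface, RADIUS address and secret are placeholders. Use the guest-vlan line for the 802.1X + Guest VLAN flow, or the mac-radius line for the 802.1X + MAC auth flow, where RADIUS returns the onboarding VLAN for MACs it does not yet know; the lines starting with # are explanatory and are not Junos statements.

```junos
# Onboarding VLAN: locked down except for reachability to the Mist cloud (placeholder ID).
set vlans ap-onboard vlan-id 900
set vlans ap-onboard description "AP onboarding, Mist cloud reachability only"

# RADIUS server and access profile (placeholder address and secret).
set access radius-server 10.0.0.5 secret "REPLACE-WITH-SHARED-SECRET"
set access profile mist-aps authentication-order radius
set access profile mist-aps radius authentication-server 10.0.0.5
set protocols dot1x authenticator authentication-profile-name mist-aps

# One AP per port; the AP's EAP-TLS supplicant authenticates after it has its config.
set protocols dot1x authenticator interface ge-0/0/10.0 supplicant single
set protocols dot1x authenticator interface ge-0/0/10.0 reauthentication 3600

# Flow 1 (802.1X + Guest VLAN): a fresh AP sends no EAPoL, so it lands here.
set protocols dot1x authenticator interface ge-0/0/10.0 guest-vlan ap-onboard

# Flow 2 (802.1X + MAC auth): instead of guest-vlan, fall back to MAC RADIUS;
# RADIUS returns the onboarding VLAN for unknown MACs and the real VLANs after EAP-TLS.
# set protocols dot1x authenticator interface ge-0/0/10.0 mac-radius

# Optional: where a rejected supplicant is placed (e.g. Org CA not yet trusted on RADIUS).
set protocols dot1x authenticator interface ge-0/0/10.0 server-reject-vlan ap-onboard
```

The server-reject-vlan line is a safety net for the case the RADIUS section below warns about: until the Mist Org CA is imported on the RADIUS server, every AP's EAP-TLS attempt is rejected, and without it the AP would lose the cloud connectivity it needs to keep its configuration current.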

Assigning VLANs via RADIUS

Please note, if you use Mist Edge and tunnel all of your WLANs, then an AP connecting to a switch port configured as access will likely suffice. However, if you don’t use Mist Edge, or have WLANs with local traffic breakout, then you probably need the switch port to be a trunk. Most switch operating systems allow you to return multiple VLANs from RADIUS. For Junos, you can return either multiple Egress-VLANID or Egress-VLAN-Name attributes.

Here’s an example pulled from this document

For Egress-VLAN-Name:

  • 1 = tagged
  • 2 = untagged
  • vlan-2 and vlan-3 are the VLAN names on the switch

In the example below, vlan-2 is returned tagged (1vlan-2) and vlan-3 is returned untagged (2vlan-3):

       001094001144 Cleartext-Password := "001094001144"
             Tunnel-Type = VLAN,
             Tunnel-Medium-Type = IEEE-802,
             Egress-VLAN-Name += 1vlan-2,
             Egress-VLAN-Name += 2vlan-3,
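The encoding rule above comes from RFC 4675, which also defines the numeric Egress-VLANID form the text mentions. The following added example (not code from this document, Mist or Juniper) encodes and decodes both attribute forms, renders a users-file entry like the one above, and parses the egress VLANs back out of such an entry so you can verify what a server is configured to return. The MAC, VLAN names and VLAN IDs are constructed; vlan-2 and vlan-3 are simply the names used in the document's example.

```python
"""Encode/decode RFC 4675 egress-VLAN RADIUS attributes as accepted by Junos.

Added example, not from the Mist document or Juniper. Sample values are constructed.
"""
from __future__ import annotations

import re

TAGGED, UNTAGGED = "1", "2"          # Egress-VLAN-Name tag-indication characters
TAGGED_ID, UNTAGGED_ID = 0x31, 0x32  # Egress-VLANID tag-indication byte


def egress_vlan_name(name: str, tagged: bool) -> str:
    """Egress-VLAN-Name: one tag-indication character followed by the VLAN name."""
    return (TAGGED if tagged else UNTAGGED) + name


def decode_egress_vlan_name(value: str) -> tuple[str, bool]:
    """Inverse of egress_vlan_name(); returns (vlan_name, tagged)."""
    if len(value) < 2 or value[0] not in (TAGGED, UNTAGGED):
        raise ValueError(f"bad Egress-VLAN-Name tag indication: {value!r}")
    return value[1:], value[0] == TAGGED


def egress_vlanid(vlan_id: int, tagged: bool) -> int:
    """Egress-VLANID: tag byte (0x31/0x32) in the top octet, 12 zero pad bits,
    then the 12-bit VLAN ID, e.g. tagged VLAN 10 -> 0x3100000A."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError(f"VLAN ID out of range: {vlan_id}")
    return ((TAGGED_ID if tagged else UNTAGGED_ID) << 24) | vlan_id


def decode_egress_vlanid(value: int) -> tuple[int, bool]:
    """Inverse of egress_vlanid(); rejects unknown tag bytes and non-zero padding."""
    tag = value >> 24
    if tag not in (TAGGED_ID, UNTAGGED_ID) or (value >> 12) & 0xFFF:
        raise ValueError(f"malformed Egress-VLANID 0x{value:08x}")
    return value & 0xFFF, tag == TAGGED_ID


def users_entry(mac: str, vlans: list[tuple[str, bool]]) -> str:
    """Render a FreeRADIUS users-file entry in the style shown in the document:
    MAC-auth style (MAC as both username and cleartext password) that returns
    the given (vlan_name, tagged) pairs as Egress-VLAN-Name values."""
    lines = [
        f'{mac} Cleartext-Password := "{mac}"',
        "    Tunnel-Type = VLAN,",
        "    Tunnel-Medium-Type = IEEE-802,",
    ]
    lines += [f"    Egress-VLAN-Name += {egress_vlan_name(n, t)}," for n, t in vlans]
    return "\n".join(lines)


# Matches "Egress-VLAN-Name += 1vlan-2," and the "=" form, with or without a trailing comma.
_EGRESS_LINE = re.compile(r"^\s*Egress-VLAN-Name\s*\+?=\s*(\S+?),?\s*$", re.M)


def parse_egress_vlans(entry: str) -> dict[str, bool]:
    """Extract the egress VLANs from a users-file entry as {vlan_name: tagged},
    useful for checking what a reply will actually ask the switch to do."""
    return dict(decode_egress_vlan_name(m.group(1)) for m in _EGRESS_LINE.finditer(entry))


if __name__ == "__main__":
    entry = users_entry("001094001144", [("vlan-2", True), ("vlan-3", False)])
    print(entry)
    print(parse_egress_vlans(entry))
    print(hex(egress_vlanid(10, True)))
```

Because the switch port ends up as a trunk carrying exactly the VLANs returned, treating the reply as data you can decode and review (rather than a string you copy) is the simplest way to catch a tag/untag mix-up before an AP is placed on the wrong network.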

Assigning VLANs via DPC

Another option for placing the authenticated AP in the correct VLANs/port profile is to leverage Mist Dynamic Port Configuration (DPC). You follow one of the two RADIUS auth options above (802.1X + Guest Network, 802.1X + MAC auth), but once the AP is authenticated, RADIUS returns a pre-defined Filter-ID to trigger DPC. For example, here is a DPC rule that could be used:

RADIUS Server Configuration

On your RADIUS server, you will need to add your Mist org certificate, which can be found under Organization->Settings. Mist by default generates a unique CA certificate per Organization. You add this certificate to your RADIUS server to validate the certificate the Mist AP presents. For 802.1X supplicant authentication, the APs use a Mist-generated unique per-AP certificate signed by your Org CA certificate. Mist handles certificate creation and lifecycle.

On Cisco ISE, for example, you can import the certificate into the certificate store and trust it for client authentication. To import a certificate into ISE, navigate to Administration->System->Certificates->Certificate Management->Trusted Certificates->Import.

Here are example fields that will be presented to your RADIUS server from the AP’s certificate. Note the username/identity follows the format MistAP-<ap_mac>.

    {
        "cert_serial": "01",
        "auth_type": "802.1X",
        "nas_vendor": "Mist",
        "eap_type": "EAP-TLS",
        "cert_issuer": "/C=US/O=Mist/OU=OrgCA/CN=d3280c38-e446-4bed-bd2d-f7fa52f1b3a2",
        "cert_cn": "ac2316fc0226",
        "cert_expiry": "2024-03-27T12:25:23Z",
        "cert_san_dns": [
            "ac2316fc0226"
        ],
        "username": "MistAP-ac-23-16-fc-02-26"
    }
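Trusting the Org CA tells the RADIUS server the certificate is genuine; it does not by itself tie the presented identity to that certificate or to your organization rather than another Mist tenant. The following added example (not Mist, FreeRADIUS or ISE code) shows the authorization checks a RADIUS policy can make over the fields above: issuer equals your Org CA, EAP type is EAP-TLS, the MAC in the MistAP-<ap_mac> username matches the certificate CN and SAN, and the certificate has not expired. SAMPLE_AUTH is the record from this document and its cert_issuer stands in for your own Org CA subject; the tampered record and the evaluation time are constructed.

```python
"""Authorization checks for the EAP-TLS identity a Mist AP presents to RADIUS.

Added example using the field names from the document; not vendor code.
"""
from __future__ import annotations

import re
from datetime import datetime, timezone

# The record shown in the document.
SAMPLE_AUTH = {
    "cert_serial": "01",
    "auth_type": "802.1X",
    "nas_vendor": "Mist",
    "eap_type": "EAP-TLS",
    "cert_issuer": "/C=US/O=Mist/OU=OrgCA/CN=d3280c38-e446-4bed-bd2d-f7fa52f1b3a2",
    "cert_cn": "ac2316fc0226",
    "cert_expiry": "2024-03-27T12:25:23Z",
    "cert_san_dns": ["ac2316fc0226"],
    "username": "MistAP-ac-23-16-fc-02-26",
}

# Identity format from the document: MistAP-<ap_mac>, MAC as dash-separated hex octets.
USERNAME_RE = re.compile(r"^MistAP-((?:[0-9a-f]{2}-){5}[0-9a-f]{2})$", re.I)


def utc(year: int, month: int, day: int) -> datetime:
    """Fixed evaluation time for reproducible checks (constructed helper)."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def mac_from_username(username: str) -> str | None:
    """Return the AP MAC without separators, or None if the identity is malformed."""
    m = USERNAME_RE.match(username)
    return m.group(1).replace("-", "").lower() if m else None


def check_ap_identity(record: dict, expected_issuer: str, now: datetime) -> list[str]:
    """Return policy findings; an empty list means the AP may be authorized.
    Each check binds the RADIUS identity to the certificate, so a valid cert
    cannot be paired with another AP's username or another tenant's CA."""
    findings: list[str] = []
    if record.get("eap_type") != "EAP-TLS":
        findings.append(f"unexpected EAP type {record.get('eap_type')!r}")
    if record.get("cert_issuer") != expected_issuer:
        findings.append("certificate not issued by this organization's Mist CA")
    cert_cn = str(record.get("cert_cn", "")).lower()
    mac = mac_from_username(record.get("username", ""))
    if mac is None:
        findings.append("username does not match MistAP-<ap_mac>")
    elif mac != cert_cn:
        findings.append("username MAC does not match certificate CN")
    if cert_cn not in [s.lower() for s in record.get("cert_san_dns", [])]:
        findings.append("certificate CN is not present in its SAN list")
    expiry = datetime.strptime(record["cert_expiry"], "%Y-%m-%dT%H:%M:%SZ")
    if expiry.replace(tzinfo=timezone.utc) <= now:
        findings.append(f"certificate expired at {record['cert_expiry']}")
    return findings


if __name__ == "__main__":
    when = utc(2023, 6, 1)
    org_ca = SAMPLE_AUTH["cert_issuer"]
    print(check_ap_identity(SAMPLE_AUTH, org_ca, when))
    # Constructed: a genuine certificate presented with a different AP's username.
    tampered = dict(SAMPLE_AUTH, username="MistAP-00-11-22-33-44-55")
    print(check_ap_identity(tampered, org_ca, when))
```

In ISE or FreeRADIUS these are expressed as authorization conditions on the certificate issuer, the certificate CN/SAN and the outer identity; the point of spelling them out is that the issuer check is what keeps another Mist organization's APs out of your network, since every tenant's AP certificates chain to a Mist-issued Org CA.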