CommScope RUCKUS Community Forums

jeff_tillison · ‎10-15-2019

Goal --> implement 802.1x configuration on ICX Switches/WLAN to support 802.1x Authentication for SmartZone WLAN users.

Currently, users are directed to WebAuth Page where login credentials are Authenticated by RADIUS.

Need to ensure proper configurations are applied and VLANs are available on ICXs/WLAN for initial login and Authenticated user connections

tim_brumbaugh · ‎10-15-2019

Couple of questions? Are you wanting to do 802.1x auth on the ICX and on your WLAN's?

jeff_tillison · ‎10-16-2019

Tim,

Currently utilizing NPS to perform RADIUS Auth for ICXs and RADIUS works with WLAN WebAuth.
Trying to get 802.1x Auth working for WLANs

tim_brumbaugh · ‎10-16-2019

Very common thing to setup. Since you are using NPS you should have a handle on that except that depending on how you configure it each radio is a client or the controller is the client in NPS. We usually add each radio or the subnet that the radios are on for management as the client.

Image_ images_messages_5f91c487135b77e247ad45e5_06729e90af660222beb8bc67ba2057e2_RackMultipart2019101692156d7nx-2f0e5902-83f1-45a6-87e7-3b8a4fc0fb07-256222393.JPG1571263131

Then create a connection request policy. Overview tab is a name and the rest default then the conditions tab is as follows.

Image_ images_messages_5f91c487135b77e247ad45e5_71026f8130fe2e36b6396133257ebb5e_RackMultipart20191016507927ev6-86d551c4-9c87-40d2-8671-b0e69bef2412-1836310709.JPG1571263169

The settings tab is default except for the authentication methods.

Image_ images_messages_5f91c487135b77e247ad45e5_9d73e21b2d813927fd0fb1795263ec25_RackMultipart2019101631164rjcc-2d0f2ffd-a351-4d87-a906-537cdcf8e478-1098178021.JPG1571263266

If you edit the EAP type then you can select the certificate to use.

Image_ images_messages_5f91c487135b77e247ad45e5_0785cb2dc2e6f0cefc8b2e34942afae6_RackMultipart20191016460661s8n-5db75c3f-7a9a-4365-a99c-95444e3134ed-917929179.JPG1571263390

On the VSC or SZ controller it looks like this. Create a Radius Server Connection under Services/Profiles/authentication.

Image_ images_messages_5f91c487135b77e247ad45e5_fe2beb718bd4a44687f34730d3d889a4_RackMultipart20191016189341lr8-39d244b6-3b85-4566-8d2d-dff26b7f7036-1330382334.JPG1571263630

Create a WLAN that uses 802.1x. The picture in this one is named cloupath but disregard as it is one I use for testing lots of different things.

Image_ images_messages_5f91c487135b77e247ad45e5_8d36aa32896e8406acb93c6be06ee294_RackMultipart2019101649234ke9d-b808cbe8-1ffd-4f45-b4d5-c7b103b640e5-506265888.JPG1571263843

You have to watch your logs on the NAP server to see what might be happening if the clients are not able to connect. If the NAP log shows nothing it might have to be enabled.
auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable
Sometimes the local policy has issues and it can be found here to enable the NAP logging.
The success/failure setting can be found at Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> Audit Policies -> Logon/Logoff -> Audit Network Policy Server.

tim_brumbaugh · ‎10-16-2019

Here is a youtube from Ruckus that covers it on a ZD and 2012R2 NAP.
https://www.youtube.com/watch?v=QlL777qF95s

jeff_tillison · ‎10-18-2019

Thank you Tim B. Just now seeing your Post -

CommScope RUCKUS Community Forums

What is best resource for steps to implement 802.1x on ICX7450 and SmartZone WLAN