Following my previous ISE post on phone authentication using EAP-TLS, in this new post I’ll show you how to quickly configure the access points for 802.1x authentication. This requires some specific configuration:
- EAP-FAST must be enabled as an authentication protocol for the access points, in addition to EAP-TLS and PEAP-MS-CHAPv2.
- If the credentials are stored on the ISE servers, the internal group must be added to the sequence of internal groups checked during authentication.
- The authorization rule checks the user credentials, the authentication tunnel and endpoint profiling:
For this to work, the Identity Group must first be generated from the profiling policy:
- Create an internal identity group for the credentials the access points will use to authenticate:
- You can enable the 802.1x supplicant per AP or on a global basis. Add the credentials you configured in the previous step:
- Modify the protocol set and ensure you accept EAP-FAST + EAP-MS-CHAPv2 + EAP-GTC + EAP-TLS, using PACs:
- Your identity source sequence must include the internal user repository, otherwise it won’t find the “airuser” you just created:
- Finally, your authentication policy must include the “Wireless 802.1x” condition and should look like this: