LAP 802.1x Authentication

I'm not getting why the LAP username is used in the ACS and dot1x authentication as well as lapuser authentication for the controller. Why are there two usernames for this? Is this because the AP itself has to authenticate to the controller to be considered as part of the controller AP group as well as authenticate to the network using dot1x credentials?

Comments

  • Hi,

    If the question is why the credentials (username/password) are configured on both ACS and WLC, the reason is: ACS is the authentication server, so it needs those credentials to validate it; when you configure the credentials on the WLC you are actually configuring the 802.1x supplicant of the LAP to use those supplicants for when the switch will ask for EAP authentication. So the WLC configured credentials are NOT used for the LAP to authenticate against the WLC; there is no such thing.

    Regards,

    Cristian.

  • I think I have that part cleared up: AP does not authenticate to the WLC.

    The LAP Supplicant credentials in 'Global Configuration' show "lapuser" for the 802.1X username, but the AP-specific one in AP > Credentials is "LAP", same as ACS. Is this demonstrating that per AP, you can have different 802.1X credentials than the 'WLC Global' credentials for all other APs? I guess the confusion for me was configuring the global with 'lapuser' and the AP with 'LAP' and not understanding that the AP can have different credentials for 802.1X than the WLC 'global' AP credentials, meaning that each AP can be authenticated to ACS with different user/pass combos. I think this all makes sense now.

    Thanks!

  • Hi,

    Yes, that's exactly the scope; the global credentials are used by all LAPs, unless you override it at LAP level, which gives you the flexibility to have per-LAP different credentials.

    Regards,

    Cristian.