Mist APs have the ability to authenticate to their uplink wired switch utilizing 802.1X. Starting in 0.14 firmware, Mist APs have 802.1X supplicant functionality to authenticate to the network or MAC auth in any firmware version. For dot1x, the AP utilizes EAP-TLS to authenticate on the uplink switchport of the AP. There are three pieces in your network that will need appropriate configuration to get this feature working: Mist UI, the edge switch, and your RADIUS server.
Deployment Considerations
While utilizing 802.1X for network access control at the edge increases security posture, it can also increase the friction to deploy Mist APs. There are a few strategies to deploy Mist APs with wired network access control. With a little planning, you can still have a ZTP experience.
- Pre-provision APs – let APs connect to the cloud before they are deployed so they can receive a configuration and then deploy into the field. This is doable, especially if your deployment workflow already includes a pre-provision step, but would be tedious at scale.
- The second method and preferred method to deploy into environment with 802.1X at the edge is to leverage a “guest” VLAN on the switch side. When a new AP boots up out of the box, it won’t have the 802.1X configuration or certs. So utilize a guest VLAN which is completely locked down, except for access to the Mist cloud. The AP can then connect to the cloud and receive it’s config and download the correct AP firmware version (if required). Then once it has the supplicant configuration, the AP will attempt to authenticate to the network and RADIUS or DPC can be utilized to configure the correct VLANs on the port. Alternatively dot1x + MAC auth flow can be used.
- Other deployment options could include leveraging Dynamic Port Configuration for Mist managed switches, or to leverage MAC auth only on the port instead of 802.1X
Configuration in Mist
To enable 802.1X supplicant on APs simply enable the 802.1X Supplicant option under Ethernet Properties from the individual AP page or from Device Profiles. If you want to enable supplicant functionality on many APs, configuring in a device profile is a great option. Please note AP firmware version 0.14.x or higher is required. You can apply the configuration even before the AP is online, so that way once the AP connects to the cloud for the first time, it will receive the supplicant configuration straight away.
You may also want to ensure auto upgrade is set in the site settings to a firmware version 0.14.x or higher. To ensure APs automatically upgrade to the required version to support the supplicant feature.
Configuration on your Switch
On your switch, for ports APs connect to, you would need to enable 802.1X authentication. As mentioned previously, it is suggested to utilize a Guest VLAN, server reject VLAN, or MAC auth fallback with a default VLAN that allows AP connectivity to the Mist Cloud, at least for initial deployment of the site. This way APs can still ZTP to the cloud to receive the initial supplicant config and necessary AP firmware version.
802.1X + Guest VLAN
For Mist managed switches, the configuration is simplified. You would configure the RADIUS servers into your switch template. Create your VLANs and create a Port Profile with 802.1X and Guest Network enabled. And then apply the port profile to the desired ports on the switch or use switch matching to apply to specific switch models or roles.
Here’s an example port profile with 802.1X enabled as well as the Guest Network, which is used in case a device does not attempt 802.1X auth, such as what would happen with a new out of box AP before it connects to the cloud.
The flow would be:
- Configure 802.1X + Guest VLAN on the port
- Connect AP, it is placed in the Guest VLAN
- AP connects to cloud, downloads firmware if necessary, and receives supplicant configuration
- AP will then automatically begin to do RADIUS auths and switch will place the AP in the desired VLAN(s).
802.1X + MAC Auth
Alternatively, if you would like your RADIUS server to have full visibility and control, you can enable Mac auth on the wired port, in addition to 802.1X and leverage a default or unknown devices VLAN. In Mist you would check Use dot1x authentication as well as Mac authentication boxes in the port profile.
The flow would be:
- Configure 802.1X + MAC auth on the port
- Connect AP, the switch will perform MAC auth. RADIUS should return a default/unknown device VLAN with access to the Mist Cloud.
- AP connects to cloud, downloads firmware if necessary, and receives supplicant configuration
- AP will then automatically begin to do RADIUS 802.1X auths and switch will place the AP in the desired VLAN(s).
Assigning VLANs via RADIUS
Please note, if you use Mist Edge and tunnel all of your WLANs, then likely an AP connecting to a switch port configured as access will suffice. However if you don’t use Mist Edge, or have WLANs local traffic breakout, then you probably need the switch port to be a trunk. Most switch operating systems allow you to return multiple VLANs from RADIUS. For Junos, you can either return multiple Egress-VLANID or Egress-VLAN-Name.
Here’s an example pulled from this document
For Egress-VLAN-Name:
- 1 = tagged
- 2 = untagged
- vlan-2 and vlan-3 are the VLAN names on the switch
In the example below, VLAN 1vlan-2 is tagged, and VLAN 2vlan-3 is untagged:
001094001144 Cleartext-Password := "001094001144“ Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Egress-VLAN-Name += 1vlan-2, Egress-VLAN-Name += 2vlan-3,
For Mist Access Assurance, this is an example of how to return the egress VLAN to a Juniper switch to dynamically configure the port as a trunk port.
The untagged VLAN is named default, and three tagged VLANs are returned: iot, vlan3, and vlan5
Assigning VLANS via DPC
Another option to assign the AP once authenticated to the correct VLANs/port profile could be to leverage Mist Dynamic Port Configurations (DPC). Where you follow one of the two RADIUS auth options above (802.1X + Guest Network, 802.1X + MAC auth) but then once the AP is authenticated, return a pre-defined Filter-ID from RADIUS and to trigger DPC. For example, here is a DPC rule that could be used:
Mist Access Assurance Configuration
If you are a Mist Access Assurance customer, the configuration is extremely simple. You only need to create a label and a policy to match on for the AP authentications and optionally return configuration back to the switch. Mist Access assurance automatically knows about the Org CA, and does not need to be manually added into the certificate store.
Auth Policy Label
Here is an example label to match the AP authentications. The label type is Certificate Attribute with the value set to Issuer. The value is your Org ID.
/C=US/O=Mist/OU=OrgCA/CN=d3280c38-e446-4bed-bd2d-f7fa52f223a2
Auth Label
After you make your matching label, you can create your policy. In this example, the rule is to match on the AP certificate, wired authentication, and EAP-TLS. Upon successful authentication, a trunk VLAN configuration is returned to the switch.
Validation
If all goes well, you will see your AP authenticated.
RADIUS Server Configuration
On your non Mist RADIUS server, you will need to add your Mist org certificate. Which can be found under Organization->Settings. Mist by default generates a unique per Organization CA certificate. You add this certificate into your RADIUS server to validate the certificate the Mist AP presents. For 802.1X supplicant authentication, the APs utilize a Mist generated unique per AP certificate, signed by your Org CA certificate. Mist handles certificate created and lifecycle
On Cisco ISE, for example you are able to import the certificate into the certificate store and trust for client authentication. To import a certificate into ISE, navigate to Administration->System->Certificates->Certificate Management->Trusted Certificates->Import
Here are example fields that will be presented to your RADIUS server by the AP’s certificate. Please note the username/identity follows the format MistAP-<ap_mac>.
"cert_serial": "01", "auth_type": "802.1X", "nas_vendor": "Mist", "eap_type": "EAP-TLS", "cert_issuer": "/C=US/O=Mist/OU=OrgCA/CN=d3280c38-e446-4bed-bd2d-f7fa52f1b3a2", "cert_cn": "ac2316fc0226", "cert_expiry": "2024-03-27T12:25:23Z", "cert_san_dns": [ "ac2316fc0226" ], "username": "MistAP-ac-23-16-fc-02-26"