Access Point Onboarding Scenario

Deployment Sequences - IAP connected to access switch

  • A branch deployment that involves small network setup including IAP/wireless access points, access switch, and external radius-server ClearPass.

  • Instant Access Point (IAP) connected to switch triggers mac-auth.

  • If mac-auth is successful:

    • IAP is on-boarded with mac-auth role.

    • When 802.1x is initiated:
      • If 802.1x is initiated successfully, remove mac-auth role and apply 802.1x role.

      • If 802.1x initiation fails, the device must stay with mac-auth until it triggers to reauthenticate.

    • IAP can be connected to external server ClearPass for authentication of all wireless clients that connected with existing user-role support. With the existing user-role support, the clients must go through authentication even at switch level after IAP.

    • The enhanced attribute port-mode is configured and all wireless clients VLANs are tagged as a part of mac-auth role with tagged-vid-list. Then device is successfully deployed by opening the connected port to allow all wireless clients behind AP.

    • Clients from AP do not require authentication because the attribute port-mode allows all the clients behind the IAP and validates successful communication between the clients.

Advantages

  • User roles can be downloaded for clients connected to different ports other than the wireless clients coming through AP with port-mode user-role.

  • Device-specific poe attributes can be managed centrally from ClearPass. It prevents higher power consumption by allocating the power based on its device class and priority control mechanism.

Limitations

  • The device-specific attributes can be supported for only one client per port.
  • Once the port-mode is applied, all the clients in the port will be de-authenticated.
  • When applying user-role with PoE allocation by class, the power allocation must be set based on PD class detection and/or LLDP negotiation.