Protecting AP with 802.1x

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2023-06-13 15:50:21
Model: EAP245  
Hardware Version: V2
Firmware Version:

Hello,

Sometimes APs are installed in corridors or common rooms where you can't prevent people from unplugging them and plugging in their own PC instead.

In my opinion, the most efficient method to guard against this is to require all APs to authenticate themselves with 802.1X so that any device not providing appropriate credentials can be directed to a dedicated VLAN.

1. Is this feature implemented in EAP245 or other Omada APs?

2. Which is the best method or documentation source to find such answers without asking in this forum?


Best reg

Re:Protecting AP with 802.1x
2023-06-14 03:21:06

  @Oliv2831 

 

Hi, if you wanna protect the AP with 802.1x, you also need a switch to set this on its ports.

Or, if you can set a VLAN, tag the port between the EAP and the front device; the tagged data can pass through the AP, but a PC cannot handle the tagged data.

Just striving to develop myself while helping others.
Re:Protecting AP with 802.1x
2023-06-14 12:23:45

  @Virgo 

Yes, of course: enabling 802.1X requires compliant switches; the screenshot you kindly included highlights it.

Anyway, my question was rather related to 802.1X support by the EAP AP management stack.

I know that now, thanks to 802.1X/EAP, one WiFi guest can be authenticated through an Omada AP, but looking at the OC200 web app, I didn't find any form where you can edit 802.1X credentials for a given AP.

With such credentials, a booting AP could be moved into a specific management VLAN (or just remain in the default VLAN) depending on the credentials it provides, while the guests connecting through this AP would also be moved to their own VLANs.

With the MAC Auth Bypass feature, you can associate a given AP with a specific VLAN, but a MAC is easy to spoof and I would much rather trust credentials.

For a long time, I exclusively used APs from a different vendor, and this 802.1X auth feature is one of the most requested.


Re:Protecting AP with 802.1x
2023-06-14 23:52:30

  @Oliv2831 

 

If you look at the TP-Link AP User Guide, you will see that the AP support for 802.1x does not go beyond WPA-Enterprise. You are absolutely right in expecting an AP to be able to provide its credentials for authentication in a secure way, especially when it is meant to be used in business, and potentially public, environments. Unfortunately, this essential security feature is not present there. What is even worse, at least one TP-Link AP, namely the EAP655-Wall, has a switch where its ports cannot be secured at all.

Kris K