Remote LANs

A remote LAN is a network security feature that

  • enables authentication of wired clients using the wireless controller

  • switches client traffic between central and local switching modes, and

  • treats wired client traffic as wireless client traffic for unified management.

Feature history

Table 1. Feature history for Remote LANs

Feature name: Remote LANs

Release information: Cisco IOS XE 16.9.1

Feature description: Remote LAN (RLAN) is a network security feature that allows authentication of wired clients using a wireless controller. It treats wired client traffic as wireless client traffic for unified management.

The RLAN in an AP sends authentication requests for wired clients. Authentication of a wired client in an RLAN is similar to the process for a centrally authenticated wireless client.

For information about APs that support this feature, see https://www.cisco.com/c/en/us/td/docs/wireless/access_point/feature-matrix/ap-feature-matrix.html

Ethernet (AUX) port

By default, the second Ethernet port in Cisco Aironet 1850, 2800, and 3800 Series APs functions as a link aggregation (LAG) port. When LAG is disabled, you can use this port as an RLAN port.

These AP models can use the LAG port as an RLAN port:

  • 1852E

  • 1852I

  • 2802E

  • 2802I

  • 3802E

  • 3802I

  • 3802P

  • 4802

Role of Controller

  • The controller acts as an authenticator, receiving Extensible Authentication Protocol (EAP) over LAN (EAPOL) messages from the wired client sent through an AP.

  • The controller communicates with the configured Authentication, Authorization, and Accounting (AAA) server.

  • The controller configures the LAN ports for an AP and pushes the configuration to the corresponding AP.

Limitations of RLAN

Review these limitations when using RLAN:

  • RLAN supports only a maximum of four wired clients regardless of the AP model.

  • RLAN support with Virtual Routing and Forwarding (VRF) is not available.

  • In the Catalyst 9105 AXW AP operating in OEAP mode, only LAN1 and LAN2 are configured for RLAN. LAN3 is a local-only port and is enabled by default. Even if you disable LAN3 from the controller, the system skips payload processing for LAN3 because it is designated as a local-only port in OEAP mode.

  • The RLAN feature is supported on Fabric.

  • RLAN is supported in APs that have more than one Ethernet port.

  • In RLAN (local mode - local switching mode), if you want to use the AP native VLAN for client IP, the VLAN should be configured as either no vlan or vlan 1 in the RLAN policy profile. For example, if the native VLAN ID is 80, do not use the numeral 80 in the RLAN policy profile. Also, do not use VLAN name VLANxxxx to configure VLAN in the RLAN policy profile.

    When a new client is connected to an AP, the client details are available in the controller initially. However, after the CAPWAP DOWN/UP state, the client details are no longer listed in the controller.

  • APs in local mode with central switching do not support VLAN-tagged traffic from RLAN clients, resulting in dropped traffic.

  • A VLAN name (without any numerals) that is configured in the remote-lan-policy does not provide the mapped VLAN ID for central switching.

  • RLAN does not support these features:

    • Central Web Authentication (CWA)

    • Quality of Service (QoS)

    • Bi-Directional Rate Limiting (BDRL)

    • Identity PSK (iPSK)

Consider these limitations when you use the AUX port in Cisco 2700 APs:

  • RLAN supports the AUX port and a non-native VLAN for this port.

  • Local mode supports wired client traffic on a central switch, but FlexConnect mode does not support a central switch.

  • FlexConnect mode supports wired client traffic on the local switch, but not on the central switch.

  • You cannot use the AUX port as a trunk port, and you cannot add switches or bridges behind the port.

  • The AUX port does not support dot1x.

Configure remote LANs (RLANs)

Enable or disable all RLANs

Enable remote LANs (RLANs) on the device to ensure network access for connected clients, or disable RLANs to restrict access.

Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Enable or disable all RLANs.

Example:

Device(config)# [no] ap remote-lan shutdown

Step 3

Return to privileged EXEC mode.

Example:

Device(config)# end

Alternatively, press Ctrl-Z to exit global configuration mode.


All RLANs on the device are enabled (or disabled), and corresponding interfaces become active (or inactive).

Create RLAN profile (GUI)

Define a Remote LAN (RLAN) profile so you can enable RLAN services for specific devices.

Procedure


Step 1

Choose Configuration > Tags & Profiles > Remote LAN.

Step 2

Click Add.

Step 3

Enter the Profile Name and RLAN ID, and enable or disable the Status toggle button. The profile name must contain ASCII characters from 32 to 126, without leading and trailing spaces.

Step 4

Click Apply to Device.


The new RLAN profile is created and applied to the selected device.

Create RLAN profile (CLI)

Add a new remote LAN profile for wireless device management using CLI commands.

Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Configure remote LAN profile.

Example:

Device(config)# ap remote-lan profile-name remote-lan-profile-name rlan-id

  • remote-lan-profile-name: The remote LAN profile name. The range is from 1 to 32 alphanumeric characters.

  • rlan-id: The remote LAN identifier. The range is from 1 to 128.

Note

 

You can create a maximum of 128 RLANs. You cannot use the rlan-id of an existing RLAN while creating another RLAN.

RLAN and WLAN profiles cannot have the same names. Similarly, RLAN and WLAN policy profiles must use distinct names.


The system creates the RLAN profile, making it available for configuration and assignment to APs.

Device# configure terminal
Device(config)# ap remote-lan profile-name rlan_profile_name 3

Configure RLAN profile parameters (GUI)

Configure Remote LAN (RLAN) profile parameters to control client associations, authentication methods, and security settings.

Procedure


Step 1

Choose Configuration > Tags & Profiles > Remote LAN.

Step 2

In the RLAN Profile page, click Add.

The Add RLAN Profile page is displayed.

Step 3

In the General tab:

  1. Enter a Name and RLAN ID for the RLAN profile. The name must use ASCII characters with values from 32 to 126 and must not have leading or trailing spaces.

  2. Set how many clients can connect to each RLAN in the Client Association Limit field.

  3. To enable the profile, set the status as Enable.

Step 4

In the Security > Layer2 tab:

  1. To enable 802.1X for an RLAN, set the 802.1x status as Enabled.

    Note

    You can activate either the web or the 802.1X authentication list at a time.

  2. Choose the authorization list name from the MAC Filtering drop-down list.

  3. Choose the 802.1x for an RLAN authentication list name from the Authentication List drop-down list.

Step 5

In the Security > Layer3 tab:

  1. To enable web authentication for an RLAN, set the Web Auth status as Enabled.

    Note

    You can activate either the web or the 802.1X authentication list at a time.

  2. Choose the web authentication parameter map from the Webauth Parameter Map drop-down list.

  3. Choose the web authentication list name from the Authentication List drop-down list.

Step 6

In the Security > AAA tab:

  1. Set the Local EAP Authentication to enabled. Also, choose the required EAP Profile Name from the drop-down list.

Step 7

Save your configuration.


The configured RLAN profile is active. It is available for client associations using the specified security and authentication settings.

Configure RLAN profile parameters (CLI)

Set up and customize Remote LAN (RLAN) profile parameters to control client access and authentication for RLAN interfaces.

Before you begin

The configurations in this section are not mandatory for an RLAN profile.

For central switching mode, configure both central switching and central DHCP.


Note


The fabric profile configuration is required only for fabric RLAN support.


Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Configure remote LAN profile.

Example:

Device(config)# ap remote-lan profile-name rlan-profile-name rlan-id

The RLAN ID range is from 1 to 128.

Step 3

Configure client connections per RLAN.

Example:

Device(config-remote-lan)# client association limit client-connections

client-connections: The maximum number of client connections per RLAN. The range is from 0 to 10000, where 0 means unlimited.

Step 4

Configure fabric profile for RLAN.

Example:

Device(config-remote-lan)# fabric-profile fabric-profile-name

Step 5

Configure RLAN IP configuration commands.

Example:

Device(config-remote-lan)# ip access-group web ipv4-acl-name

ipv4-acl-name: The IPv4 ACL name or ID applied as the web pre-authentication ACL.

Step 6

Set EAP profile on an RLAN.

Example:

Device(config-remote-lan)# local-auth profile-name

profile-name: The name of the local EAP profile used on the RLAN.

Step 7

Set MAC filtering support on an RLAN.

Example:

Device(config-remote-lan)# mac-filtering mac-filter-name

mac-filter-name: The authorization list name used for MAC filtering.

Step 8

Configure 802.1X for an RLAN.

Example:

Device(config-remote-lan)# security dot1x authentication-list list-name

list-name: The 802.1X authentication list name.

Step 9

Configure web authentication for an RLAN.

Example:

Device(config-remote-lan)# security web-auth authentication-list list-name

list-name: The web authentication list name.

Note

 

You can activate either the web or the dot1x authentication list at a time, not both.

Step 10

Enable or disable RLAN profile.

Example:

Device(config-remote-lan)# [no] shutdown

The RLAN profile is configured with your desired parameters for client access, authentication, and network policies.

Create RLAN policy profile (GUI)

Create a new Remote LAN (RLAN) policy profile for controlled wireless network access.

Procedure


Step 1

Choose Configuration > Wireless > Remote LAN > RLAN Policy.

Step 2

Click Add to create a new RLAN policy profile for the selected device.

Step 3

In the General tab, enter the Policy Name.

Step 4

Click Apply to Device.


The new RLAN policy profile is created and applied to the selected device.

Create RLAN policy profile (CLI)

Configure an RLAN policy profile on the controller. The policy profile defines the wireless attributes applied to the RLAN.

Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Configure RLAN policy profile and enter wireless policy configuration mode.

Example:

Device(config)# ap remote-lan-policy policy-name rlan_policy_prof_name

After you complete these steps, the system creates a new RLAN policy profile. You can then assign it to remote LANs.

Configure RLAN policy profile parameters (GUI)

Configure RLAN policy profile parameters to define how Remote LAN (RLAN) networks operate.

Procedure


Step 1

Choose Configuration > Wireless > Remote LAN.

Step 2

On the Remote LAN page, click RLAN Policy tab.

Step 3

On the RLAN Policy page, click the name of the Policy or click Add to create a new one.

The Add/Edit RLAN Policy page is displayed.

Step 4

In the General tab:

  1. Enter a Name and Description for the policy profile.

  2. Set Central Authentication to Enabled state.

  3. Set Central DHCP to Enabled state.

  4. Set the PoE check box to enable or disable power over Ethernet.

  5. Set the status as Enable to activate the policy.

Step 5

In the Access Policies Tab, choose the VLAN name or number from the VLAN drop-down list.

Note

 
When central switching is disabled, the VLAN in the RLAN policy cannot be configured as the AP's native VLAN. To use the AP native VLAN for client IP, the VLAN should be configured as either no vlan or vlan 1 in the RLAN policy profile.

Step 6

From the Host Mode drop-down list, choose the Host Mode for remote-LAN 802.1x from these options:

  • Single-Host Mode: Is the default host mode. In this mode, the switch port allows only a single host to be authenticated and passes traffic one by one.

  • Multi-Host Mode: The first device to authenticate opens the switch port, allowing all other devices to use the port. You do not need to authenticate other devices independently. If the authenticated device becomes unauthorized, the switch port closes.

  • Multi-Domain Mode: The authenticator allows one host from the data domain and another from the voice domain. This is a typical configuration on switch ports with IP phones connected.

Note

 
  • For an RLAN profile with open-auth configuration, you must map the RLAN-policy with single host mode. Mapping RLAN-policy with multi-host or multi-domain mode is not supported.

  • The controller does not assign data versus voice VLAN, based on traffic. RLAN only supports multiple VLAN assignments through 802.1x AAA override. You must create data and voice VLANs and then assign these VLANs to respective clients, based on their authentication through the 802.1x AAA override.

Step 7

Configure IPv6 ACL or Flexible NetFlow.

  • Under the Access Policies > Remote LAN ACL section, choose the IPv6 ACL from the drop-down list.
  • Under the Access Policies > AVC > Flow Monitor IPv6 section, check the Egress Status and Ingress Status check boxes and choose the policies from the drop-down lists.

Step 8

Click the Advanced tab.

  1. From the Violation Mode drop-down list, choose the violation mode for Remote-LAN 802.1x from these options:

    • Shutdown: Disables the port

    • Replace: Removes the current session and initiates authentication for the new host. This is the default behavior.

    • Protect: Drops packets with unexpected MAC addresses without generating a system message.

  2. Enter the Session Timeout (sec) value to define the client's duration of a session.

    The range is from 20 to 86400 seconds.

  3. Under AAA Policy Params section, check the AAA Override check box to enable AAA override.

  4. Under the Exclusionlist Params section, check the Exclusionlist check box and enter the Exclusionlist Timeout value.

    This sets the exclusion time for a client. The range is from 0 to 2147483647 seconds. 0 refers to no timeout.

Step 9

Save the configuration.


The RLAN policy profile is created or modified with the specified parameters, enabling precise control of RLAN behavior, access policies, and operational modes.

Configure RLAN policy profile parameters (CLI)

Set up and customize a Remote LAN (RLAN) policy profile on your device.

Procedure


Step 1

Configure central switching.

Example:

Device(config-remote-lan-policy)# central switching

Step 2

Configure central DHCP.

Example:

Device(config-remote-lan-policy)# central dhcp

Step 3

Set exclusion-listing on RLAN.

Example:

Device(config-remote-lan-policy)# exclusionlist timeout timeout-value

timeout-value: Sets the duration that the client remains in the excluded state. The range is from 0 to 2147483647 seconds. 0 refers to no timeout.

Step 4

Configure the VLAN name or ID.

Example:

Device(config-remote-lan-policy)# vlan vlan

vlan: Represents the VLAN name or VLAN ID.

Step 5

Configure AAA policy override.

Example:

Device(config-remote-lan-policy)# aaa-override

Step 6

Configure client session timeout.

Example:

Device(config-remote-lan-policy)# session-timeout timeout-in-seconds

timeout-in-seconds: Specifies the duration of a session. The range is from 20 to 86,400 seconds.

Note

 

If the session timeout is less than 300 seconds for Dot1x clients, the session timeout is set to one day (86,400 seconds).

Step 7

Configure host mode for remote-LAN 802.1x.

Example:

Device(config-remote-lan-policy)# host-mode {multidomain voice-domain | multihost | singlehost}

voice-domain: Specifies the RLAN voice domain VLAN ID. The range is from 0 to 65,535.

You can configure these IEEE 802.1X authentication modes:

  • Multi-Domain Mode: The authenticator allows one host from the data domain and another from the voice domain. This is a typical configuration on switch ports with IP phones connected.

  • Multi-Host Mode: The first device to authenticate opens the switch port, so that all other devices can use the port. You need not authenticate other devices independently. If the authenticated device becomes unauthorized, the switch port closes.

  • Single-Host Mode: This is the default host mode. In this mode, the switch port allows only a single host to be authenticated and passes traffic one by one.

Step 8

Configure a fabric RLAN profile by entering a name for the fabric profile.

Example:

Device(config-remote-lan-policy)# fabric fabric-profile-name

Step 9

Configure violation mode for Remote-LAN 802.1x.

Example:

Device(config-remote-lan-policy)# violation-mode {protect | replace | shutdown}

When a security violation occurs, a port is protected based on these configured violation actions:

  • Shutdown: Disables the port.

  • Replace: Removes the current session and initiates authentication for the new host. This is the default behavior.

  • Protect: Drops packets with unexpected MAC addresses without generating a system message. In the single-host authentication mode, a violation is triggered when more than one device is detected in data VLAN. In a multi-host authentication mode, a violation is triggered when more than one device is detected in data VLAN or voice VLAN.

Step 10

Enable or disable PoE.

Example:

Device(config-remote-lan-policy)# [no] poe

Step 11

Enable or disable an RLAN policy profile.

Example:

Device(config-remote-lan-policy)# [no] shutdown

Step 12

Return to privileged EXEC mode.

Example:

Device(config-remote-lan-policy)# end

The RLAN policy profile is configured as specified. Devices governed by this profile will now operate according to the parameters you set.

Device(config-remote-lan-policy)# central switching
Device(config-remote-lan-policy)# central dhcp
Device(config-remote-lan-policy)# exclusionlist timeout 200
Device(config-remote-lan-policy)# vlan vlan1
Device(config-remote-lan-policy)# aaa-override
Device(config-remote-lan-policy)# session-timeout 21
Device(config-remote-lan-policy)# host-mode multihost
Device(config-remote-lan-policy)# fabric fabric-profile-name
Device(config-remote-lan-policy)# violation-mode protect
Device(config-remote-lan-policy)# poe
Device(config-remote-lan-policy)# shutdown
Device(config-remote-lan-policy)# end
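The value ranges and caveats in the steps above (and in the Limitations of RLAN section) can be checked before a policy profile is pushed to the controller. The following is an added example, not Cisco code; the class and function names are this example's own, and it reflects the documented behaviour rather than what the controller CLI itself accepts or rejects.

```python
"""Check a planned RLAN policy profile against the constraints this page states.

Added example, not Cisco code: it models the value ranges and caveats from the
policy-profile steps and from the 'Limitations of RLAN' section, so a profile
can be reviewed before it is pushed to the controller. Class and function
names are this example's own.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Documented behaviour: dot1x clients with a session-timeout below 300 s
# are given one day (86,400 s) instead.
DOT1X_MIN_SESSION_TIMEOUT = 300
DOT1X_FALLBACK_SESSION_TIMEOUT = 86400


@dataclass
class RlanPolicyProfile:
    name: str
    central_switching: bool = False
    central_dhcp: bool = False
    vlan: str = ""                    # VLAN name or ID given to 'vlan'
    session_timeout: int = 86400      # seconds, CLI range 20-86400
    exclusionlist_timeout: int = 0    # seconds, CLI range 0-2147483647
    host_mode: str = "singlehost"     # singlehost | multihost | multidomain
    voice_vlan: Optional[int] = None  # multidomain only, range 0-65535
    violation_mode: str = "replace"   # protect | replace | shutdown


@dataclass
class Context:
    """Facts about the AP and RLAN profile this policy will be mapped to."""
    ap_native_vlan: int
    rlan_open_auth: bool  # RLAN profile has no dot1x, MAB or web-auth


def effective_session_timeout(configured: int, dot1x_client: bool) -> int:
    """Timeout a client really gets: dot1x clients under 300 s get 86400 s."""
    if dot1x_client and configured < DOT1X_MIN_SESSION_TIMEOUT:
        return DOT1X_FALLBACK_SESSION_TIMEOUT
    return configured


def validate(profile: RlanPolicyProfile, ctx: Context) -> List[str]:
    """Return findings as strings; an empty list means nothing to report."""
    findings: List[str] = []

    if not 20 <= profile.session_timeout <= 86400:
        findings.append("session-timeout must be 20-86400 seconds")
    elif profile.session_timeout < DOT1X_MIN_SESSION_TIMEOUT:
        findings.append(
            f"session-timeout {profile.session_timeout}s is below 300s: "
            f"dot1x clients get {DOT1X_FALLBACK_SESSION_TIMEOUT}s instead")

    if not 0 <= profile.exclusionlist_timeout <= 2147483647:
        findings.append("exclusionlist timeout must be 0-2147483647 seconds")

    if profile.host_mode not in ("singlehost", "multihost", "multidomain"):
        findings.append(f"unknown host-mode {profile.host_mode!r}")
    if profile.host_mode == "multidomain" and (
            profile.voice_vlan is None or not 0 <= profile.voice_vlan <= 65535):
        findings.append("multidomain needs a voice domain VLAN ID in 0-65535")
    # Open-auth RLAN profiles may only be mapped with single-host mode.
    if ctx.rlan_open_auth and profile.host_mode != "singlehost":
        findings.append("open-auth RLAN profile must use singlehost host-mode")

    if profile.violation_mode not in ("protect", "replace", "shutdown"):
        findings.append(f"unknown violation-mode {profile.violation_mode!r}")

    if profile.central_switching:
        if not profile.central_dhcp:
            findings.append("central switching also requires central dhcp")
        # A VLAN name without any numerals is not mapped to an ID centrally.
        if profile.vlan and not any(c.isdigit() for c in profile.vlan):
            findings.append("central switching: VLAN name has no numerals, "
                            "so no VLAN ID is mapped")
    else:
        # Local switching: the AP native VLAN must be 'no vlan' or 'vlan 1'.
        if profile.vlan == str(ctx.ap_native_vlan) and profile.vlan != "1":
            findings.append(f"vlan {profile.vlan} is the AP native VLAN; "
                            "use no vlan or vlan 1 instead")
        if re.fullmatch(r"VLAN\d{4}", profile.vlan):
            findings.append("VLANxxxx names are not allowed in the RLAN "
                            "policy profile")

    return findings
```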

Configure policy tag and map an RLAN policy profile to an RLAN profile (CLI)

Define a policy tag and associate your RLAN policy profile with an RLAN profile.

Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Configure a policy tag and enter policy tag configuration mode.

Example:

Device(config)# wireless tag policy policy-tag-name

Step 3

Map your RLAN policy profile to an RLAN profile.

Example:

Device(config-policy-tag)# remote-lan remote-lan-profile-name policy rlan-policy-profile-name port-id port-id

  • remote-lan-profile-name: The name of the RLAN profile.

  • rlan-policy-profile-name: The name of the RLAN policy profile.

  • port-id: The LAN port number on the AP. The port number can be any integer from 1 to 4.

Step 4

Return to privileged EXEC mode.

Example:

Device(config-policy-tag)# end

You can press Ctrl-Z to exit global configuration mode.


The controller maps your specified RLAN policy profile to the RLAN profile under the policy tag.

Device# configure terminal
Device(config)# wireless tag policy remote-lan-policy-tag
Device(config-policy-tag)# remote-lan remote-lan1 policy rlan_profile_name port-id 2
Device(config-policy-tag)# end

Configure a LAN port (CLI)

Enable or disable a LAN port on an AP using commands.

Procedure


Configure a LAN port.

Example:

Device# ap name ap-name lan port-id lan-port-id {disable | enable}
Device# ap name L2_1810w_2 lan port-id 1 enable

  • enable: Enables the LAN port.

  • disable: Disables the LAN port.


The selected LAN port on the AP is enabled or disabled as specified.

Attach policy tag to an access point (GUI)

Assign a specific policy to an AP to enforce wireless configurations.

Procedure


Step 1

Choose Configuration > Wireless > Access Points.

Step 2

Select an AP.

Step 3

Under the Tags section, use the Policy drop-down to select a policy tag.

Step 4

Click Update & Apply to Device.


The AP is associated with the policy tag, and the new configuration is enforced.

Attach policy tag to an access point (CLI)

Assign a predefined policy tag to a specific AP.

Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Specify the AP by its Ethernet MAC address and enter AP tag configuration mode.

Example:

Device(config)# ap ap-ethernet-mac

Step 3

Attach a policy tag to the AP.

Example:

Device(config-ap-tag)# policy-tag policy-tag-name

policy-tag-name: The name of the policy tag defined earlier.

Step 4

Return to privileged EXEC mode.

Example:

Device(config-ap-tag)# end

Alternatively, press Ctrl-Z to exit global configuration mode.


The AP is now associated with the specified policy tag.

Device# configure terminal
Device(config)# ap 00a2.891c.21e0
Device(config-ap-tag)# policy-tag remote-lan-policy-tag
Device(config-ap-tag)# end

Verify RLAN configuration

Use this command to display the summary of all RLANs:

Device# show remote-lan summary

Number of RLANs: 1

RLAN        Profile Name                      Status    
----------------------------------------------------------------
1            rlan_test_1                       Enabled   

Use this command to display the RLAN configuration by ID:

Device# show remote-lan id <id>

Remote-LAN Profile Name                    : rlan_test_1
====================================================
Identifier                                 : 1
Status                                     : Enabled
Mac-filtering                              : Not Configured
Number of Active Clients                   : 1
Security_8021X                             : Disabled
8021.x Authentication list name            : Not Configured
Local Auth eap Profile Name                : Not Configured
Web Auth Security                          : Disabled
Webauth Authentication list name           : Not Configured
Web Auth Parameter Map                     : Not Configured
Client association limit                   : 0
Ipv4 Web Pre Auth Acl                      : Not Configured
Ipv6 Web Pre Auth Acl                      : Not Configured

Use this command to display the RLAN configuration by profile name:

Device# show remote-lan name <profile-name>

Remote-LAN Profile Name     : rlan_test_1
================================================
Identifier                                     : 1
Status                                         : Enabled
Mac-filtering                                  : mac-auth
Number of Active Clients                       : 0
Security_8021x_dot1x                           : Enabled
8021.x Authentication list name                : Not Configured
Local Auth eap Profile Name                    : Not Configured
Web Auth Security                              : Disabled
Webauth Authentication list name               : Not Configured
Web Auth Parameter Map                         : Not Configured
Client association limit                       : 0
Ipv4 Web Pre Auth Acl                          : Not Configured
Ipv6 Web Pre Auth Acl                          : Not Configured
mDNS Gateway Status                            : Bridge
Fabric Profile Name                            : rlan-fabric-profile

Use this command to display detailed output for all RLANs:

Device# show remote-lan all

Remote-LAN Profile Name            : rlan_test_1
==================================================
Identifier                         : 1
Status                             : Enabled
Mac-filtering                      : Not Configured
Number of Active Clients           : 1
Security_8021X                     : Disabled
8021.x Authentication list name    : Not Configured
Local Auth eap Profile Name        : Not Configured
Web Auth Security                  : Disabled
Webauth Authentication list name   : Not Configured
Web Auth Parameter Map             : Not Configured
Client association limit           : 0
Ipv4 Web Pre Auth Acl              : Not Configured
Ipv6 Web Pre Auth Acl              : Not Configured

Remote-LAN Profile Name            : rlan_test_2
==================================================
Identifier                         : 2
Status                             : Enabled
Mac-filtering                      : Not Configured
Number of Active Clients           : 1
Security_8021X                     : Disabled
8021.x Authentication list name    : Not Configured
Local Auth eap Profile Name        : Not Configured
Web Auth Security                  : Disabled
Webauth Authentication list name   : Not Configured
Web Auth Parameter Map             : Not Configured
Client association limit           : 0
Ipv4 Web Pre Auth Acl              : Not Configured
Ipv6 Web Pre Auth Acl              : Not Configured

Use this command to display the summary of all RLAN policy profiles:

Device# show remote-lan policy summary
Number of Policy Profiles: 1

Profile Name                      Description                           Status           
---------------------------------------------------------------------------------------------
rlan_named_pp1                 Testing RLAN policy profile              Enabled          

Use this command to display the LAN port configuration of a Cisco AP:

Device# show ap name <ap_name> lan port summary
LAN Port status for AP L2_1815w_1
Port ID      status       vlanId      poe
---------------------------------------------
LAN1         Enabled       20          Disabled
LAN2         Enabled       20          NA
LAN3         Disabled      0           NA

Use this command to display the summary of all clients:

Device# show wireless client summary
Number of Local Clients: 1

MAC Address       AP Name        WLAN         State    Protocol    Method     Role
---------------------------------------------------------------------------------------
d8eb.97b6.fcc6    L2_1815w_1      1           * Run     Ethernet    None      Local  

Use this command to display client details for the specified username:

Device# show wireless client username cisco
MAC Address        AP Name          Status      WLAN      Auth Protocol 
----------------------------------------------------------------------------------------------------
0014.d1da.a977    L2_1815w_1        Run 1 *      Yes        Ethernet 
d8eb.97b6.fcc6    L2_1815w_1        Run 1 *      Yes        Ethernet

Use this command to display detailed information for a client by MAC address:

Device# show wireless client mac-address 2cea.7f18.5bb3 detail
Client MAC Address : 2cea.7f18.5bb3
Client MAC Type : Universally Administered Address
Client DUID: NA
Client IPv4 Address : 10.56.33.21
Client IPv6 Addresses : fe80::d60:2e8:4cc2:6212
Client Username: N/A
AP MAC Address : 4ca6.4d22.1a80
AP Name: AP3C57.31C5.799C
AP slot : 16
Client State : Associated
Policy Profile : fabric-rlan-policy
Flex Profile : default-flex-profile
Remote LAN Id: 1 <----------
Remote LAN Name: fabric-rlan <--------
Wireless LAN Network Name (SSID): fabric-rlan <----------
BSSID : 4ca6.4d22.1a81
Connected For : 211 seconds
Protocol : Ethernet <--------
Channel : 0
Port ID: 1 <-----------
Client IIF-ID : 0xa0000002
Association Id : 0
Authentication Algorithm : Open System
<--------o/p trimmed ------>

Use this command to display the summary of all AP tags:

Device# show ap tag summary
Number of APs: 2
 
AP Name             AP Mac               Site Tag Name         Policy Tag Name         RF Tag Name               Misconfigured     Tag Source   
------------------------------------------------------------------------------------------------------------------------------------------------
L2_1810d_1        0008.3296.24c0       default-site-tag        default-policy-tag        default-rf-tag             No               Default      
L2_1810w_2        00b0.e18c.5880       rlan-site-tag              rlan_pt_1              default-rf-tag             No               Static  

Use this command to display the summary of all policy tags:

Device# show wireless tag policy summary
Number of Policy Tags: 2

Policy Tag Name                   Description                             
------------------------------------------------------------------------
rlan_pt_1                                                                 
default-policy-tag                default policy-tag

Use this command to display details of a specific policy tag:

Device# show wireless tag policy detailed <rlan_policy_tag_name>
Policy Tag Name : rlan_pt_1
Description     : 

Number of WLAN-POLICY maps: 0

Number of RLAN-POLICY maps: 2
REMOTE-LAN Profile Name           Policy Name                             Port Id             
--------------------------------------------------------------------------------------------
rlan_test_1                       rlan_named_pp1                              1                   
rlan_test_1                       rlan_named_pp1                              2        

Use this command to display the fabric client summary:

Device# show wireless fabric client summary

Number of Fabric Clients : 0

MAC Address    AP Name                          WLAN State              Protocol Method     L2 VNID    RLOC IP        

Use this command to display the RLAN client summary:

Device# show wireless client summary

Number of Clients: 1

MAC Address        AP Name       Type  ID  State    Protocol   Method   Role
-------------------------------------------------------------------------------------------------------------------------
2cea.7f18.5bb3 AP3C57.31C5.799C  RLAN   1    Run    Ethernet   None    Local

Number of Excluded Clients: 0
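The show remote-lan all output above is the natural place to audit for wired ports that accept any device: an enabled RLAN profile with 802.1X, MAC filtering and web authentication all unconfigured. The following parser and check are an added example, not Cisco code; the sample output is constructed to match the format shown above, and the function names are this example's own.

```python
"""Audit 'show remote-lan all' output for RLAN profiles with no authentication.

Added example, not Cisco code: parses the profile blocks in the format the
controller prints and flags enabled profiles in which 802.1X, MAC filtering
and web auth are all unconfigured. The sample output below is constructed.
"""
import re
from typing import Dict, List

# Constructed sample: one open profile and one profile with MAB configured.
SAMPLE_SHOW_REMOTE_LAN_ALL = """\
Remote-LAN Profile Name            : rlan_test_1
==================================================
Identifier                         : 1
Status                             : Enabled
Mac-filtering                      : Not Configured
Number of Active Clients           : 1
Security_8021X                     : Disabled
8021.x Authentication list name    : Not Configured
Local Auth eap Profile Name        : Not Configured
Web Auth Security                  : Disabled
Webauth Authentication list name   : Not Configured
Web Auth Parameter Map             : Not Configured
Client association limit           : 0
Ipv4 Web Pre Auth Acl              : Not Configured
Ipv6 Web Pre Auth Acl              : Not Configured

Remote-LAN Profile Name            : rlan_test_2
==================================================
Identifier                         : 2
Status                             : Enabled
Mac-filtering                      : mac-auth
Number of Active Clients           : 0
Security_8021X                     : Disabled
8021.x Authentication list name    : Not Configured
Local Auth eap Profile Name        : Not Configured
Web Auth Security                  : Disabled
Webauth Authentication list name   : Not Configured
Web Auth Parameter Map             : Not Configured
Client association limit           : 0
Ipv4 Web Pre Auth Acl              : Not Configured
Ipv6 Web Pre Auth Acl              : Not Configured
"""

# One 'Field : value' line; the separator lines (====) do not match.
_KV = re.compile(r"^(?P<key>[^:]+?)\s*:\s*(?P<value>.*?)\s*$")


def parse_remote_lan_all(text: str) -> List[Dict[str, str]]:
    """Split the output into one dict of field/value pairs per RLAN profile."""
    profiles: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        # Each profile block starts with its name line.
        if line.startswith("Remote-LAN Profile Name"):
            if current:
                profiles.append(current)
            current = {}
        m = _KV.match(line)
        if m:
            current[m.group("key")] = m.group("value")
    if current:
        profiles.append(current)
    return profiles


def _configured(value: str) -> bool:
    """True when a security field shows something other than off/unset."""
    return value not in ("Not Configured", "Disabled", "")


def audit_profiles(profiles: List[Dict[str, str]]) -> List[str]:
    """Names of enabled profiles where no authentication method is configured."""
    open_profiles: List[str] = []
    for p in profiles:
        if p.get("Status") != "Enabled":
            continue
        # The by-name output labels the dot1x field 'Security_8021x_dot1x'.
        has_dot1x = (_configured(p.get("Security_8021X", ""))
                     or _configured(p.get("Security_8021x_dot1x", "")))
        has_mab = _configured(p.get("Mac-filtering", ""))
        has_webauth = _configured(p.get("Web Auth Security", ""))
        if not (has_dot1x or has_mab or has_webauth):
            open_profiles.append(p["Remote-LAN Profile Name"])
    return open_profiles


if __name__ == "__main__":
    parsed = parse_remote_lan_all(SAMPLE_SHOW_REMOTE_LAN_ALL)
    for name in audit_profiles(parsed):
        print(f"{name}: enabled with no dot1x, MAB or web-auth configured")
```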

RLAN authentication fallback

An RLAN authentication fallback is a WLAN authentication mechanism that

  • enables client authentication to switch between 802.1X and MAC authentication bypass (MAB) when the initial method fails

  • supports dynamic fallback from 802.1X to MAB and vice versa according to client status and registration, and

  • requires that both 802.1X and MAB are enabled for fallback support.

Feature history

Table 2. Feature history for RLAN authentication fallback

Feature name: RLAN authentication fallback

Release information: Cisco IOS XE 17.8.x

Feature description: RLAN authentication fallback alternates client authentication between 802.1X and MAC authentication bypass (MAB) when the initial method fails. It dynamically switches based on client status and registration, requiring both 802.1X and MAB to be enabled. From Cisco IOS XE Cupertino 17.8.1, Remote LAN (RLAN) ports on OfficeExtend Access Points (OEAPs) support authentication fallback.

How RLAN authentication fallback works

On OfficeExtend Access Points (OEAPs) running Cisco IOS XE Cupertino 17.8.1 or later, RLAN ports support authentication fallback. If a client using IEEE 802.1X fails to authenticate, the system attempts MAC authentication bypass (MAB). Conversely, if the client's MAC address is not registered for MAC authentication bypass, the system falls back to IEEE 802.1X. Enable both methods to ensure successful authentication.

By default, the RLAN fallback mechanism is disabled. You must explicitly enable this mechanism. When both 802.1X and MAB are enabled, the device must succeed in both authentication methods for successful authentication.

Configure RLAN authentication fallback (CLI)

Enable authentication fallback for remote LAN (RLAN) profiles on your device.

Procedure

Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Configure a remote LAN profile.

Example:

Device(config)# ap remote-lan profile-name rlan_profile_name rlan-id

Step 3

Enable 802.1X authentication on MAC filter failure, or MAC filter authentication on 802.1X failure.

Example:

Device(config-remote-lan)# security {dot1x on-macfilter-failure | mac-filter on-dot1x-failure}

Note

You can either configure 802.1X authentication on MAC filter failure or MAC filter authentication on 802.1X failure. You cannot configure both.

Step 4

Return to privileged EXEC mode.

Example:

Device(config-remote-lan)# end

If the primary authentication method fails, the RLAN profile attempts the alternative authentication method.

Example:

Device# configure terminal
Device(config)# ap remote-lan profile-name rlan_profile_name 3
Device(config-remote-lan)# security dot1x on-macfilter-failure
Device(config-remote-lan)# end

Modify 802.1X EAP timers for RLAN clients

Adapt 802.1X EAP authentication timers for remote LAN (RLAN) clients to ensure successful endpoint authentication.

To adapt the 802.1X EAP timers for RLAN clients, use this procedure:

Note

When you modify the 802.1X EAP timers, ensure that the timer is long enough to allow 802.1X-capable endpoints to authenticate. A timer that is too short may result in 802.1X-capable endpoints being subject to a fallback authentication or authorization technique.

If the 802.1X EAP timers are not configured using this procedure, the timer configuration made with the wireless security dot1x request and wireless security dot1x identity-request commands is applied.

Procedure

Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Configure the remote LAN profile.

Example:

Device(config)# ap remote-lan profile-name rlan_profile_name rlan-id

Step 3

Configure the maximum number of EAP ID request retransmissions.

Example:

Device(config-remote-lan)# security dot1x identity-request retries retry-num

The valid range is from 1 to 20.

Step 4

Configure the EAP ID request-timeout value in seconds.

Example:

Device(config-remote-lan)# security dot1x identity-request timeout timeout-value

The valid range is from 1 to 120.

Step 5

Configure the maximum number of EAP request retransmissions.

Example:

Device(config-remote-lan)# security dot1x request retries retry-num

The valid range is from 0 to 20.

Step 6

Configure the EAP request retransmission timeout value in seconds.

Example:

Device(config-remote-lan)# security dot1x request timeout timeout-value

The valid range is from 1 to 120.

Step 7

Return to privileged EXEC mode.

Example:

Device(config-remote-lan)# end

The EAP authentication timers for RLAN clients are set to your specified values, improving authentication reliability for 802.1X-capable endpoints.

Example:

Device# configure terminal
Device(config)# ap remote-lan profile-name rlan_profile_name 3
Device(config-remote-lan)# security dot1x identity-request retries 20
Device(config-remote-lan)# security dot1x identity-request timeout 120
Device(config-remote-lan)# security dot1x request retries 20
Device(config-remote-lan)# security dot1x request timeout 120
Device(config-remote-lan)# end
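An added Python helper, constructed for this page and not Cisco's own code, that ties the fallback-mode choice from the previous procedure to the timer ranges above: it rejects values outside the documented ranges, estimates how long a client with no 802.1X supplicant holds the port before the fallback method can be tried, and renders the CLI lines in procedure order. The (retries + 1) × timeout estimate is an assumption about how retransmissions are counted, not a figure from the page.

```python
"""Constructed helper for the RLAN fallback and EAP timer procedures above
(not Cisco code): validates values against the documented ranges, estimates
the wait before 802.1X gives up on a silent client, and renders CLI lines."""
from dataclasses import dataclass

# Documented ranges for the security dot1x commands: name -> (min, max)
RANGES = {
    "identity_request_retries": (1, 20),
    "identity_request_timeout": (1, 120),
    "request_retries": (0, 20),
    "request_timeout": (1, 120),
}
# Only one of the two fallback directions may be configured on a profile.
FALLBACK_MODES = ("dot1x on-macfilter-failure", "mac-filter on-dot1x-failure")


@dataclass(frozen=True)
class RlanDot1xTimers:
    identity_request_retries: int
    identity_request_timeout: int
    request_retries: int
    request_timeout: int

    def validate(self) -> None:
        for name, (lo, hi) in RANGES.items():
            value = getattr(self, name)
            if not lo <= value <= hi:
                raise ValueError(f"{name}={value} outside range {lo}-{hi}")

    def worst_case_identity_wait(self) -> int:
        # Assumption: the first EAP ID request and each retransmission wait
        # the full timeout, so a client that never answers holds the port
        # for (retries + 1) * timeout seconds before fallback is attempted.
        self.validate()
        return (self.identity_request_retries + 1) * self.identity_request_timeout


def render_rlan_config(profile: str, rlan_id: int, mode: str,
                       timers: RlanDot1xTimers) -> str:
    if mode not in FALLBACK_MODES:
        raise ValueError(f"fallback mode must be one of {FALLBACK_MODES}")
    timers.validate()
    return "\n".join([
        f"ap remote-lan profile-name {profile} {rlan_id}",
        f" security {mode}",
        f" security dot1x identity-request retries {timers.identity_request_retries}",
        f" security dot1x identity-request timeout {timers.identity_request_timeout}",
        f" security dot1x request retries {timers.request_retries}",
        f" security dot1x request timeout {timers.request_timeout}",
        " end",
    ])
```

With the maximum values from the example above, a printer or other supplicant-less device would wait 21 × 120 seconds before MAB is tried, which is the trade-off the note about short timers is pointing at.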

Verify RLAN authentication fallback

Use this command to check the status of the fallback authentication mechanism.

Device# show remote-lan all

Remote-LAN Profile Name     : rlan_profile_name
================================================
Identifier                                     : 3
Status                                         : Disabled
Mac-filtering                                  : Not Configured
Number of Active Clients                       : 0
Security_8021x_dot1x                           : Enabled
8021.x Authentication list name                : Not Configured
Local Auth eap Profile Name                    : Not Configured
Web Auth Security                              : Disabled
Webauth Authentication list name               : Not Configured
Web Auth Parameter Map                         : Not Configured
Client association limit                       : 0
Ipv4 Web Pre Auth Acl                          : Not Configured
Ipv6 Web Pre Auth Acl                          : Not Configured
mDNS Gateway Status                            : Bridge
Authentication Fallback Status                 : MAC-filtering to Dot1X