C-01 | AGNI and WiFi EAP-TLS 802.1X
Overview
In this lab we will be working within the WiFi configuration section of CV-CUE. Create an SSID (WPA2 802.1X) named ATD-##-EAP (where ## is the 2-digit number between 01-12 that was assigned to your lab/Pod).
CV-CUE Login
If you're not already logged into CV-CUE, navigate to the Arista Launchpad for your lab.
Create an EAP-TLS SSID
The Configure section of CV-CUE is composed of multiple parts, including WiFi, Alerts, WIPS, etc. In this lab we are focused on the WiFi section.
Other configuration sections
- Alerts: Where syslog and other alert related settings are configured
- WIPS: Where the policies are configured for the WIPS sensor.
Let's go through the steps to create a new SSID.
- At the top of the screen, you will see where you are in the location hierarchy. Click on your respective Corp (ACorp or BCorp),
  Expand Hierarchy
  If you do not see the hierarchy, click on the three lines next to Locations to expand, then choose/highlight the appropriate Corp folder.
- Once on the “SSID” page, configuration sub-category menu options will appear across the top of the page related to WiFi (the defaults are Basic, Security, and Network). You can click on these sub-category names to change configuration items related to that area of the configuration.
- To make additional categories visible, click on the 3 dots next to Network and you can see the other categories that are available to configure (Analytics, Captive Portal, etc.).
- In the Basic sub-category option, name the SSID using the settings below. The Profile Name is used to describe the SSID and should have been auto-filled for you.
  Settings

  | Student | Name |
  | --- | --- |
  | Student 1 | ATD-##-EAP |
  | Student 2 | ATD-##-EAP |

  where ## is a 2 digit character between 01-20 that was assigned to your lab/Pod
- Since this is our corporate SSID, leave the Select SSID Type set to Private.
- Select Next at the bottom.
- In the Security sub-category, set the following: select WPA2 and change the association type to “802.1X”.
  Settings

  | Field | Value |
  | --- | --- |
  | Security Method | WPA2 / 802.1X |
  | Radius Settings | Select RadSec |
  | Authentication Server | AGNI-## |
  | Accounting Server | AGNI-## |

- Select Next at the bottom of the screen.
- In the Network configuration sub-category, we’ll leave the VLAN ID set to 0, which means it will use the native VLAN. If the switchport the AP is attached to is trunked, you could change this setting to whichever VLAN you want the traffic mapped to. The rest of the settings can be left at the default values.
  Alternative Settings
  Instead of Bridged, you could use NAT (often done for Guest) or L2 Tunnel/L3 Tunnel, as we completed in the wireless lab.
- Click the Save & Turn SSID On button at the bottom of the page.
- Only select the 5 GHz option on the next screen (deselect the 2.4 GHz box if it’s checked), then click Turn SSID On.
- After you turn on the SSID, hover your cursor over Monitor in the left hand side menu, and then click WiFi.
- Now, in the menu options at the top of the page, look at the Radios menu option. Is the 5 GHz radio up and the 2.4 GHz radio down? It may take a minute or two for the radio to become active.
- Check the Active SSIDs menu at the top of the screen. Is your SSID listed?
Now that we have an 802.1X-backed SSID, let's go to AGNI to configure the policy.
CloudVision AGNI Access
AGNI Login
If you're not already logged into AGNI, navigate to the Arista Launchpad for your lab.
Create AGNI Networks & Segments for the EAP-TLS Wireless Policy
- Click on Networks and select + Add Network.
- Configure the network with the following settings.
  Network Settings

  | Field | Student 1 | Student 2 |
  | --- | --- | --- |
  | Name | ATD-##-SSID-EAP-TLS | ATD-##-SSID-EAP-TLS |
  | Connection Type | Wireless | Wireless |
  | SSID | ATD-##-EAP | ATD-##-EAP |
  | Authentication Type | Client Certificate (EAP-TLS) | Client Certificate (EAP-TLS) |

- Click on Add Network at the bottom of the screen.
- Next, click on Segments and then + Add Segment.
- Configure the segment with the following settings.
  Network Settings

  | Field | Student 1 | Student 2 |
  | --- | --- | --- |
  | Name | ATD-##-SSID-EAP-TLS | ATD-##-SSID-EAP-TLS |
  | Description | ATD-##-SSID-EAP-TLS | ATD-##-SSID-EAP-TLS |

- Next, let’s add two conditions to match the network we've defined (tied to the SSID) and the authentication type.
  Conditions
  Conditions for segments must MATCH ALL conditions line by line.
  - Select Network, Name, is, ATD-##X-SSID-EAP-TLS from the drop down lists. Choose your A or B policy accordingly.
  - Select Network, Authentication Type, is, Client Certificate (EAP-TLS) from the drop down lists.
  - Your Conditions should now look like this.
- Under Actions select Add Action and select Allow Access.
- Finally, select Add Segment at the bottom of the page.
- You should now be able to expand and review your segment.
- Next, click on Sessions to see if your ATD Raspberry Pi has a connection via the Wireless connection.
  Client Connectivity
  The Client Certificate has already been applied to the Raspberry Pi and is configured to connect to the SSID ATD-##A-EAP.
- Click on the session and explore the information we learn about the client; we're going to come back to this in more detail later.
- If you don’t see any new sessions in AGNI within 2 minutes, power cycle the Raspberry Pi.
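
The client side of the SSID configured above, as an added example that is not part of the original lab: a wpa_supplicant network block for WPA2 / 802.1X with EAP-TLS. It assumes the client uses wpa_supplicant; the identity, file paths and server name are placeholders, and the lab's Raspberry Pi may be set up differently.

```conf
# Added example (not from the lab): wpa_supplicant.conf network block for an
# EAP-TLS SSID. Identity, paths and server name below are placeholders.
network={
    # SSID created in CV-CUE; replace ## with your pod number
    ssid="ATD-##-EAP"

    # WPA2 with 802.1X key management, matching "WPA2 / 802.1X" on the SSID
    proto=RSN
    key_mgmt=WPA-EAP
    pairwise=CCMP

    # Certificate-based authentication, matching
    # "Client Certificate (EAP-TLS)" on the AGNI network
    eap=TLS
    identity="client@example.invalid"

    # Client certificate and private key presented to the RADIUS server
    client_cert="/etc/wpa_supplicant/certs/client.pem"
    private_key="/etc/wpa_supplicant/certs/client.key"
    # Only needed when the private key file is encrypted
    private_key_passwd="CHANGE-ME"

    # Server validation. If ca_cert (and ca_path) are omitted, wpa_supplicant
    # does not verify the RADIUS server certificate, so the client would
    # authenticate to any access point advertising this SSID.
    ca_cert="/etc/wpa_supplicant/certs/radius-ca.pem"
    # Additionally require the server certificate's DNS name to end with this
    domain_suffix_match="radius.example.invalid"
}
```

When a session does not appear in AGNI, the SSID name, the EAP method and the trusted CA in the client configuration are the first settings to compare against the values entered in the steps above.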
🎉 CONGRATS! You have completed this lab! 🎉