Access Point Onboarding Scenario
Deployment Sequences - IAP connected to access switch
A branch deployment that involves a small network setup including IAP/wireless access points, an access switch, and an external radius-server (ClearPass).
- The Instant Access Point (IAP) connected to the switch triggers mac-auth.
- If mac-auth is successful, the IAP is on-boarded with the mac-auth role.
- When 802.1x is initiated:
  - If 802.1x initiation succeeds, the mac-auth role is removed and the 802.1x role is applied.
  - If 802.1x initiation fails, the device stays with the mac-auth role until it is triggered to reauthenticate.
The IAP can be connected to the external server ClearPass for authentication of all wireless clients that connect through it, using the existing user-role support. With the existing user-role support, the clients must go through authentication at the switch level as well, after the IAP.
The enhanced attribute port-mode is configured, and all wireless client VLANs are tagged as part of the mac-auth role with tagged-vid-list. The device is then successfully deployed by opening the connected port to allow all wireless clients behind the AP. Clients from the AP do not require authentication at the switch, because the port-mode attribute allows all the clients behind the IAP and validates successful communication between the clients.
Advantages
- User roles can be downloaded for clients connected to ports other than the one carrying the wireless clients that come through the AP with the port-mode user-role.
- Device-specific poe attributes can be managed centrally from ClearPass. This prevents excessive power consumption by allocating power based on the device class and the priority control mechanism.
Limitations
- The device-specific attributes can be supported for only one client per port.
- Once the port-mode role is applied, all the clients on the port will be de-authenticated.
- When applying a user-role with PoE allocation by class, the power allocation must be set based on PD class detection and/or LLDP negotiation.