AP as a Wired 802.1X Supplicant
My customer was already granting their end devices network access by means of 802.1X with EAP-TLS, using certificates issued by an in-house managed PKI, so it seemed only natural to do the same for their Cisco 2802i lightweight wireless access points (AP). However, they expressed that they did not believe that the APs qualified for issuance of in-house certificates per security policy.
According to the referenced security policies, network infrastructure components are not eligible for certificates issued by a local certificate authority (CA). The local CA may issue certificates to things like workstations, printers, etc. I do believe that their assumption was reasonable, but it was incomplete and warranted deeper consideration.
I submitted to them that the role of the AP in the environment could be looked at contextually. The more straightforward perspective that they took was of the AP as an infrastructure device to which end devices connect. In that picture the end device is the 802.1X supplicant, the AP effectively extends the wire via RF signals, and the wireless controller is the 802.1X authenticator. We might look at the AP as a media converter of sorts, converting between wired and wireless. On the other hand, the context that we are concerned about for this discussion is of the AP as an 802.1X supplicant to the wired network, with the connected switch as the 802.1X authenticator. Armed with this distinction, we can consider the role that a certificate plays in each context separately and thus draw a more defensible conclusion.
The benefits of device certificates include:
- Improved confidence that you are connecting to the device you intend to connect to
- Authentication of network-connected devices
- Authorization of those devices to appropriate network resources
If we entertain the notion of the AP as an infrastructure device, we can see that issuing an identity certificate to the AP does not improve a wireless client's confidence that it is connecting to a legitimate AP (under EAP-TLS the wireless client validates the certificate of the authentication server, not one held by the AP), nor does it play any part in authenticating or authorizing wireless clients or in governing how they interact with the network.
When we consider the AP as an 802.1X supplicant to the network, it may be viewed like any other wired client device being allowed access to the network. Its identity certificate is presented through the connected switch (the authenticator) to the authentication server, which validates the certificate against the issuing CA to confirm that the AP is not a rogue device and then authorizes it to the appropriate network resources, for example by returning the VLAN the switch should assign to the port. One practical consequence to plan for: an AP whose certificate has expired or been revoked will fail authentication and lose its wired access, taking its wireless clients with it, so certificate renewal for the APs has to be managed as carefully as it is for any other supplicant.
The discussion presented above resulted in concurrence by our Information Assurance (IA) office that certificates issued by the local CA would be appropriate for this use case.