Authenticating LAPs (lightweight APs)

Unanswered Question
Oct 14th, 2007

Hi,

I'd like to have explicit control over which LAPs can Join a WLC.

With an Autonomous AP you can create a RADIUS account for the AP (I'm not talking about the wireless client) so the AP must authenticate to work on the network.

Can a similar thing be done with LAP?

I noticed WLC can be configured with LAP MAC address to restrict which LAPs can LWAPP Join but in v4.1 Config Guide this is only mentioned under the 1500 model AP. Is this also supported for 1131AG & 1242AG LAPs?

Regards, MH

ankbhasi Sun, 10/14/2007 - 21:02

Hi MH,

Yes, you can also block or restrict 1130 and 1242 LWAPP APs using AAA. What you have to do is enable "Authorize APs against AAA" under Security-->AP Policies and then create a user in the ACS server where the username and password will be your AP Ethernet MAC address, without using any delimiter when defining the MAC address.

Try this and update if it works for you.

HTH

Ankur

*Pls rate all helpful posts

MARK HEUZENROEDER Mon, 10/15/2007 - 03:55

Thank you Ankur

I see in cisco doco,

Cisco WLC_Config Guide_Web & CLI_Release 4.1

P.317 = 7-47.

it says,

"The controller uses an access point's MAC address as both the username and password when sending the information to a RADIUS server." as you said = GOOD.

1) Will this work with IAS as RADIUS server (you mentioned ACS)?

Then it says,

"If you use the MAC address as the username and password for access point authentication on a RADIUS AAA server, do not use the same AAA server for client authentication."

2) What is the reason behind this?

3) It's not practical for us to have separate RADIUS servers for LAPs & clients. Is the above a hard-&-fast rule? Does it erode security by using the same RADIUS server for both, since a user might guess an AP MAC & be able to get onto the network (I'm guessing here)?

4) Referring to the above cisco doco,

"Figure 7-23 AP Policies Page"

under "Add Ap to Authorization List" - does this mean I can avoid using RADIUS to authenticate the AP and just enter the APs MAC address (Our APs are new so have MIC certificate type) and WLC will only allow LAP with this MAC address to LWAPP Join?

Regards, MH

bbxie Tue, 01/08/2008 - 20:39

Hi MH,

Is there any answer to your question? I have the same requirement to use the AP's MAC address to control which LAPs can join the WLC. I tested with "Add Ap to Authorization List", but found it didn't work. I also tested using MAC-Filter, but it seems it didn't work for the 1130, only for the 1510.

SHANNON WYATT Wed, 01/09/2008 - 15:37

The reason that you wouldn't want to use the same radius server for both is that it would be really easy to figure out a MAC address of a device and potentially use said mac address to access the network.

I normally use ACS for device stuff, and then use IAS for user authentication (if it is an Active Directory Environment.)
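The two mechanics discussed in this thread, Ankur's "MAC address with no delimiter as both username and password" and Shannon's reason for not sharing that RADIUS server with user authentication, as an added example that is not from the thread, from Cisco, or from any RADIUS product. It assumes the credential is sent lower-case (the thread only says "no delimiter"; case handling is an assumption), and the user store it audits is a constructed in-memory sample, not a real ACS or IAS database.

```python
"""Added example (not Cisco's or the thread's code): build the AP-authorization
credential the posts describe, and audit a RADIUS user store for the situation
the 4.1 config guide warns about (MAC-style AP accounts coexisting with
ordinary client accounts on one server)."""
import re
from dataclasses import dataclass
from typing import List

# 12 hex digits, no delimiters: the username/password form the thread describes.
# Assumption: lower-case; the controller's exact case handling is not stated.
MAC_CREDENTIAL = re.compile(r"^[0-9a-f]{12}$")


def ap_mac_to_radius_credential(mac: str) -> str:
    """Strip the usual delimiters (':', '-', '.') from an AP Ethernet MAC and
    return the 12-hex-digit string used as both username and password."""
    cleaned = re.sub(r"[:\-.\s]", "", mac).lower()
    if not MAC_CREDENTIAL.match(cleaned):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return cleaned


@dataclass
class RadiusUser:
    username: str
    password: str  # clear-text only because this is a constructed sample


def is_mac_style_account(user: RadiusUser) -> bool:
    """True when the account has the AP-authorization shape: a bare MAC used
    as both username and password."""
    name = user.username.lower()
    return bool(MAC_CREDENTIAL.match(name)) and name == user.password.lower()


def audit_shared_radius_users(users: List[RadiusUser]) -> dict:
    """Split a user store into AP (MAC-style) and ordinary accounts and report
    whether the two coexist.  That is the configuration the guide and
    Shannon's reply advise against: on a shared server, an AP MAC that can be
    read off the wire is also a working network login."""
    ap_accounts = sorted(u.username for u in users if is_mac_style_account(u))
    client_accounts = sorted(u.username for u in users if not is_mac_style_account(u))
    return {
        "ap_accounts": ap_accounts,
        "client_accounts": client_accounts,
        "shared_server": bool(ap_accounts) and bool(client_accounts),
    }


# Constructed sample store: two APs registered as MAC-style users plus one
# ordinary client account, i.e. exactly the mix the guide says to avoid.
SAMPLE_USERS = [
    RadiusUser(ap_mac_to_radius_credential("00:1A:2B:3C:4D:5E"), "001a2b3c4d5e"),
    RadiusUser(ap_mac_to_radius_credential("001a.2b3c.4d5f"), "001a2b3c4d5f"),
    RadiusUser("alice", "correct horse battery staple"),
]

if __name__ == "__main__":
    report = audit_shared_radius_users(SAMPLE_USERS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against a real export of the AP-authorization server's user list, a non-empty `client_accounts` alongside `ap_accounts` is the finding to act on; the remedy the thread converges on is a dedicated server (or at least a dedicated policy) for AP authorization, so that the MAC-shaped credentials never satisfy a client-access rule.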
