10-14-2007 06:03 PM - edited 07-03-2021 02:46 PM
Hi,
I'd like to have explicit control over which LAPs can Join a WLC.
With Autonomous AP you can create a RADIUS account for the AP (I'm not talking about the wireless client) so AP must auth. to work on the network.
Can a similar thing be done with LAP?
I noticed WLC can be configured with LAP MAC address to restrict which LAPs can LWAPP Join but in v4.1 Config Guide this is only mentioned under the 1500 model AP. Is this also supported for 1131AG & 1242AG LAPs?
Regards, MH
10-14-2007 09:02 PM
Hi MH,
Yes you can also block or restrict 1130 and 1242 Lwapp AP using AAA. What you have to do is enable "Authorize APs against AAA" under Security-->AP Policies and then create a user in ACS server where username and password will be your AP ethernet MAC ADDRESS without using any delimiter when defining mac address.
Try this and update if it works for you.
HTH
Ankur
*Pls rate all helpful post
10-15-2007 03:55 AM
Thank you Ankur
I see in cisco doco,
Cisco WLC_Config Guide_Web & CLI_Release 4.1
P.317 = 7-47.
it says,
"The controller uses an access point's MAC address as both the username and password when sending the information to a RADIUS server." as you said = GOOD.
1) Will this work with IAS as RADIUS server (you mentioned ACS)?
Then it says,
"If you use the MAC address as the username and password for access point authentication on a RADIUS
AAA server, do not use the same AAA server for client authentication."
2) What is the reason behind this?
3) It's not practical for us to have separate RADIUS servers for LAPs & client. Is the above a hard-&-fast rule? Does it erode security by using the same RADIUS server for both since a user might guess an AP MAC & be able to get onto the network (I'm guessing here)
4) Referring to the above cisco doco,
"Figure 7-23 AP Policies Page"
under "Add Ap to Authorization List" - does this mean I can avoid using RADIUS to authenticate the AP and just enter the APs MAC address (Our APs are new so have MIC certificate type) and WLC will only allow LAP with this MAC address to LWAPP Join?
Regards, MH
01-08-2008 08:39 PM
Hi MH,
Is there any answer to your question? I met the same requirement to use AP's MAC address to control which LAP can join the WLC. I tested with "Add Ap to Authorization List", but found it didn't work. I also tested to use MAC-Filter, but it seems it didn't work for 1130, only work for 1510.
01-09-2008 03:37 PM
The reason that you wouldn't want to use the same radius server for both is that it would be really easy to figure out a MAC address of a device and potentially use said mac address to access the network.
I normally use ACS for device stuff, and then use IAS for user authentication (if it is an Active Directory Environment.)
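As an added illustration (not code from this thread, from Cisco, or from ACS/IAS), the following Python builds the RADIUS Access-Request that Ankur's answer describes, with the AP's MAC as User-Name and as the RFC 2865 hidden User-Password, and then runs a toy server-side policy that shows the separation concern raised in the last reply: credentials in MAC form are accepted only from a known controller address, so a guessed AP MAC does not double as a client login on a shared server. The shared secret, controller address and AP MAC are constructed sample values, and the policy logic is an assumption for the example, not how ACS or IAS actually behaves.

```python
import hashlib
import os
import re
import struct

# Constructed sample values for this example; none of them come from the thread.
SHARED_SECRET = b"example-secret"
CONTROLLER_NAS_IPS = {"10.0.0.5"}          # assumed address of the WLC
AUTHORIZED_AP_MACS = {"001a2b3c4d5e"}      # constructed AP MAC, no delimiters


def normalize_mac(mac: str) -> str:
    """Strip delimiters (: - .) and lowercase, giving the 'no delimiter' form
    used for username and password.  Lowercase is an assumption; use whatever
    form the controller actually sends."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return digits.lower()


def encode_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding: pad to 16-byte blocks, then XOR
    each block with MD5(secret + previous ciphertext block), seeded with the
    Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def decode_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of encode_user_password, as the RADIUS server performs it."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(mac: str, nas_ip: str, secret: bytes, ident: int = 1) -> bytes:
    """Build the Access-Request a controller would send for AP authorization:
    User-Name(1) and User-Password(2) both carry the AP's MAC, NAS-IP-Address(4)
    identifies the controller.  Header and attribute layout follow RFC 2865."""
    m = normalize_mac(mac).encode()
    auth = os.urandom(16)                       # Request Authenticator
    ip = bytes(int(o) for o in nas_ip.split("."))
    attrs = b""
    for typ, val in ((1, m), (2, encode_user_password(m, secret, auth)), (4, ip)):
        attrs += struct.pack("!BB", typ, 2 + len(val)) + val
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + auth + attrs


def parse_attributes(pkt: bytes) -> dict:
    """Return {attribute_type: value} for the attributes after the 20-byte header."""
    attrs, i = {}, 20
    while i < len(pkt):
        typ, ln = pkt[i], pkt[i + 1]
        attrs[typ] = pkt[i + 2:i + ln]
        i += ln
    return attrs


def authorize(pkt: bytes, secret: bytes) -> str:
    """Toy server-side policy (an assumption for this example): a MAC-form
    account is accepted only when username and password are the same MAC, the
    request comes from a known controller, and the MAC is on the AP list.  The
    controller check is what stops a guessed AP MAC from working as a client
    login when one server handles both."""
    auth = pkt[4:20]
    a = parse_attributes(pkt)
    user = a.get(1, b"").decode(errors="replace")
    pw = decode_user_password(a.get(2, b""), secret, auth).decode(errors="replace")
    nas = ".".join(str(b) for b in a.get(4, b""))
    try:
        mac, pw_mac = normalize_mac(user), normalize_mac(pw)
    except ValueError:
        return "reject: credentials are not in MAC form"
    if mac != pw_mac:
        return "reject: password does not match username MAC"
    if nas not in CONTROLLER_NAS_IPS:
        return "reject: MAC credentials only accepted from a controller"
    if mac not in AUTHORIZED_AP_MACS:
        return "reject: AP not on authorization list"
    return "accept"


if __name__ == "__main__":
    req = build_access_request("00-1A-2B-3C-4D-5E", "10.0.0.5", SHARED_SECRET)
    print(authorize(req, SHARED_SECRET))
```

The same request sent from an address outside CONTROLLER_NAS_IPS is rejected even though the username and password are valid, which is the property a shared RADIUS server needs if it must carry both AP and client accounts.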