Authenticating LAPs (lightweight APs)

Hi,

I'd like to have explicit control over which LAPs can Join a WLC.

With an autonomous AP you can create a RADIUS account for the AP (I'm not talking about the wireless client) so the AP must authenticate to work on the network.

Can a similar thing be done with LAP?

I noticed the WLC can be configured with LAP MAC addresses to restrict which LAPs can LWAPP Join, but in the v4.1 Config Guide this is only mentioned under the 1500 model AP. Is this also supported for 1131AG & 1242AG LAPs?

Regards, MH

4 Replies

ankbhasi
Cisco Employee

Hi MH,

Yes, you can also block or restrict 1130 and 1242 LWAPP APs using AAA. What you have to do is enable "Authorize APs against AAA" under Security-->AP Policies and then create a user in the ACS server where the username and password will be your AP Ethernet MAC address, without using any delimiter when defining the MAC address.

Try this and update if it works for you.

HTH

Ankur

*Pls rate all helpful posts

Thank you Ankur

I see in the Cisco doco,

Cisco WLC_Config Guide_Web & CLI_Release 4.1

P.317 = 7-47.

it says,

"The controller uses an access point's MAC address as both the username and password when sending the information to a RADIUS server." as you said = GOOD.

1) Will this work with IAS as RADIUS server (you mentioned ACS)?

Then it says,

"If you use the MAC address as the username and password for access point authentication on a RADIUS AAA server, do not use the same AAA server for client authentication."

2) What is the reason behind this?

3) It's not practical for us to have separate RADIUS servers for LAPs & clients. Is the above a hard-&-fast rule? Does it erode security to use the same RADIUS server for both, since a user might guess an AP MAC & be able to get onto the network (I'm guessing here)?

4) Referring to the above cisco doco,

"Figure 7-23 AP Policies Page"

under "Add Ap to Authorization List" - does this mean I can avoid using RADIUS to authenticate the AP and just enter the AP's MAC address (our APs are new so have the MIC certificate type), and the WLC will only allow a LAP with this MAC address to LWAPP Join?

Regards, MH

Hi MH,

Is there any answer to your question? I have the same requirement to use the AP's MAC address to control which LAPs can join the WLC. I tested with "Add Ap to Authorization List", but found it didn't work. I also tested using MAC-Filter, but it seems it didn't work for the 1130, only for the 1510.

The reason that you wouldn't want to use the same radius server for both is that it would be really easy to figure out a MAC address of a device and potentially use said mac address to access the network.

I normally use ACS for device stuff, and then use IAS for user authentication (if it is an Active Directory Environment.)
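Two points in this thread lend themselves to a worked example: Ankur's procedure (the AAA account for each AP is its Ethernet MAC, with no delimiter, used as both username and password) and the later warning that putting those accounts on the same RADIUS server as your wireless users lets anyone who learns an AP MAC log in as a "user". The Python below is an added example, not code from the thread or from Cisco. It normalizes an inventory of AP MACs written in the usual notations into the undelimited form, builds the (username, password) pairs you would create in ACS/IAS, and models one shared AAA server that refuses MAC-style credentials on the client-authentication path. The inventory is constructed sample data; the `radius_decision` function and its "ap"/"client" service tag are a hypothetical model of the policy, not ACS or IAS logic; and the lowercase form is an assumption, since the thread does not say which case the controller sends (check a failed-attempt entry in your RADIUS server's log to confirm).

```python
import re

# Constructed sample inventory: AP Ethernet MACs in the notations an admin
# typically meets (colon, hyphen, Cisco dotted, bare, mixed case), plus a
# duplicate and a malformed entry to exercise the edge cases.
SAMPLE_AP_MACS = [
    "00:1A:2B:3C:4D:5E",
    "00-1a-2b-3c-4d-5f",
    "001a.2b3c.4d60",
    "001A2B3C4D61",
    "00:1a:2b:3c:4d:5e",   # duplicate of the first entry
    "00:1a:2b:3c:4d",      # malformed: only 40 bits
]

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw: str) -> str:
    """Return the MAC as 12 lowercase hex digits with no delimiter.

    Only the delimiters ':', '-', '.' and whitespace are stripped, so stray
    characters make the value fail validation instead of being silently dropped.
    Lowercase is an assumption about what the WLC sends; verify against your
    RADIUS server's log before creating accounts.
    """
    cleaned = re.sub(r"[\s:.\-]", "", raw).lower()
    if not _HEX12.match(cleaned):
        raise ValueError(f"not a 48-bit MAC address: {raw!r}")
    return cleaned


def build_ap_accounts(raw_macs):
    """Map each valid MAC to the (username, password) pair the controller sends.

    Both fields are the MAC itself, per the procedure in the thread. Returns
    (accounts, rejected): a sorted, de-duplicated list of pairs and a list of
    error strings for entries that could not be normalized.
    """
    accounts, rejected = set(), []
    for raw in raw_macs:
        try:
            mac = normalize_mac(raw)
        except ValueError as exc:
            rejected.append(str(exc))
            continue
        accounts.add((mac, mac))
    return sorted(accounts), rejected


def looks_like_ap_auth(username: str, password: str) -> bool:
    """True when a request carries the AP-authorization credential pattern:
    username == password == undelimited MAC. The only 'secret' such an account
    has is a MAC address visible on the wire, which is why the config guide
    says not to share the AAA server with client authentication."""
    return username == password and bool(_HEX12.match(username.lower()))


def radius_decision(users, username, password, service):
    """Hypothetical model of one shared AAA server (not ACS/IAS logic).

    service == "ap" is an AP-authorization request from the WLC; "client" is a
    wireless user login. If you must share the server, the client path has to
    refuse MAC-style credentials, otherwise every AP account is also a usable
    user account for anyone who can sniff an AP MAC.
    """
    if users.get(username) != password:
        return "Access-Reject"
    if service == "client" and looks_like_ap_auth(username, password):
        return "Access-Reject"
    return "Access-Accept"


if __name__ == "__main__":
    accounts, rejected = build_ap_accounts(SAMPLE_AP_MACS)
    for user, pw in accounts:
        print(f"create AAA user {user!r} with password {pw!r}")
    for err in rejected:
        print("skipped:", err)
    users = dict(accounts)
    users["alice"] = "Wint3r!"          # constructed ordinary user account
    ap = accounts[0][0]
    print("AP on ap path:      ", radius_decision(users, ap, ap, "ap"))
    print("AP MAC on client path:", radius_decision(users, ap, ap, "client"))
    print("alice on client path: ", radius_decision(users, "alice", "Wint3r!", "client"))
```

Running it lists four accounts to create, skips the 40-bit entry, and shows the AP MAC accepted on the AP-authorization path but rejected when the same credential is replayed as a wireless user login, which is the exposure the config guide's "do not use the same AAA server" note is guarding against.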
