Authorise APs Against AAA problem

Unanswered Question
Jan 5th, 2009

I hope you had a good Christmas and New year.

Can you help with this?

It is recommended to try and prevent Cisco Lightweight Access Points (LWAPs) from being able to associate with the Wireless LAN Controllers (WLCs) without some form of control or authentication mechanism. One recommendation is to authorise the LWAPs against Authentication, Authorisation and Accounting (AAA) servers.

Check the “Authorise AP against AAA” checkbox.

In theory, now when an LWAP associates with the WLC, a RADIUS authentication access-request with the username and password set to the MAC address of the LWAP is sent to the AAA servers. If the AAA server has the LWAP credentials (username and password set to the MAC address of the LWAP) in the local database, the AAA server replies to the WLC with an authentication access-accept and the LWAP is allowed to associate with the controller.

On the AAA server, all that's required is that a user group is created (“Cisco LWAPs”, for example) and then users are created with the username and PAP password set to the LWAP MAC address.

A problem exists when trying to implement this on our production AAA servers, in that the local password management policy prevents the username and password from being the same:

“Password may not contain the username”

This is the Cisco ACS AAA server version information: 4.1.4.13.12

At present I am not allowed to change the Local Password Management settings as this is a security requirement for existing applications of the AAA servers.

Questions on Cisco ACS

1. Is there a configuration option on the current version of Cisco ACS that will allow different Local Password Management settings on different user groups?

2. Will future Cisco ACS releases support the functionality detailed in question 1?

If the answer to the above questions is NO, what options do I have?

Options

1. Do nothing and leave the implementation as it is: when a Cisco LWAP is connected to the network, it is allowed to associate with the controller. Not really a security risk, as the controller will have full control over the LWAP, but it could create performance issues with co-channel and adjacent-channel interference.

2. Implement access lists on the Cisco switches hosting the WLCs. Only allow traffic with certain source and destination addresses through to the controllers.

3. Use DHCP options for LWAP discovery and only implement the options on certain VLANs.

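As an added illustration (not code from the original post or from Cisco), the exchange described above: the WLC builds a PAP RADIUS Access-Request with User-Name and User-Password both set to the AP's MAC address (RFC 2865 password hiding), and the AAA side reveals the password, compares it with its local database, and applies the quoted "Password may not contain the username" policy at user-creation time. The shared secret, the sample MAC and its colon-delimited format are assumptions.

```python
import hashlib
import os
import struct

SHARED_SECRET = b"example-shared-secret"   # constructed; the real WLC/ACS secret is not on the page
AP_MAC = "00:1a:2b:3c:4d:5e"               # constructed sample LWAP MAC; delimiter format is an assumption

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2 PAP User-Password hiding: 16-byte blocks XORed with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def reveal_password(hidden, secret, authenticator):
    """Server side of the same algorithm; trailing NUL padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(mac, secret, authenticator=None):
    """What the WLC sends for an LWAP: User-Name (1) and User-Password (2) both set to the AP MAC."""
    authenticator = authenticator or os.urandom(16)
    name = mac.encode()
    pw = hide_password(name, secret, authenticator)
    attrs = struct.pack("BB", 1, 2 + len(name)) + name + struct.pack("BB", 2, 2 + len(pw)) + pw
    return struct.pack("!BBH", 1, 0, 20 + len(attrs)) + authenticator + attrs  # code 1 = Access-Request

def acs_add_user(db, username, password, forbid_username_in_password=True):
    """Local-database user creation with the policy the post quotes; MAC-as-password credentials trip it."""
    if forbid_username_in_password and username.lower() in password.lower():
        raise ValueError("Password may not contain the username")
    db[username] = password

def authorize_ap(packet, secret, db):
    """AAA server view: parse attributes, reveal the PAP password, compare with the local database."""
    authenticator, attrs, pos = packet[4:20], {}, 20
    while pos < len(packet):
        attrs[packet[pos]] = packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]
    user = attrs.get(1, b"").decode(errors="replace")
    password = reveal_password(attrs.get(2, b""), secret, authenticator).decode(errors="replace")
    return "Access-Accept" if db.get(user) == password else "Access-Reject"
```

With the policy enforced the user cannot even be created, so the AP's request is rejected; relaxing the policy for that database is what makes the accept path work.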
grzegorz.ciolek Tue, 01/06/2009 - 00:30

Hi,

Cisco advises not to use a shared server. You should use a separate server for AP authentication (as you mentioned, same username/password).

You can build a local database on the controller. However, in this case you cannot use a RADIUS server to authenticate users (global settings).

Cheers

Greg
