Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
412
Views
4
Helpful
1
Replies

Authorise APs Against AAA problem

mark.cronin
Level 2
Level 2

‎01-05-2009 01:40 AM - edited ‎03-10-2019 04:15 PM

I hope you had a good Christmas and New year.

Can you help with this

It is recommended to try and prevent Cisco Lightweight Access Points (LWAPs) from being able to associate with the Wireless LAN Controllers (WLCs) without some form of control or authentication mechanism. One recommendation is to authorise the LWAPs against Authentication, Authorisation and Accounting (AAA) servers.

Check the “Authorise AP against AAA” checkbox.

In theory Now when a LWAP associates with the WLC a RADIUS authentication access-request with the username and password set to the MAC address of LWAP is sent to the AAA servers. If the AAA server has the LWAP credentials (username and password set to the MAC address of the LWAP) in the local database the AAA server replies to the WLC with an authentication access-accept and the LWAP is allowed to associate with the controller.

On the AAA Server all that's required is that a user group is created “Cisco LWAPs” for example and then users are created with the username and PAP passwords are set to the LWAP MAC address.

A problem exists when trying to implement this on our prodcution AAA Servers in that the local password management policy prevents the username and password from being the same.

“Password may not contain the username”

This is the Cisco ACS AAA Server version information 4.1.4.13.12

At present I am not allowed to change the Local Password Management settings as this is a security requirement for existing applications of the AAA servers.

Questions on Cisco ACS

1. Is there a configuration option on the current version of Cisco ACS's that will allow different Local Password Management settings on different user groups?

2. Will future Cisco ACS releases support the functionality detailed in question 1?

If the answer to the above question is NO, what options do I have

Options

1. Do nothing leave the implementation as it is, when a Cisco LWAP is connected to the network it is allowed to associate with the controller. Not really a security risk as the controller will have full control over the LWAP but it could create performance issues with co-channel and adjacent channel interference.

2. Implement access lists on the Cisco switches hosting the WLC's. Only allow traffic with certain source and destination addresses through to the controllers.

3. Use DHCP options for LWAP discovery and only implement the options on certain VLANs

Labels:
Preview file
221 KB
0 Helpful
1 Reply 1

jhillend
Level 1
Level 1

‎01-05-2009 12:22 PM

1. Is there a configuration option on the current version of Cisco ACS's that will allow different Local Password Management settings on different user groups?

No.

2. Will future Cisco ACS releases support the functionality detailed in question 1?

No.

One option is to configure the APs in an LDAP db and have ACS access the LDAP for AP authentication.

Customers Also Viewed These Support Documents