Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Authorise APs Against AAA problem

I hope you had a good Christmas and New year.

Can you help with this

It is recommended to try and prevent Cisco Lightweight Access Points (LWAPs) from being able to associate with the Wireless LAN Controllers (WLCs) without some form of control or authentication mechanism. One recommendation is to authorise the LWAPs against Authentication, Authorisation and Accounting (AAA) servers.

Check the “Authorise AP against AAA” checkbox.

In theory Now when a LWAP associates with the WLC a RADIUS authentication access-request with the username and password set to the MAC address of LWAP is sent to the AAA servers. If the AAA server has the LWAP credentials (username and password set to the MAC address of the LWAP) in the local database the AAA server replies to the WLC with an authentication access-accept and the LWAP is allowed to associate with the controller.

On the AAA Server all that's required is that a user group is created “Cisco LWAPs” for example and then users are created with the username and PAP passwords are set to the LWAP MAC address.

A problem exists when trying to implement this on our prodcution AAA Servers in that the local password management policy prevents the username and password from being the same.

“Password may not contain the username”

This is the Cisco ACS AAA Server version information 4.1.4.13.12

At present I am not allowed to change the Local Password Management settings as this is a security requirement for existing applications of the AAA servers.

Questions on Cisco ACS

1. Is there a configuration option on the current version of Cisco ACS's that will allow different Local Password Management settings on different user groups?

2. Will future Cisco ACS releases support the functionality detailed in question 1?

If the answer to the above question is NO, what options do I have

Options

1. Do nothing leave the implementation as it is, when a Cisco LWAP is connected to the network it is allowed to associate with the controller. Not really a security risk as the controller will have full control over the LWAP but it could create performance issues with co-channel and adjacent channel interference.

2. Implement access lists on the Cisco switches hosting the WLC's. Only allow traffic with certain source and destination addresses through to the controllers.

3. Use DHCP options for LWAP discovery and only implement the options on certain VLANs

1 REPLY
New Member

Re: Authorise APs Against AAA problem

1. Is there a configuration option on the current version of Cisco ACS's that will allow different Local Password Management settings on different user groups?

No.

2. Will future Cisco ACS releases support the functionality detailed in question 1?

No.

One option is to configure the APs in an LDAP db and have ACS access the LDAP for AP authentication.

148
Views
4
Helpful
1
Replies
CreatePlease to create content