Cisco LWAPP AP do .1X for it's own connectivity to Controller ?

MARK HEUZENROEDER · ‎08-03-2006

Hi,

I'm not talking about STA's doing .1X with AP as Authenticator, but rather, when a new Cisco APs is connected to the wired network, it behaving as a .1X Supplicant and authenticating by .1X and then starting LWAPP discovery etc?

Thanks, MH

fmeetz · ‎08-10-2006

Yes,we can use it by enabling dot1x multiple- hosts command on interface of switch which is connected to AP.Then,all the clients(Supplicant) can authenticate using crediantials thro AP & Switch to authentication server.

jakew · ‎08-10-2006

There is no .1X supplicant on lightweight APs right now, so you can't use .1X to authenticate APs.

The mutual authentication based on X.509 certs is there though, and that provides strong protection.

For .1X, think about the issue of credentials for the initial provisioning. Depending on EAP type, you'd have to install a certificate, PAC file, or user credentials before you ever deploy an AP. That adds to the overall deployment complexity.

MARK HEUZENROEDER · ‎08-10-2006

Hi Jake,

Thanks very much for your useful reply.

If someone buys an LWAPP AP (with MIC X.509 cert.) from eBay, or whatever, won't the WLC be happy to have it LWAPP Join it?

As I understand it, the only mechanism you have on the WLC/WCS to discriminate as to which APs are allows to LWAPP Join the WLC (given that AP doesn't have .1X Supplicant) is to specify the AP MAC address to the WLC, right?

Regards, MH

jakew · ‎08-10-2006

Yes, a Cisco AP with a MIC X.509 cert will join the WLC. If you're concerned about this, you can add RADIUS authentication of the AP MAC address. You can also obfuscate the WLC address.

But then, look at if from the macro level. If someone does this, they've essentially given you a free AP. The configurations and access policies are enforced by the WLC. The AP config is downloaded at runtime to the AP in AES protected LWAPP control messages.