Cisco Support Community
Community Member

Cisco LWAPP AP do .1X for its own connectivity to Controller?

Hi,

I'm not talking about STAs doing .1X with the AP as Authenticator, but rather about a new Cisco AP, when it is connected to the wired network, behaving as a .1X Supplicant, authenticating by .1X and then starting LWAPP discovery etc.?

Thanks, MH

4 REPLIES
Bronze

Re: Cisco LWAPP AP do .1X for its own connectivity to Controlle

Yes, we can use it by enabling the dot1x multiple-hosts command on the interface of the switch which is connected to the AP. Then, all the clients (Supplicants) can authenticate using credentials through the AP & Switch to the authentication server.

Bronze

Re: Cisco LWAPP AP do .1X for its own connectivity to Controlle

There is no .1X supplicant on lightweight APs right now, so you can't use .1X to authenticate APs.

The mutual authentication based on X.509 certs is there though, and that provides strong protection.

For .1X, think about the issue of credentials for the initial provisioning. Depending on EAP type, you'd have to install a certificate, PAC file, or user credentials before you ever deploy an AP. That adds to the overall deployment complexity.

Community Member

Re: Cisco LWAPP AP do .1X for its own connectivity to Controlle

Hi Jake,

Thanks very much for your useful reply.

If someone buys an LWAPP AP (with MIC X.509 cert.) from eBay, or whatever, won't the WLC be happy to have it LWAPP Join it?

As I understand it, the only mechanism you have on the WLC/WCS to discriminate as to which APs are allowed to LWAPP Join the WLC (given that the AP doesn't have a .1X Supplicant) is to specify the AP MAC address to the WLC, right?

Regards, MH

Bronze

Re: Cisco LWAPP AP do .1X for its own connectivity to Controlle

Yes, a Cisco AP with a MIC X.509 cert will join the WLC. If you're concerned about this, you can add RADIUS authentication of the AP MAC address. You can also obfuscate the WLC address.

But then, look at it from the macro level. If someone does this, they've essentially given you a free AP. The configurations and access policies are enforced by the WLC. The AP config is downloaded at runtime to the AP in AES-protected LWAPP control messages.
