I'd like to have explicit control over which LAPs can Join a WLC.
With an Autonomous AP you can create a RADIUS account for the AP (I'm not talking about the wireless client) so the AP must authenticate to work on the network.
Can a similar thing be done with LAP?
I noticed WLC can be configured with LAP MAC address to restrict which LAPs can LWAPP Join but in v4.1 Config Guide this is only mentioned under the 1500 model AP. Is this also supported for 1131AG & 1242AG LAPs?
Yes, you can also block or restrict 1130 and 1242 LWAPP APs using AAA. What you have to do is enable "Authorize APs against AAA" under Security-->AP Policies and then create a user in the ACS server where the username and password will be your AP Ethernet MAC address, without using any delimiter when defining the MAC address.
"The controller uses an access point's MAC address as both the username and password when sending the information to a RADIUS server." as you said = GOOD.
1) Will this work with IAS as RADIUS server (you mentioned ACS)?
Then it says,
"If you use the MAC address as the username and password for access point authentication on a RADIUS AAA server, do not use the same AAA server for client authentication."
2) What is the reason behind this?
3) It's not practical for us to have separate RADIUS servers for LAPs & clients. Is the above a hard-&-fast rule? Does it erode security by using the same RADIUS server for both, since a user might guess an AP MAC & be able to get onto the network? (I'm guessing here)
4) Referring to the above cisco doco,
"Figure 7-23 AP Policies Page"
under "Add Ap to Authorization List" - does this mean I can avoid using RADIUS to authenticate the AP and just enter the AP's MAC address (our APs are new so have the MIC certificate type) and the WLC will only allow a LAP with this MAC address to LWAPP Join?
Is there any answer to your question? I met the same requirement to use the AP's MAC address to control which LAP can join the WLC. I tested with "Add Ap to Authorization List", but found it didn't work. I also tested using MAC-Filter, but it seems it didn't work for 1130, only for 1510.
The reason that you wouldn't want to use the same RADIUS server for both is that it would be really easy to figure out a MAC address of a device and potentially use said MAC address to access the network.
I normally use ACS for device stuff, and then use IAS for user authentication (if it is an Active Directory Environment.)
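To make the "don't share the AAA server" point above concrete, here is an added example (not code from the thread, Cisco or any RADIUS product) that models the two checks in plain Python: the WLC sends the AP's Ethernet MAC, delimiters stripped, as both username and password, so on a server whose single credential store also answers wireless-client logins, that MAC pair is a valid client credential. The `service` label on the request, the lower-casing of the MAC and the sample MACs and user are constructed assumptions; the thread does not say how a real server tells the two request types apart.

```python
# Added example (not from the thread): why AP-authorization entries whose
# username == password == MAC must not live in the same credential store
# that answers wireless-client logins, plus a simple detection hook.
import re
from dataclasses import dataclass

BARE_MAC_RE = re.compile(r"[0-9a-f]{12}")


def ap_credential(mac: str) -> str:
    """Format an AP Ethernet MAC the way the thread describes the WLC
    sending it: all twelve hex digits with every delimiter removed.
    Lower-casing is an assumption of this example, not stated in the thread."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not BARE_MAC_RE.fullmatch(hexdigits):
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return hexdigits


@dataclass(frozen=True)
class Request:
    username: str
    password: str
    service: str  # constructed label: "ap-authorization" or "client-login"


# Constructed sample credential store: two APs (MAC as user and password)
# and one human user. Values are made up for the example.
AP_USERS = {ap_credential("00:1A:2B:3C:4D:5E"), ap_credential("00-1a-2b-3c-4d-5f")}
PEOPLE = {"alice": "correct horse battery staple"}


def shared_server_auth(req: Request) -> bool:
    """One store answers every request type. The AP entries are therefore
    also valid client credentials: this is the risk the thread describes."""
    if req.username in AP_USERS and req.password == req.username:
        return True
    return PEOPLE.get(req.username) == req.password


def split_policy_auth(req: Request) -> bool:
    """Separate stores per request type (the thread's advice: a separate
    RADIUS server for APs, or at least a separate policy). AP entries only
    satisfy AP-authorization requests; client logins never match them."""
    if req.service == "ap-authorization":
        return req.username in AP_USERS and req.password == req.username
    if req.service == "client-login":
        return PEOPLE.get(req.username) == req.password
    return False


def is_suspicious_client_login(req: Request) -> bool:
    """Detection hook for a shared server: a client login whose username is
    a bare 12-hex-digit MAC equal to its password looks like an AP entry
    being presented as a user credential and deserves an alert."""
    return (
        req.service == "client-login"
        and BARE_MAC_RE.fullmatch(req.username.lower()) is not None
        and req.username.lower() == req.password.lower()
    )


if __name__ == "__main__":
    ap_as_client = Request("001a2b3c4d5e", "001a2b3c4d5e", "client-login")
    print("shared store accepts AP MAC as a client:", shared_server_auth(ap_as_client))
    print("split policy accepts it:", split_policy_auth(ap_as_client))
    print("flagged by detection:", is_suspicious_client_login(ap_as_client))
```

The split policy is a model, not a configuration recipe: on a real deployment the equivalent is either the separate server the thread recommends (ACS for devices, IAS for users, as the reply above does) or server-side policy that keys AP-authorization entries to AP-policy requests only.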