Cisco Support Community
Community Member

Authenticating LAPs (lightweight APs)


I'd like to have explicit control over which LAPs can Join a WLC.

With an Autonomous AP you can create a RADIUS account for the AP (I'm not talking about the wireless client), so the AP must authenticate to work on the network.

Can a similar thing be done with LAP?

I noticed WLC can be configured with LAP MAC address to restrict which LAPs can LWAPP Join but in v4.1 Config Guide this is only mentioned under the 1500 model AP. Is this also supported for 1131AG & 1242AG LAPs?

Regards, MH

Cisco Employee

Re: Authenticating LAPs (lightweight APs)

Hi MH,

Yes, you can also block or restrict 1130 and 1242 LWAPP APs using AAA. What you have to do is enable "Authorize APs against AAA" under Security --> AP Policies and then create a user in the ACS server where the username and password are your AP's Ethernet MAC address, without using any delimiter when defining the MAC address.

Try this and update if it works for you.



*Pls rate all helpful posts

Community Member

Re: Authenticating LAPs (lightweight APs)

Thank you Ankur

I see in cisco doco,

Cisco WLC_Config Guide_Web & CLI_Release 4.1

P.317 = 7-47.

it says,

"The controller uses an access point's MAC address as both the username and password when sending the information to a RADIUS server." as you said = GOOD.

1) Will this work with IAS as RADIUS server (you mentioned ACS)?

Then it says,

"If you use the MAC address as the username and password for access point authentication on a RADIUS AAA server, do not use the same AAA server for client authentication."

2) What is the reason behind this?

3) It's not practical for us to have separate RADIUS servers for LAPs & clients. Is the above a hard-&-fast rule? Does it erode security by using the same RADIUS server for both, since a user might guess an AP MAC & be able to get onto the network (I'm guessing here)?

4) Referring to the above cisco doco,

"Figure 7-23 AP Policies Page"

under "Add Ap to Authorization List" - does this mean I can avoid using RADIUS to authenticate the AP and just enter the APs MAC address (Our APs are new so have MIC certificate type) and WLC will only allow LAP with this MAC address to LWAPP Join?

Regards, MH


Re: Authenticating LAPs (lightweight APs)

Hi MH,

Is there any answer to your question? I met the same requirement to use the AP's MAC address to control which LAPs can join the WLC. I tested with "Add Ap to Authorization List", but found it didn't work. I also tested MAC-Filter, but it seems it didn't work for the 1130; it only works for the 1510.

Community Member

Re: Authenticating LAPs (lightweight APs)

The reason that you wouldn't want to use the same radius server for both is that it would be really easy to figure out a MAC address of a device and potentially use said mac address to access the network.

I normally use ACS for device stuff, and then use IAS for user authentication (if it is an Active Directory Environment.)
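An added example, not part of any post in this thread and not Cisco code: a small audit of a RADIUS account export that checks the two points discussed above, that each AP has an account whose username and password are its Ethernet MAC without delimiters, and that no MAC-style account is also accepted for client authentication. The CSV columns, the `scope` values, the lowercase-hex convention, the function names and all sample data are assumptions constructed for illustration.

```python
import csv
import io
import re

HEX12 = re.compile(r"^[0-9a-f]{12}$")

def normalize_mac(mac):
    """Strip ':', '-' and '.' delimiters; return 12 hex digits (lowercase is an assumption)."""
    bare = re.sub(r"[:\-.]", "", mac.strip()).lower()
    if not HEX12.match(bare):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bare

def audit_accounts(accounts_csv, ap_inventory):
    """Return (missing_aps, findings) for a RADIUS account export.

    missing_aps: inventory APs with no usable bare-MAC account.
    findings:    (username, reason) pairs for MAC-style accounts needing review.
    """
    known = {normalize_mac(m) for m in ap_inventory}
    usable, findings = set(), []
    for row in csv.DictReader(io.StringIO(accounts_csv)):
        user, pw = row["username"].strip(), row["password"].strip()
        try:
            mac = normalize_mac(user)
        except ValueError:
            continue  # ordinary user account, out of scope for this audit
        well_formed = (user == mac and pw == mac)
        if not well_formed:
            findings.append((user, "username/password is not the bare MAC"))
        if mac not in known:
            findings.append((user, "MAC-style account not in AP inventory"))
        elif well_formed:
            usable.add(mac)
        # 'scope' is a hypothetical column: how the server separates AP and client logins
        if row["scope"].strip() != "ap-only":
            findings.append((user, "account also accepted for client authentication"))
    return sorted(known - usable), findings

# Constructed sample data (not taken from the thread)
SAMPLE_ACCOUNTS = """username,password,scope
001a2b3c4d5e,001a2b3c4d5e,ap-only
00:1A:2B:3C:4D:5F,00:1A:2B:3C:4D:5F,ap-only
001a2b3c4d60,001a2b3c4d60,any
aabbccddeeff,aabbccddeeff,ap-only
jsmith,Secret#1,any
"""
SAMPLE_INVENTORY = ["00:1a:2b:3c:4d:5e", "001A.2B3C.4D5F",
                    "00-1a-2b-3c-4d-60", "00:1a:2b:3c:4d:61"]

if __name__ == "__main__":
    missing, findings = audit_accounts(SAMPLE_ACCOUNTS, SAMPLE_INVENTORY)
    print("APs without a usable account:", missing)
    for user, reason in findings:
        print(f"{user}: {reason}")
```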
