Cisco Support Community

Authorise APs Against AAA problem

I hope you had a good Christmas and New year.

Can you help with this?

It is recommended to try and prevent Cisco Lightweight Access Points (LWAPs) from being able to associate with the Wireless LAN Controllers (WLCs) without some form of control or authentication mechanism. One recommendation is to authorise the LWAPs against Authentication, Authorisation and Accounting (AAA) servers.

Check the “Authorise AP against AAA” checkbox.

In theory, now when an LWAP associates with the WLC, a RADIUS authentication Access-Request with the username and password set to the MAC address of the LWAP is sent to the AAA servers. If the AAA server has the LWAP credentials (username and password set to the MAC address of the LWAP) in its local database, the AAA server replies to the WLC with an authentication Access-Accept and the LWAP is allowed to associate with the controller.

On the AAA server all that's required is that a user group is created (“Cisco LWAPs”, for example) and then users are created with the username and PAP password set to the LWAP MAC address.

A problem exists when trying to implement this on our production AAA servers in that the local password management policy prevents the username and password from being the same.

“Password may not contain the username”

This is the Cisco ACS AAA Server version information

At present I am not allowed to change the Local Password Management settings as this is a security requirement for existing applications of the AAA servers.

Questions on Cisco ACS

1. Is there a configuration option on the current version of Cisco ACS's that will allow different Local Password Management settings on different user groups?

2. Will future Cisco ACS releases support the functionality detailed in question 1?

If the answer to the above questions is NO, what options do I have?


1. Do nothing: leave the implementation as it is, so when a Cisco LWAP is connected to the network it is allowed to associate with the controller. Not really a security risk, as the controller will have full control over the LWAP, but it could create performance issues with co-channel and adjacent-channel interference.

2. Implement access lists on the Cisco switches hosting the WLCs. Only allow traffic with certain source and destination addresses through to the controllers.

3. Use DHCP options for LWAP discovery and only implement the options on certain VLANs.
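The exchange the question describes, modelled end to end as an added example (this is not code from the original post, nor Cisco's): the WLC side builds an RFC 2865 Access-Request whose User-Name and PAP-hidden User-Password are both the AP MAC, the AAA side reveals the password, looks the username up in a local database and answers Accept or Reject, and a small model of the quoted local password policy ("password may not contain the username") shows why the account for the AP cannot be created in the first place. The MAC address, its textual format (separator, case), the shared secret and the policy function are all assumptions made for the example.

```python
"""Model of the WLC -> AAA exchange for AP authorisation (RFC 2865 PAP)."""
import hashlib
import secrets
import struct

# Assumed values (not from the original post): an AP MAC address and the
# RADIUS shared secret configured between WLC and AAA server. The exact
# textual form the WLC uses for the MAC (separator, case) is also assumed.
AP_MAC = "00:1a:2b:3c:4d:5e"
SHARED_SECRET = b"example-radius-secret"

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2   # attribute types, RFC 2865


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; the keystream chains on the *hidden* blocks."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(c ^ k for c, k in zip(block, keystream)), block
    return out.rstrip(b"\x00")   # safe for MAC strings, which never end in NUL


def build_access_request(identifier: int, mac: str, secret: bytes) -> bytes:
    """What the WLC sends: User-Name and User-Password both set to the AP MAC."""
    authenticator = secrets.token_bytes(16)
    attrs = struct.pack("!BB", USER_NAME, 2 + len(mac)) + mac.encode()
    hidden = hide_password(mac.encode(), secret, authenticator)
    attrs += struct.pack("!BB", USER_PASSWORD, 2 + len(hidden)) + hidden
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_attributes(packet: bytes) -> dict:
    """Walk the TLV attribute list that follows the 20-byte RADIUS header."""
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        atype, alen = struct.unpack("!BB", packet[pos:pos + 2])
        if alen < 2:           # malformed length would loop forever; stop
            break
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


def password_policy_ok(username: str, password: str) -> bool:
    """Assumed model of the quoted policy: 'Password may not contain the username'."""
    return username.lower() not in password.lower()


def provision_ap_account(db: dict, mac: str, enforce_policy: bool = True) -> bool:
    """Create the AP user (username == password == MAC); fails under the policy."""
    if enforce_policy and not password_policy_ok(mac, mac):
        return False
    db[mac] = mac
    return True


def handle_access_request(packet: bytes, secret: bytes, db: dict) -> int:
    """AAA side: reveal the PAP password and compare against the local database."""
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return ACCESS_REJECT
    request_auth = packet[4:20]
    attrs = parse_attributes(packet)
    username = attrs.get(USER_NAME, b"").decode(errors="replace")
    hidden = attrs.get(USER_PASSWORD, b"")
    password = reveal_password(hidden, secret, request_auth).decode(errors="replace")
    return ACCESS_ACCEPT if db.get(username) == password else ACCESS_REJECT


def demo() -> tuple:
    """Policy on: account not created, AP rejected. Policy off: AP accepted."""
    strict_db, relaxed_db = {}, {}
    created_strict = provision_ap_account(strict_db, AP_MAC, enforce_policy=True)
    created_relaxed = provision_ap_account(relaxed_db, AP_MAC, enforce_policy=False)
    req = build_access_request(7, AP_MAC, SHARED_SECRET)
    return (created_strict, handle_access_request(req, SHARED_SECRET, strict_db),
            created_relaxed, handle_access_request(req, SHARED_SECRET, relaxed_db))


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns `(False, 3, True, 2)`: with the policy enforced the AP account is never created, so the same Access-Request gets an Access-Reject (code 3); with the policy relaxed on a dedicated database the request gets an Access-Accept (code 2). Note that a wrong shared secret also yields a Reject, because the revealed password no longer matches.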


Re: Authorise APs Against AAA problem


Cisco advises not to use a shared server. You should use a separate server for AP authentication (as you mentioned, same username/password).

You can build a local database on the controller. However, in this case you cannot use a RADIUS server to authenticate users (global settings).