It is recommended to try and prevent Cisco Lightweight Access Points (LWAPs) from being able to associate with the Wireless LAN Controllers (WLCs) without some form of control or authentication mechanism. One recommendation is to authorise the LWAPs against Authentication, Authorisation and Accounting (AAA) servers.
Check the "Authorise AP against AAA" checkbox.
In theory, now when a LWAP associates with the WLC a RADIUS authentication access-request with the username and password set to the MAC address of the LWAP is sent to the AAA servers. If the AAA server has the LWAP credentials (username and password set to the MAC address of the LWAP) in the local database, the AAA server replies to the WLC with an authentication access-accept and the LWAP is allowed to associate with the controller.
On the AAA server all that's required is that a user group is created ("Cisco LWAPs", for example) and then users are created with the username and PAP password set to the LWAP MAC address.
A problem exists when trying to implement this on our production AAA servers in that the local password management policy prevents the username and password from being the same:
"Password may not contain the username"
This is the Cisco ACS AAA Server version information 220.127.116.11.12
At present I am not allowed to change the Local Password Management settings as this is a security requirement for existing applications of the AAA servers.
Questions on Cisco ACS
1. Is there a configuration option on the current version of Cisco ACS that will allow different Local Password Management settings on different user groups?
2. Will future Cisco ACS releases support the functionality detailed in question 1?
If the answer to the above questions is NO, what options do I have?
1. Do nothing: leave the implementation as it is, so when a Cisco LWAP is connected to the network it is allowed to associate with the controller. Not really a security risk, as the controller will have full control over the LWAP, but it could create performance issues with co-channel and adjacent channel interference.
2. Implement access lists on the Cisco switches hosting the WLCs. Only allow traffic with certain source and destination addresses through to the controllers.
3. Use DHCP options for LWAP discovery and only implement the options on certain VLANs
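The RADIUS exchange described in the post, as an added example that is not part of the original post or any Cisco code: it builds the Access-Request a WLC would send (User-Name and PAP User-Password both set to the AP MAC, with RFC 2865 password hiding), then plays the AAA side, recovering the password and applying the "password may not contain the username" rule, which is exactly the policy that rejects MAC-as-password accounts. The shared secret, the AP MAC, the fixed Request Authenticator and the text form of the MAC are assumptions.

```python
import hashlib
import struct

# Constructed sample values (not from the post): shared secret, one AP MAC and a fixed
# Request Authenticator for reproducibility (a real WLC uses 16 random bytes per request).
SHARED_SECRET = b"example-shared-secret"
AP_MAC = "00:1a:2b:3c:4d:5e"  # MAC text form is an assumption; WLC formatting is configurable
AUTHENTICATOR = bytes(range(16))

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2 User-Password hiding: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the AAA server runs it before checking its local user database."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(mac: str, secret: bytes, authenticator: bytes, identifier: int = 1) -> bytes:
    """WLC side: Access-Request (code 1) carrying User-Name (type 1) and User-Password (type 2), both the AP MAC."""
    user = mac.encode()
    hidden = hide_password(user, secret, authenticator)
    attrs = bytes([1, 2 + len(user)]) + user + bytes([2, 2 + len(hidden)]) + hidden
    return struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + authenticator + attrs

def server_check(packet: bytes, secret: bytes) -> dict:
    """AAA side: parse the TLV attributes, recover the PAP password and apply the local policy rule from the
    post ('password may not contain the username'), which is what rejects MAC-as-password accounts."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    authenticator, attrs = packet[4:20], packet[20:length]
    fields, pos = {}, 0
    while pos < len(attrs):
        fields[attrs[pos]] = attrs[pos + 2:pos + attrs[pos + 1]]
        pos += attrs[pos + 1]
    username = fields[1].decode()
    password = reveal_password(fields[2], secret, authenticator).decode()
    return {"code": code, "username": username, "password": password,
            "policy_ok": username.lower() not in password.lower()}
```

Running `server_check(build_access_request(AP_MAC, SHARED_SECRET, AUTHENTICATOR), SHARED_SECRET)` returns the MAC as both username and password with `policy_ok` False, which is the rejection the post describes.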