
New Member

Officeextend AP600 authentication to WLC

Hello folks,

Is there any way to authenticate AP600 to WLC when it joins the WLC over CAPWAP tunnel ?

I didn't find any good methods to control this process. Technically, anyone who knows the public IP of WLC can easily join their AP and get connected to the internal office environment.

And secondly, will 802.1x work against the AD if I set Layer 2 security to 802.1x ?

Hall of Fame Super Silver

Officeextend AP600 authentication to WLC

Best practice is to use MAC filters.  If you have OEAPs and regular APs on the same WLC, then you will need to add all the MAC addresses to each WLC.  I have not tried to see if 802.1x works or not.

Thanks,

Scott

Help out others by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***
Hall of Fame Super Silver

Officeextend AP600 authentication to WLC

I should say... per this guide:)

http://www.cisco.com/en/US/products/ps11579/products_tech_note09186a0080b7f10e.shtml#config-steps

Thanks,

Scott

New Member

Officeextend AP600 authentication to WLC

Thank you, Scott

I thought that MAC filtering is already history and the least secure method as MAC address can be easily spoofed. How would I do it?

WLC: Security -> AAA -> MAC Filtering -> MAC Filters ?

Once it is enabled then all wireless clients will be filtered as well ?

Hall of Fame Super Silver

Officeextend AP600 authentication to WLC

Take a look at the link I posted as it shows you where you have to enter the MAC address and what you need to check.

Thanks,

Scott

New Member

Officeextend AP600 authentication to WLC

I remember reading this guide but didn't find how exactly it is done

The guide is missing what MAC address I enter in that filter and what are those certificate types, i.e. MIC, SSC, LSC

New Member

Officeextend AP600 authentication to WLC

And another question that may of course sound stupid but still valid.

What about split tunneling ? Let's say I don't want to send all internet bound traffic into the CAPWAP tunnel

Hall of Fame Super Silver

Officeextend AP600 authentication to WLC

Take a look at this support doc... I haven't had to deploy this yet but I have tested it when it initially came out, not with newer code though:

https://supportforums.cisco.com/docs/DOC-27758

Thanks,

Scott

Hall of Fame Super Silver

Officeextend AP600 authentication to WLC

The OEAP 600 ethernet mac address and all your AP mac address.  Then enable or check: Authorize MIC APs against auth-list or AAA

Thanks,

Scott

New Member

Officeextend AP600 authentication to WLC

The only MAC address I see on AP600 is the one on the back on the sticker. What's "all your AP mac address" ?

Didn't understand

Hall of Fame Super Silver

Officeextend AP600 authentication to WLC

Once you enable "Authorize MIC APs against auth-list or AAA", then all AP's that join that WLC will need to have their mac address added or else, if they bounce, get rebooted or whatever, they will fail to join.  You just need to add the mac address on the sticker.

Thanks,

Scott
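
As an added illustration (not part of any post in this thread, and not taken from the linked guide), the AP authorization step described in the reply above can be expressed in the AireOS controller CLI. The MAC address is a constructed placeholder, and lines starting with `#` are annotations rather than commands.

```text
# Annotation lines start with '#'; they are not controller commands.
# 00:11:22:33:44:55 is a constructed placeholder for the Ethernet MAC
# printed on the sticker of the AP.

# 1. Add every AP that is allowed to join this controller,
#    the OEAP 600 as well as the regular APs already joined.
config auth-list add mic 00:11:22:33:44:55

# 2. Only after the list is complete, enable the check
#    (GUI equivalent: "Authorize MIC APs against auth-list or AAA").
config auth-list ap-policy authorize-ap enable

# 3. Confirm the policy state and the entries that were added.
show auth-list
```

Populating the list before enabling the policy avoids the failure mode the reply mentions, where an unlisted AP that reboots can no longer join.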

New Member

Officeextend AP600 authentication to WLC

Ok, thanks again, Scott.

Quite a lot of things to test and validate. Will update if I had progress or stumbled upon something new

Hall of Fame Super Silver

Officeextend AP600 authentication to WLC

Sounds good... hopefully that info helped.

Thanks,

Scott

New Member

Officeextend AP600 authentication to WLC

Hello Scott,

I ran into a problem while testing 802.1x user authentication. The WLAN on the controller is set for 802.1x under layer 2 security but when the user tries to connect to the SSID he is challenged with PSK. Weird, I remember it was working before I upgraded the controller from 7.3 code to the latest 7.6 (I did it to test split tunneling)

I don't believe it is related to the upgrade but who knows, just wanted to ask for a fresh opinion.

And by the way MAC based authentication for AP works perfect !

Hall of Fame Super Silver

Re: Officeextend AP600 authentication to WLC

I would verify the WLAN setting and the AP Group if you have any created. I would also check what the users are actually seeing.
New Member

Officeextend AP600 authentication to WLC

[Screenshots: WLAN1.JPG, WLAN2.JPG, WLAN3.JPG]

These are settings for the WLAN in question. There's nothing set to Layer 3

Hall of Fame Super Silver

Re: Officeextend AP600 authentication to WLC

Do you have anyone able to connect to that SSID internally not using the OEAP 600? When people want to use 802.1x, I don't typically see what you have configured. I set the layer 2 security to WPA + WPA2, and then just enable WPA2 and AES and set Authentication Key Management to 802.1x.

New Member

Officeextend AP600 authentication to WLC

Hello Scott and everyone else who will read it.

Confirming or rather summarizing my events.

OEAP600 doesn't support split tunneling in the context the normal person would think about it.

Only local printing is supported as split tunneling. Check this out

http://mrncciew.com/2013/09/10/split-tunneling-in-oeap600/

And dot1x is unfortunately not supported for wireless WLAN, only remote LAN.

Thanks again for your time and input

VIP Purple

Re: Officeextend AP600 authentication to WLC

one more...

Here is the nice post by Rasika

https://supportforums.cisco.com/thread/2238105

Regards
