Cisco Systems OL-17037-01 manual Authorizing Access Points Using SSCs


Chapter 7 Controlling Lightweight Access Points

Autonomous Access Points Converted to Lightweight Mode

Step 8 Wait until the access point reboots as indicated by all LEDs turning green followed by the Status LED blinking green.

Step 9 After the access point reboots, reconfigure the access point using the GUI or the CLI.

Authorizing Access Points

In controller software releases prior to 5.2, the controller may either use self-signed certificates (SSCs) to authenticate access points or send the authorization information to a RADIUS server (if access points have manufacturing-installed certificates [MICs]). In controller software release 5.2, you can configure the controller to use a locally significant certificate (LSC).

Authorizing Access Points Using SSCs

The Control and Provisioning of Wireless Access Points protocol (CAPWAP) secures the control communication between the access point and controller by means of a secure key distribution requiring X.509 certificates on both the access point and controller. CAPWAP relies on a priori provisioning of the X.509 certificates. Cisco Aironet access points shipped before July 18, 2005 do not have a MIC, so these access points create an SSC when upgraded to operate in lightweight mode. Controllers are programmed to accept local SSCs for authentication of specific access points and do not forward those authentication requests to a RADIUS server. This behavior is acceptable and secure.

Authorizing Access Points Using MICs

You can configure controllers to use RADIUS servers to authorize access points using MICs. The controller uses an access point’s MAC address as both the username and password when sending the information to a RADIUS server. For example, if the MAC address of the access point is 000b85229a70, both the username and password used by the controller to authorize the access point are 000b85229a70.

Note: The lack of a strong password by the use of the access point’s MAC address should not be an issue because the controller uses MIC to authenticate the access point prior to authorizing the access point through the RADIUS server. Using MIC provides strong authentication.

Note: If you use the MAC address as the username and password for access point authentication on a RADIUS AAA server, do not use the same AAA server for client authentication.
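
One way to check the second note on a server, as an added example that is not part of the Cisco guide: the script scans a FreeRADIUS-style `users` file (an assumed format; the guide names no RADIUS product) for accounts whose username and password are the same MAC address and reports whether they share the file with other accounts. The function names and sample entries are constructed for illustration.

```python
import re

MAC_RE = re.compile(r"^[0-9a-f]{12}$")
# Entry lines start in column 0; indented reply-attribute lines never match.
ENTRY_RE = re.compile(r'^(\S+)\s+Cleartext-Password\s*:=\s*"([^"]*)"')

# Constructed sample file: two AP authorization entries and one client account.
SAMPLE_USERS = '''\
# AP authorization entries (MAC as username and password)
000b85229a70 Cleartext-Password := "000b85229a70"
00-0B-85-22-9A-71 Cleartext-Password := "00-0b-85-22-9a-71"
alice Cleartext-Password := "constructed-client-secret"
    Reply-Message := "client account"
'''


def normalize_mac(value):
    """Return the 12-hex-digit lowercase form (as in 000b85229a70), or None."""
    compact = re.sub(r"[-:.]", "", value).lower()
    return compact if MAC_RE.match(compact) else None


def audit_users(text):
    """Split entries into AP-style (username == password == MAC) and others."""
    ap_entries, other_entries = [], []
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        match = ENTRY_RE.match(line)
        if not match:
            continue
        user, password = match.groups()
        mac = normalize_mac(user)
        if mac is not None and normalize_mac(password) == mac:
            ap_entries.append(mac)
        else:
            other_entries.append(user)
    return ap_entries, other_entries


def violates_separation(text):
    """True when AP MAC credentials and other accounts share one user store."""
    ap_entries, other_entries = audit_users(text)
    return bool(ap_entries) and bool(other_entries)


if __name__ == "__main__":
    aps, others = audit_users(SAMPLE_USERS)
    print("AP entries:", aps)
    print("Other accounts:", others)
    print("Shared with client accounts:", violates_separation(SAMPLE_USERS))
```
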

 

Cisco Wireless LAN Controller Configuration Guide

7-18

OL-17037-01
