We will configure WLCs to use RADIUS servers to authorize APs. The WLC uses a LAP's MAC address as both the username and password when sending the information to a RADIUS server.
For example, if the MAC address of the AP is aa:bb:cc:dd:ee:ff, the controller uses aa:bb:cc:dd:ee:ff as both the username and the password when it authorizes that AP.
Note: If you use the MAC address as the username and password for AP authentication on a RADIUS AAA server, do not use the same AAA server for client authentication. The reason is that anyone who learns an AP's MAC address can present that MAC as the username and password credentials to get onto the network.
WLC Configuration
In the WLC GUI, click Security > AP Policies.
The AP Policies page appears.
Under Policy Configuration, check the box for Authorize MIC APs against auth-list or AAA.
When this parameter is selected, the WLC checks the local MAC database first and queries the RADIUS server only if the LAP MAC address is not found there. For this reason, make sure the local database is empty by clearing the MAC addresses under the AP Authorization List.
Click Security and RADIUS Authentication from the controller GUI to display the RADIUS Authentication Servers page. Then, click New in order to define a RADIUS server.
Define the RADIUS server parameters on the RADIUS Authentication Servers > New page. These parameters include the RADIUS Server IP Address, Shared Secret, Port Number, and Server Status.
ACS Configuration
Click Network Configuration > Add AAA Client.
The Add AAA Client page appears.
On this page, define the WLC system name, the Management Interface IP address, and the Shared Secret (the same secret configured on the WLC's RADIUS server entry).
Click Submit + Apply.
Add the LAP MAC Addresses to the User Database on the Cisco Secure ACS.
Complete these steps in order to add the LAP MAC addresses to the Cisco Secure ACS:
Choose User and Identity Stores from the ACS GUI and create a new user.
The username should be the MAC address of the LAP that you want to authorize.
The password should also be the LAP's MAC address.
Repeat this procedure to add more LAPs to the Cisco Secure ACS database.
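As an added example (not code from the original post or from Cisco), the exchange described above in Python: build_ap_access_request builds the Access-Request the WLC sends with the AP MAC as both User-Name and User-Password (the password hidden with the shared secret as RFC 2865 specifies), and authorize_ap shows the AAA-server side recovering the password and applying the MAC-as-credential rule. The shared secret, MAC address and packet identifier are constructed values.

```python
import hashlib
import struct

# Constructed values for this example; they are not from the original post.
SHARED_SECRET = b"example-shared-secret"
AP_MAC = "aa:bb:cc:dd:ee:ff"
USER_NAME, USER_PASSWORD = 1, 2  # RADIUS attribute types (RFC 2865)

def pap_xor(data, secret, authenticator, encrypt):
    """RFC 2865 5.2 User-Password hiding: each 16-byte block is XORed with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        chunk = data[i:i + 16]
        block = bytes(a ^ b for a, b in zip(chunk, key))
        out, prev = out + block, (block if encrypt else chunk)
    return out

def pap_encrypt(password, secret, authenticator):
    padded = password + b"\x00" * (-len(password) % 16)  # pad to a 16-byte multiple
    return pap_xor(padded, secret, authenticator, encrypt=True)

def pap_decrypt(cipher, secret, authenticator):
    return pap_xor(cipher, secret, authenticator, encrypt=False).rstrip(b"\x00")

def build_ap_access_request(mac, secret, authenticator):
    """What the WLC sends: an Access-Request whose User-Name and User-Password
    are both the AP's MAC address (the password is hidden with the shared secret)."""
    user = mac.encode()
    attrs = struct.pack("BB", USER_NAME, 2 + len(user)) + user
    hidden = pap_encrypt(user, secret, authenticator)
    attrs += struct.pack("BB", USER_PASSWORD, 2 + len(hidden)) + hidden
    return struct.pack("!BBH", 1, 0x42, 20 + len(attrs)) + authenticator + attrs

def parse_attrs(packet):
    """Return {type: value} for the attributes following the 20-byte RADIUS header."""
    attrs, pos = {}, 20
    while pos + 2 <= len(packet) and packet[pos + 1] >= 2:
        attrs[packet[pos]] = packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]
    return attrs

def authorize_ap(packet, secret, authorized_macs):
    """AAA-server side: recover the password and apply the MAC-as-credential rule."""
    attrs = parse_attrs(packet)
    user = attrs[USER_NAME].decode(errors="replace")
    password = pap_decrypt(attrs[USER_PASSWORD], secret, packet[4:20]).decode(errors="replace")
    # Only the shared secret protects the exchange: the credential itself is the public MAC.
    return user, password, (user in authorized_macs and password == user)
```

The returned tuple is (username, recovered password, accepted); a wrong shared secret yields garbage for the password, so the server rejects the AP even though its MAC is on the list.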