topic Re: AP Authentication via ACS. in Wireless

AP Authentication via ACS.

chopra.harish1 — Sun, 04 Jul 2021 04:56:37 GMT

Hi All,

Just a basic question regarding MAC based authenitcation of AP with ACS.

The scenario is - If I have a ACS installed and I want all my Cisco 3502 APs to be authenticated on MAC basis via ACS. I know that AP mac is used as a username and password at ACS so that whenever we plugin the new AP in the network, it gets authenticated via ACS first and if the AP is authorised to be used in network then only it gets the IP address from DHCP.

My question is - What will happen, if the AP is connected in local mode on a remote location and the WLC, ACS & DHCP are in Datacenter. The traffic coming from remote location will pass through the Remote-site router and during that pass, it will remove the source mac address of AP and put the router interface MAC address as source, so how will the ACS authenticate the AP in that case.

When working in a LAN I know its possible, but how will it work over the WAN.

Pls. suggest ASAP.

Thanks in Advance.

Regards

Harish

AP Authentication via ACS.

rdvorak — Wed, 04 Apr 2012 08:12:36 GMT

You are correct that the MAC of the packet is changed in every subnet that you pass from the remote to the central site but the message in the packet didn't change - and the message includes the question could MAC XX-AP-XX get in or not.

Ron

Re: AP Authentication via ACS.

Amjad Abdullah — Wed, 04 Apr 2012 12:43:34 GMT

Harish:
As you may know that traffic between WLC and APs is encapsulated in CAPWAP tunnel.
The information insdie the CAPWAP should tell the WLC what MAC address the AP uses.

CAPWAP RFC metniones that you can do AP authorization by two ways:

- with certificates

- with PSK.

The standards does no imply what the PSK should be, however, Cisco seems to use it to be the mac address of the AP when the ap authorization is enabled. RFC recommends to use mac address of AP as PSK.

2.4.4.4.  PSK Usage
   When DTLS uses PSK Ciphersuites, the ServerKeyExchange message MUST
   contain the "PSK identity hint" field and the ClientKeyExchange
   message MUST contain the "PSK identity" field.  These fields are used
   to help the WTP select the appropriate PSK for use with the AC, and
   then indicate to the AC which key is being used.  When PSKs are
   provisioned to WTPs and ACs, both the PSK Hint and PSK Identity for
   the key MUST be specified.
   The PSK Hint SHOULD uniquely identify the AC and the PSK Identity
   SHOULD uniquely identify the WTP.  It is RECOMMENDED that these hints
   and identities be the ASCII HEX-formatted MAC addresses of the
   respective devices, since each pairwise combination of WTP and AC
   SHOULD have a unique PSK.  The PSK Hint and Identity SHOULD be
   sufficient to perform authorization, as simply having knowledge of a
   PSK does not necessarily imply authorization.

   If a single PSK is being used for multiple devices on a CAPWAP
   network, which is NOT RECOMMENDED, the PSK Hint and Identity can no
   longer be a MAC address, so appropriate hints and identities SHOULD
   be selected to identify the group of devices to which the PSK is
   provisioned

you may spend more time reading the CAPWAP RFC if you are interested

CAPWAP RFC: http://www.ietf.org/rfc/rfc5415.txt

Hope this answers your concern.

Amjad

Re: AP Authentication via ACS.

rdvorak — Wed, 04 Apr 2012 13:17:46 GMT

I'd be wrong but I assume that the author of this thread likes to enable 802.1X authentication for the AP MAC on the LAN port of the remote switch.

So in case someone disconnect the AP he is not able to connect to the network with onther device on this port.

The message is send from the AAA client (=the LAN switch/authenticator) to the ACS (auth server).

Cheers,

Ron

Re: AP Authentication via ACS.

Amjad Abdullah — Wed, 04 Apr 2012 13:32:11 GMT

I think he is referring to ap authorization

http://tiny.cc/83s8bw

Re: AP Authentication via ACS.

Stephen Rodriguez — Wed, 04 Apr 2012 14:18:14 GMT

It would work the same. When you do ap authorization the packet sent ti the AAA is sent from the WLC. So the AP needs to attempt to join the WLC for it to work. So long as you have reachability from the AP subnet to the WLC management it won't matter where the AP is

Steve

Sent from Cisco Technical Support iPhone App

Re: AP Authentication via ACS.

chopra.harish1 — Wed, 04 Apr 2012 16:19:14 GMT

Hi Amjad,

Thanks for your reply.

But I am still confused about this.

If the AP is new and just started booting up. The First thing it should do is - Going to the ACS and get itself verified and authenicated to join the controller. After the successful Authentication, the CAPWAP tunnel establishes. Post that, all the traffic goes to WLC for processing.

So, What exactly happens after the AP boots up and initiates the WLC hunting processing. Prior to this, it has to get itself validated from ACS.

Pls. suggest, if my understanding to this is correct.

Thanks everyone for your time and replying to posts.

Re: AP Authentication via ACS.

chopra.harish1 — Wed, 04 Apr 2012 16:20:16 GMT

Hi Steve,

Can you pls. shed some more light on this. Thanks !

Re: AP Authentication via ACS.

Stephen Rodriguez — Wed, 04 Apr 2012 16:35:33 GMT

What are you asking for specifically?

The AP boots finds the WLC. The WLC in turn sends a auth request to the AAA. if AAA sends accept the Ap is allowed to join. If AAA sends a reject the AP is not allowed to join.

So for a new AP you would need to know the Mac address to build the account in AAA prior to it coming online. Or I suppose you oils pull it from the logs and add it after rd in the network, but IMO is get the Mac upfront

Steve

Sent from Cisco Technical Support iPhone App

Re: AP Authentication via ACS.

chopra.harish1 — Thu, 05 Apr 2012 03:09:04 GMT

Thanks Steve. That was simple one liner answer to my question. It clears my confussion now.

Earlier I was thinking that AP MAC will be verfied first by ACS and then only it will be allowed to talk to WCL. I was wrong in that.