I'd like to set up RADIUS authentication for management sessions to the CAPWAP (lightweight) AP itself. For example, I set up switches so that when establishing an SSH session to them, RADIUS authenticates my user account.
- I have a WLC-managed Access Point;
- I have RADIUS configured;
- I have my user account in RADIUS;
and I'd like to enter the AP using my credentials stored in RADIUS.
For now I have to remember a LOCAL ACCOUNT for the AP -> PER AP, which is awfully inconvenient. I've enabled SSH to all APs through Wireless -> Global Configuration.
Again, this is not about how to authenticate the AP itself via RADIUS (MACs and so on). The question: how to enable AAA for login/enable, as for other devices like switches or routers?
- I consider this requirement to be 'serious overkill' and doubt it is possible. The reason being that CAPWAP-based APs are intended to be managed and configured from the controller (or Prime for instance).
At this point it is not possible for RADIUS auth to the APs for SSH sessions. I agree it would be something nice to have, even though it may be "overkill"; essentially every other piece of network hardware I manage uses RADIUS auth with my AD account, and I still have to log in to an AP to look at things from time to time.
You can set a global username/password which is what we do under Wireless > Access Points > Global Configuration. At least this way we only have to remember one username/password for all APs.
Ok, ok.. :-)
But could you please tell me why they still have SSH ENABLED if we control them COMPLETELY from the WLC? Why might they have independent local accounts enabled for SSH connections to them?
In order to disable SSH connections on your controller, go to Wireless > Access Points > Global Configuration and unselect the SSH (and Telnet) boxes.