Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1211
Views
0
Helpful
9
Replies

AP Authentication via ACS.

Go to solution
chopra.harish1
Level 1
Level 1

‎04-03-2012 09:37 PM - edited ‎07-03-2021 09:56 PM

Hi All,

Just a basic question regarding MAC based authenitcation of AP with ACS.

The scenario is - If I have a ACS installed and I want all my Cisco 3502 APs to be authenticated on MAC basis via ACS. I know that AP mac is used as a username and password at ACS so that whenever we plugin the new AP in the network, it gets authenticated via ACS first and if the AP is authorised to be used in network then only it gets the IP address from DHCP.

My question is - What will happen, if the AP is connected in local mode on a remote location and the WLC, ACS & DHCP are in Datacenter. The traffic coming from remote location will pass through the Remote-site router and during that pass, it will remove the source mac address of AP and put the router interface MAC address as source, so how will the ACS authenticate the AP in that case.

When working in a LAN I know its possible, but how will it work over the WAN.

Pls. suggest ASAP.

Thanks in Advance.

Regards

Harish

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Stephen Rodriguez
Cisco Employee
Cisco Employee
In response to chopra.harish1

‎04-04-2012 09:35 AM

What are you asking for specifically?

The AP boots finds the WLC. The WLC in turn sends a auth request to the AAA. if AAA sends accept the Ap is allowed to join. If AAA sends a reject the AP is not allowed to join.

So for a new AP you would need to know the Mac address to build the account in AAA prior to it coming online. Or I suppose you oils pull it from the logs and add it after rd in the network, but IMO is get the Mac upfront

Steve

Sent from Cisco Technical Support iPhone App

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

View solution in original post

0 Helpful
9 Replies 9

Go to solution
rdvorak
Level 1
Level 1

‎04-04-2012 01:12 AM

You are correct that the MAC of the packet is changed in every subnet that you pass from the remote to the central site but the message in the packet didn't change - and the message includes the question could MAC XX-AP-XX get in or not.

Ron

0 Helpful

Go to solution
Amjad Abdullah
VIP Alumni
VIP Alumni

‎04-04-2012 05:43 AM

Harish:
As you may know that traffic between WLC and APs is encapsulated in CAPWAP tunnel.
The information insdie the CAPWAP should tell the WLC what MAC address the AP uses.

CAPWAP RFC metniones that you can do AP authorization by two ways:

- with certificates

- with PSK.

The standards does no imply what the PSK should be, however, Cisco seems to use it to be the mac address of the AP when the ap authorization is enabled. RFC recommends to use mac address of AP as PSK.

2.4.4.4.  PSK Usage
   When DTLS uses PSK Ciphersuites, the ServerKeyExchange message MUST
   contain the "PSK identity hint" field and the ClientKeyExchange
   message MUST contain the "PSK identity" field.  These fields are used
   to help the WTP select the appropriate PSK for use with the AC, and
   then indicate to the AC which key is being used.  When PSKs are
   provisioned to WTPs and ACs, both the PSK Hint and PSK Identity for
   the key MUST be specified.
   The PSK Hint SHOULD uniquely identify the AC and the PSK Identity
   SHOULD uniquely identify the WTP.  It is RECOMMENDED that these hints
   and identities be the ASCII HEX-formatted MAC addresses of the
   respective devices, since each pairwise combination of WTP and AC
   SHOULD have a unique PSK.  The PSK Hint and Identity SHOULD be
   sufficient to perform authorization, as simply having knowledge of a
   PSK does not necessarily imply authorization.

   If a single PSK is being used for multiple devices on a CAPWAP
   network, which is NOT RECOMMENDED, the PSK Hint and Identity can no
   longer be a MAC address, so appropriate hints and identities SHOULD
   be selected to identify the group of devices to which the PSK is
   provisioned

you may spend more time reading the CAPWAP RFC if you are interested

CAPWAP RFC: http://www.ietf.org/rfc/rfc5415.txt

Hope this answers your concern.

Amjad

Rating useful replies is more useful than saying "Thank you"
0 Helpful

Go to solution
rdvorak
Level 1
Level 1
In response to Amjad Abdullah

‎04-04-2012 06:17 AM

I'd be wrong but I assume that the author of this thread likes to enable 802.1X authentication for the AP MAC on the LAN port of the remote switch.

So in case someone disconnect the AP he is not able to connect to the network with onther device on this port.

The message is send from the AAA client (=the LAN switch/authenticator) to the ACS (auth server).

Cheers,

Ron

0 Helpful

Go to solution
Amjad Abdullah
VIP Alumni
VIP Alumni
In response to rdvorak

‎04-04-2012 06:32 AM

I think he is referring to ap authorization

http://tiny.cc/83s8bw

Rating useful replies is more useful than saying "Thank you"
0 Helpful

Go to solution
chopra.harish1
Level 1
Level 1
In response to Amjad Abdullah

‎04-04-2012 09:19 AM

Hi Amjad,

Thanks for your reply.

But I am still confused about this.

If the AP is new and just started booting up. The First thing it should do is - Going to the ACS and get itself verified and authenicated to join the controller. After the successful Authentication, the CAPWAP tunnel establishes. Post that, all the traffic goes to WLC for processing.

So, What exactly happens after the AP boots up and initiates the WLC hunting processing. Prior to this, it has to get itself validated from ACS.

Pls. suggest, if my understanding to this is correct.

Thanks everyone for your time and replying to posts.

0 Helpful

Go to solution
Stephen Rodriguez
Cisco Employee
Cisco Employee

‎04-04-2012 07:18 AM

It would work the same. When you do ap authorization the packet sent ti the AAA is sent from the WLC. So the AP needs to attempt to join the WLC for it to work. So long as you have reachability from the AP subnet to the WLC management it won't matter where the AP is

Steve

Sent from Cisco Technical Support iPhone App

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered
0 Helpful

Go to solution
chopra.harish1
Level 1
Level 1
In response to Stephen Rodriguez

‎04-04-2012 09:20 AM

Hi Steve,

Can you pls. shed some more light on this. Thanks !

0 Helpful

Go to solution
Stephen Rodriguez
Cisco Employee
Cisco Employee
In response to chopra.harish1

‎04-04-2012 09:35 AM

What are you asking for specifically?

The AP boots finds the WLC. The WLC in turn sends a auth request to the AAA. if AAA sends accept the Ap is allowed to join. If AAA sends a reject the AP is not allowed to join.

So for a new AP you would need to know the Mac address to build the account in AAA prior to it coming online. Or I suppose you oils pull it from the logs and add it after rd in the network, but IMO is get the Mac upfront

Steve

Sent from Cisco Technical Support iPhone App

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered
0 Helpful

Go to solution
chopra.harish1
Level 1
Level 1
In response to Stephen Rodriguez

‎04-04-2012 08:09 PM

Thanks Steve. That was simple one liner answer to my question. It clears my confussion now.

Earlier I was thinking that AP MAC will be verfied first by ACS and then only it will be allowed to talk to WCL. I was wrong in that.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card