04-03-2012 09:37 PM - edited 07-03-2021 09:56 PM
Hi All,
Just a basic question regarding MAC-based authentication of APs with ACS.
The scenario is: I have an ACS installed and I want all my Cisco 3502 APs to be authenticated on a MAC basis via ACS. I know that the AP MAC is used as the username and password at ACS, so that whenever we plug a new AP into the network it gets authenticated via ACS first, and only if the AP is authorised to be used in the network does it get an IP address from DHCP.
My question is: what will happen if the AP is connected in local mode at a remote location and the WLC, ACS & DHCP are in the datacenter? The traffic coming from the remote location will pass through the remote-site router, and during that pass it will remove the source MAC address of the AP and put the router interface MAC address as the source, so how will the ACS authenticate the AP in that case?
When working in a LAN I know it's possible, but how will it work over the WAN?
Please suggest ASAP.
Thanks in Advance.
Regards
Harish
04-04-2012 01:12 AM
You are correct that the MAC of the packet is changed in every subnet that you pass through from the remote to the central site, but the message in the packet doesn't change, and the message includes the question of whether MAC XX-AP-XX may get in or not.
Ron
04-04-2012 05:43 AM
Harish:
As you may know, traffic between the WLC and APs is encapsulated in a CAPWAP tunnel.
The information inside the CAPWAP should tell the WLC what MAC address the AP uses.
The CAPWAP RFC mentions that you can do AP authorization in two ways:
- with certificates
- with PSK.
The standard does not imply what the PSK should be; however, Cisco seems to use the MAC address of the AP as the PSK when AP authorization is enabled. The RFC recommends using the MAC address of the AP as the PSK.
2.4.4.4. PSK Usage
When DTLS uses PSK Ciphersuites, the ServerKeyExchange message MUST contain the "PSK identity hint" field and the ClientKeyExchange message MUST contain the "PSK identity" field. These fields are used to help the WTP select the appropriate PSK for use with the AC, and then indicate to the AC which key is being used. When PSKs are provisioned to WTPs and ACs, both the PSK Hint and PSK Identity for the key MUST be specified. The PSK Hint SHOULD uniquely identify the AC and the PSK Identity SHOULD uniquely identify the WTP. It is RECOMMENDED that these hints and identities be the ASCII HEX-formatted MAC addresses of the respective devices, since each pairwise combination of WTP and AC SHOULD have a unique PSK. The PSK Hint and Identity SHOULD be sufficient to perform authorization, as simply having knowledge of a PSK does not necessarily imply authorization. If a single PSK is being used for multiple devices on a CAPWAP network, which is NOT RECOMMENDED, the PSK Hint and Identity can no longer be a MAC address, so appropriate hints and identities SHOULD be selected to identify the group of devices to which the PSK is provisioned.
You may spend more time reading the CAPWAP RFC if you are interested.
CAPWAP RFC: http://www.ietf.org/rfc/rfc5415.txt
Hope this answers your concern.
Amjad
04-04-2012 06:17 AM
I may be wrong, but I assume that the author of this thread would like to enable 802.1X authentication for the AP MAC on the LAN port of the remote switch.
So in case someone disconnects the AP, he is not able to connect to the network with another device on this port.
The message is sent from the AAA client (= the LAN switch/authenticator) to the ACS (auth server).
Cheers,
Ron
04-04-2012 06:32 AM
I think he is referring to AP authorization.
04-04-2012 09:19 AM
Hi Amjad,
Thanks for your reply.
But I am still confused about this.
If the AP is new and has just started booting up, the first thing it should do is go to the ACS and get itself verified and authenticated to join the controller. After successful authentication, the CAPWAP tunnel is established. After that, all the traffic goes to the WLC for processing.
So, what exactly happens after the AP boots up and initiates the WLC hunting process? Prior to this, it has to get itself validated by the ACS.
Please suggest whether my understanding of this is correct.
Thanks everyone for your time and replying to posts.
04-04-2012 07:18 AM
It would work the same. When you do AP authorization, the packet sent to the AAA is sent from the WLC. So the AP needs to attempt to join the WLC for it to work. So long as you have reachability from the AP subnet to the WLC management interface, it won't matter where the AP is.
Steve
Sent from Cisco Technical Support iPhone App
04-04-2012 09:20 AM
Hi Steve,
Can you please shed some more light on this? Thanks!
04-04-2012 09:35 AM
What are you asking for specifically?
The AP boots and finds the WLC. The WLC in turn sends an auth request to the AAA. If AAA sends an accept, the AP is allowed to join. If AAA sends a reject, the AP is not allowed to join.
So for a new AP you would need to know the MAC address to build the account in AAA prior to it coming online. Or I suppose you could pull it from the logs and add it afterwards in the network, but IMO it's best to get the MAC upfront.
Steve
Sent from Cisco Technical Support iPhone App
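Putting the join flow Steve and Amjad describe into a small model, as an added example that is not from this thread or from Cisco: the WLC decides the join from the AP MAC carried inside the CAPWAP payload and checks it against an AAA store where username and password are both the MAC (the ACS convention in the thread), while the outer Ethernet source MAC, rewritten by the remote-site router, is never consulted. The account store, frames and hop MACs are constructed; `normalize_mac` implements the ASCII-HEX MAC form the RFC 5415 quote recommends for the PSK hint/identity.

```python
import re

def normalize_mac(mac: str) -> str:
    """Return the 12-digit upper-case ASCII-HEX form of a MAC, accepting
    Cisco dotted (0011.2233.44bb), colon and dash notations."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return hexdigits.upper()

def dtls_psk_fields(wtp_mac: str, ac_mac: str) -> dict:
    """PSK Identity (identifies the WTP/AP) and PSK Hint (identifies the AC/WLC)
    as RFC 5415 2.4.4.4 recommends: the ASCII-HEX MAC of each device."""
    return {"psk_identity": normalize_mac(wtp_mac), "psk_hint": normalize_mac(ac_mac)}

# Constructed AAA account store: each authorized AP is an account whose
# username and password are both the AP MAC, built before the AP comes online.
AUTHORIZED_APS = {normalize_mac(m) for m in ("00:11:22:33:44:AA", "0011.2233.44bb")}

def aaa_mac_auth(username: str, password: str) -> bool:
    """AAA-side check: the account exists and the password equals the MAC."""
    try:
        user, pw = normalize_mac(username), normalize_mac(password)
    except ValueError:
        return False  # malformed identity is a reject, not an error
    return user == pw and user in AUTHORIZED_APS

def forward_through_router(frame: dict, egress_mac: str) -> dict:
    """Model one L3 hop (the remote-site router): the outer source MAC is
    rewritten to the router's egress interface, the CAPWAP payload is untouched."""
    return {**frame, "src_mac": egress_mac}

def wlc_handle_join(frame: dict) -> str:
    """WLC-side decision: authorize on the AP MAC inside the CAPWAP payload.
    frame['src_mac'] is deliberately ignored; after a WAN hop it is a router MAC."""
    ap_mac = frame["payload"]["wtp_mac"]
    return "ACCEPT" if aaa_mac_auth(ap_mac, ap_mac) else "REJECT"

def remote_site_join(ap_mac: str) -> str:
    """Constructed end-to-end run: AP at a remote site, WLC in the datacenter."""
    frame = {"src_mac": ap_mac, "payload": {"wtp_mac": ap_mac}}
    at_datacenter = forward_through_router(frame, "00:DE:AD:BE:EF:01")
    assert at_datacenter["src_mac"] != ap_mac  # outer MAC really was rewritten
    return wlc_handle_join(at_datacenter)

if __name__ == "__main__":
    print(remote_site_join("00:11:22:33:44:AA"), remote_site_join("00:11:22:33:44:CC"))
```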
04-04-2012 08:09 PM
Thanks Steve. That was a simple one-liner answer to my question. It clears my confusion now.
Earlier I was thinking that the AP MAC would be verified first by ACS and only then would it be allowed to talk to the WLC. I was wrong about that.