11-28-2012 05:01 AM - edited 07-03-2021 11:07 PM
Is it possible to authenticate an autonomous AP against ACS so no valid AP can be deployed inside the network infrastructure?
I mean, we want to configure APs to validate not only wireless clients through RADIUS but also itself with its own hostname. Any idea on how to deploy it?
Thank you guys in advance.
12-17-2012 11:04 PM
You need to configure the switch for port-based authentication, then provide the correct credentials on the AP. When the AP is attached to the switch, the AP will authenticate via the RADIUS server (that is configured on the switch). Only correctly authenticated APs will be allowed on the network.
HTH
Amjad
Rating useful replies is more useful than saying "Thank you"
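The port-based approach described in the reply above, sketched as an added example (not part of the original thread and not the poster's own configuration). It assumes an access-mode switch port, EAP-FAST as the AP's method, and placeholder values for the RADIUS address, secret, and AP credentials; the profile names `AP-EAP` and `AP-CRED` are made up for illustration, and exact syntax varies by IOS release.

```cisco
! ===== Access switch: 802.1X authenticator =====
aaa new-model
aaa authentication dot1x default group radius
!
! Placeholder ACS/RADIUS address and shared secret
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key <SWITCH-RADIUS-SECRET>
!
! Enable 802.1X globally
dot1x system-auth-control
!
! The port stays unauthorized until the attached device passes 802.1X.
! The AP bridges wireless client MACs onto this port, so multi-host is
! used to let those frames through once the AP itself has authenticated.
interface GigabitEthernet0/1
 description Autonomous AP uplink
 switchport mode access
 authentication port-control auto
 authentication host-mode multi-host
 dot1x pae authenticator
 spanning-tree portfast
!
! ===== Autonomous AP: 802.1X supplicant =====
eap profile AP-EAP
 method fast
!
! Placeholder credentials; a matching account must exist on the RADIUS server
dot1x credentials AP-CRED
 username <AP-USERNAME>
 password 0 <AP-PASSWORD>
!
! Bind the credentials and EAP profile to the wired uplink
interface GigabitEthernet0
 dot1x credentials AP-CRED
 dot1x eap profile AP-EAP
```

With multi-host, only the first device on the port is authenticated, so the port is open to anything behind it once the AP succeeds. Wireless clients still need their own authentication on the SSID.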
12-18-2012 03:35 AM
Thank you Amjad, I knew that but my question is far beyond. Is it possible to authenticate an OfficeExtend AP remotely with RADIUS?
This means, is the WLC capable of authenticating remote APs against RADIUS, or is this feature not under specifications?
Regards.
12-18-2012 03:35 AM
Hi,
For the AP to authenticate wireless users, you would be adding the APs on the ACS as an AAA client. You will have to specify a shared key on ACS, and the same key has to be used on the AP as well.
So by default APs can authenticate wireless clients only when both ACS and AP have the same shared key. So why do you need to authenticate the AP again on ACS, since the shared key authentication is already happening between AP and ACS?
Sorry, I didn't get your point here :-(
Regards
Najaf
12-18-2012 04:21 AM
I already have APs authenticated against ACS and the clients are authenticating too, but the customer told me about additional AP authentication, like AP-switch pair through dot1x.
I know from your response that the only way to authenticate the remote AP in ACS is through shared secret. Now I see it is not possible to add additional security for this registration.
Kind regards again.
12-18-2012 04:56 AM
OfficeExtend!!!! You're better off just using a MAC address filter list then for the APs to join. So what we do for our engineer lab is add a MAC filter for every AP that is allowed to join a 5508 dedicated for OfficeExtend. This may not work for you, but there is no way you can use ACS to auth the AP if you don't control the switches at the user's home.