SSC and Authorization - question

nenad_2007
Level 1

I have 1250 LAP and I want to install my own certificate on LAP because I want to have secure LWAPP communication between LAP 1252 and WLC 4400. How to install my own certificate from MS CA to LAP?

I have already installed certificate from my MS CA to WLC in .pem format without any problem

Please help,

Nenad


6 Replies

Scott Fella
Hall of Fame

Don't think that is possible since the ap has a manufacturer installed certificate and uses that to join with the wlc.

-Scott
*** Please rate helpful posts ***

Then what is the most secure solution for LAP authorization, with minimum risk for my wireless network? I don't have a problem with registering LAP to WLC (Authorize AP against AAA or MIC certificate), but I don't understand how to achieve full mutual authorization? What is the most recommended solution?

Not too many organizations will authorize an AP against a AAA since it becomes another device they have to manage. Both the AP and WLC have a manufacturer-installed certificate which is an x509 certificate. This is the mutual authentication method used by the LAP and WLC. You can't change this. The only way you can prevent an LAP from joining a WLC is to use the methods posted earlier. If someone connects a LAP to your network, but the LAP has no way of joining because you removed dhcp, dhcp option 43, dns, etc, the LAP will not be an issue. Even if the LAP joins your network, you then have full control of that LAP. What you worry about more is when someone connects a fat AP to your network... now this becomes a rogue and you have to find it.

-Scott
*** Please rate helpful posts ***
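The reply above names DHCP option 43 as one of the discovery mechanisms a LAP uses to find a WLC. As an added illustration (not code from this thread or from Cisco), the following Python encodes and decodes the Cisco vendor-specific form of that option: sub-option type 0xF1, a one-byte length equal to 4 times the number of controllers, then each WLC management IPv4 address as four raw bytes. The controller addresses used in the test are constructed documentation addresses, not values from the thread.

```python
import ipaddress
from typing import List

# Cisco LAP controller discovery uses a vendor-specific TLV inside DHCP
# option 43: type 0xF1 (241), length = 4 * number of WLCs, then the WLC
# management IPv4 addresses back to back. Constructed example, not the
# poster's or Cisco's code.
CISCO_WLC_SUBOPTION = 0xF1


def encode_option43(wlc_ips: List[str]) -> str:
    """Return the hex string for DHCP option 43 listing the given WLC IPs."""
    if not wlc_ips:
        raise ValueError("at least one WLC address is required")
    # ipaddress.IPv4Address.packed gives the 4-byte network-order form and
    # rejects anything that is not a valid dotted-quad address.
    payload = b"".join(ipaddress.IPv4Address(ip).packed for ip in wlc_ips)
    if len(payload) > 255:
        raise ValueError("too many controllers for a single-byte TLV length")
    tlv = bytes([CISCO_WLC_SUBOPTION, len(payload)]) + payload
    return tlv.hex()


def decode_option43(hex_value: str) -> List[str]:
    """Parse an option 43 hex string and return the WLC IPs it advertises.

    Unknown sub-option types are skipped; malformed TLVs raise ValueError
    so a bad scope value is caught when reviewing DHCP configuration rather
    than discovered when APs fail to join.
    """
    data = bytes.fromhex(hex_value)
    ips: List[str] = []
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated TLV header")
        sub_type, length = data[i], data[i + 1]
        body = data[i + 2:i + 2 + length]
        if len(body) != length:
            raise ValueError("TLV length exceeds option data")
        if sub_type == CISCO_WLC_SUBOPTION:
            if length % 4 != 0:
                raise ValueError("WLC sub-option length is not a multiple of 4")
            ips.extend(str(ipaddress.IPv4Address(body[j:j + 4]))
                       for j in range(0, length, 4))
        i += 2 + length
    return ips


if __name__ == "__main__":
    # Constructed controller addresses for demonstration.
    value = encode_option43(["192.0.2.10", "192.0.2.11"])
    print("option 43 hex:", value)
    print("decoded WLCs:", decode_option43(value))
```

On a Cisco IOS DHCP server the resulting string is what goes into the scope as `option 43 hex <value>`; the decoder is useful when auditing which controllers a scope actually points APs at. As the thread notes, this option only matters for initial discovery: once a LAP has joined, it keeps the primary, secondary and tertiary WLC list it was configured with, so removing the option from the scope does not stop already-joined APs from re-finding their controllers.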

1. Ok, you recommended to me to register all my LAP through LWAPP (dhcp, dhcp option 43, dns), and then after I have registered all my LAP to WLC, to remove dhcp option 43, dns, dhcp, etc.

2. If for some reason my LAP loses network connection I must add all parameters (dhcp option 43, dns, dhcp, etc..) again? Yes?

3. If I remove dhcp option 43, dns, dhcp, etc.., does that mean that even the fat ap would not be able to register to my network?

Once your LAP has registered with a WLC, that LAP will have the information it needs to find the primary, secondary and/or tertiary WLC. This info is from the mobility group configuration and AP configuration. This will not prevent any fat APs from connecting to your network. Wired security is what you need for that: IDS, port security, shut down of ports, etc.

-Scott
*** Please rate helpful posts ***

Thank you very much for your answers

Regards, Nenad
