Cisco Wireless LAN Controller Configuration Guide, Release 7.4
Configuring Global Credentials for Access Points

Information About Configuring Global Credentials for Access Points

Cisco IOS access points are shipped from the factory with Cisco as the default enable password. This password allows users to log on to the nonprivileged mode and enter show and debug commands, which poses a security threat. The default enable password must be changed to prevent unauthorized access and to enable users to enter configuration commands from the access point’s console port.

The following are some guidelines to configure global credentials for access points:
  • You can set a global username, password, and enable password that all access points that are currently joined to the controller and any that join in the future inherit as they join the controller. If desired, you can override the global credentials and assign a unique username, password, and enable password for a specific access point.
  • After an access point joins the controller, the access point enables console port security, and you are prompted for your username and password whenever you log into the access point’s console port. When you log on, you are in nonprivileged mode, and you must enter the enable password in order to use the privileged mode.
  • The global credentials that you configure on the controller are retained across controller and access point reboots. They are overwritten only if the access point joins a new controller that is configured with a global username and password. If the new controller is not configured with global credentials, the access point retains the global username and password configured for the first controller.
  • You must keep track of the credentials used by the access points. Otherwise, you might not be able to log onto the console port of the access point. If you need to return the access points to the default Cisco/Cisco username and password, you must clear the controller’s configuration and the access point’s configuration to return them to factory-default settings. To clear the controller’s configuration, choose Commands > Reset to Factory Default > Reset on the controller GUI, or enter the clear config command on the controller CLI. To clear the access point’s configuration, choose Wireless > Access Points > All APs, click the AP name and click Clear All Config on the controller GUI, or enter the clear ap config Cisco_AP command on the controller CLI. To clear the access point's configuration except its static IP address, choose Wireless > Access Points > All APs, click the AP name and click Clear Config Except Static IP, or enter the clear ap config ap-name keep-ip-config command on the controller CLI. After the access point rejoins a controller, it adopts the default Cisco/Cisco username and password.

    Note

    Suppose you configure an indoor Cisco AP to go into the mesh mode. If you want to reset the Cisco AP to the local mode, use the test mesh mode local command.
  • To reset the AP hardware, choose Wireless > Access Points > All APs, click the AP name and click Reset AP Now.

Restrictions for Global Credentials for Access Points

  • The controller software features are supported on all access points that have been converted to lightweight mode except the 1100 series. VxWorks access points are not supported.

Configuring Global Credentials for Access Points (GUI)


    Step 1   Choose Wireless > Access Points > Global Configuration to open the Global Configuration page.
    Step 2   In the Username text box, enter the username that is to be inherited by all access points that join the controller.
    Step 3   In the Password text box, enter the password that is to be inherited by all access points that join the controller.

    You can set a global username, password, and enable password that all access points inherit as they join the controller, including access points that are currently joined to the controller and any that join in the future. You can override the global credentials and assign a unique username, password, and enable password for a specific access point. The following requirements are enforced on the password:

    • The password should contain characters from at least three of the following classes: lowercase letters, uppercase letters, digits, and special characters.
    • No character in the password can be repeated more than three times consecutively.
    • The password should not contain the management username or the reverse of the username.
    • The password should not contain words like Cisco, oscic, admin, nimda, or any variant obtained by changing the capitalization of letters, by substituting 1, |, or !, by substituting 0 for o, or by substituting $ for s.
    Step 4   In the Enable Password text box, enter the enable password that is to be inherited by all access points that join the controller.
    Step 5   Click Apply to send the global username, password, and enable password to all access points that are currently joined to the controller or that join the controller in the future.
    Step 6   Click Save Configuration to save your changes.
    Step 7   (Optional) Override the global credentials for a specific access point and assign a unique username, password, and enable password to this access point as follows:
    1. Choose Access Points > All APs to open the All APs page.
    2. Click the name of the access point for which you want to override the global credentials.
    3. Choose the Credentials tab. The All APs > Details for (Credentials) page appears.
    4. Select the Over-ride Global Credentials check box to prevent this access point from inheriting the global username, password, and enable password from the controller. The default value is unselected.
    5. In the Username, Password, and Enable Password text boxes, enter the unique username, password, and enable password that you want to assign to this access point.
      Note   

      The information that you enter is retained across controller and access point reboots and if the access point joins a new controller.

    6. Click Apply to commit your changes.
    7. Click Save Configuration to save your changes.
      Note   

      If you want to force this access point to use the controller’s global credentials, unselect the Over-ride Global Credentials check box.
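The password requirements listed under Step 3 can be checked before a credential is entered in the GUI or CLI. The following is an added example, not Cisco's code or the controller's own validation logic; the function name, the mapping of 1, | and ! to the letter i, and the case-insensitive username comparison are assumptions.

```python
import re

# Words the guide forbids (each appears on the page together with its reversal).
FORBIDDEN_WORDS = ("cisco", "oscic", "admin", "nimda")

# Undo the substitutions the guide names. The guide does not say which letter
# 1, | and ! stand for; mapping them to "i" is an assumption of this example.
LEET = str.maketrans({"1": "i", "|": "i", "!": "i", "0": "o", "$": "s"})


def password_violations(password, mgmt_username):
    """Return a list of rule violations; an empty list means the password passes."""
    problems = []

    # Rule 1: characters from at least three of the four classes.
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    if sum(classes) < 3:
        problems.append("fewer than three character classes")

    # Rule 2: (.)\1{3} matches the same character four times in a row.
    if re.search(r"(.)\1{3}", password):
        problems.append("character repeated more than three times consecutively")

    # Rule 3: username or its reverse. Case-insensitive matching is an
    # assumption (the stricter reading of the guide).
    lowered = password.lower()
    user = mgmt_username.lower()
    if user and (user in lowered or user[::-1] in lowered):
        problems.append("contains the username or its reverse")

    # Rule 4: forbidden words after folding case and character substitutions.
    normalized = lowered.translate(LEET)
    if any(word in normalized for word in FORBIDDEN_WORDS):
        problems.append("contains a forbidden word or variant")

    return problems
```

Run the check on both the password and the enable password before sending them to the access points; a value such as C1sc0Rules!9 is rejected because it normalizes to a forbidden word.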


Configuring Global Credentials for Access Points (CLI)


      Step 1   Configure the global username, password, and enable password for all access points currently joined to the controller as well as any access points that join the controller in the future by entering this command:

      config ap mgmtuser add username user password password enablesecret enable_password all

      Step 2   (Optional) Override the global credentials for a specific access point and assign a unique username, password, and enable password to this access point by entering this command:

      config ap mgmtuser add username user password password enablesecret enable_password Cisco_AP

      The credentials that you enter in this command are retained across controller and access point reboots and if the access point joins a new controller.

      Note   

      If you want to force this access point to use the controller’s global credentials, enter the config ap mgmtuser delete Cisco_AP command. The following message appears after you execute this command: “AP reverted to global username configuration.”

      Step 3   Enter the save config command to save your changes.
      Step 4   Verify that global credentials are configured for all access points that join the controller by entering this command:

      show ap summary

      Note   

      If global credentials are not configured, the Global AP User Name text box shows “Not Configured.”

      To view the summary for a specific access point, you can specify the access point name. You can also use wildcard searches when filtering for access points.

      Step 5   See the global credentials configuration for a specific access point by entering this command:

      show ap config general Cisco_AP

      Note   

      The name of the access point is case sensitive.

      Note   

      If this access point is configured for global credentials, the AP User Mode text box shows “Automatic.” If the global credentials have been overwritten for this access point, the AP User Mode text box shows “Customized.”