Cisco Wireless LAN Controller Configuration Guide, Release 7.5
Configuring Authentication for Access Points

Information About Configuring Authentication for Access Points

You can configure 802.1X authentication between a lightweight access point and a Cisco switch. The access point acts as an 802.1X supplicant and is authenticated by the switch using EAP-FAST with anonymous PAC provisioning.

You can configure global authentication settings that apply to all access points that are currently associated with the controller and to any that associate in the future. You can also override the global authentication settings and assign unique authentication settings to a specific access point.

Prerequisites for Configuring Authentication for Access Points


    Step 1   If the access point is new, do the following:
    1. Boot the access point with the installed recovery image.
    2. If you choose not to follow this suggested flow and instead enable 802.1X authentication on the switch port connected to the access point prior to the access point joining the controller, enter this command:

      lwapp ap dot1x username username password password

      Note   

      If you choose to follow this suggested flow and enable 802.1X authentication on the switch port after the access point has joined the controller and received the configured 802.1X credentials, you do not need to enter this command.

      Note   

      This command is available only for access points that are running the 5.1, 5.2, 6.0, or 7.0 recovery image.

    3. Connect the access point to the switch port.

    Step 2   Install the 5.1, 5.2, 6.0, or 7.0 image on the controller and reboot the controller.
    Step 3   Allow all access points to join the controller.
    Step 4   Configure authentication on the controller. See the Configuring Authentication for Access Points (GUI) section or the Configuring Authentication for Access Points (CLI) section for information about configuring authentication on the controller.
    Step 5   Configure the switch to allow authentication. See the Configuring the Switch for Authentication section for information about configuring the switch for authentication.

    Restrictions for Authenticating Access Points

    • The OEAP 600 Series access points do not support LEAP.

    Configuring Authentication for Access Points (GUI)


      Step 1   Choose Wireless > Access Points > Global Configuration to open the Global Configuration page.
      Step 2   Under 802.1x Supplicant Credentials, select the 802.1x Authentication check box.
      Step 3   In the Username text box, enter the username that is to be inherited by all access points that join the controller.
      Step 4   In the Password and Confirm Password text boxes, enter the password that is to be inherited by all access points that join the controller.
      Note   
      You must enter a strong password in these text boxes. Strong passwords have the following characteristics:
      • They are at least eight characters long
      • They contain a combination of uppercase and lowercase letters, numbers, and symbols
      • They are not a word in any language
      Step 5   Click Apply to send the global authentication username and password to all access points that are currently joined to the controller and to any that join the controller in the future.
      Step 6   Click Save Configuration to save your changes.
      Step 7   If desired, you can choose to override the global authentication settings and assign a unique username and password to a specific access point as follows:
      1. Choose Access Points > All APs to open the All APs page.
      2. Click the name of the access point for which you want to override the authentication settings.
      3. Click the Credentials tab to open the All APs > Details for (Credentials) page.
      4. Under 802.1x Supplicant Credentials, select the Over-ride Global Credentials check box to prevent this access point from inheriting the global authentication username and password from the controller. The default value is unselected.
      5. In the Username, Password, and Confirm Password text boxes, enter the unique username and password that you want to assign to this access point.
        Note   

        The information that you enter is retained across controller and access point reboots and whenever the access point joins a new controller.

      6. Click Apply to commit your changes.
      7. Click Save Configuration to save your changes.
        Note   

        If you want to force this access point to use the controller’s global authentication settings, unselect the Over-ride Global Credentials check box.


      Configuring Authentication for Access Points (CLI)


        Step 1   Configure the global authentication username and password for all access points currently joined to the controller as well as any access points that join the controller in the future by entering this command: config ap 802.1Xuser add username ap-username password ap-password all
        Note   

        You must enter a strong password for the ap-password parameter. Strong passwords have the following characteristics:

        • They are at least eight characters long.
        • They contain a combination of uppercase and lowercase letters, numbers, and symbols.
        • They are not a word in any language.
        Step 2   (Optional) Override the global authentication settings and assign a unique username and password to a specific access point. To do so, enter this command: config ap 802.1Xuser add username ap-username password ap-password Cisco_AP
        Note   

        You must enter a strong password for the ap-password parameter. See the note in Step 1 for the characteristics of strong passwords.

        The authentication settings that you enter in this command are retained across controller and access point reboots and whenever the access point joins a new controller.

        Note   

        If you want to force this access point to use the controller’s global authentication settings, enter the config ap 802.1Xuser delete Cisco_AP command. The following message appears after you execute this command: “AP reverted to global username configuration.”

        Step 3   Enter the save config command to save your changes.
        Step 4   (Optional) Disable 802.1X authentication for all access points or for a specific access point by entering this command:

        config ap 802.1Xuser disable { all | Cisco_AP}

        Note   

        You can disable 802.1X authentication for a specific access point only if global 802.1X authentication is not enabled. If global 802.1X authentication is enabled, you can disable 802.1X for all access points only.

        Step 5   See the authentication settings for all access points that join the controller by entering this command:

        show ap summary

        Information similar to the following appears:

        Number of APs.................................... 1
        Global AP User Name.............................. globalap
        Global AP Dot1x User Name........................ globalDot1x

        Step 6   See the authentication settings for a specific access point by entering this command:

        show ap config general Cisco_AP

        Note   

        The name of the access point is case sensitive.

        Note   

        If this access point is configured for global authentication, the AP Dot1x User Mode text box shows “Automatic.” If the global authentication settings have been overridden for this access point, the AP Dot1x User Mode text box shows “Customized.”
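The following helper, added here as an example and not part of the Cisco guide or the controller software, enforces the strong-password characteristics from Steps 1 and 2 before rendering the `config ap 802.1Xuser add` line, and reads the `Global AP Dot1x User Name` field back out of `show ap summary` output (Step 5) so the push can be verified. The function names and the sample output are assumptions constructed for this example; only the command syntax and the field names come from the chapter.

```python
import re
import string


def is_strong_password(pw: str, wordlist=frozenset()) -> bool:
    """True when pw meets the strong-password characteristics the chapter
    lists for ap-password. 'Not a word in any language' cannot be checked
    exhaustively; pass a lowercase wordlist (assumption) to reject known words."""
    if len(pw) < 8:
        return False
    has_upper = any(c.isupper() for c in pw)
    has_lower = any(c.islower() for c in pw)
    has_digit = any(c.isdigit() for c in pw)
    has_symbol = any(c in string.punctuation for c in pw)
    if not (has_upper and has_lower and has_digit and has_symbol):
        return False
    return pw.lower() not in wordlist


def dot1x_user_command(username: str, password: str, ap_name: str = "all") -> str:
    """Render the WLC CLI line from Step 1 (ap_name='all') or Step 2 (a
    specific, case-sensitive AP name). Refuses weak values, or values with
    whitespace, so a bad credential is never pushed to the access points."""
    if not is_strong_password(password):
        raise ValueError("ap-password does not meet the strong-password rules")
    if any(c.isspace() for s in (username, password) for c in s):
        raise ValueError("username and password must not contain whitespace")
    return f"config ap 802.1Xuser add username {username} password {password} {ap_name}"


def global_dot1x_username(show_ap_summary: str):
    """Pull 'Global AP Dot1x User Name' out of 'show ap summary' output
    (Step 5) to confirm the push took effect; None when the line is absent."""
    m = re.search(r"^Global AP Dot1x User Name\.+\s*(\S+)\s*$", show_ap_summary, re.M)
    return m.group(1) if m else None


# Constructed sample, modelled on the Step 5 excerpt in this chapter.
SAMPLE_SUMMARY = """\
Number of APs.................................... 1
Global AP User Name.............................. globalap
Global AP Dot1x User Name........................ globalDot1x
"""

if __name__ == "__main__":
    print(dot1x_user_command("apdot1x", "Wlc!7Pass9"))
    print(dot1x_user_command("apdot1x", "Wlc!7Pass9", "AP-lobby"))
    print(global_dot1x_username(SAMPLE_SUMMARY))
```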


        Configuring the Switch for Authentication

        To enable 802.1X authentication on a switch port, on the switch CLI, enter these commands:

        • Switch# configure terminal
        • Switch(config)# dot1x system-auth-control
        • Switch(config)# aaa new-model
        • Switch(config)# aaa authentication dot1x default group radius
        • Switch(config)# radius-server host ip_addr auth-port port acct-port port key key
        • Switch(config)# interface fastethernet2/1
        • Switch(config-if)# switchport mode access
        • Switch(config-if)# dot1x pae authenticator
        • Switch(config-if)# dot1x port-control auto
        • Switch(config-if)# end