Cisco Wireless Controller Configuration Guide, Release 8.2

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Book Contents
Find Matches in This Book
Available Languages
Download Options

Book Title

Cisco Wireless Controller Configuration Guide, Release 8.2

Chapter Title

Configuring Global Credentials for Access Points

Results

Updated:
September 16, 2016

Chapter: Configuring Global Credentials for Access Points

Configuring Global Credentials for Access Points

Information About Configuring Global Credentials for Access Points

Cisco IOS access points are shipped from the factory with Cisco as the default enable password. This password allows users to log onto the nonprivileged mode and enter show and debug commands, which poses a security threat. The default enable password must be changed to prevent unauthorized access and to enable users to enter configuration commands from the access point’s console port.

The following are some guidelines to configure global credentials for access points:

  • You can set a global username, password, and enable password that all access points that are currently joined to the controller and any that join in the future inherit as they join the controller. If desired, you can override the global credentials and assign a unique username, password, and enable password for a specific access point.

  • After an access point joins the controller, the access point enables console port security, and you are prompted for your username and password whenever you log into the access point’s console port. When you log on, you are in nonprivileged mode, and you must enter the enable password in order to use the privileged mode.

  • The global credentials that you configure on the controller are retained across controller and access point reboots. They are overwritten only if the access point joins a new controller that is configured with a global username and password. If the new controller is not configured with global credentials, the access point retains the global username and password configured for the first controller.

  • You must keep track of the credentials used by the access points. Otherwise, you might not be able to log onto the console port of the access point. If you need to return the access points to the default Cisco/Cisco username and password, you must clear the controller’s configuration and the access point’s configuration to return them to factory-default settings. To clear the controller’s configuration, choose Commands > Reset to Factory Default > Reset on the controller GUI, or enter the clear config command on the controller CLI. To clear the access point’s configuration, choose Wireless > Access Points > All APs, click the AP name and click Clear All Config on the controller GUI, or enter the clear ap config Cisco_AP command on the controller CLI. To clear the access point's configuration except its static IP address, choose Wireless > Access Points > All APs, click the AP name and click Clear Config Except Static IP, or enter the clear ap config ap-name keep-ip-config command on the controller CLI. After the access point rejoins a controller, it adopts the default Cisco/Cisco username and password.


    Note
    Suppose you configure an indoor Cisco AP to go into the mesh mode. If you want to reset the Cisco AP to the local mode, use the test mesh mode local command.

  • To reset the AP hardware, choose Wireless > Access Points > All APs, click the AP name and click Reset AP Now.

Restrictions for Global Credentials for Access Points

  • The controller software features are supported on all access points that have been converted to lightweight mode except the 1100 series. VxWorks access points are not supported.

  • Telnet is not supported on Cisco Aironet 1830 and 1850 Series Access Points.

  • A global Access Point login credentials once configured in WLC cannot be removed.

Configuring Global Credenitals for Access Points

Configuring Global Credentials for Access Points (GUI)

    Step 1   Choose Wireless > Access Points > Global Configuration to open the Global Configuration page.
    Step 2   In the Username text box, enter the username that is to be inherited by all access points that join the controller.
    Step 3   In the Password text box, enter the password that is to be inherited by all access points that join the controller.

    You can set a global username, password, and enable password that all access points inherit as they join the controller including access points that are currently joined to the controller and any that join in the future. You can override the global credentials and assign a unique username, password, and enable password for a specific access point. The following are requirements enforced on the password:

    • The password should contain characters from at least three of the following classes: lowercase letters, uppercase letters, digits, and special characters.

    • No character in the password can be repeated more than three times consecutively.

    • The password should not contain the management username or the reverse of the username.

    • The password should not contain words like Cisco, oscic, admin, nimda or any variant obtained by changing the capitalization of letters by substituting 1, |, or ! or substituting 0 for o or substituting $ for s.

    Step 4   In the Enable Password text box, enter the enable password that is to be inherited by all access points that join the controller.
    Step 5   Click Apply to send the global username, password, and enable password to all access points that are currently joined to the controller or that join the controller in the future.
    Step 6   Click Save Configuration to save your changes.
    Step 7   (Optional) Override the global credentials for a specific access point and assign a unique username, password, and enable password to this access point as follows:
    1. Choose Access Points > All APs to open the All APs page.
    2. Click the name of the access point for which you want to override the global credentials.
    3. Choose the Credentials tab. The All APs > Details for (Credentials) page appears.
    4. Select the Over-ride Global Credentials check box to prevent this access point from inheriting the global username, password, and enable password from the controller. The default value is unselected.
    5. In the Username, Password, and Enable Password text boxes, enter the unique username, password, and enable password that you want to assign to this access point.
      Note   

      The information that you enter is retained across controller and access point reboots and if the access point joins a new controller.

    6. Click Apply to commit your changes.
    7. Click Save Configuration to save your changes.
      Note   

      If you want to force this access point to use the controller’s global credentials, unselect the Over-ride Global Credentials check box.

    Configuring Global Credentials for Access Points (CLI)

      Step 1   Configure the global username, password, and enable password for all access points currently joined to the controller as well as any access points that join the controller in the future by entering this command: config ap mgmtuser add username user password password enablesecret enable_password all
      Step 2   (Optional) Override the global credentials for a specific access point and assign a unique username, password, and enable password to this access point by entering this command: config ap mgmtuser add username user password password enablesecret enable_password Cisco_AP

      The credentials that you enter in this command are retained across controller and access point reboots and if the access point joins a new controller.

      Note   

      If you want to force this access point to use the controller’s global credentials, enter the config ap mgmtuser delete Cisco_AP command. The following message appears after you execute this command: “AP reverted to global username configuration.”

      Step 3   Enter the save config command to save your changes.
      Step 4   Verify that global credentials are configured for all access points that join the controller by entering this command:

      show ap summary

      Note   

      If global credentials are not configured, the Global AP User Name text box shows “Not Configured.”

      To view summary of specific access point you can specify the access point name. You can also use wildcard searches when filtering for access points.

      Step 5   See the global credentials configuration for a specific access point by entering this command: show ap config general Cisco_AP
      Note   

      The name of the access point is case sensitive.

      Note   

      If this access point is configured for global credentials, the AP User Mode text boxes shows “Automatic.” If the global credentials have been overwritten for this access point, the AP User Mode text box shows “Customized.”

      Configuring Telnet and SSH for Access Points

      Configuring Telnet and SSH for APs (GUI)

        Step 1   Global configuration:
        1. Choose Wireless > Access Points > Global Configuration.
        2. In the Global Telnet SSH area, select or unselect Telnet and SSH check boxes.

          When you enable Telnet or SSH for all APs, the functionality is allowed on APs that are yet to associate with the Cisco WLC regardless of their mode.

        3. Click Apply.
        4. Click Save Configuration.
        Step 2   Configuration for a specific AP:
        1. Choose Wireless > Access Points > All APs.
        2. Click an AP name.
        3. Click the Advanced tab.
        4. From the Telnet drop-down list, choose AP Specific and select the check box to enable the functionality for the AP.
        5. From the SSH drop-down list, choose AP Specific and select the check box to enable the functionality.
        6. Click Apply.
        7. Click Save Configuration.

        Configuring Telnet and SSH for APs (CLI)

        • Configure Telnet or SSH for all APs or a specific AP by entering this command: config ap {telnet | ssH} {enable | disable} {ap-name | all}

        • Replace the Telnet or SSH configuration for a specific AP with the global configuration by entering this command: config ap {telnet | ssH} default ap-name

        Was this Document Helpful?

        FeedbackFeedback

        Contact Cisco