Authorizing access points, Authorizing access points using sscs, Authorizing access points using mics – Cisco WIRELESS LAN CONTROLLER OL-17037-01 User Manual


Cisco Wireless LAN Controller Configuration Guide

OL-17037-01

Chapter 7 Controlling Lightweight Access Points

Autonomous Access Points Converted to Lightweight Mode

Step 8  Wait until the access point reboots as indicated by all LEDs turning green followed by the Status LED
blinking green.

Step 9  After the access point reboots, reconfigure the access point using the GUI or the CLI.

Authorizing Access Points

In controller software releases prior to 5.2, the controller may either use self-signed certificates (SSCs)
to authenticate access points or send the authorization information to a RADIUS server (if access points
have manufacturing-installed certificates [MICs]). In controller software release 5.2, you can configure
the controller to use a locally significant certificate (LSC).

Authorizing Access Points Using SSCs

The Control and Provisioning of Wireless Access Points protocol (CAPWAP) secures the control
communication between the access point and controller by means of a secure key distribution requiring
X.509 certificates on both the access point and controller. CAPWAP relies on a priori provisioning of
the X.509 certificates. Cisco Aironet access points shipped before July 18, 2005 do not have a MIC, so
these access points create an SSC when upgraded to operate in lightweight mode. Controllers are
programmed to accept local SSCs for authentication of specific access points and do not forward those
authentication requests to a RADIUS server. This behavior is acceptable and secure.

Authorizing Access Points Using MICs

You can configure controllers to use RADIUS servers to authorize access points using MICs. The
controller uses an access point’s MAC address as both the username and password when sending the
information to a RADIUS server. For example, if the MAC address of the access point is 000b85229a70,
both the username and password used by the controller to authorize the access point are 000b85229a70.

Note

Using the access point's MAC address as the password means the password is not strong. This should not
be an issue because the controller uses the MIC to authenticate the access point before authorizing it
through the RADIUS server. Using the MIC provides strong authentication.

Note

If you use the MAC address as the username and password for access point authentication on a RADIUS
AAA server, do not use the same AAA server for client authentication.
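
The RADIUS entries described in this section can be checked offline. The following is an added example, not part of the Cisco guide: it audits a constructed account list written in FreeRADIUS "users" file syntax and flags access point entries whose username or password is not the bare 12-digit MAC, as well as a server that holds both access point and client accounts. The file syntax, the account alice, every MAC other than 000b85229a70, and the rule that any non-MAC username is a client account are assumptions.

```python
import re

# Constructed sample in FreeRADIUS "users" file syntax (an assumption; the
# guide names no RADIUS product). Only the first MAC appears in the guide.
SAMPLE_USERS = '''\
000b85229a70  Cleartext-Password := "000b85229a70"
00:0B:85:22:9A:71  Cleartext-Password := "000b85229a71"
alice  Cleartext-Password := "constructed-example-pw"
000b85229a72  Cleartext-Password := "something-else"
'''

ENTRY = re.compile(r'^(\S+)\s+Cleartext-Password\s*:=\s*"([^"]*)"')
BARE_MAC = re.compile(r'^[0-9a-f]{12}$')


def normalize_mac(value):
    """Return value as 12 lowercase hex digits (the form of the guide's
    example, 000b85229a70), or None if it is not a MAC address."""
    bare = re.sub(r'[:.\-]', '', value).lower()
    return bare if BARE_MAC.match(bare) else None


def audit_users(text):
    """Return (ap_accounts, client_accounts, findings) for a users file.
    Assumption: any username that is not a MAC is a client account."""
    ap_accounts, client_accounts, findings = [], [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = ENTRY.match(line.strip())
        if not match:
            continue  # comments, blank lines, reply attributes
        user, password = match.groups()
        mac = normalize_mac(user)
        if mac is None:
            client_accounts.append(user)
            continue
        ap_accounts.append(mac)
        # The controller sends the MAC as both username and password, so an
        # entry in another notation or with another password will not match.
        if user != mac:
            findings.append((lineno, f"username {user!r} should be {mac!r}"))
        if password != mac:
            findings.append((lineno, f"password for {mac} is not the MAC"))
    # Second Note above: MAC-as-password accounts must not share a AAA server
    # with client authentication. Line 0 marks a file-level finding.
    if ap_accounts and client_accounts:
        findings.append((0, "AP MAC accounts and client accounts share this server"))
    return ap_accounts, client_accounts, findings


if __name__ == "__main__":
    for lineno, message in audit_users(SAMPLE_USERS)[2]:
        print(f"line {lineno}: {message}")
```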
