Cisco Wireless LAN Controller Configuration Guide
OL-17037-01
Chapter 8 Controlling Mesh Access Points
Adding Mesh Access Points to the Mesh Network
Table 8-4 Global Mesh Parameters (continued)

Parameter: External MAC Filter Authorization

Description:

MAC filtering uses the local MAC filter on the controller by default.

When external MAC filter authorization is enabled, if the MAC address is not found in the local MAC filter, then the MAC address in the external RADIUS server is used.

This protects your network against rogue mesh access points by preventing access points that are not defined on the external server from joining.

Before you employ external authentication within the mesh network, the following configuration is required:

• The RADIUS server to be used as an AAA server must be configured on the controller.
• The controller must also be configured on the RADIUS server.
• The mesh access point configured for external authorization and authentication must be added to the user list of the RADIUS server.
  – For remote authorization and authentication, EAP-FAST uses the manufacturer’s certificate (CERT) to authenticate the child mesh access point. Additionally, this manufacturer certificate-based identity serves as the username for the mesh access point in user validation.
  – For IOS-based mesh access points (1240, 1522, 1524), the platform name of the mesh access point is located in front of the Ethernet address within the certificate; therefore, the username for external RADIUS servers is platform_name_string–Ethernet MAC address, such as c1240-001122334455.
• The certificates must be installed and EAP-FAST must be configured on the RADIUS server.

Note: When this capability is not enabled, by default, the controller authorizes and authenticates mesh access points using the MAC address filter.

Default: Disabled.
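
The username format and lookup order described above can be checked against an access point inventory before external MAC filter authorization is enabled. The following is an added example, not part of the Cisco guide or controller software: the function names, the sample inventory, and the choice of lowercase hex for the MAC portion are assumptions, and the lookup is a simplified model of the behavior the table describes.

```python
import re

def normalize_mac(mac):
    """Return a MAC as 12 lowercase hex digits; accepts ':', '-', '.' or no separators."""
    digits = re.sub(r"[:.\-\s]", "", mac).lower()  # lowercase is an assumption
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not an Ethernet MAC address: {mac!r}")
    return digits

def radius_username(platform_name, mac):
    """Build platform_name_string-<Ethernet MAC>, e.g. c1240-001122334455."""
    if not re.fullmatch(r"[A-Za-z0-9]+", platform_name):
        raise ValueError(f"unexpected platform name: {platform_name!r}")
    return f"{platform_name}-{normalize_mac(mac)}"

def authorization_source(platform_name, mac, local_filter, radius_users,
                         external_enabled=True):
    """Simplified model of the lookup order: local MAC filter, then external RADIUS."""
    if normalize_mac(mac) in local_filter:
        return "local"
    if external_enabled and radius_username(platform_name, mac) in radius_users:
        return "radius"
    return None  # defined nowhere: the access point is not authorized to join

def audit(inventory, local_filter, radius_users, external_enabled=True):
    """Return the RADIUS usernames of inventory APs that no source would authorize."""
    local = {normalize_mac(m) for m in local_filter}
    return [radius_username(p, m) for p, m in inventory
            if authorization_source(p, m, local, radius_users, external_enabled) is None]

# Constructed sample data (hypothetical deployment; "c1240" is the guide's example prefix).
INVENTORY = [
    ("c1240", "00:11:22:33:44:55"),   # present in the RADIUS user list
    ("c1240", "0011.2233.4466"),      # present in the local MAC filter
    ("c1240", "00-11-22-33-44-77"),   # defined nowhere
]
LOCAL_FILTER = ["00:11:22:33:44:66"]
RADIUS_USERS = {"c1240-001122334455"}

if __name__ == "__main__":
    for name in audit(INVENTORY, LOCAL_FILTER, RADIUS_USERS):
        print("missing from local filter and RADIUS user list:", name)
```

Running the audit with `external_enabled=False` shows which access points depend solely on the RADIUS user list and would stop being authorized if the setting were left at its default.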