Cisco 2100 Series Configuration Manual page 471

Chapter 8 Controlling Mesh Access Points
Table 8-4
Parameter
External MAC Filter Authorization
OL-17037-01
Global Mesh Parameters (continued)
Adding Mesh Access Points to the Mesh Network
Description
MAC filtering uses the local MAC filter on the
controller by default.
When external MAC filter authorization is
enabled, if the MAC address is not found in the
local MAC filter, then the MAC address in the
external RADIUS server is used.
This protects your network against rogue mesh
access points by preventing access points that are
not defined on the external server from joining.
Before you employ external authentication within
the mesh network, the following configuration is
required:
The RADUIS server to be used as an AAA
•
server must be configured on the controller.
• The controller must also be configured on the
RADIUS server.
• The mesh access point configured for
external authorization and authentication
must be added to the user list of the RADIUS
server.
For remote authorization and
–
authentication, EAP-FAST uses the
manufacturer's certificate (CERT) to
authenticate the child mesh access point.
Additionally, this manufacturer
certificate-based identity serves as the
username for the mesh access point in
user validation.
For IOS-based mesh access points (1240,
–
1522, 1524), the platform name of the
mesh access point is located in front of
the Ethernet address within the
certificate; therefore, the username for
external RADIUS servers is
platform_name_string–Ethernet MAC
address such as c1240-001122334455.
The certificates must be installed and
•
EAP-FAST must be configured on the
RADIUS server.
When this capability is not enabled, by
Note
default, the controller authorizes and
authenticates mesh access points using the
MAC address filter.
Default: Disabled.
Cisco Wireless LAN Controller Configuration Guide
8-19