Cisco Mesh Access Points Deployment Manual page 131

Cisco mesh access points, design and deployment guide, release 7.3

Connecting the Cisco 1500 Series Mesh Access Points to the Network
OL-27593-01

Parameter: Security Mode
Description: Defines the security mode for mesh access points: Pre-Shared Key (PSK) or Extensible Authentication Protocol (EAP).
Note: EAP must be selected if external MAC filter authorization using a RADIUS server is configured.
Note: Local EAP or PSK authentication is performed within the controller if the External MAC Filter Authorization parameter is disabled (check box unchecked).
Options: PSK or EAP
Default: EAP

Parameter: External MAC Filter Authorization
Description: MAC filtering uses the local MAC filter on the controller by default.
When external MAC filter authorization is enabled, if the MAC address is not found in the local MAC filter, then the MAC address in the external RADIUS server is used.
This protects your network against rogue mesh access points by preventing mesh access points that are not defined on the external server from joining.
Before employing external authentication within the mesh network, the following configuration is required:
• The RADIUS server to be used as an AAA server must be configured on the controller.
• The controller must also be configured on the RADIUS server.
• The mesh access point configured for external authorization and authentication must be added to the user list of the RADIUS server.
  ◦ For remote authorization and authentication, EAP-FAST uses the manufacturer's certificate (CERT) to authenticate the child mesh access point. Additionally, this manufacturer certificate-based identity serves as the username for the mesh access point in user validation.
  ◦ For IOS-based mesh access points (1130, 1240, 1522, 1524), the platform name of the mesh access point is located in front of its Ethernet address within the certificate; therefore, their username for external RADIUS servers is platform_name_string-Ethernet MAC address, such as c1520-001122334455.
• The certificates must be installed and EAP-FAST must be configured on the RADIUS server.
Note: When this capability is not enabled, by default, the controller authorizes and authenticates mesh access points using the MAC address filter.
Default: Disabled.

Parameter: Force External Authorization
Description: When enabled along with EAP and External MAC Filter Authorization parameters, external authorization and authentication of mesh access points is done by default by an external RADIUS server (such as Cisco 4.1 and later). The RADIUS server overrides local authentication of the MAC address by the controller, which is the default.
Default: Disabled.
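
The following is an added example, not taken from the Cisco guide: a short audit that derives the RADIUS username each IOS-based mesh access point needs (platform_name_string-Ethernet MAC address, as in c1520-001122334455) and compares the result with the usernames defined on the RADIUS server. The inventory, the user-list export, the function names and the lowercase rendering of hex letters are assumptions made for the example.

```python
import re

# Constructed inventory: (platform_name_string, Ethernet MAC as written by the site team).
INVENTORY = [
    ("c1520", "00:11:22:33:44:55"),
    ("c1520", "0011.2233.4466"),
    ("c1520", "00-11-22-33-44-77"),
]

# Constructed export of the usernames defined on the RADIUS server.
RADIUS_USERS = ["c1520-001122334455", "c1520-001122334466", "c1520-0011223344ff"]


def normalize_mac(mac: str) -> str:
    """Strip colon, dash, dot and space separators; return 12 hex digits.

    Lowercase hex letters are an assumption; the guide's sample has digits only.
    """
    digits = re.sub(r"[.:\-\s]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits


def radius_username(platform: str, mac: str) -> str:
    """Build platform_name_string-MAC, the form shown as c1520-001122334455."""
    return f"{platform}-{normalize_mac(mac)}"


def audit(inventory, radius_users):
    """Compare the usernames the inventory implies with the RADIUS user list."""
    expected = {radius_username(p, m) for p, m in inventory}
    present = {u.strip() for u in radius_users}
    return {
        # Deployed access points that the external server does not define.
        "missing": sorted(expected - present),
        # Defined usernames with no access point in the inventory (stale or unauthorized).
        "unexpected": sorted(present - expected),
    }


if __name__ == "__main__":
    for kind, names in audit(INVENTORY, RADIUS_USERS).items():
        print(kind, names)
```

Entries reported as missing belong to access points that would not be authorized by the external server; entries reported as unexpected are candidates for removal from the user list.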
Configuring Global Mesh Parameters