Cisco Aironet 1522 Lightweight Outdoor Mesh Access Point Design Guide

Cisco Mesh Access Points, Design and Deployment Guide, Release 7.0
OL-21848-01
Connecting the Cisco 1520 Series Mesh Access Point to Your Network
Locally Significant Certificates for Mesh APs
Currently, mesh APs support only the Manufacturer Installed Certificate (MIC) to authenticate controllers and to be authenticated by them when joining a controller. You may want to run your own public key infrastructure (PKI) so that you control the CAs, define policies, define validity periods, define restrictions and usages on the certificates that are generated, and install these certificates on the APs and controllers. After these customer-generated, locally significant certificates (LSCs) are present on the APs and controllers, the devices should use the LSCs to join, authenticate, and derive a session key. Cisco has supported LSCs on normal APs since the 5.2 release and extends that support to mesh APs from the 7.0 release.
Guidelines for Configuration
Follow these guidelines when using LSCs for mesh APs:
This feature does not remove any preexisting certificates from an AP. An AP can hold both an LSC and a MIC.
After an AP is provisioned with an LSC, it does not read in its MIC on boot-up. Changing from an LSC back to the MIC requires the AP to reboot; APs do this as a fallback if they cannot join using the LSC.
Provisioning an LSC on an AP does not require the AP to turn off its radios, which is vital for mesh APs because they may be provisioned over the air.
Because mesh APs need dot1x authentication, a CA certificate and an ID certificate are required on the server (on the controller or on a third-party server, depending on the configuration).
LSC provisioning is supported only over Ethernet. You must connect the mesh AP to the controller through Ethernet and have the LSC provisioned there. After the LSC becomes the default, the AP can connect to the controller over the air using the LSC.
Differences Between LSCs for Mesh APs and Normal APs
CAPWAP APs use the LSC for DTLS setup during JOIN irrespective of the AP mode. Mesh APs additionally use the certificate for mesh security, which involves a dot1x authentication with the controller (or an external AAA server) through the parent AP. After mesh APs are provisioned with an LSC, they must use the LSC for this purpose because the MIC is no longer read in.
Mesh APs authenticate using a statically configured dot1x profile. This profile is hardcoded to use "cisco" as the certificate issuer. To allow vendor certificates to be used for mesh authentication, the issuer must be made configurable by entering the config local-auth eap-profile cert-issuer vendor "prfMaP1500LlEAuth93" command.
You must enter the config mesh lsc enable/disable command to enable or disable LSC for mesh APs. This command causes all mesh APs to reboot.
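The guide describes running your own PKI (a CA you control, with validity periods and usage restrictions on the certificates it issues) and a dot1x profile whose certificate issuer must match that CA. The following script is an added example, not part of the Cisco guide and not a controller command set: it builds such a private CA with openssl, issues an end-entity certificate for one AP with an explicit lifetime and key usages, verifies the chain, and prints the issuer name that the controller's cert-issuer setting has to agree with. It assumes openssl is on PATH; the subject names, the AP name ap-1522-01 and the working directory are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the Cisco guide): a minimal private CA for AP
# identity certificates. All names and paths below are constructed.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Create the private CA: a self-signed certificate whose key stays under
# your control. 3650 days is the CA's validity period (an assumption).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Example Mesh CA/O=Example Corp" \
        -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" 2>/dev/null
}

# Issue a device certificate for one AP. The extensions restrict how the
# certificate may be used: end-entity only (CA:FALSE), signing and key
# encipherment, and TLS client/server authentication, which is what the
# DTLS join and the dot1x (EAP-TLS) mesh authentication need.
issue_ap_cert() {
    ap_name="$1"   # used as the CN; a constructed AP name
    days="$2"      # validity period in days for this AP certificate
    cat > "$WORKDIR/$ap_name.ext" <<EOF
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=clientAuth,serverAuth
subjectAltName=DNS:$ap_name
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$ap_name/O=Example Corp" \
        -keyout "$WORKDIR/$ap_name.key" -out "$WORKDIR/$ap_name.csr" 2>/dev/null
    openssl x509 -req -sha256 -days "$days" \
        -in "$WORKDIR/$ap_name.csr" \
        -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
        -extfile "$WORKDIR/$ap_name.ext" \
        -out "$WORKDIR/$ap_name.crt" 2>/dev/null
}

# Verify that the AP certificate chains to our CA (exit status is the result).
verify_ap_cert() {
    openssl verify -CAfile "$WORKDIR/ca.crt" "$WORKDIR/$1.crt" >/dev/null
}

# Print the issuer of an AP certificate. On the controller, the eap-profile
# cert-issuer setting ("cisco" by default, or the vendor profile from the
# guide) must correspond to this CA rather than to the MIC issuer.
cert_issuer() {
    openssl x509 -in "$WORKDIR/$1.crt" -noout -issuer | sed 's/^issuer=//'
}

# Confirm the issued certificate cannot itself act as a CA.
is_end_entity() {
    openssl x509 -in "$WORKDIR/$1.crt" -noout -text | grep -q 'CA:FALSE'
}

# Run the whole flow when invoked as: sh this_script.sh demo
if [ "${1:-}" = "demo" ]; then
    make_ca
    issue_ap_cert ap-1522-01 365
    verify_ap_cert ap-1522-01 && echo "chain OK"
    is_end_entity ap-1522-01 && echo "end-entity OK"
    echo "issuer: $(cert_issuer ap-1522-01)"
    echo "files in $WORKDIR"
fi
```

The short AP lifetime (365 days here) and the critical keyUsage extension are the "validity periods" and "restrictions and usages" the section refers to; when the LSC later replaces the MIC, it is this CA's certificate, not the Cisco manufacturer CA, that the controller or AAA server must trust for the dot1x exchange.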
Note
LSC on mesh is available only to very specific Oil and Gas customers with the 7.0 release. Initially, it is a hidden feature: config mesh lsc enable/disable is a hidden command. The config local-auth eap-profile cert-issuer vendor "prfMaP1500LlEAuth93" command is a normal command, but the "prfMaP1500LlEAuth93" profile is a hidden profile; it is not stored on the controller and is lost after the controller reboots.