Cisco 4404 default AP group

Unanswered Question
Nov 4th, 2008

Cisco have been kind enough to lend us a 4404 WLC and I've got to grips with setting up our WLANS on it and I can get an AP to pick up config from anywhere in our extended network.

I am, however having a problem trying to get an access point to join the WLC _without_ picking up every WLAN that I have configured on the WLC.

Once the AP is on the network I can manually put it into a group, restart it and it's all fine, but it doesn't feel secure at all when anyone can put a blank AP on the network and have it supplying our Wi-Fi without any IT input.

I suppose my question is, how can I set up a default AP group that all new APs have to join with a non-service-delivering config (at which point I can move them into whichever group they need to be)?

Thanks

Scott Fella Tue, 11/04/2008 - 17:53

If you are afraid of someone attaching a LAP to your network and having it join one of your WLCs, then you have these choices to prevent an AP from joining a WLC:

1. Remove any DHCP on the WLC management VLAN

2. Remove the DNS entry that resolves the IP of the WLCs

3. Disable OTAP on the WLCs

4. Remove any ip helper address using the WLC management IP and UDP forwarding of ports 12222 & 12223.

5. Configure the LAPs to authorize against an AAA server.

Hope this explains it.

LCC-IT Wed, 11/05/2008 - 03:29

Thanks for the reply. You'll have to excuse me; I'm not too hot on this, so I'm going to go through each and tell you what I think about them.

1. Remove DHCP on management vlan

I'm not sure why this would be an issue. I've put APs onto the same LAN as the management interface and on other LANs as well, and the AP behaviour is the same.

2. Remove DNS

I originally planned to use DHCP option 43 to tell the APs where the WLC was, but I can't use this because of overlaps with voice services across some of the network. In any case this would still leave entire DHCP-scoped LANs susceptible to the same problem.

3. OTAP

Already disabled on the WLC.

4. Remove IP helper

I'm not sure what this would do. Can you elaborate how I can do this and why?

5. Configure auth against an AAA server

I like the look of this solution, but I'm a bit unsure about how it might be implemented without putting some config on the AP first. Do I need to configure shared secrets (on the AP) before I send the AP out for install? I really wanted a hands-off approach for the APs. If this can't be done, then so be it.

Again, thanks for your replies.

Scott Fella Wed, 11/05/2008 - 04:49

1-4 are ways in which an AP can join a WLC. So if you remove these after a deployment, then there is no way an AP can accidentally join a WLC. 5 is just another way you can prevent an AP from joining a WLC if you can't remove 1-4.

Also... I forgot... you should also remove option 43. There is no reason to have these after the AP has joined the WLC. After an AP joins, it will have the WLC info and any other WLC in that mobility group.
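The hardening steps from the replies above, collected into one added configuration example that is not part of the original thread or of any Cisco document. The VLAN number, IP addresses, pool name, AP MAC and RADIUS secret are assumed placeholders, the `!` lines are annotations only, and the exact syntax should be checked against the IOS and WLC releases in use.

```cisco
! --- Layer-3 switch / router for an AP access VLAN (IOS) ---
! Weak: the VLAN relays DHCP to the WLC and forwards LWAPP discovery,
! so any AP plugged in finds the controller on its own.
interface Vlan20
 ip address 10.20.0.1 255.255.255.0
 ip helper-address 10.1.0.10
!
ip forward-protocol udp 12222
ip forward-protocol udp 12223
!
! Hardened: remove the relay and the LWAPP port forwarding once the
! intended APs have joined (10.1.0.10 is an assumed WLC management IP).
interface Vlan20
 no ip helper-address 10.1.0.10
!
no ip forward-protocol udp 12222
no ip forward-protocol udp 12223
!
! DHCP scope: drop option 43 (controller address) after deployment.
ip dhcp pool AP-VLAN20
 no option 43
!
! Internal DNS: also delete the CISCO-LWAPP-CONTROLLER A record
! (done on the DNS server, not in IOS).
!
! --- Wireless LAN Controller (4400 series CLI) ---
! Disable over-the-air provisioning.
config network otap-mode disable
!
! Require an AP to be on the authorization list before it may join;
! the MAC below is an assumed placeholder.
config auth-list ap-policy authorize-ap enable
config auth-list add mic 00:1a:2b:3c:4d:5e
!
! Alternative to the local list: authorize AP MACs against a RADIUS
! server (assumed 10.1.0.20). The WLC looks up the AP's MAC on the
! server, so nothing has to be pre-staged on the AP itself.
config radius auth add 1 10.1.0.20 1812 ascii SHARED-SECRET-PLACEHOLDER
config auth-list ap-policy authorize-ap enable
```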
