Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
569
Views
0
Helpful
3
Replies

Cisco 4404 default AP group

LCC-IT
Level 1
Level 1

‎11-04-2008 07:28 AM - edited ‎07-03-2021 04:43 PM

Cisco have been kind enough to lend us a 4404 WLC and I've got to grips with setting up our WLANS on it and I can get an AP to pick up config from anywhere in our extended network.

I am, however having a problem trying to get an access point to join the WLC _without_ picking up every WLAN that I have configured on the WLC.

Once the AP is on the network I can maually put it into a group - restart it and it's all fine, but it doesn't feel secure at all when anyone can put a blank AP on the network and have it supplying our wifi without any IT input.

I suppose my question is, how can I setup a default AP group that all new APs have to join with a non-service-delivering config (at which point i can move them into whichever group they need to be).

Thanks

Labels:
0 Helpful
3 Replies 3

Scott Fella
Hall of Fame
Hall of Fame

‎11-04-2008 05:53 PM

If you are afraid of someone attaching a LAP to your network and that joining one of your WLC, then you have these choices to prevent an AP from joining a WLC:

1. Remove any dhcp on the wlc management vlan

2. Remove DNS to resolve the ip of the wlc's

3. Disable OTAP on the lwc's

4. Remove any ip helper address using the wlc management ip and upd forwarding of ports 12222 & 12223.

5. COnfigure the LAP's to authorize against a AAA server.

Hope this explains it.

-Scott
*** Please rate helpful posts ***
0 Helpful

LCC-IT
Level 1
Level 1
In response to Scott Fella

‎11-05-2008 03:29 AM

Thanks for the reply. you'll have to excuse me I'm not too hot on this so I'm going to go through each and tell you what I think about them.

1. Remove DHCP on management vlan

I'm not sure why this would be an issue. I've put APs onto the same lan as the managemnet interface and on other lans as well and the AP behavior is the same.

2. Remove DNS

I originally planned to use DHCP opt 43 to tell the APs where the WLC was, but I can't use this because of overlaps with voice services across some of the network. In any case this would still leave entire dhcp scoped lans succeptable to the same problem.

3 OTAP

Already disabled on the WLC

4 Remove IP helper

I'm not sure what this would do. Can you elaborate how I can do this and why?

5 Configure Auth against an AAA server

I like the look of this solution, but I'm a bit unsure about how it might be implemented without putting some config on the AP first. Do I need to configure shared secrets (on the AP) before I send the AP out for install? I really wanted and hands-off approach for the APs. If this can't be done, then so be it.

Again, thanks for your replies.

0 Helpful

Scott Fella
Hall of Fame
Hall of Fame
In response to LCC-IT

‎11-05-2008 04:49 AM

1-4 are way's in which an ap can join a wlc. So if you remove these after a deployment, then there is no way an ap can accidentally join a wlc. 5 is just another way you can prevent an ap from joining a wlc if you can't remove 1-4.

Also... I forgot.... you should also remove the option 43. There is no reason to have these after the ap has joined the wlc. After an ap joins, it will have the wlc info and any other wlc in that mobility group.

-Scott
*** Please rate helpful posts ***
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card