Prevent Access Points from authenticating with my WLC?

abrrymnvette
Level 1

I have a WLC 2112 and currently if you plug in a Cisco access point, it will connect to the controller and download the config. I don't like this and want to allow only the APs that I specify. Anyone could just walk into one of our buildings, plug in an AP and get our entire wireless config. Is there a way in the WLC 2112 to only allow the APs that I specify to be connected to the controller?

16 Replies

George Stefanick
VIP Alumni

Yup, the easiest way: go to SECURITY -> AP POLICIES (left-hand side menu). Check the box

"Authorize MIC APs against auth-list or AAA" and add the wired MAC address of each AP you want to connect.

DONE

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

If you want to get fancy, you can leverage a AAA server and use certificates on the APs with LSC.

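The CLI equivalent of the AP Policies setting described above, as an added example that is not part of the original post. The MAC addresses are constructed placeholders; the lines beginning with "!" are annotations for the reader, not commands the AireOS CLI accepts. The wired MAC to enter is the AP's Ethernet MAC (the one printed on its label and shown by "show ap summary" once it has joined), not a radio MAC.

```text
! Require every MIC-equipped AP to be on the auth-list (or authorized by AAA) before it may join
config auth-list ap-policy mic enable

! Add the wired (Ethernet) MAC of each AP you want to allow -- constructed placeholder values
config auth-list add mic 00:11:22:33:44:55
config auth-list add mic 00:11:22:33:44:66

! Verify the policy is enabled and the entries are present
show auth-list

! Remove an AP you no longer trust
config auth-list delete 00:11:22:33:44:66

! Persist the change across a reboot
save config
```

Once the policy is enabled, an AP whose MAC is not on the list is rejected at join time, so it never downloads the WLAN configuration. Two caveats a practitioner should keep in mind: the check is on a MAC address, so it raises the bar for a casual walk-in but not for someone who copies the MAC off the label of an existing AP; and any AP you legitimately add later must be put on the list before it will join, so document the procedure for the rest of the team.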

Thanks, that is what I was after.

Cool .. Thanks for supporting the rating system!


I'd put your production SSIDs outside AP Groups 1 to 16. Put all your SSIDs at index 17 and above.

This way, if someone tries to put their own AP in, the AP will not broadcast any SSID.

Nice trick, Leo!

The issue with this AP group trick is that the AP would still join the WLC, pull code, and take up a license.

AP groups are good for hiding SSIDs from the broadcast list and have a legit use. I do this with our off-net WLAN.


Florin,

If you plan to do this, make sure you tell the rest of the team. It happened to one of my colleagues when I was on leave. They deployed >20 APs and none of them were broadcasting anything. It took them hours to realize I had shuffled all the SSID indexes to 17 and above. Me bad.

When you say SSID index, do you refer to WLANs -> WLANs -> WLAN ID?

Correct .. WLAN index 1-16 will automatically be broadcast from the said. Making a WLAN index 17+ allows you to shape with AP groups which WLANs get broadcast from an AP ..


That's right. Index or WLAN ID #1 to 16 goes to the "default-group" AP group.

Make sure you have no SSIDs configured in this range. Start with 17 and work your way up.

For a WLAN already in use, can I rename ID 10 to 18?

Nope, you have to delete it and recreate it with the new ID.

Unfortunately no, Florin. You'll need to delete it and create a new one.
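The WLAN ID 17+ / AP group arrangement discussed in the replies above, as an added example that is not part of the original thread. The WLAN profile name, SSID, dynamic interface name, AP group name and AP name are all constructed placeholders; the WLAN's security settings are not shown and should be set to whatever the production SSID uses. Lines beginning with "!" are annotations, not AireOS commands.

```text
! Create the production SSID at WLAN ID 17, so it is NOT placed in "default-group"
config wlan create 17 corp-profile CorpWiFi
config wlan interface 17 employee-vlan
! ... security settings for the WLAN go here (omitted) ...
config wlan enable 17

! Create an explicit AP group and map WLAN 17 into it
config wlan apgroup add building-a "Building A APs"
config wlan apgroup interface-mapping add building-a 17 employee-vlan

! Move only the APs you manage into that group (AP name as known to the WLC)
config ap group-name building-a AP-BLDA-01

! Verify: WLAN 17 appears under building-a only, not under default-group
show wlan apgroups

save config
```

An unauthorized AP that joins still lands in default-group, which now contains no WLANs, so it advertises nothing. As George notes above, this does not stop the AP from joining, downloading code and consuming a license; it only hides the SSIDs, so pair it with the AP authorization policy rather than relying on it alone. Because a WLAN's ID cannot be changed in place, moving an in-use SSID from ID 10 to 18 means deleting it and recreating it under the new ID, which is a client-visible outage for that SSID.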
