Cisco Support Community
New Member

Prevent Access Points from authenticating with my WLC?

I have a WLC 2112 and currently if you plug in a Cisco access point, it will connect to the controller and download the config. I don't like this and want to allow only the APs that I specify. Anyone could just walk into one of our buildings and plug in an AP and get our entire wireless config. Is there a way in the WLC 2112 to only allow the APs that I specify to be connected to the controller?

16 REPLIES

Prevent Access Points from authenticating with my WLC?

Yup, the easiest way: go to SECURITY -> AP POLICIES (left-hand side menu). Check the box "Authorize MIC APs against auth-list or AAA" and add the wired MAC address of each AP you want to connect.

DONE

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

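Added example, not part of the original replies: the auth-list step above done from the controller CLI instead of the GUI, with the command lines generated from an AP inventory. It assumes an AireOS controller, APs with manufacturer-installed certificates (MIC) as in the reply, and a constructed sample inventory; the function names are hypothetical.

```python
import re

# Constructed sample inventory: wired (Ethernet) MACs as they tend to appear
# in spreadsheets and on AP labels. Not real devices.
SAMPLE_INVENTORY = """
00:1F:CA:CF:B6:60   lobby
001f.cacf.b661      floor-2
00-1f-ca-cf-b6-62   floor-3
001FCACFB660        lobby (duplicate entry)
00:1f:ca:cf:b6      truncated label
01:00:5e:00:00:01   multicast, not an AP
"""

def normalize_mac(text):
    """Return aa:bb:cc:dd:ee:ff, or None if text is not a unicast MAC."""
    digits = re.sub(r"[.:\-]", "", text.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    if int(digits[:2], 16) & 1:  # group (multicast/broadcast) bit set
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def build_auth_list(inventory):
    """Return (cli_lines, rejected) for the MACs in the first column."""
    macs, rejected = [], []
    for line in inventory.splitlines():
        if not line.strip():
            continue
        token = line.split()[0]
        mac = normalize_mac(token)
        if mac is None:
            rejected.append(token)   # review by hand, never guess a MAC
        elif mac not in macs:
            macs.append(mac)         # drop duplicates, keep inventory order
    cli = [f"config auth-list add mic {m}" for m in macs]
    # Enable the policy last, so the list is populated before it takes effect.
    cli.append("config auth-list ap-policy authorize-ap enable")
    cli.append("show auth-list")
    return cli, rejected

if __name__ == "__main__":
    lines, bad = build_auth_list(SAMPLE_INVENTORY)
    print("\n".join(lines))
    print("rejected:", bad)
```

Entries in the rejected list should be checked against the AP label before anything is added by hand, since a mistyped MAC leaves a legitimate AP unable to join.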

Re: Prevent Access Points from authenticating with my WLC?

If you want to get fancy you can leverage a AAA server and use certificates on the AP with LSC.

New Member

Prevent Access Points from authenticating with my WLC?

Thanks, that is what I was after.

Re: Prevent Access Points from authenticating with my WLC?

Cool .. Thanks for supporting the rating system!

Hall of Fame Super Gold

Prevent Access Points from authenticating with my WLC?

I'd put your production SSID outside AP Groups 1 to 16. Put all your SSIDs at index 17 and above.

This way, if someone tries to put their own AP in, the AP will not broadcast any SSID. 

Prevent Access Points from authenticating with my WLC?

Nice trick, Leo!

Re: Prevent Access Points from authenticating with my WLC?

The issue with this AP group trick is that the AP would still join the WLC, pull code, and take up a license.

AP groups are good for hiding SSIDs from the broadcast list and have a legit use. I do this with our offnet WLAN.



Hall of Fame Super Gold

Prevent Access Points from authenticating with my WLC?

Nice trick, Leo!

Florin,

If you plan to do this, make sure you tell the rest of the team. It happened to one of my colleagues when I was on leave. They deployed >20 APs and none of them were broadcasting anything. It took them hours to realize I shuffled all the SSID indexes to 17 and above. Me bad.

Prevent Access Points from authenticating with my WLC?

When you're saying SSID index you refer to WLANs->WLANs-->WLAN ID?

Re: Prevent Access Points from authenticating with my WLC?

Correct .. WLAN index 1 - 16 will automatically be broadcasted from the said. Making a WLAN index 17 allows you to shape with AP groups what WLANs get broadcasted from an AP ..

Hall of Fame Super Gold

Prevent Access Points from authenticating with my WLC?

When you're saying SSID index you refer to WLANs->WLANs-->WLAN ID?

That's right.  Index or WLAN ID #1 to 16 goes to the "default-group" AP groups.

Make sure you have no SSIDs configured in this range.  Start with 17 and work your way up. 

Re: Prevent Access Points from authenticating with my WLC?

For a WLAN already in use can I rename ID 10 with 18?

VIP Purple

Re: Prevent Access Points from authenticating with my WLC?

Nope, you have to delete it & recreate with new ID

Hall of Fame Super Gold

Prevent Access Points from authenticating with my WLC?

Unfortunately no, Florin.  You'll need to delete and create a new one.

Re: Prevent Access Points from authenticating with my WLC?

Thanks guys, just wanted to be sure as I am fairly new to this "wireless-chapter".

Other than automatic exclusion from default-group are there any other consequences when using a WLAN ID equal or above 17?

Hall of Fame Super Gold

Prevent Access Points from authenticating with my WLC?

Other than automatic exclusion from default-group are there any other consequences when using a WLAN ID equal or above 17?

Not that I can think of.
