Cisco have been kind enough to lend us a 4404 WLC, and I've got to grips with setting up our WLANs on it; I can get an AP to pick up config from anywhere in our extended network.
I am, however, having a problem trying to get an access point to join the WLC _without_ picking up every WLAN that I have configured on the WLC.
Once the AP is on the network I can manually put it into a group, restart it, and it's all fine, but it doesn't feel secure at all when anyone can put a blank AP on the network and have it supplying our Wi-Fi without any IT input.
I suppose my question is: how can I set up a default AP group that all new APs have to join with a non-service-delivering config (at which point I can move them into whichever group they need to be in)?
Thanks for the reply. You'll have to excuse me, I'm not too hot on this, so I'm going to go through each one and tell you what I think about them.
1. Remove DHCP on management vlan
I'm not sure why this would be an issue. I've put APs onto the same LAN as the management interface and on other LANs as well, and the AP behaviour is the same.
2. Remove DNS
I originally planned to use DHCP option 43 to tell the APs where the WLC was, but I can't use this because of overlaps with voice services across some of the network. In any case, this would still leave entire DHCP-scoped LANs susceptible to the same problem.
Already disabled on the WLC
4. Remove IP helper
I'm not sure what this would do. Can you elaborate how I can do this and why?
5. Configure auth against an AAA server
I like the look of this solution, but I'm a bit unsure about how it might be implemented without putting some config on the AP first. Do I need to configure shared secrets (on the AP) before I send the AP out for install? I really wanted a hands-off approach for the APs. If this can't be done, then so be it.
1-4 are ways in which an AP can join a WLC. So if you remove these after a deployment, then there is no way an AP can accidentally join a WLC. 5 is just another way you can prevent an AP from joining a WLC if you can't remove 1-4.
Also... I forgot... you should also remove option 43. There is no reason to have these after the AP has joined the WLC. After an AP joins, it will have the WLC info and any other WLC in that mobility group.
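To make the advice above concrete, here is an added example (not posted by anyone in this thread) showing what "remove the discovery paths, then authorise APs on the WLC" looks like on the IOS switch/router side and on an AireOS WLC such as the 4404. All addresses, VLAN numbers, the domain name and the AP MAC address are made up for the example; the WLC management address is assumed to be 10.10.10.5 on VLAN 10 and the AP VLAN is assumed to be VLAN 20.

```cisco
! ---- IOS (layer-3 switch / router) ----
! Assumed addressing for this example: WLC management 10.10.10.5, AP VLAN 20.

! Path 1/option 43: stop handing the WLC address out via DHCP once the APs have joined.
ip dhcp pool AP-VLAN20
 network 192.168.20.0 255.255.255.0
 default-router 192.168.20.1
 no option 43

! Path 2: DNS. On your DNS server, delete the A records that brand-new APs look up
! (the exact name depends on the AP image; both forms are shown for completeness):
!   CISCO-CAPWAP-CONTROLLER.example.local
!   CISCO-LWAPP-CONTROLLER.example.local

! Path 4: IP helper / directed broadcast. Only relevant if the AP VLAN was made to
! forward the CAPWAP/LWAPP discovery broadcast to the WLC; undo both pieces.
no ip forward-protocol udp 5246
no ip forward-protocol udp 12223
interface Vlan20
 no ip helper-address 10.10.10.5

! ---- AireOS WLC CLI ----
! Path 5: require every AP to be explicitly authorised before it may join.
! With authorize-ap enabled the WLC checks its local authorisation list first and then
! any configured RADIUS server, so an unknown AP plugged into any VLAN is refused.
config auth-list ap-policy authorize-ap enable
! Accept factory (MIC) certificates only for APs that are on the list.
config auth-list ap-policy mic enable
! Add each known AP by its Ethernet MAC address (made-up value below).
config auth-list add mic 00:1a:2b:3c:4d:5e
! Verify
show auth-list
save config
```

Nothing is pre-configured on the AP for path 5: the AP still presents its manufacturer certificate as normal, and it is the WLC that decides whether that AP's MAC is allowed, so the hands-off install stays hands-off. The caveat is the one raised in the thread: removing option 43, the DNS record and the helper addresses only stops APs that have never joined from finding the controller; APs that have already joined keep the controller list they learned, which is why the authorisation list is the control that actually gates who may join.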