Cisco Support Community

New Member

Cisco 4404 default AP group

Cisco have been kind enough to lend us a 4404 WLC and I've got to grips with setting up our WLANs on it and I can get an AP to pick up config from anywhere in our extended network.

I am, however, having a problem trying to get an access point to join the WLC _without_ picking up every WLAN that I have configured on the WLC.

Once the AP is on the network I can manually put it into a group - restart it and it's all fine, but it doesn't feel secure at all when anyone can put a blank AP on the network and have it supplying our wifi without any IT input.

I suppose my question is, how can I set up a default AP group that all new APs have to join with a non-service-delivering config (at which point I can move them into whichever group they need to be)?


Hall of Fame Super Silver

Re: Cisco 4404 default AP group

If you are afraid of someone attaching a LAP to your network and that joining one of your WLCs, then you have these choices to prevent an AP from joining a WLC:

1. Remove any DHCP on the WLC management VLAN

2. Remove DNS to resolve the IP of the WLCs

3. Disable OTAP on the WLCs

4. Remove any IP helper address using the WLC management IP and UDP forwarding of ports 12222 & 12223.

5. Configure the LAPs to authorize against an AAA server.

Hope this explains it.

*** Please rate helpful posts ***

New Member

Re: Cisco 4404 default AP group

Thanks for the reply. You'll have to excuse me, I'm not too hot on this so I'm going to go through each and tell you what I think about them.

1. Remove DHCP on management VLAN

I'm not sure why this would be an issue. I've put APs onto the same LAN as the management interface and on other LANs as well and the AP behavior is the same.

2. Remove DNS

I originally planned to use DHCP opt 43 to tell the APs where the WLC was, but I can't use this because of overlaps with voice services across some of the network. In any case this would still leave entire DHCP-scoped LANs susceptible to the same problem.


Already disabled on the WLC

4. Remove IP helper

I'm not sure what this would do. Can you elaborate how I can do this and why?

5. Configure Auth against an AAA server

I like the look of this solution, but I'm a bit unsure about how it might be implemented without putting some config on the AP first. Do I need to configure shared secrets (on the AP) before I send the AP out for install? I really wanted a hands-off approach for the APs. If this can't be done, then so be it.

Again, thanks for your replies.

Hall of Fame Super Silver

Re: Cisco 4404 default AP group

1-4 are ways in which an AP can join a WLC. So if you remove these after a deployment, then there is no way an AP can accidentally join a WLC. 5 is just another way you can prevent an AP from joining a WLC if you can't remove 1-4.

Also... I forgot.... you should also remove the option 43. There is no reason to have these after the AP has joined the WLC. After an AP joins, it will have the WLC info and any other WLC in that mobility group.

*** Please rate helpful posts ***
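
An added example, not part of the thread or anyone's posted config: a Python check over an IOS-style switch configuration for the leftover discovery paths named above (an IP helper address pointing at the WLC, UDP 12222/12223 forwarding, and DHCP option 43). The WLC address, the sample config and the function names are constructed for illustration, and the option 43 decoding assumes the Cisco lightweight-AP layout (type 0xf1, length, then 4-byte controller IPs).

```python
import ipaddress
import re

WLC_MGMT_IP = "10.10.10.5"  # assumed WLC management address (constructed)

# Constructed IOS-style configuration, for illustration only.
SAMPLE_CONFIG = """\
ip forward-protocol udp 12222
ip forward-protocol udp 12223
!
ip dhcp pool AP-VLAN20
 network 10.20.0.0 255.255.255.0
 option 43 hex f104.0a0a.0a05
!
interface Vlan20
 ip address 10.20.0.1 255.255.255.0
 ip helper-address 10.10.10.5
!
interface Vlan30
 ip address 10.30.0.1 255.255.255.0
 ip helper-address 10.99.0.53
"""

def option43_controllers(hex_value):
    """Decode option 43 as type 0xf1, length, 4-byte IPs; [] if malformed."""
    try:
        raw = bytes.fromhex(hex_value.replace(".", ""))
    except ValueError:
        return []
    if len(raw) < 6 or raw[0] != 0xF1 or raw[1] != len(raw) - 2 or raw[1] % 4:
        return []
    return [str(ipaddress.IPv4Address(raw[i:i + 4])) for i in range(2, len(raw), 4)]

def find_join_paths(config, wlc_ip):
    """Return (section, reason) for every line that still leads an AP to wlc_ip."""
    findings, section = [], "global"
    for line in config.splitlines():
        if line and not line.startswith((" ", "!")):
            section = line.strip()  # last unindented line names the section
        text = line.strip()
        if m := re.fullmatch(r"ip forward-protocol udp (12222|12223)", text):
            findings.append((section, f"UDP {m.group(1)} broadcast forwarding"))
        elif text == f"ip helper-address {wlc_ip}":
            findings.append((section, "helper-address points at WLC"))
        elif m := re.fullmatch(r"option 43 hex ([0-9a-fA-F.]+)", text):
            if wlc_ip in option43_controllers(m.group(1)):
                findings.append((section, "DHCP option 43 advertises WLC"))
    return findings
```

An empty result for every switch and DHCP server config means those discovery paths are closed; the Vlan30 helper in the sample is not reported because it points at a different server.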