I have a Cisco 5508 WLC with a license for 100 LWAPs. The LWAPs are a mix of AIR-CAP2702 and 1532 outdoor LWAPs. We are very near the license limit for the number of LWAPs on the controller - 96 of 100 LWAPs have been installed. Last night, a colleague rebooted the WLC in an attempt to fix an issue with a Flexconnect site. After the WLC was rebooted, the LOCAL LWAPs would not join the WLC. It was found that manually entering the LWAP's MAC address in the WLC Security > MAC filtering screen and then rebooting the LWAP (log into the switch, do a shut/no shut on the LWAP port) fixed the issue and the LWAP joined the controller. This is a new behavior for the WLC. Prior to last night, we just had to prime the LWAP and it would join the WLC when it was permanently installed. Why is entering the LWAP MAC address and then rebooting it now necessary? We are in the process of adding a license for another 100 LWAPs, but what would cause us to suddenly have to add the LWAP MAC address to the WLC to get the LWAPs to join the controller?
Could you issue the show auth-list on your wlc?
(Cisco Controller) >show auth-list
Authorize MIC APs against Auth-list or AAA ...... enabled
I bet you have the option shown above enabled. That's why it now requires you to enter each AP MAC.
Now I don't have any explanation for why this option came up automatically if no one changed it.
Did you do an upgrade? We can have a look at the release notes to see if this option is changed automatically by this upgrade. But I doubt it. I never faced that issue, even after an upgrade.
PS: Please don't forget to rate and mark as correct answer if this answered your question
Thank you for the reply Francesco. The WLC has not been upgraded nor had any changes that I know of recently. We may have exceeded our AP license limit by a few APs, but if that were the case, I would think that after a controller reboot the first 100 APs would join with no issues, then a handful would not, those being LWAPs #101 and greater. Instead, after the reboot, there were only 19 or 20 of the 1532 outdoor LWAPs on the controller. These we had to enter the MACs of when they were installed last year. All of the others had to be manually added two nights ago.
Here is the output of the show auth-list:
(Cisco Controller) >show auth-list
Authorize MIC APs against Auth-list or AAA ...... disabled
Authorize LSC APs against Auth-List ............. disabled
APs Allowed to Join
AP with Manufacturing Installed Certificate.... yes
AP with Self-Signed Certificate................ yes
AP with Locally Significant Certificate........ no
(Cisco Controller) >
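The two show auth-list outputs in this thread differ only in the MIC line, which is the setting that decides whether an AP must be pre-listed before it can join. The following is an added example (not code from the thread or from Cisco) that parses pasted show auth-list output into a dictionary and reports what the settings mean for AP joins; the sample text is constructed to match the OP's output.

```python
import re

# Constructed sample, in the shape of the OP's "show auth-list" output.
SAMPLE_AUTH_LIST = """\
(Cisco Controller) >show auth-list
Authorize MIC APs against Auth-list or AAA ...... disabled
Authorize LSC APs against Auth-List ............. disabled
APs Allowed to Join
AP with Manufacturing Installed Certificate.... yes
AP with Self-Signed Certificate................ yes
AP with Locally Significant Certificate........ no
(Cisco Controller) >
"""

# "Setting name ..... value": name, a run of dots, then the value.
LINE_RE = re.compile(r"^(?P<key>.+?)\s*\.{2,}\s*(?P<value>\S+)\s*$")


def parse_auth_list(text):
    """Return {setting: value} for every dotted 'key ..... value' line."""
    settings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # prompt lines and the 'APs Allowed to Join' header are skipped
            settings[m.group("key").strip()] = m.group("value").lower()
    return settings


def explain_ap_join_policy(settings):
    """Return plain-English findings about what the settings mean for AP joins."""
    findings = []
    mic_auth = settings.get("Authorize MIC APs against Auth-list or AAA")
    if mic_auth == "enabled":
        # This is the state Francesco suspected: every MIC AP must be pre-listed.
        findings.append("MIC APs must be listed in the AP auth-list (or AAA) before they can join")
    elif mic_auth == "disabled":
        findings.append("MIC APs are not checked against the auth-list; MAC entries should not be needed")
    if settings.get("AP with Manufacturing Installed Certificate") != "yes":
        findings.append("MIC APs are not allowed to join: check 'Accept MIC' under AP Policies")
    if settings.get("AP with Self-Signed Certificate") != "yes":
        findings.append("SSC APs are not allowed to join")
    return findings


if __name__ == "__main__":
    for finding in explain_ap_join_policy(parse_auth_list(SAMPLE_AUTH_LIST)):
        print(finding)
```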
You said you've added the AP MAC address on the MAC filtering page within the AAA section? This section is for authenticating users, not APs, as far as I know. Or did you add it into AP Policies?
Are they mesh APs? Because this is normal behavior for mesh APs.
They are not mesh APs. The vast majority are AIR-CAP2702I or AIR-CAP2702E in local mode. They have gone through multiple WLC reboots in the past and have always just joined the controller on their own once it booted.
Ok. Honestly I don't see why you faced this issue.
So sorry for not being able to help you more.
You don't have any logs to help?
Here's what I get from your post:
-APs are deployed in FlexConnect.
Assuming you did not change any advanced settings on the WLC, the only requirement that your APs need to join the WLC is an IP address and the WLC IP address defined via CLI if you are priming the AP manually.
Or an alternative is to create a DHCP Server service on the WLC and let the AP get an IP address via DHCP. (PS: you can create a DHCP service on a separate DHCP server, but with the addition of DHCP option 43 configured)
Reading your replies, you are correct, only Mesh APs require this.
-There must be a change that you are not aware of, considering you need to add the APs' MAC addresses manually.
-Below are the common problems that an AP is not joining:
1. WLC incorrect time/CA Certificate Validity
-WLC time set must be WITHIN the LWAPP-AP Certificate validity or else APs will not join the WLC
-TIP: Since your APs are newer models, you should have no issues with this. If you want to check the CA validity on the AP, access the LWAPP AP via CLI and enter the command "show crypto ca certificates". NOTE THAT THIS IS A HIDDEN COMMAND and the 'TAB' button does not work. Simply just type it.
2. AP Policies are not correctly set
-By default you should not change this (unless in certain situations). Still it is recommended to check this page if it is correctly set
AT: Security Tab
AT: AAA->AP Policies
--Verify that "Accept Manufactured Installed Certificate(MIC)" is selected/enabled
3. Wrong Country Set
-APs are country setting sensitive and this is on the hardware level
-Obviously Cisco did this to make sure customers cope with country wireless standards :) though I'm sure this is not one of the issues you are facing
4. AP log message reads "DTLS ERRORS/AES ERRORS"
-Have a look at Cisco document ID 70341
Hope this helps
A rating would be good too :D