topic So if I created a Policy in Wireless

Prevent LWAPs from joining a Controller

JASON SIMMONS — Mon, 05 Jul 2021 11:29:33 GMT

Is there a way to prevent LWAPs from joining a controller?

I know I can change the primary controller config on each AP, but that would only affect the APs that are online when I make that change.

I need to make some pretty extensive changes to a controllers configuration and I'd like to be able to take my time and do it during business hours, instead of rushing to make all of the changes during a maintenance window.

It may not be what you are

George Stefanick — Thu, 14 Jan 2016 18:08:45 GMT

It may not be what you are looking for but you can use AP Policy. You would need to enter a mac address for each AP which would be allowed on said controller.

So if I created a Policy

JASON SIMMONS — Thu, 14 Jan 2016 19:29:54 GMT

So if I created a Policy without any macs, no APs join the controller...

Sounds like exactly what I need.

Thanks!

Correct, only MACs that would

George Stefanick — Thu, 14 Jan 2016 19:55:45 GMT

Correct, only MACs that would be on the AP list would be allowed to join.

Looking at the AP Policies

JASON SIMMONS — Thu, 14 Jan 2016 20:04:03 GMT

Looking at the AP Policies screen on one of my controllers, accept MIC is checked and there are several MACs in the authorization list. Do I just uncheck MIC and remove the APs from the auth list?

yes that would do it i think.

George Stefanick — Thu, 14 Jan 2016 20:08:23 GMT

yes that would do it i think. or checkk box

Authorize MIC APs against auth-list or AAA

and remove the aps on the list

Hi Jason,

Sandeep Choudhary — Fri, 15 Jan 2016 06:38:56 GMT

Hi Jason,

On the WLC, use the AP authorization list to restrict LAPs based on their MAC address. The AP authorization list is available under Security > AP Policies in the WLC GUI.

yes, you need to remove the mac of AP, which you don't want to join to this WLC.

More info:http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/98848-lap-auth-uwn-config.html#backinfo

Regards

Don't forget to rate helpful posts

If I accepted SSC,MIC, & LSC

JASON SIMMONS — Fri, 15 Jan 2016 16:28:47 GMT

If I accepted SSC,MIC, & LSC certificates, will I need to add the MACs to the auth-list when I'm ready to put the controller back in production?

Let's cover what these are ..

George Stefanick — Fri, 15 Jan 2016 17:25:39 GMT

Let's cover what these are ..

Ssc, mic, lsc are different certs installed on the ap. By check boxing these you are saying aps with these types of certs are allowed to join the WLC. Ssc is only needed if you converted very old 1131 1242 model aps and during that conversion a self signed cert was created. If don't tic that ssc box these aps won't join.

Mic is is what every newer ap comes with. Same applies you don't tic that box they wouldn't join.

Lsc is if you had a PKI and you installed your own cert. Same apples.

So if you tic mic your aps will come back and join.

If if you want to limit what aps can join say if you have mic enabled and you only want set aps to join the WLC you would tic mic and ap authorization and add the ap Ethernet MAC address.

Make sense ?