I just want to know if you can authorize a lightweight AP without AAA. Looks like you can create local list on WLC for APs that have SSC, but doesn't seem to work for APs with MIC, even though MIC option is in dropdown.
You can authorize APs with AAA. Look at:
You can authorize APs locally if APs have SSCs installed. When you add an AP into the authorization list, there's an option to select MIC or SSC. If you select SSC, local authorization works (without AAA). If you select MIC, local authorization doesn't appear to work.
I don't want any LWAPP AP to be able to join my network. Disabling DHCP options so new APs can't find controller is not an elegant solution to preventing this.
rcullum is correct here. You could also do some creative stuff with a MAC ACL. The best way though is to do it with the SSC box. I would suggest disabling your dhcp options as this could cause major outages if the APs lost their local controller addresses.