cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
10754
Views
15
Helpful
8
Replies

How can I ensure only known AP's connect to WLC

richard.dimond
Level 1
Level 1

I have a Cisco 2112 WLC with 1131 LWAP's

How can I ensure only known AP's connect to the WLC?

Thanks in advance

Richard

1 Accepted Solution

Accepted Solutions

Hi Richard,

You can use the Authorize AP's against AAA function to make sure that all the AP's registering to your WLC are authorized AP's of the network.

By enabling this feature, only those AP's whose mac-addresses are present in the authorization list, will be able to register to the WLC.

This authorization list can either be present externally on a server or a local list on the WLC itself. The link below explains it in detail:

http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00808c7234.shtml

Another feature, that has already been mentioned in this thread, is Rogue detection. Using this feature, the WLC will be able to detect any AP that is not a part of its RF group and contain it.

Please refer to the document below for more information regarding this:

https://www.cisco.com/application/pdf/paws/70987/rogue_detect.pdf

Regards,

Maithri

View solution in original post

8 Replies 8

Surendra BG
Cisco Employee
Cisco Employee

Hi Richard,

You can prime the AP by prividing the Management ip to join and the other way is to maitain the APs by using the Rogue rules..

Here is the link to do the same..

Priming the AP

==========

http://www.cisco.com/en/US/products/hw/wireless/ps430/products_tech_note09186a00808e2d27.shtml

Rogue Rules

===========

http://www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70rrm.html#wp1180349

lemme know if this answered your question..

Regards
Surendra
====
Please dont forget to rate the posts which answered your question and mark it as answered or was helpfull

Regards
Surendra BG

Leo Laohoo
Hall of Fame
Hall of Fame

Can you elaborate further by the statement "known AP's connect to WLC"?

Cisco APs, running the correct IOS, can join a WLC.  Another hurdle is the port.  It has to be in the correct VLAN and should be an access port.

If you have, say, a NetGear AP then there's a snowball's-chance-in-he11 it'll join the WLC.

George Stefanick
VIP Alumni
VIP Alumni

On larger deployments or if you have a ACS you can go security --> ap polices --> AP authorize against AAA.

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

richard.dimond
Level 1
Level 1

Elaborating further .....

I am ensuring that my wireless network will pass the PCI data security Standards.

If somebody else connects a Cisco 1131 Ap into the network it will be seen by the 2112 WLC and be able to be connected to.

If the malicious person with this access point was using a console cable, could they not arrange to capture packets or disrupt the network in some way?

I would like to be able to ensure that this possible rougue Ap would only be able to function within the network after correct configuration via the WLC.

Richard

Hi Richard,

You can use the Authorize AP's against AAA function to make sure that all the AP's registering to your WLC are authorized AP's of the network.

By enabling this feature, only those AP's whose mac-addresses are present in the authorization list, will be able to register to the WLC.

This authorization list can either be present externally on a server or a local list on the WLC itself. The link below explains it in detail:

http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00808c7234.shtml

Another feature, that has already been mentioned in this thread, is Rogue detection. Using this feature, the WLC will be able to detect any AP that is not a part of its RF group and contain it.

Please refer to the document below for more information regarding this:

https://www.cisco.com/application/pdf/paws/70987/rogue_detect.pdf

Regards,

Maithri

Thanks

The local AP policy list is just what I needed.

Just one more thing

When I plug my "Rogue" AP into the controller I expected it to be reported on the monitor as a "rogue on wired network" but I do not see this "rogue" showing up in any of the lists.

Just see

0Wed Feb 9 12:19:45 2011Failed to authorize AP with Base Radio MAC 00:3a:99:67:69:60. Authorization entry does not exist in AAA server.
1Wed Feb 9 12:19:45 2011AAA Authentication Failure for UserName:e05fb9ea5f54 User Type: WLAN USER

Richard

Hi Richard,

Do you have any APs in "Rogue Detection"  mode sitting on the trunk port on the switch?? if this is present then  only, this AP will detetc the Rogue on Wired.

Regards
Surendra

Regards
Surendra BG

Sur 5+

Everyone always forgets the "trunk" for Rouge Monitor APs...

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________
Review Cisco Networking for a $25 gift card