02-08-2011 07:39 AM - edited 07-03-2021 07:47 PM
I have a Cisco 2112 WLC with 1131 LWAPs.
How can I ensure only known APs connect to the WLC?
Thanks in advance
Richard
02-09-2011 02:35 AM
Hi Richard,
You can use the "Authorize APs against AAA" function to make sure that all the APs registering to your WLC are authorized APs of the network.
By enabling this feature, only those APs whose MAC addresses are present in the authorization list will be able to register to the WLC.
This authorization list can either be present externally on a server or be a local list on the WLC itself. The link below explains it in detail:
http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00808c7234.shtml
Another feature that has already been mentioned in this thread is Rogue detection. Using this feature, the WLC will be able to detect any AP that is not a part of its RF group and contain it.
Please refer to the document below for more information regarding this:
https://www.cisco.com/application/pdf/paws/70987/rogue_detect.pdf
Regards,
Maithri
02-08-2011 07:51 AM
Hi Richard,
You can prime the AP by providing the management IP to join, and the other way is to maintain the APs by using the Rogue rules.
Here are the links to do the same:
Priming the AP
==========
http://www.cisco.com/en/US/products/hw/wireless/ps430/products_tech_note09186a00808e2d27.shtml
Rogue Rules
===========
http://www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70rrm.html#wp1180349
Let me know if this answered your question.
Regards
Surendra
====
Please don't forget to rate the posts which answered your question and mark it as answered or helpful.
02-08-2011 01:27 PM
Can you elaborate further by the statement "known AP's connect to WLC"?
Cisco APs, running the correct IOS, can join a WLC. Another hurdle is the port. It has to be in the correct VLAN and should be an access port.
If you have, say, a NetGear AP then there's a snowball's-chance-in-he11 it'll join the WLC.
02-08-2011 10:52 PM
On larger deployments, or if you have an ACS, you can go to Security --> AP Policies --> Authorize APs against AAA.
02-09-2011 01:21 AM
Elaborating further:
I am ensuring that my wireless network will pass the PCI Data Security Standard.
If somebody else connects a Cisco 1131 AP into the network, it will be seen by the 2112 WLC and be able to be connected to.
If the malicious person with this access point was using a console cable, could they not arrange to capture packets or disrupt the network in some way?
I would like to be able to ensure that this possible rogue AP would only be able to function within the network after correct configuration via the WLC.
Richard
02-09-2011 04:27 AM
Thanks.
The local AP policy list is just what I needed.
Just one more thing:
When I plug my "rogue" AP into the controller I expected it to be reported on the monitor as a "rogue on wired network", but I do not see this "rogue" showing up in any of the lists.
I just see:
0 | Wed Feb 9 12:19:45 2011 | Failed to authorize AP with Base Radio MAC 00:3a:99:67:69:60. Authorization entry does not exist in AAA server. |
1 | Wed Feb 9 12:19:45 2011 | AAA Authentication Failure for UserName:e05fb9ea5f54 User Type: WLAN USER |
Richard
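The two trap-log lines quoted above are the only evidence the WLC gives of an AP that was refused by the MAC authorization list. As an added example (not code from any poster in this thread or from Cisco), here is a small parser that pulls the "Failed to authorize AP" events out of such a log and separates APs that are in your own inventory (an entry you forgot to add) from MACs you do not recognise. The `index | timestamp | message |` layout is assumed from the quoted lines, and the allowlist and third log line are constructed sample data.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Assumed WLC trap-log layout: "index | timestamp | message |" (from the lines in the thread).
TRAP_RE = re.compile(
    r"^\s*(?P<idx>\d+)\s*\|\s*(?P<ts>[^|]+?)\s*\|\s*(?P<msg>[^|]+?)\s*\|?\s*$"
)
# Only the AP authorization message carries a Base Radio MAC; client AAA failures are skipped.
AP_AUTH_FAIL_RE = re.compile(
    r"Failed to authorize AP with Base Radio MAC (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)


@dataclass
class ApAuthFailure:
    timestamp: str
    base_radio_mac: str
    known: bool  # True: MAC is in our own AP inventory, so the auth list is simply missing it


def normalize_mac(mac: str) -> str:
    """Lower-case, colon-separated form so inventory and log spellings compare equal."""
    return mac.strip().lower().replace("-", ":")


def parse_ap_auth_failures(log_text: str, inventory: Iterable[str]) -> List[ApAuthFailure]:
    """Return every AP authorization failure in the trap log, in log order."""
    known_macs = {normalize_mac(m) for m in inventory}
    failures: List[ApAuthFailure] = []
    for line in log_text.splitlines():
        m = TRAP_RE.match(line)
        if not m:
            continue  # not a trap-log row
        f = AP_AUTH_FAIL_RE.search(m.group("msg"))
        if not f:
            continue  # e.g. "AAA Authentication Failure for UserName:..." is a WLAN user, not an AP
        mac = normalize_mac(f.group("mac"))
        failures.append(ApAuthFailure(m.group("ts"), mac, mac in known_macs))
    return failures


# Constructed sample: the two rows quoted in the thread plus one made-up row (index 2).
SAMPLE_LOG = """\
0 | Wed Feb 9 12:19:45 2011 | Failed to authorize AP with Base Radio MAC 00:3a:99:67:69:60. Authorization entry does not exist in AAA server. |
1 | Wed Feb 9 12:19:45 2011 | AAA Authentication Failure for UserName:e05fb9ea5f54 User Type: WLAN USER |
2 | Wed Feb 9 12:21:02 2011 | Failed to authorize AP with Base Radio MAC 00:1a:2b:3c:4d:5e. Authorization entry does not exist in AAA server. |
"""
# Constructed inventory: pretend the made-up MAC is one of our own 1131s that was never added to the list.
KNOWN_AP_MACS = ["00-1A-2B-3C-4D-5E"]

if __name__ == "__main__":
    for f in parse_ap_auth_failures(SAMPLE_LOG, KNOWN_AP_MACS):
        verdict = "own AP missing from auth list" if f.known else "UNKNOWN AP, investigate"
        print(f"{f.timestamp}: {f.base_radio_mac} -> {verdict}")
```

Feed it the output of the controller's trap log and keep the inventory list in sync with whatever you load into the local auth list or the AAA server.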
02-09-2011 04:35 AM
Hi Richard,
Do you have any APs in "Rogue Detection" mode sitting on a trunk port on the switch? Only if this is present will that AP detect the rogue on the wired network.
Regards
Surendra
02-09-2011 05:00 AM
Sur 5+
Everyone always forgets the "trunk" for Rogue Detector APs...