how to block an OEAP, missing/stolen/or otherwise

David Ritter
Level 4

OK. Management has released an employee with an OEAP. They desire to block said OEAP until its return. How do we do that before it connects to the WLC? The system has client tracking, not AP tracking/reporting. The device has to be connected before either Prime or the WLC can address it. No problem blocking clients, but not infrastructure!

7 Replies

Hi David,

How do you control which OEAPs are allowed to register to the WLC? We typically enable "Authorize MIC APs against auth-list or AAA" (under Security -> AP Policies) on the WLC that manages OEAPs.

That way, unless the AP's MAC address has been added, it is not able to register to the WLC.

HTH

Rasika

*** Pls rate all useful responses ***

Hi Rasika,

LOL, up until now our system was otherwise open. I guess that has to change.

Did you ever do a how-to on this procedure?

Let me guess: AP Policies, tick Authorize MIC APs against auth-list,

and build the list before enabling. At this time the only thing in my list are the LBS-SSC entries for ?

You just need to enable Authorize MIC against auth-list and add the AP's Ethernet MAC address. Once you enable this feature, any AP registered to that WLC needs to have its MAC address added to the list.

Therefore it is better to have a dedicated DMZ-type WLC that only registers OEAPs or APs that are not coming from inside your network. You can connect inside-network APs, but those MAC addresses also need to be added to the list.

HTH

Rasika
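
The order of operations discussed above (build the list, leave the missing OEAP off it, enable enforcement last), as an added example that was not posted by anyone in this thread. The inventory and MAC addresses are constructed, and the emitted lines are the AireOS CLI counterparts of the GUI setting, to be checked against your release's command reference.

```python
import re

# Constructed sample inventory (not from the thread): AP name -> Ethernet MAC,
# in the mixed formats that spreadsheets and CLI output tend to produce.
INVENTORY = {
    "oeap-home-01": "00:11:22:AA:BB:01",
    "oeap-home-02": "0011.22aa.bb02",
    "oeap-home-03": "00-11-22-aa-bb-03",
    "lobby-ap": "001122AABB04",
    "oeap-home-02-dup": "00:11:22:aa:bb:02",
}
# Constructed: the unreturned OEAP that must not be allowed to join.
REVOKED = {"0011.22AA.BB03"}


def normalize_mac(raw):
    """Return a MAC as lowercase aa:bb:cc:dd:ee:ff, or raise ValueError."""
    digits = re.sub(r"[.:\-\s]", "", raw).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def build_commands(inventory, revoked):
    """Build the auth-list first, then enable enforcement as the last step."""
    blocked = {normalize_mac(m) for m in revoked}
    allowed, skipped = [], []
    for name, raw in sorted(inventory.items()):
        mac = normalize_mac(raw)
        if mac in blocked:
            skipped.append(name)      # revoked AP never reaches the list
        elif mac not in allowed:
            allowed.append(mac)       # de-duplicate repeated inventory rows
    cmds = [f"config auth-list add mic {mac}" for mac in allowed]
    # Enabling before the list is complete would lock out legitimate APs.
    cmds.append("config auth-list ap-policy authorize-ap enable")
    cmds.append("show auth-list")
    return cmds, skipped


if __name__ == "__main__":
    commands, skipped = build_commands(INVENTORY, REVOKED)
    print("\n".join(commands))
    print("# left off the list:", ", ".join(skipped))
```

Malformed inventory entries raise an error instead of being silently dropped, so a typo cannot leave a legitimate AP off the list when enforcement is turned on.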

 

Thank you, whitelist established and activated. No burps or hiccups with live links.

Good to hear that David

Hi Rasika,

What was your blog address again?

Have you anything on updating old Flash-based CIMC code in a 5520?

The current HUU ISOs fail after boot, and TAC is only spouting published documentation. They can't even tell me if AireOS 8.10 will run on 2.0 firmware. I'm still back at 8.5, consistent with my 5508s. But I have a batch of 91xx APs, and my 9800-40 is a long way from being production ready (no network interface structure).

Hi David,

Here are the CIMC upgrade-related posts

https://mrncciew.com/2019/09/06/cimc-upgrade-8540-5520-wlc/
https://mrncciew.com/2019/09/21/cimc-upgrade-wlc-in-ha/

HTH
Rasika
*** Pls rate all useful responses ***

 
