
How to filter AP to join a controller?

Dear all,

I've been trying to filter APs from joining the controller using the AP Policies (Security > AP Policies), but it seems I've missed something cuz it's not working.

I've got 2 APs that register with my controller. To check filtering, I entered the MAC of the first AP in the AP policies, applied, and then reloaded both APs.

I was expecting to see only the first AP to join but both joined the controller.

Is there any further configuration required to apply the filtering?

Cheers

Alex

Accepted Solutions

Sandeep Choudhary
VIP Alumni

Hi Alex,

I think you need to stop the 2nd AP from joining the WLC.

Then do this:

You can use the Authorize APs against AAA function to make sure that all the APs registering to your WLC are authorized APs of the network.

By enabling this feature, only those APs whose MAC addresses are present in the authorization list will be able to register to the WLC.

This authorization list can either be present externally on a server or a local list on the WLC itself.

Complete these steps:

  •     From the WLC controller GUI, click Security > AP Policies.
  •     The AP Policies page appears.
  •     Under Policy Configuration, check the box for Authorize APs against AAA.
  •     When this parameter is selected, the WLC checks the local authorization list first. If the LAP's MAC is not present, it checks the RADIUS server.
  •     Click the Add button on the right hand side of the screen.
  •     Under Add AP to Authorization List, enter the AP MAC address. Then, choose the certificate type (MIC) and click Add.

The link below explains it in detail:

http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00808c7234.shtml

Regards

Don't forget to rate helpful posts.
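A small model of the join decision described in the answer above, added here as an illustration (it is not Cisco code and not part of the original post). The function names are hypothetical, the MAC addresses are constructed sample values, and the MAC notation handling goes slightly beyond the post, since list entries and AP inventories are often written in different formats.

```python
import re

_HEX12 = re.compile(r"[0-9a-f]{12}")

def normalize_mac(mac):
    """Accept aa:bb:.., aa-bb-.. or aabb.ccdd.eeff; return lowercase aa:bb:.. form."""
    digits = re.sub(r"[:.\-]", "", mac.strip()).lower()
    if not _HEX12.fullmatch(digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def join_decision(ap_mac, policy_enabled, local_list, radius_list=()):
    """Model of the check order: local authorization list first, then RADIUS.

    With the policy unchecked the list is stored but never consulted,
    which is the behaviour reported in the question.
    """
    if not policy_enabled:
        return "joined: list not enforced"
    mac = normalize_mac(ap_mac)
    if mac in {normalize_mac(m) for m in local_list}:
        return "joined: local list"
    if mac in {normalize_mac(m) for m in radius_list}:
        return "joined: RADIUS"
    return "rejected"

def unlisted_joined(joined, local_list, radius_list=()):
    """Audit helper: joined APs that appear on neither authorization source."""
    allowed = {normalize_mac(m) for m in (*local_list, *radius_list)}
    return sorted(m for m in map(normalize_mac, joined) if m not in allowed)

# Constructed sample data (documentation MAC range), not taken from the thread.
AP1 = "00:00:5E:00:53:01"          # listed AP
AP2 = "0000.5e00.5302"             # unlisted AP, dotted notation
LOCAL_LIST = ["00-00-5e-00-53-01"]

if __name__ == "__main__":
    for enabled in (False, True):
        for ap in (AP1, AP2):
            print(f"policy={enabled} {ap}: {join_decision(ap, enabled, LOCAL_LIST)}")
    print("joined but unlisted:", unlisted_joined([AP1, AP2], LOCAL_LIST))
```

Running the audit helper against the list of APs that actually joined is a quick way to confirm that the policy is being enforced and not merely populated.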


Sandeep Choudhary
VIP Alumni

Hi Alex,

What do you want exactly?

Do you want the first AP to connect to the first controller and the 2nd AP to the 2nd controller?

Or?

Post the output from:

WLC: sh sysinfo

AP: sh inventory

Regards

Hi,

I would like the first AP to join the controller and the second AP not to be able to join the controller.

This is to secure an environment where only APs from a list (MAC addresses) could register to the controller.

(Cisco Controller) >show sysinfo

Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 7.0.116.0
Bootloader Version............................... 1.0.1
Field Recovery Image Version..................... 6.0.182.0
Firmware Version................................. FPGA 1.3, Env 1.6, USB console 1.27
Build Type....................................... DATA + WPS

System Name...................................... 5508-2
System Location..................................
System Contact...................................
System ObjectID.................................. 1.3.6.1.4.1.9.1.1069
IP Address....................................... 10.20.1.10
Last Reset....................................... Software reset
System Up Time................................... 3 days 17 hrs 12 mins 27 secs
System Timezone Location.........................
Current Boot License Level....................... base
Current Boot License Type........................ Permanent
Next Boot License Level.......................... base
Next Boot License Type........................... Permanent

Configured Country............................... DE  - Germany
Operating Environment............................ Commercial (0 to 40 C)
Internal Temp Alarm Limits....................... 0 to 65 C
Internal Temperature............................. +30 C
External Temperature............................. +14 C
Fan Status....................................... 1 fan stopped, 3 fans OK

State of 802.11b Network......................... Enabled
State of 802.11a Network......................... Enabled
Number of WLANs.................................. 5
Number of Active Clients......................... 0

Burned-in MAC Address............................ CC:EF:48:B3:37:00
Power Supply 1................................... Present, OK
Power Supply 2................................... Absent
Maximum number of APs supported.................. 12

AP1#sh inventory

NAME: "AP1140", DESCR: "Cisco Aironet 1140 Series (IEEE 802.11n) Access Point"

PID: AIR-AP1142N-E-K9  , VID: V05, SN: FCZ1546W4E5

Hello,

Did you try the Authorize APs against AAA function, which is in my last post here?

Try that and report back.

Regards

Don't forget to rate helpful posts.

Indeed you have to check the "Authorize MIC APs against auth-list or AAA" to apply the list.. I need to learn how to read ...

It worked

Thanks a lot

Cheers

Glad that you resolved your issue, and thanks for rating.

Best regards
