New WLC on the network, APs are automatically adopted to it?

eeebbunee (Level 1)

Hello Professionals,

I am currently using a WLC2504 with 40 access points and I'm about to replace it with a new WLC (WLC9800).

I finished the interface/WLANs/AAA configuration (so that only authorized APs can join), so I would like to connect the new WLC to my network.

However, I would like to make sure that if I configure AAA correctly, then unauthorized access points can't join.
The reason I ask is that the WLC9800 image is 17.09, so if an AP automatically joins it, it won't go back to the original WLC2504 because of the image version matrix.

My new WLC9800 is for testing for now, so it will be a disaster if all APs join the new one.

 - On WLC2504: the 40 APs have only a primary controller configured.
 - WLC2504 IP address: 10.150.80.49/24 
 - WLC9800 IP address: 10.150.80.50/24
 - 40 APs IP address range: 10.150.80.x/24

I appreciate your response.

11 Replies

jagan.chowdam (Spotlight)

You may set the primary WLC per AP and point it to whichever controller you want that AP to join. As long as the AP can discover the primary controller, it'll register with it.

-CJ

Hi @eeebbunee 

You can achieve that by using the Access Point Authorization list. Basically you can set an ACL based on MAC address and allow the Access Point accordingly.

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213916-catalyst-9800-wireless-controllers-ap-au.html#toc-hId-333236743

In this guide you have all the information you need. "MAC AP authorization List - Local" will show you how to do it via web or CLI.

Hi, thank you for reaching out to me.

So, you mean my original WLC (2504) does not need any more configuration, but the new WLC (9800) does?

Actually it would be necessary to add it on the 2504 and not on the 9800. You can do it on both, but I believe your concern is more that an AP tries to return to the 2504 than that it joins the 9800, so it makes more sense to put the ACL on the 2504 and not allow a migrated AP to return.

You can follow this guide

https://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/98848-lap-auth-uwn-config.html#backinfo

If you can, could you also help with troubleshooting?

I set up the WLC9800 manually (please see my screenshots), but when I enable the AP Policy, the AP disjoins.

Log: *Jul 31 2023 16:58:26.758: %CAPWAPAC_SMGR_TRACE_MESSAGE-5-AP_JOIN_DISJOIN: Chassis 1 R0/0: wncd: AP Event: AP Name: AP00EA.BD12.804C Mac: 706d.158c.4320 Session-IP: 10.150.80.100[5264] 10.150.80.50[5246] Disjoined AP Auth Failure.

[screenshots: c2.PNG, c3.PNG, c1.PNG]

When I disable the AAA, the AP joins successfully. What did I miss?

Thank you so much.

The AP join summary is:

sh wireless stats ap join sum
Number of APs: 1

Base MAC Ethernet MAC AP Name IP Address Status Last Failure Phase Last Disconnect Reason
----------------------------------------------------------------------------------------------------------------------------------------------------------------------
706d.158c.4320 00ea.bd12.804c AP00EA.BD12.804C 10.150.80.100 Not Joined Join AP Auth Failure

Which MAC address did you add to the Access List? It must be the Ethernet MAC address.

On the access list, I put the device's Ethernet MAC address.

[screenshot: c3.PNG]

Actually I tried the BSSID too, but obviously that didn't work.

I tried 'without separators', 'xx:xx:xx:xx:xx:xx', 'xx-xx-xx-xx-xx-xx', and 'xxxx.xxxx.xxxx'; the result is the same.

The WLC controller time is local time, but should I check the AP side as well?

Actually, without AAA (authorized AP), the AP joins... I don't know what I missed or misconfigured.

Thank you sir.
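One detail worth checking in the outputs posted above: the AP_JOIN_DISJOIN syslog line reports "Mac: 706d.158c.4320", and the join summary lists that same value as the Base MAC, while the Ethernet MAC of the AP is 00ea.bd12.804c, which is the one the earlier reply says the authorization list needs. The following is an added Python example, not code from this thread or from Cisco, that parses both outputs, normalizes a MAC written in any of the separator styles tried above into the controller's dotted form, and reports whether each list entry matches the AP's Ethernet MAC, its base MAC, or neither. The sample log line and table are constructed copies of the outputs quoted in the thread; the function names and verdict strings are my own.

```python
import re

# Constructed sample input, shaped like the outputs quoted in this thread
# (the syslog line and the 'sh wireless stats ap join sum' table).
DISJOIN_LOG = (
    "*Jul 31 2023 16:58:26.758: %CAPWAPAC_SMGR_TRACE_MESSAGE-5-AP_JOIN_DISJOIN: "
    "Chassis 1 R0/0: wncd: AP Event: AP Name: AP00EA.BD12.804C Mac: 706d.158c.4320 "
    "Session-IP: 10.150.80.100[5264] 10.150.80.50[5246] Disjoined AP Auth Failure."
)

JOIN_SUMMARY = """\
Number of APs: 1

Base MAC Ethernet MAC AP Name IP Address Status Last Failure Phase Last Disconnect Reason
-----------------------------------------------------------------------------------
706d.158c.4320 00ea.bd12.804c AP00EA.BD12.804C 10.150.80.100 Not Joined Join AP Auth Failure
"""

DOTTED = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"

# Fields of one AP_JOIN_DISJOIN event: name, MAC, AP and WLC endpoints, event, reason.
LOG_RE = re.compile(
    r"AP Name: (?P<ap_name>\S+) Mac: (?P<mac>\S+) "
    r"Session-IP: (?P<ap_ip>[\d.]+)\[\d+\] (?P<wlc_ip>[\d.]+)\[\d+\] "
    r"(?P<event>Joined|Disjoined)(?: (?P<reason>.*?))?\.?$"
)

# One data row of the join summary table (header and dashed rule do not match).
ROW_RE = re.compile(
    rf"^(?P<base_mac>{DOTTED})\s+(?P<eth_mac>{DOTTED})\s+(?P<ap_name>\S+)\s+"
    r"(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<state>.*\S)\s*$",
    re.IGNORECASE | re.MULTILINE,
)


def normalize_mac(mac: str) -> str:
    """Accept xx:xx:xx:xx:xx:xx, xx-xx-xx-xx-xx-xx, xxxx.xxxx.xxxx or bare hex
    and return the lower-case dotted form the controller prints."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return f"{digits[0:4]}.{digits[4:8]}.{digits[8:12]}"


def parse_disjoin_log(line: str):
    """Extract the fields of one AP_JOIN_DISJOIN syslog line; None otherwise."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["mac"] = normalize_mac(rec["mac"])
    return rec


def parse_join_summary(text: str):
    """Return the rows of the join summary as dicts with both MACs normalized."""
    rows = []
    for m in ROW_RE.finditer(text):
        row = m.groupdict()
        row["base_mac"] = normalize_mac(row["base_mac"])
        row["eth_mac"] = normalize_mac(row["eth_mac"])
        rows.append(row)
    return rows


def audit_auth_list(allowed, rows):
    """Compare the MACs entered in the AP authorization list with what the
    controller reports for each AP. Returns {ap_name: verdict}."""
    allowed = {normalize_mac(a) for a in allowed}
    verdicts = {}
    for row in rows:
        if row["eth_mac"] in allowed:
            verdicts[row["ap_name"]] = "ethernet-mac-listed"
        elif row["base_mac"] in allowed:
            # The list holds the base (radio) MAC, which the syslog reports,
            # instead of the Ethernet MAC the list needs.
            verdicts[row["ap_name"]] = "base-mac-listed"
        else:
            verdicts[row["ap_name"]] = "not-listed"
    return verdicts


if __name__ == "__main__":
    print(parse_disjoin_log(DISJOIN_LOG))
    rows = parse_join_summary(JOIN_SUMMARY)
    # Constructed mistake: list populated from the syslog 'Mac:' field (base MAC).
    print(audit_auth_list(["70:6D:15:8C:43:20"], rows))
    # Entry taken from the Ethernet MAC column, in a different separator style.
    print(audit_auth_list(["00-ea-bd-12-80-4c"], rows))
```

Run against the real `sh wireless stats ap join sum` output, the audit either confirms that the list entry equals the Ethernet MAC column for every AP (so the MAC format is not the cause and the problem lies elsewhere, e.g. the AAA method list or the controller version) or points at an entry copied from the wrong column.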

Try enabling the option "Authorize AP against Serial Number" and add the serial number for a test.

When I tried with the serial number, it works.

I don't know why the MAC address way doesn't work.... Could it be a bug?

I'm using 17.9.3 controller version.

Thank you so much for your help. I'm good for now, but I wish I could find the resolution for this.

Let me take a look at the known bugs for this version.
