OEAP with Cisco 5508 WLC question...

trawleigh
Level 1

Hi, I have a Cisco WLC 5508 I am setting up and we are using it only for OEAP devices for home users. It seems that the OEAP devices (600 series and 1810) will only successfully connect if the management interface is the one that is internet facing. Obviously this cannot be how this is intended to be deployed because that would be a huge security risk being able to manage the WLC from the internet.

Does anyone know if it is possible to make the OEAP devices connect through another interface than management? I am running IOS 8.2.141.0 and FUS 1.9 on the controller.

Any help will be appreciated. I have yet to call TAC and open a case, but may be able to next week if I can find time.

Thanks,

Terry

2 Replies

APs always use the management interface of the WLC to register.

What you can do in this case:

1. Configure the WLC management IP as a private IP and then use NAT so that the WLC can communicate with APs that get a public IP

http://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-3/b_Cisco_OfficeExtend_Access_Point_/b_Cisco_OfficeExtend_Access_Point__chapter_01000.html

2. Configure an AP policy so that only APs with an authorized MAC can register to that WLC.

Additionally, if you have border firewalls, I would only allow UDP 5246/5247 to the controller IP (from the public internet) in order to provide better security.

HTH

Rasika

*** Pls rate all useful responses ***

Thanks Rasika, I will give this a try. I think the only part I need is to restrict the traffic to the CAPWAP ports you mentioned and make sure that inside trust traffic can reach the management on 443. I will let you know how I make out.
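
An added example, not part of either reply and not Cisco code: a first-match audit of a border rule set against the policy discussed above (UDP 5246/5247 from the internet to the controller address, TCP 443 to it only from inside). The `Rule` model is a hypothetical vendor-neutral ACL entry, and all addresses are constructed documentation/private ranges.

```python
import ipaddress
from dataclasses import dataclass

CAPWAP = {("udp", 5246), ("udp", 5247)}   # the two UDP ports named in the thread

@dataclass
class Rule:                      # hypothetical, vendor-neutral ACL entry
    action: str                  # "permit" or "deny"
    proto: str                   # "udp", "tcp" or "any"
    src: str                     # source network in CIDR form
    dst: str                     # destination network in CIDR form
    ports: range                 # destination port range

def decide(rules, proto, src, dst, port):
    """First matching rule wins; no match means implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (r.proto in ("any", proto) and port in r.ports
                and s in ipaddress.ip_network(r.src)
                and d in ipaddress.ip_network(r.dst)):
            return r.action
    return "deny"

def audit(rules, wlc, outside_host, inside_host):
    """Return findings where the rule set departs from the thread's policy."""
    findings = []
    probes = CAPWAP | {("tcp", 22), ("tcp", 23), ("tcp", 80), ("tcp", 443), ("udp", 161)}
    for proto, port in sorted(probes):
        verdict = decide(rules, proto, outside_host, wlc, port)
        wanted = "permit" if (proto, port) in CAPWAP else "deny"
        if verdict != wanted:
            findings.append(f"outside {proto}/{port}: {verdict}, expected {wanted}")
    if decide(rules, "tcp", inside_host, wlc, 443) != "permit":
        findings.append("inside tcp/443: deny, expected permit")
    return findings

# Constructed sample data: RFC 5737 / RFC 1918 addresses, not from the thread.
WLC, OUTSIDE, INSIDE = "192.0.2.10", "198.51.100.7", "10.0.0.25"
ALL = range(0, 65536)
WEAK = [Rule("permit", "any", "0.0.0.0/0", "192.0.2.10/32", ALL)]
HARDENED = [
    Rule("permit", "udp", "0.0.0.0/0", "192.0.2.10/32", range(5246, 5248)),
    Rule("permit", "tcp", "10.0.0.0/8", "192.0.2.10/32", range(443, 444)),
    Rule("deny", "any", "0.0.0.0/0", "192.0.2.10/32", ALL),
]

if __name__ == "__main__":
    for name, rules in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(rules, WLC, OUTSIDE, INSIDE) or "matches policy")
```

Because evaluation is first-match, moving the final deny to the top of `HARDENED` makes the audit report the CAPWAP ports and inside 443 as blocked, which is the usual way a correct-looking rule set breaks AP registration.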
