11-07-2013 11:03 AM - edited 07-04-2021 01:14 AM
I have a WLC 2112 and currently if you plug in a Cisco access point, it will connect to the controller and download the config. I don't like this and want to allow only the APs that I specify. Anyone could just walk into one of our buildings and plug in an AP and get our entire wireless config. Is there a way in the WLC 2112 to only allow the APs that I specify to be connected to the controller?
11-07-2013 11:08 AM
Yup, the easiest way: go to SECURITY -> AP Policies (left-hand side menu). Check the box
Authorize MIC APs against auth-list or AAA and add the wired MAC address of each AP you want to connect.
DONE
__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."
11-07-2013 11:09 AM
If you want to get fancy you can leverage a AAA server and use certificates on the AP with LSC.
11-07-2013 11:17 AM
Thanks, that is what I was after.
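The auth-list approach from the answer above can be prepared offline from an AP inventory. This is an added example, not part of the original thread: it assumes the AireOS CLI counterparts of the GUI checkbox (`config auth-list ap-policy authorize-ap enable` and `config auth-list add mic <mac>`), and the sample MAC addresses are constructed.

```python
import re

# Constructed sample inventory (not real devices): wired MACs as they arrive
# from labels, spreadsheets and switch output, in mixed notations.
SAMPLE_INVENTORY = """\
# building A
00:1A:2B:3C:4D:5E
001a.2b3c.4d5f
00-1a-2b-3c-4d-60
001A2B3C4D5E      # duplicate of the first entry
00:1a:2b:3c:4d    # too short, must be rejected
01:1a:2b:3c:4d:61 # group bit set, not an interface address
"""

def normalize_mac(text):
    """Return xx:xx:xx:xx:xx:xx in lower case, or None if not a unicast MAC."""
    digits = re.sub(r"[.:\-]", "", text.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    if int(digits[:2], 16) & 1:  # multicast/group bit in the first octet
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def build_auth_list(inventory):
    """Return (commands, rejected) for the approved-AP inventory text."""
    macs, rejected = [], []
    for raw in inventory.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        mac = normalize_mac(entry)
        if mac is None:
            rejected.append(entry)   # surface bad rows instead of dropping them
        elif mac not in macs:
            macs.append(mac)         # de-duplicate, keep inventory order
    # Entries first, enforcement last, so APs that are already joined are
    # on the list before the controller starts checking it.
    commands = [f"config auth-list add mic {mac}" for mac in macs]
    commands.append("config auth-list ap-policy authorize-ap enable")
    return commands, rejected

if __name__ == "__main__":
    cmds, bad = build_auth_list(SAMPLE_INVENTORY)
    print("\n".join(cmds))
    for entry in bad:
        print(f"! rejected, fix in inventory: {entry}")
```

Review the rejected rows before pasting the commands into the controller; an AP whose wired MAC is missing from the list will not be allowed to join once the policy is enabled.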
11-07-2013 01:29 PM
Cool .. Thanks for supporting the rating system!
11-07-2013 01:29 PM
I'd put your production SSID outside AP Groups 1 to 16. Put all your SSID with index 17 and more.
This way, if someone tries to put their own AP in, the AP will not broadcast any SSID.
11-08-2013 02:10 AM
Nice trick, Leo!
11-08-2013 05:17 AM
The issue with this AP group trick is that the AP would still join the WLC, pull code, and take up a license.
AP groups are good for hiding SSIDs from the broadcast list and have a legit use. I do this with our offnet WLAN.
11-08-2013 05:01 PM
Nice trick, Leo!
Florin,
If you plan to do this, make sure you tell the rest of the team. Happened to one of my colleagues when I was on leave. They deployed >20 APs and none of them were broadcasting anything. It took them hours to realize I shuffled all the SSID indexes to 17 and above. Me bad.
11-12-2013 07:14 AM
When you're saying SSID index you refer to WLANs->WLANs-->WLAN ID?
11-12-2013 07:18 AM
Correct .. WLAN index 1 - 16 will automatically be broadcasted from the said. Making a WLAN index 17 allows you to shape with AP groups what WLANs get broadcasted from an AP ..
11-12-2013 01:10 PM
When you're saying SSID index you refer to WLANs->WLANs-->WLAN ID?
That's right. Index or WLAN ID #1 to 16 goes to the "default-group" AP groups.
Make sure you have no SSIDs configured in this range. Start with 17 and work your way up.
11-12-2013 10:10 PM
For a WLAN already in use can I rename ID 10 with 18?
11-12-2013 10:12 PM
Nope, you have to delete it & recreate with new ID
11-12-2013 11:32 PM
Unfortunately no, Florin. You'll need to delete and create a new one.