Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
7960
Views
0
Helpful
16
Replies

Prevent certain APs from associating with WLC

robinwenham
Level 1
Level 1

‎03-30-2012 02:41 AM - edited ‎07-03-2021 09:54 PM

Hi, we have the following situation which I'd appreciate assistance with.

We have 9 WLCs around a corporate network.  Each of the WLCs was in the same mobility group for failover purposes, and to permit APs to reconnect back to their primary WLC in the event of a failover.

However one of the sites has now been sold and pending separation of the LAN infrastructure the APs need to be isolated and prevented from associating with any WLC other than their primary (on site).  From our experience once the APs know about other WLCs they retain this list in NVRAM even if the secondary WLC is removed from the configuration they will still associate with one of the known APs if possible (Cisco document this).

WLC v 8.1.185.

Does anyone have any recommendations to achieve this?  My thoughts are:

1) configure WAN router to deny outgoing LWAPP / CAPWAP packets.  Router is a managed service which will entail negotiations and cost with the service provider.

2) completely default all APs on site.  69 APs mounted in the roof of a large distribution depot.

3) Use ACLs on the other WLCs to prevent ones from this subnet connecting to them.  May be the easiest because it is all in our control.  But I'm unsure of the implications of this.

4) any other?

Thoughts?

Thanks

R

Labels:
0 Helpful
16 Replies 16

Stephen Rodriguez
Cisco Employee
Cisco Employee

‎03-30-2012 04:03 AM

That is what the AP authorization feature is for. What you can do is enable AP authorization via the MIC. The add you current AP ti the auth-list, you just need to put in their Mac address. This should stop any AP not in the list from being able to join. I'd push the template from WCS

Steve

Sent from Cisco Technical Support iPhone App

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered
0 Helpful

Scott Fella
Hall of Fame
Hall of Fame
In response to Stephen Rodriguez

‎03-30-2012 06:42 AM

just to add my 2¢...Well if you only want the wlc on the primary site to be the only wlc that these ap's can join, why not change the mobility group name and the VIP, disable AP fallback and remove the mobility for the other 8 WLC's and also remove the mobility from the 8 other WLLC's and isolate it that way.That might be the easiest way.... treat it as a different site.

-Scott
*** Please rate helpful posts ***
0 Helpful

robinwenham
Level 1
Level 1
In response to Scott Fella

‎04-02-2012 02:26 AM

Hi Scott, you would have thought so, and this is what we did on the APs/WLC in question.  However our experience is that once the APs know about a WLC they retain that information in NVRAM - removing the mobility and fallback does not remove this - the AP will associate with any AP that they can reach by IP.  Of course with the "home" controller no longer in the mobility group then having associated with another controller there is no way home...so you have to put the home controller back into the mobility group then they will go back, then take it out again.

It seems to me that the only way to clear this info from the AP is to do a total reset and remove all the files in the file system back to the as-shipped config.

0 Helpful

Scott Fella
Hall of Fame
Hall of Fame
In response to robinwenham

‎04-02-2012 04:26 AM

Well once you change the mobility group and virtual they will have different info in nvram. Block udp 12222 & 12223 at the local router and they will never join any wlc outside of their local defined subnet.

Thanks,

Scott Fella

Sent from my iPhone

-Scott
*** Please rate helpful posts ***
0 Helpful

robinwenham
Level 1
Level 1
In response to Scott Fella

‎04-03-2012 02:39 AM

It's not that simple.  If simply changing the config from the controller stopped the APs  from associating to an unwanted controller outside their own network  then I wouldn't be here asking for help.  But that is not the case.

These APs (LAP1242s) keep a list of known controllers in the NVRAM that is not part of the running configuration from the controller - as I recall it is in the environment variables, but all the APs I have here in the office have been defaulted (which includes deleting the ENV_VARS file from flash) so I can't illustrate it.

As I said above, blocking the ports at the router involves managed routers and change requests which we can do but takes it two levels outside our control.

Hence the request for help about using ACLs to deny access to the WLCs from a specific network.

Thanks

Robin

0 Helpful

robinwenham
Level 1
Level 1
In response to Stephen Rodriguez

‎04-02-2012 02:34 AM

@Steve - I see where you are gong with this Steve but it would be a big job 'cos it is the wrong way around for what I want to do - I want to deny APs to a WLC, this involves denying all then adding permits for all the known APs.

Within my infrastucture this is too big a task and potentially risky.  I wouldn't get permission to do this.

Thanks for the thought.

0 Helpful

Leo Laohoo
Hall of Fame
Hall of Fame

‎03-30-2012 03:49 PM 

WLC v 8.1.185.

Betcha by golly wow!  Can I get a copy of this firmware please????

0 Helpful

Scott Fella
Hall of Fame
Hall of Fame
In response to Leo Laohoo

‎03-30-2012 07:46 PM

Your funny Leo. I had a feeling you would post something:)

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
0 Helpful

Leo Laohoo
Hall of Fame
Hall of Fame
In response to Scott Fella

‎03-30-2012 11:24 PM 

Your funny Leo. I had a feeling you would post something:)

LOL.

Sorry folks.  Too much caffine with my meusli.

0 Helpful

robinwenham
Level 1
Level 1
In response to Leo Laohoo

‎04-02-2012 02:43 AM

@Leo - OK maybe a small typo - 4.1.185...

Mind you v8 might be interesting...

0 Helpful

robinwenham
Level 1
Level 1

‎04-02-2012 02:41 AM

So, for the reasons discussed above I don't think that I can use the AP Autorisation feature, and the mobility group changes haven't worked, so does anyone have any thoughts about taking an approach using ACLs to deny access from the subnet?

Thanks in advance

0 Helpful

Scott Fella
Hall of Fame
Hall of Fame

‎04-03-2012 03:40 AM

Robin,

We give you suggestion that we think we would do in your situation. If it doesn't fit in your requirements then there is no other choice than to re-configure the other site. If you haven't tested to see if your theory is correct, then you don't have any other choice than delete the nvram.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
0 Helpful

robinwenham
Level 1
Level 1
In response to Scott Fella

‎04-03-2012 03:48 AM

Scott,

Of course, and I understand that.

Robin

0 Helpful

robinwenham
Level 1
Level 1
In response to robinwenham

‎04-24-2012 02:01 AM

I'd like to thank everyone who replied, and to tidy it up.

The recommendation from Cisco is that we implement ACLs on the router to stop any control traffic passing (CAPWAP / LWAPP).

There is no simple way, given our infrastructure, to do this on the controllers.

Regards

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card