11-06-2008 06:06 AM - edited 07-03-2021 04:44 PM
I have 1250 LAP and I want to install my own certificate on LAP because I want to have secure LWAPP communication between LAP 1252 and WLC 4400. How to install my own certificate from MS CA to LAP?
I have already installed certificate from my MS CA to WLC in .pem format without any problem
Please help,
Nenad
11-06-2008 07:34 AM
Don't think that is possible since the AP has a manufacturer-installed certificate and uses that to join with the WLC.
11-07-2008 12:49 AM
Then what is the most secure solution for LAP authorization, with minimum risk for my wireless network? I don't have a problem with registering LAP to WLC (authorize AP against AAA or MIC certificate), but I don't understand how to achieve full mutual authorization? What is the most recommended solution?
11-07-2008 04:55 AM
Not too many organizations will authorize APs against AAA since it becomes another device they have to manage. Both the AP and WLC have a manufacturer-installed certificate, which is an X.509 certificate. This is the mutual authentication method used by the LAP and WLC. You can't change this. The only way you can prevent a LAP from joining a WLC is to use the methods posted earlier. If someone connects a LAP to your network, but the LAP has no way of joining because you removed DHCP, DHCP option 43, DNS, etc., the LAP will not be an issue. Even if the LAP joins your network, you then have full control of that LAP. What you worry about more is when someone connects a fat AP to your network... now this becomes a rogue and you have to find it.
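The answer above lists DHCP option 43 as one of the discovery mechanisms a LAP uses to find a WLC, and removing it as one way to keep unmanaged LAPs from joining. When auditing what a DHCP server is actually advertising, it helps to be able to encode and decode the option 43 value Cisco documents for Aironet LAPs (suboption type 0xf1, length = 4 bytes per controller, then the controller IPv4 addresses). The following is an added example, not code from the original thread or from Cisco; the function names and the sample addresses are constructed for illustration.

```python
import ipaddress

# Cisco-documented vendor-specific suboption carrying WLC management IPs
CISCO_LAP_SUBOPTION = 0xF1


def encode_option43(controller_ips):
    """Build the DHCP option 43 payload (as a hex string) that points LAPs
    at the given WLC management addresses, e.g. for 'option 43 hex ...'."""
    if not controller_ips:
        raise ValueError("at least one controller address is required")
    packed = b"".join(ipaddress.IPv4Address(ip).packed for ip in controller_ips)
    if len(packed) > 255:
        raise ValueError("too many controllers for a single suboption")
    return bytes([CISCO_LAP_SUBOPTION, len(packed)]).hex() + packed.hex()


def decode_option43(hex_payload):
    """Parse an option 43 payload and return the WLC addresses it advertises.
    Raises ValueError on anything that is not the Cisco LAP suboption, so an
    auditor sees malformed or unexpected values instead of silently ignoring them."""
    data = bytes.fromhex(hex_payload.replace(" ", "").replace(".", ""))
    addresses = []
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated suboption header")
        sub_type, length = data[pos], data[pos + 1]
        value = data[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError("suboption length exceeds payload")
        if sub_type != CISCO_LAP_SUBOPTION:
            raise ValueError("unexpected suboption type 0x%02x" % sub_type)
        if length % 4 != 0:
            raise ValueError("controller list is not a whole number of IPv4 addresses")
        for i in range(0, length, 4):
            addresses.append(str(ipaddress.IPv4Address(value[i:i + 4])))
        pos += 2 + length
    return addresses


def audit_option43(hex_payload, approved_controllers):
    """Return the advertised controllers that are NOT in the approved list.
    An empty result means the DHCP scope only hands out sanctioned WLCs."""
    return [ip for ip in decode_option43(hex_payload) if ip not in approved_controllers]


if __name__ == "__main__":
    # Constructed sample: two WLC management addresses
    payload = encode_option43(["10.1.1.5", "10.1.1.6"])
    print("option 43 hex:", payload)
    print("decoded:", decode_option43(payload))
    print("unapproved:", audit_option43(payload, {"10.1.1.5"}))
```

Feeding the hex string a DHCP server is configured with into decode_option43 shows exactly which controllers LAPs on that scope will be pointed at; audit_option43 flags any controller address that is not on your approved list.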
11-07-2008 05:20 AM
1. Ok, you recommended that I register all my LAPs through LWAPP (DHCP, DHCP option 43, DNS), and then, after I have registered all my LAPs to the WLC, remove DHCP option 43, DNS, DHCP, etc.
2. If for some reason my LAP loses network connection, I must add all parameters (DHCP option 43, DNS, DHCP, etc.) again? Yes?
3. If I remove DHCP option 43, DNS, DHCP, etc., does that mean that even a fat AP would not be able to register to my network?
11-07-2008 05:27 AM
Once your LAP has registered with a WLC, that LAP will have the information it needs to find the primary, secondary and/or tertiary WLC. This info is from the mobility group configuration and AP configuration. This will not prevent any fat APs from connecting to your network. Wired security is what you need for that: IDS, port security, shutting down ports, etc.
11-07-2008 05:32 AM
Thank you very much for your answers.
Regards, Nenad