Cisco Cisco 2000 Series Wireless LAN Controller White Paper

• APs you own that do not run LWAPP (perhaps they run IOS or VxWorks)
• LWAPP APs that employees bring in (with the knowledge of the administrator)
• LWAPP APs used to test the existing network
• LWAPP APs that neighbors own
Normally, trusted APs are APs that fall into category 1, which are APs you own that do not run LWAPP.
They might be old APs that run VxWorks or IOS. In order to ensure that these APs do not damage the
network, certain features can be enforced, such as correct SSIDs and authentication types. Configure the
trusted AP policies on the WLC, and make sure that the trusted APs meet these policies. If not, you can
configure the controller to take several actions, such as raising an alarm to the network management device
(WCS).
Known APs that belong to the neighbors can be configured as trusted APs.
Normally, MFP (Management Frame Protection) should prevent APs that are not legitimate LWAPP APs
from joining the WLC. If NIC cards support MFP, they are not allowed to accept deauthentications from
devices other than the real APs. Refer to Infrastructure Management Frame Protection (MFP) with WLC and
LAP Configuration Example for more information about MFP.
If you have APs that run VxWorks or IOS (as in category 1), they will never join the LWAPP group or do
MFP, but you might want to enforce the policies listed on that page. In such cases, trusted AP policies need
to be configured on the controller for the APs of interest.
In general, if you know about a rogue AP and identify that it is not a threat to your network, you can identify
that AP as a known trusted AP.
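The trusted AP policy check described above (correct SSIDs and authentication types, with an alarm on violation) can be mirrored offline against an inventory of observed APs. This is an added example, not Cisco code or WLC configuration; the class names, field names, and sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Hypothetical policy model; field names are assumptions, not WLC settings.
@dataclass(frozen=True)
class TrustedApPolicy:
    allowed_ssids: frozenset
    allowed_auth_types: frozenset

@dataclass(frozen=True)
class ObservedAp:
    bssid: str
    ssid: str
    auth_type: str

def normalize_mac(mac):
    """Lower-case a MAC and strip separators so list lookups are consistent."""
    return "".join(c for c in mac.lower() if c in "0123456789abcdef")

def audit(observed, trusted_bssids, policy):
    """Return (alarms, unclassified).

    alarms: trusted APs that violate the policy, with the reasons.
    unclassified: BSSIDs not on the trusted list (left for rogue handling).
    """
    trusted = {normalize_mac(m) for m in trusted_bssids}
    alarms, unclassified = [], []
    for ap in observed:
        if normalize_mac(ap.bssid) not in trusted:
            unclassified.append(ap.bssid)
            continue
        reasons = []
        if ap.ssid not in policy.allowed_ssids:
            reasons.append(f"unexpected SSID {ap.ssid!r}")
        if ap.auth_type not in policy.allowed_auth_types:
            reasons.append(f"unexpected authentication type {ap.auth_type!r}")
        if reasons:
            alarms.append((ap.bssid, reasons))
    return alarms, unclassified

# Constructed sample data (not from a real controller).
POLICY = TrustedApPolicy(frozenset({"corp"}), frozenset({"wpa2-enterprise"}))
TRUSTED = ["00:11:22:AA:BB:01", "00-11-22-aa-bb-02"]
OBSERVED = [
    ObservedAp("00:11:22:aa:bb:01", "corp", "wpa2-enterprise"),
    ObservedAp("00:11:22:aa:bb:02", "corp", "open"),
    ObservedAp("00:11:22:aa:bb:03", "guest", "open"),
]
```

A trusted AP that drifts from the policy produces an alarm entry, while an AP that is not on the trusted list is reported separately so it can go through normal rogue AP handling.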
How to Configure an AP as a Trusted AP from the WLC GUI?
Complete these steps in order to configure an AP as a trusted AP:
1. Log into the GUI of the WLC through HTTP or HTTPS login.
2. From the controller main menu, click Wireless.
3. In the menu located on the left side of the Wireless page, click Rogue APs.