Cisco 9800 Wireless 2024 – Phase 7 – AP Authorization List

Security Requirements:

All Cisco access points must be authorized locally to join the Cisco 9800 WLC.

Background Information

To authorize an Access Point (AP), the AP's Ethernet MAC address must be authorized against the local database on the 9800 Wireless LAN Controller or against an external Remote Authentication Dial-In User Service (RADIUS) server.

This feature ensures that only authorized Access Points (APs) can join a Catalyst 9800 Wireless LAN Controller. Reference: https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213916-catalyst-9800-wireless-controllers-ap-au.html


Note: APs that are already joined to the WLC also have to be authorized once the authorization list is applied. Therefore, it is important to whitelist the AP MAC addresses in advance.

Create the MAC address authorization list

Enable AP MAC authorization.

After the APs reboot, they cannot rejoin the WLC because their MAC addresses have not yet been authorized.


Add the MAC address to the auth list

CLI Configuration

aaa authorization credential-download AAA_AP_AUTH local
ap auth-list authorize-mac
ap auth-list method-list AAA_AP_AUTH

username 0042.68c5.f676 mac description LAP-3802i
username f4bd.9e9b.d5c0 mac description LAP_9120AX-I

Verification


Note: For SSO with N+1 redundancy, the configuration between devices MUST be identical (MAC addresses, AP tags, policy profiles, etc.).

Example:

Note: The configuration can be automated when a management platform is in place.
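As an added example of that automation (my own code, not part of the original post or any Cisco tool), the script below renders the CLI lines shown above from an AP inventory, normalizes MAC addresses into the dotted format the 9800 expects, rejects malformed entries instead of silently dropping them, and compares the authorized MAC sets of two controllers for the redundancy note above. The inventory, AP names and the method-list name AAA_AP_AUTH are constructed sample values.

```python
import re

# Constructed sample inventory (not from the original post): AP name -> MAC as
# exported by the asset system, in mixed notations. "LAP-bogus" is invalid on purpose.
AP_INVENTORY = {
    "LAP-3802i": "00:42:68:C5:F6:76",
    "LAP_9120AX-I": "f4-bd-9e-9b-d5-c0",
    "LAP-bogus": "f4bd.9e9b.zz00",
}

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_cisco_mac(mac: str) -> str:
    """Return a MAC in the 9800's dotted form (aaaa.bbbb.cccc); raise ValueError if malformed."""
    digits = re.sub(r"[:.\-\s]", "", mac).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a valid MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))


def build_ap_authlist_config(inventory: dict, method_list: str = "AAA_AP_AUTH") -> tuple:
    """Emit the IOS-XE lines for a local AP MAC authorization list.

    Returns (config_lines, rejected) so that a typo in the inventory is reported
    rather than quietly locking an AP out of the controller.
    """
    lines = [
        f"aaa authorization credential-download {method_list} local",
        "ap auth-list authorize-mac",
        f"ap auth-list method-list {method_list}",
    ]
    rejected, seen = {}, set()
    for name, raw in sorted(inventory.items()):
        try:
            mac = normalize_cisco_mac(raw)
        except ValueError as exc:
            rejected[name] = str(exc)
            continue
        if mac in seen:  # one username entry per MAC keeps configs identical across WLCs
            continue
        seen.add(mac)
        lines.append(f"username {mac} mac description {name}")
    return lines, rejected


def authlists_match(config_a: list, config_b: list) -> bool:
    """True when two controllers authorize exactly the same MAC set (SSO / N+1 check)."""
    def macs(cfg):
        return {line.split()[1] for line in cfg if line.startswith("username ")}
    return macs(config_a) == macs(config_b)
```

Run the generated lines against each controller and treat a non-empty `rejected` dict or a False from `authlists_match` as a stop condition before the change window.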

