Security Requirements:
All Cisco access points must be authorized locally to join the Cisco 9800 WLC.
Background Information
To authorize an Access Point (AP), the AP's Ethernet MAC address (not its radio MAC address) must be present in the local database of the 9800 Wireless LAN Controller or on an external Remote Authentication Dial-In User Service (RADIUS) server.
This feature ensures that only authorized Access Points (APs) can join a Catalyst 9800 Wireless LAN Controller. Reference: https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213916-catalyst-9800-wireless-controllers-ap-au.html
Note: Authorization is enforced when an AP joins. Once the authorization list is applied, an AP that is already joined still needs its MAC address authorized, or it is rejected the next time it tries to join (for example after a reboot). Add the AP MAC addresses to the list in advance.
Procedure
1. Create the MAC address authorization list (the aaa authorization credential-download method list).
2. Add the Ethernet MAC address of every AP to the authorization list.
3. Enable AP MAC authorization and apply the method list.
Note: Once authorization is enabled, an AP that reboots cannot rejoin the WLC until its MAC address has been authorized; any AP left out of the list stays offline.
CLI Configuration
aaa authorization credential-download AAA_AP_AUTH local
ap auth-list authorize-mac
ap auth-list method-list AAA_AP_AUTH
username 0042.68c5.f676 mac description LAP-3802i
username f4bd.9e9b.d5c0 mac description LAP_9120AX-I
Note: aaa new-model must already be enabled. The method list name (AAA_AP_AUTH here) is arbitrary but must match in both commands, and one username entry is required per AP Ethernet MAC address.
Verification
Confirm with "show ap auth-list" that MAC authorization is enabled and the method list is applied, with "show running-config | include username" that every expected AP entry is present, and with "show ap summary" that the authorized APs have rejoined. An AP whose MAC address is missing from the list does not appear as joined.
Note: With N+1 redundancy (including SSO pairs backed by an N+1 WLC), the configuration on every WLC MUST be identical (authorized MAC addresses, AP tags, policy profiles, etc.); an AP that fails over to a WLC whose list lacks its MAC address is rejected.
Example:
Note: The configuration can be automated when a management platform is in place.
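As an added example (not part of the Cisco document or of this procedure), the Python script below renders the CLI lines above from an AP inventory such as a management platform would export, audits a WLC's running configuration against that inventory, and compares the authorization lists of N+1 peers for the drift the redundancy note warns about. The inventory, the running-config excerpts, the WLC names and the admin user line are constructed sample data.

```python
"""Render and audit Catalyst 9800 AP MAC authorization entries.

Added example; not from the Cisco document. The inventory, running-config
text and WLC names below are constructed sample data.
"""
import re

# Constructed inventory as a management platform might export it:
# (AP Ethernet MAC in any common notation, description).
INVENTORY = [
    ("00:42:68:C5:F6:76", "LAP-3802i"),
    ("f4bd.9e9b.d5c0", "LAP_9120AX-I"),
    ("0c-75-bd-12-34-56", "LAP-9130AX-E"),
]

# Constructed 'show running-config' excerpts from two N+1 peers; WLC2 is
# missing one AP, which is exactly the drift the redundancy note warns about.
WLC1_CONFIG = """\
aaa authorization credential-download AAA_AP_AUTH local
ap auth-list authorize-mac
ap auth-list method-list AAA_AP_AUTH
username netadmin privilege 15 secret 9 $9$sample-hash
username 0042.68c5.f676 mac description LAP-3802i
username f4bd.9e9b.d5c0 mac description LAP_9120AX-I
"""
WLC2_CONFIG = """\
aaa authorization credential-download AAA_AP_AUTH local
ap auth-list authorize-mac
ap auth-list method-list AAA_AP_AUTH
username 0042.68c5.f676 mac description LAP-3802i
"""

HEX12_RE = re.compile(r"^[0-9a-f]{12}$")
# Only 'username <mac> mac ...' lines are AP entries; admin users do not match.
AP_USERNAME_RE = re.compile(r"^username\s+(\S+)\s+mac\b", re.MULTILINE)
AUTHORIZE_MAC_RE = re.compile(r"^ap auth-list authorize-mac\s*$", re.MULTILINE)


def normalize_mac(mac: str) -> str:
    """Return a MAC in the xxxx.xxxx.xxxx form used in the username command."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not HEX12_RE.match(digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return f"{digits[0:4]}.{digits[4:8]}.{digits[8:12]}"


def auth_list_config(inventory, method_list="AAA_AP_AUTH"):
    """Render the CLI lines from the procedure for every AP in the inventory."""
    lines = [
        f"aaa authorization credential-download {method_list} local",
        "ap auth-list authorize-mac",
        f"ap auth-list method-list {method_list}",
    ]
    lines += [f"username {normalize_mac(mac)} mac description {desc}"
              for mac, desc in inventory]
    return lines


def authorized_macs(running_config: str) -> set:
    """Extract the set of authorized AP MACs from running-config text."""
    return {normalize_mac(m) for m in AP_USERNAME_RE.findall(running_config)}


def audit(running_config: str, inventory) -> dict:
    """Compare one WLC's list with the inventory.

    'missing' APs will be refused the next time they (re)join; 'unexpected'
    entries authorize a MAC that no known AP owns and should be reviewed.
    """
    have = authorized_macs(running_config)
    want = {normalize_mac(mac) for mac, _ in inventory}
    return {
        "mac_auth_enabled": bool(AUTHORIZE_MAC_RE.search(running_config)),
        "missing": sorted(want - have),
        "unexpected": sorted(have - want),
    }


def n_plus_1_drift(configs: dict) -> dict:
    """Report, per WLC, the MACs authorized on some peer but not on it."""
    per_wlc = {name: authorized_macs(cfg) for name, cfg in configs.items()}
    union = set().union(*per_wlc.values())
    return {name: sorted(union - macs)
            for name, macs in per_wlc.items() if union - macs}


if __name__ == "__main__":
    print("\n".join(auth_list_config(INVENTORY)))
    print(audit(WLC1_CONFIG, INVENTORY))
    print(n_plus_1_drift({"wlc1": WLC1_CONFIG, "wlc2": WLC2_CONFIG}))
```

Run against real output, feed each WLC's "show running-config" text to audit() before enabling authorization (so no AP is left off the list) and to n_plus_1_drift() after every change to an N+1 group; a non-empty "missing" or drift result means an AP will be refused on its next join or failover.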