안녕하세요.

 

오늘은 인가된 AP만 WLC에 등록 가능 하게 설정해보겠습니다.

 

사용할 방법은 AP MAC주소를 WLC에 등록해서 허가된 AP MAC만 WLC에 등록 할 수 있습니다.

 

AP IP: DHCP Server로 부터 IP주소를 받아감. 192.168.200.X/24

AP GW: 192.168.200.181

WLC: 192.168.100.182 DHCP option43를 이용함. 

 

1.  Configuration  -> Security -> AAA 클릭 합니다. 

 

2. AAA Advanced -> AP Policy 에서 Authorized AP aginast MAC를 Enable하고 Apply를 클릭 합니다. 

 

*** 만약에 Default값으로 아래 처럼 설정 안되어져 있으면 추가로 설정 합니다. ***

3. 현재 아래처럼 AP한대가 WLC에 등록 되어져 있습니다. 

 

4. AP를 재부팅 합니다.

 

5. 약 5분후 - Monitoring -> Wireless -> AP statistics를 클릭해서 AP가 상태를 확인 합니다.

 

AP가 WLC에게 CAPWAP join request  메시지를 전송하지만 reponse패킷을 받지 못합니다. 

그리고 CAPWAP state: DTLS Teardown이 되고, 다시 CAPWAP join request를 보냅니다. 이 과정을 반복합니다. 

[*12/25/2024 05:57:51.4299] CAPWAP State: Join
[*12/25/2024 05:57:51.6198] Sending Join request to 192.168.100.182 through port 5272, packet size 1376
[*12/25/2024 05:57:56.3783] Sending Join request to 192.168.100.182 through port 5272, packet size 1376
[*12/25/2024 05:58:01.0569] Sending Join request to 192.168.100.182 through port 5272, packet size 896

[*12/25/2024 05:58:48.1321] CAPWAP State: DTLS Teardown
[*12/25/2024 05:58:48.3621] status 'upgrade.sh: Script called with args:[CANCEL]'
[*12/25/2024 05:58:48.4121] do CANCEL, part2 is active part
[*12/25/2024 05:58:48.4320] status 'upgrade.sh: Cleanup tmp files ...'
[*12/25/2024 05:58:53.0506] dtls_queue_first: Nothing to extract!
[*12/25/2024 05:58:53.0506] 
[*12/25/2024 05:58:53.5504] Discovery Response from 192.168.100.182
[*12/25/2024 05:59:04.0000] Started wait dtls timer (60 sec)
[*12/25/2024 05:59:04.0099] 
[*12/25/2024 05:59:04.0099] CAPWAP State: DTLS Setup
[*12/25/2024 05:59:04.1799] First connect to vWLC, accept vWLC by default
[*12/25/2024 05:59:04.1799] 
[*12/25/2024 05:59:04.1799] dtls_verify_server_cert: vWLC is using SSC, returning 1
[*12/25/2024 05:59:04.2599] 
[*12/25/2024 05:59:04.2599] CAPWAP State: Join
[*12/25/2024 05:59:04.4299] Sending Join request to 192.168.100.182 through port 5272, packet size 1376
[*12/25/2024 05:59:09.1284] Sending Join request to 192.168.100.182 through port 5272, packet size 1376

 

6. Monitoring -> Wireless -. AP Statistics에서 Join Statics를 클릭해서 보시면

아래 사진처럼 AP AUth Failure를 확인 할수 있습니다. 

 

아래 AP MAC주소가 WLC 인가된 AP MAC 주소 리스트에 포함되지 않기 떄문에 AP 등록이 실패 하였습니다.

 

7. AP MAC주소를 등록 합니다.

Configuration ->  Security -> AAA -> AAA Advanced -> Device Authentication -> MAC Address -> Add 버튼을 클릭 합니다. 

 

CLI 에서 AP MAC주소 확인 방법

SG-AP01#show interfaces wired 0
wired0    Link encap:Ethernet  HWaddr C8:84:A1:CC:2F:48  
          inet addr: 192.168.200.235  Bcast: 192.168.200.255  Mask: 255.255.255.
0
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          collisions:0 txqueuelen:80 
          Interrupt:2 
          full Duplex, 1000 Mb/s

          5 minute input rate 1268 bits/sec, 1 packets/sec
          5 minute output rate 5067 bits/sec, 1 packets/sec
Wired0 Port Statistics:
RX PKTS    :            1171/8           TX PKTS    :            1171/8         
RX BYTES   :          122210/508         TX BYTES   :          122210/508       
RX DROPS   :               0/0          

 

아래처럼 입력 합니다. 

 

그리고 특정 시간을 기다립니다.

이번에는 아래처럼 Join Reponse 패킷을 WLC로부터 받았습니다. 

[*12/25/2024 06:20:28.8807] CAPWAP State: Discovery
[*12/25/2024 06:20:28.8807] Got WLC address 192.168.100.182 from DHCP.
[*12/25/2024 06:20:29.1006] Discovery Request sent to 192.168.100.182, discovery type STATIC_CONFIG(1)
[*12/25/2024 06:20:29.3005] Discovery Request sent to 255.255.255.255, discovery type UNKNOWN(0)
[*12/25/2024 06:20:29.3005] Discovery Response from 192.168.100.182
[*12/25/2024 06:20:39.0000] Started wait dtls timer (60 sec)
[*12/25/2024 06:20:39.0099] 
[*12/25/2024 06:20:39.0099] CAPWAP State: DTLS Setup
[*12/25/2024 06:20:39.1099] First connect to vWLC, accept vWLC by default
[*12/25/2024 06:20:39.1099] 
[*12/25/2024 06:20:39.1199] dtls_verify_server_cert: vWLC is using SSC, returning 1
[*12/25/2024 06:20:39.1799] 
[*12/25/2024 06:20:39.1799] CAPWAP State: Join
[*12/25/2024 06:20:39.3399] Sending Join request to 192.168.100.182 through port 5272, packet size 1376
[*12/25/2024 06:20:43.9185] Sending Join request to 192.168.100.182 through port 5272, packet size 1376
[*12/25/2024 06:20:44.1484] Join Response from 192.168.100.182, packet size 1397
[*12/25/2024 06:20:44.1484] AC accepted previous sent request with result code: 0
[*12/25/2024 06:20:44.1484] Received wlcType 0, timer 30
[*12/25/2024 06:20:44.2584] nss_capwapmgr_enable_tunnel[1682]:ef30e800: tunnel 0 is already enabled
[*12/25/2024 06:20:44.2783] 
[*12/25/2024 06:20:44.2783] CAPWAP State: Image Data
[*12/25/2024 06:20:44.2883] AP image version 17.13.0.107 backup 17.8.0.144, Controller 17.13.0.107
[*12/25/2024 06:20:44.2883] Version is the same, do not need update.
[*12/25/2024 06:20:44.3583] status 'upgrade.sh: Script called with args:[NO_UPGRADE]'
[*12/25/2024 06:20:44.3983] do NO_UPGRADE, part2 is active part
[*12/25/2024 06:20:44.4183] 
[*12/25/2024 06:20:44.4183] CAPWAP State: Configure
[*12/25/2024 06:20:44.6382] Radio [2] Administrative state DISABLED  change to ENABLED 
[*12/25/2024 06:20:44.6382] Radio [1] Administrative state DISABLED  change to ENABLED 
[*12/25/2024 06:20:44.6382] Radio [0] Administrative state DISABLED  change to ENABLED 
[*12/25/2024 06:20:45.3880] 
[*12/25/2024 06:20:45.3880] CAPWAP State: Run
[*12/25/2024 06:20:45.4680] AP has joined controller WLC01
[*12/25/2024 06:20:45.4680] Flexconnect Switching to Connected Mode!
[*12/25/2024 06:20:46.0678] Previous AP mode is 2, change to 2
[*12/25/2024 06:20:46.0778] Current session mode: ssh, Configured: Telnet-No, SSH-No, Console-Yes
[*12/25/2024 06:20:46.0778] 
[*12/25/2024 06:20:46.3377] Current session mode: telnet, Configured: Telnet-No, SSH-No, Console-Yes
[*12/25/2024 06:20:46.3377] 
[*12/25/2024 06:20:46.3577] Current session mode: console, Configured: Telnet-No, SSH-No, Console-Yes
[*12/25/2024 06:20:46.3577] 
[*12/25/2024 06:20:46.4177] chpasswd: password for user changed
[*12/25/2024 06:20:46.4677] chpasswd: password for user changed
[*12/25/2024 06:20:46.6376] 
[*12/25/2024 06:20:46.6376] Same LSC mode, no action needed
[*12/25/2024 06:20:46.9275] Same value is already set.
[*12/25/2024 06:20:47.2374] USB Device Disconnected from the AP
[*12/25/2024 06:20:47.3974] Got WSA Server config TLVs
[*12/25/2024 06:20:48.7270] Socket: Valid Element: wcp/wcp_db Handler: set_vlan_name_map Data: null Length: 10
[*12/25/2024 06:20:50.4064] SD AVC only supports 802.11ax AP
[*12/25/2024 06:20:50.5664] Re-Tx Count=1, Max Re-Tx Value=5, SendSeqNum=16, NumofPendingMsgs=1
[*12/25/2024 06:20:50.5664] 
[*12/25/2024 06:20:50.8163] DOT11_DRV[0]: Stop Radio0 - Begin
[*12/25/2024 06:20:50.8963] DOT11_DRV[0]: Stop Radio0 - End
[*12/25/2024 06:20:50.8963] DOT11_DRV[0]: Start Radio0 - Begin
[*12/25/2024 06:20:50.8963] DOT11_DRV[0]: Start Radio0 - End
[*12/25/2024 06:20:53.0756]  **** CAC start for 62 seconds for radio 1 ****
[*12/25/2024 06:21:15.6385] netlink socket init done, pnl->spectral_fd=4
[*12/25/2024 06:21:15.6385] CLEANAIR: Slot 0 admin disabled
[*12/25/2024 06:21:16.6382] CLEANAIR: Slot 1 admin disabled
[*12/25/2024 06:21:55.1962] cac_timeout cac expired, chan 5560 curr time 306
[*12/25/2024 06:21:55.1962]  **** CAC stop for radio 1 ****

Username: 
Username: 
% Authentication failed

 

아래 사진처럼 AP가 WLC에 등록 되었습니다. 

 

 

시간이 지나도 AP는 계속 UP상태 입니다. 그 이유는 이미 WLC등록되어기 때문에, 다시 AP Authentication를 확인 하지 않습니다. 

 

AP를 재부팅 합니다. 

재부팅후에는 다시 AP authentication를 시도해야합니다. 하지만 WLC에서 AP MAC주소를 제거 했기 떄문에, 아래처럼 인증 실패로 표시 됩니다. 

 

지금까지 [C9800CL][#7]- AP authentication - AP Mac Filter 글을 읽어주셔서 감사합니다. 

 

저작자표시

'CISCO > 무선' 카테고리의 다른 글

[C9800CL][#9]- WLAN Guest  (0) 2024.12.26
[C9800CL][#8]- Data Interface Redundancy - Port Channel  (0) 2024.12.25
[C9800CL][#6]-AP hostname를 이용해서 Tag 할당하기  (0) 2024.12.24
[C9800CL][#5]-AP Join Process - DHCP option 43  (1) 2024.12.24
[C9800CL][#4]-AP Join Process - Manual Method  (0) 2024.12.24

+ Recent posts

티스토리툴바