not 100% true if a controller coded as primary, secondary or tertiary is full or doesn't respond in a timely manner (network outage/power/whatever), and this is likely since your ap just rebooted or went into discovery randomly because of some kind of outage. it will go to the foreign controller and it won't come back, depending on the "foreign" controller's configuration or mobility group.

we had this exact problem because an internal department at a&m installed their own cisco 44xx controller and some of our aps learned his controller via otap and it was a huge mess. we had to block lwapp internally via acl at the department border to prevent our aps from going over, and we disabled otap completely on our controllers (because we controlled the top level domain DNS master response) to prevent his aps from coming to us. we eventually negotiated a complete takeover/replacement of his system to avoid any future conflict.

either way, in my experience OTAP is inconsistent and unreliable and i believe cisco's mobility guide (4.1/4.2 was last i read it) recommended it not be used during regular deployment. i believe its intent is for rapid initial deployment in a homogeneous environment without having to configure dhcp-43/dns.

-Justin

Paul Lee (paulle) wrote:

It will add the controller addresses it learns from OTAP to its candidate list and send a discovery request to all the controllers in its list. If it gets a response from a controller that is coded as Primary, Secondary or Tertiary it will never join the "foreign" controller. The key is to code Primary, Secondary and Tertiary on your controllers and make sure firewalls and ACLs block LWAPP/CAPWAP at your borders.

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[email protected]] On Behalf Of Daniel Husand
Sent: Tuesday, August 25, 2009 1:06 PM
To: [email protected]
Subject: Re: [WIRELESS-LAN] Cisco Wireless Vulnerability

On 25/08/2009 18:02, Lee H Badman wrote:

--
Justin Hao
Network Engineer
Texas A&M University
Networking and Information Security
[email protected]
(979)862-2162

**********
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
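One way to check the border filtering that both messages above rely on, as an added example that is not part of the original thread: a first-match audit of a border ACL for the AP-to-controller tunnel ports. The UDP port numbers (LWAPP 12222/12223, CAPWAP 5246/5247) are not stated in the thread; the simplified ACL grammar, the sample ACL and the function names are assumptions made for illustration, and interface direction is not modelled.

```python
import re

# UDP ports for AP-to-controller tunnels: LWAPP 12222/12223, CAPWAP 5246/5247.
TUNNEL_PORTS = {12222: "LWAPP", 12223: "LWAPP", 5246: "CAPWAP", 5247: "CAPWAP"}

# Constructed border ACL in a simplified IOS-style syntax (not taken from the thread).
SAMPLE_ACL = """
permit udp host 10.1.1.5 any eq 12223
deny udp any any range 12222 12223
deny udp any any eq 5246
permit ip any any
"""

ENTRY = re.compile(
    r"(permit|deny) (ip|udp) (any|host \S+) (any|host \S+)"
    r"(?: eq (\d+)| range (\d+) (\d+))?"
)

def parse(acl_text):
    """Return (action, src, dst, low_port, high_port) for each ACL entry."""
    entries = []
    for line in acl_text.strip().splitlines():
        m = ENTRY.fullmatch(line.strip())
        if m is None:
            # Refuse to guess: a skipped line could hide a permit.
            raise ValueError(f"unsupported ACL line: {line!r}")
        action, _, src, dst, eq, low, high = m.groups()
        # No port qualifier means the entry matches every port.
        low, high = (eq, eq) if eq else (low or 0, high or 65535)
        entries.append((action, src, dst, int(low), int(high)))
    return entries

def audit(acl_text):
    """First-match verdict per tunnel port: {port: (protocol, verdict, exceptions)}."""
    report, entries = {}, parse(acl_text)
    for port, name in TUNNEL_PORTS.items():
        verdict, exceptions = "blocked (implicit deny)", []
        for action, src, dst, low, high in entries:
            if not low <= port <= high:
                continue
            if (src, dst) == ("any", "any"):
                verdict = "blocked" if action == "deny" else "PERMITTED"
                break
            if action == "permit":  # narrower permit ahead of the blanket rule
                exceptions.append(f"{src} -> {dst}")
        report[port] = (name, verdict, exceptions)
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_ACL))
```

On the constructed ACL the audit reports UDP 5247 as permitted by the trailing `permit ip any any`, and lists the host-specific permit for 12223 as an exception that precedes the blanket deny.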
