Agreed, I wasn't explicit enough with my response. OTAP is turned off by default and I always advise customers to keep it off. I am not a big fan of VTP on the wired side either because of the ramifications of a new switch wiping out your whole network's VLAN database.

So you have two issues to think about: your APs joining foreign controllers, and foreign APs joining your controller.

Foreign APs joining your controller:
- Disable OTAP on your controllers. Only turn it on if you are actively adding new APs to your network and are not using the other discovery methods.
- Stop LWAPP/CAPWAP at the border of your network.
- Implement AP authentication on your controllers.
- Implement Locally Significant Certificates (LSCs) on your controllers.

Your APs joining a foreign controller:
- Make sure that ACLs on the border routers and firewalls stop LWAPP/CAPWAP.
- Use primary/secondary/tertiary controller preferences on your APs. That won't totally mitigate the threat... if an AP goes into the LWAPP/CAPWAP discovery cycle, it will hear the "alien" controller OTAP messages and add it to the candidate list. But, as long as one of the primary/secondary/tertiary controllers responds to the LWAPP/CAPWAP discovery request, the AP will never attempt to join the "alien" controller.
- Preconfigure your APs to use locally significant certificates (LSCs).

I work for Cisco but this is not an official Cisco response. An official Cisco link is here: http://tools.cisco.com/security/center/viewAlert.x?alertId=18919

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[email protected]] On Behalf Of Justin Hao
Sent: Tuesday, August 25, 2009 1:30 PM
To: [email protected]
Subject: Re: [WIRELESS-LAN] Cisco Wireless Vulnerability

Not 100% true: if a controller coded as primary, secondary or tertiary is full or doesn't respond in a timely manner (network outage/power/whatever), and this is likely since your AP just rebooted or went into discovery randomly because of some kind of outage, it will go to the foreign controller and it won't come back, depending on the "foreign" controller's configuration or mobility group.

We had this exact problem because an internal department at A&M installed their own Cisco 44xx controller and some of our APs learned his controller via OTAP and it was a huge mess. We had to block LWAPP internally via ACL at the department border to prevent our APs from going over, and we disabled OTAP completely on our controllers (because we controlled the top level domain DNS master response) to prevent his APs from coming to us. We eventually negotiated a complete takeover/replacement of his system to avoid any future conflict. Either way, in my experience OTAP is inconsistent and unreliable, and I believe Cisco's mobility guide (4.1/4.2 was the last I read it) recommended it not be used during regular deployment. I believe its intent is for rapid initial deployment in a homogeneous environment without having to configure DHCP-43/DNS.

-Justin

Paul Lee (paulle) wrote:
It will add the controller addresses it learns from OTAP to its candidate list and send a discovery request to all the controllers in its list. If it gets a response from a controller that is coded as Primary, Secondary or Tertiary it will never join the "foreign" controller. The key is to code Primary, Secondary and Tertiary on your controllers and make sure firewalls and ACLs block LWAPP/CAPWAP at your borders.

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[email protected]] On Behalf Of Daniel Husand
Sent: Tuesday, August 25, 2009 1:06 PM
To: [email protected]
Subject: Re: [WIRELESS-LAN] Cisco Wireless Vulnerability

On 25/08/2009 18:02, Lee H Badman wrote:
FYI Block CAPWAP/LWAPP at your edge, be happy.

Anyhow, I wonder, if an AP has been associated with a controller before, and discovers an OTAP controller on reboot; which one will it select?

--
Justin Hao
Network Engineer
Texas A&M University
Networking and Information Security
[email protected]
(979)862-2162

**********
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
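As an added illustration (not code from the thread, from Cisco, or from EDUCAUSE), the following toy model in Python walks through the discovery behaviour Paul Lee describes and the failure mode Justin Hao raises: OTAP-heard controllers enter the candidate list only while OTAP is on, a responding primary/secondary/tertiary always wins, and when none of them answers in time the AP lands on the foreign controller. Controller names, the responder sets, and the rule "take the first other responder" are assumptions made for the example.

```python
"""Toy model of the CAPWAP/LWAPP controller-selection logic discussed in the
thread. Constructed example, not Cisco code; controller names are made up."""

PRIMARY, SECONDARY, TERTIARY = "wlc-primary", "wlc-secondary", "wlc-tertiary"
FOREIGN = "dept-4400"   # a controller another department stood up on its own


def build_candidate_list(preferred, learned, otap_heard, otap_enabled):
    """Controllers the AP will send discovery requests to, in order.

    preferred    configured primary/secondary/tertiary names
    learned      controllers learned via DHCP option 43 / DNS / a prior join
    otap_heard   controllers advertised over the air by neighbouring APs;
                 they only make the list while OTAP is enabled
    """
    cands = list(preferred) + list(learned)
    if otap_enabled:
        cands += list(otap_heard)
    return list(dict.fromkeys(cands))      # de-duplicate, keep order


def select_controller(preferred, candidates, responding):
    """Controller the AP joins after one discovery round, or None.

    responding   controllers whose discovery response arrived in time; a
                 full, powered-off, or ACL-blocked controller is absent
    A responding primary beats secondary beats tertiary. If none of the
    three answers, the AP settles for another responder (assumption: the
    first one on the list), which is how it ends up on a foreign controller.
    None means it stays in the discovery cycle.
    """
    responders = [c for c in candidates if c in responding]
    for pref in preferred:
        if pref in responders:
            return pref
    return responders[0] if responders else None


def ap_join(preferred, learned, otap_heard, otap_enabled, responding):
    """Run one discovery cycle end to end and return the joined controller."""
    cands = build_candidate_list(preferred, learned, otap_heard, otap_enabled)
    return select_controller(preferred, cands, responding)


if __name__ == "__main__":
    prefs = [PRIMARY, SECONDARY, TERTIARY]
    # Paul's case: a preferred controller answers, the foreign one is ignored.
    print(ap_join(prefs, [], [FOREIGN], True, {PRIMARY, FOREIGN}))   # wlc-primary
    # Justin's case: outage, no preferred controller answers -> foreign wins.
    print(ap_join(prefs, [], [FOREIGN], True, {FOREIGN}))            # dept-4400
    # Mitigations: OTAP off, or a border ACL keeps the foreign one silent.
    print(ap_join(prefs, [], [FOREIGN], False, {FOREIGN}))           # None
    print(ap_join(prefs, [], [FOREIGN], True, set()))                # None
```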
