This document describes the trusted AP wireless protection policies on a Wireless LAN Controller (WLC), explains what a trusted AP is, and briefly describes each trusted AP policy.
Ensure that you have a basic understanding of Wireless LAN security parameters (such as SSID, encryption, authentication, and so on).
Refer to Cisco Technical Tips Conventions for more information on document conventions.
Trusted AP policies are a security feature of the controller designed for scenarios in which a customer runs a parallel autonomous AP network alongside the controller. In that scenario, the autonomous APs can be marked as trusted APs on the controller, and the user can define policies for these trusted APs (for example, that they use only WEP or WPA, our own SSID, a short preamble, and so on). If any of these APs fails to meet these policies, the controller raises an alarm to the network management device (Wireless Control System, WCS) that states that a trusted AP violated a configured policy.
Trusted APs are APs that are not part of the organization's controller-managed wireless network but do not pose a security threat to the network. These APs are also called friendly APs. Several scenarios exist in which you might want to configure an AP as a trusted AP.
For example, you might have these categories of APs in your network:
1. APs you own that do not run LWAPP (perhaps they run IOS or VxWorks)
2. LWAPP APs that employees bring in (with the knowledge of the
3. LWAPP APs used to test the existing network
4. LWAPP APs that neighbors own
Normally, trusted APs are the APs that fall into category 1: APs you own that do not run LWAPP. They might be old APs that run VxWorks or IOS. To ensure that these APs do not damage the network, certain features can be enforced, such as correct SSIDs and authentication types. Configure the trusted AP policies on the WLC, and make sure that the trusted APs meet these policies. If they do not, you can configure the controller to take several actions, such as raising an alarm to the network management device (WCS).
Known APs that belong to neighbors can also be configured as trusted APs.
Normally, Management Frame Protection (MFP) should prevent APs that are not legitimate LWAPP APs from joining the WLC. If NIC cards support MFP, they do not accept deauthentications from devices other than the real APs. Refer to Management Frame Protection (MFP) with WLC and LAP Configuration Example for more information about MFP.
If you have APs that run VxWorks or IOS (as in category 1), they never join the LWAPP group or participate in MFP, but you might still want to enforce the policies listed in that document. In such cases, trusted AP policies need to be configured on the controller for the APs of interest.
In general, if you know about a rogue AP and determine that it is not a threat to your network, you can identify that AP as a known trusted AP.
Complete these steps in order to configure an AP as a trusted AP:
1. Log in to the GUI of the WLC through HTTP or HTTPS.
2. From the controller main menu, click Wireless.
3. In the menu on the left side of the Wireless page, click Rogue APs. The Rogue APs page lists all the APs that are detected as rogue APs on the network.
4. From this list of rogue APs, locate the AP that falls under category 1 (as explained above) that you want to configure as a trusted AP. You can locate the APs by the MAC addresses listed on the Rogue APs page. If the desired AP is not on this page, click Next in order to look for the AP on the next page.
5. Once the desired AP is located in the Rogue AP list, click the Edit button that corresponds to the AP, which takes you to the detail page of the AP. On the Rogue AP details page, you can find detailed information about this AP (such as whether the AP is connected to the wired network, the current status of the AP, and so on).
6. In order to configure this AP as a trusted AP, select Known Internal from the Update Status drop-down list, and apply the change. When you update the AP status to Known Internal, this AP is configured as a trusted AP of this network.
7. Repeat these steps for all APs you want to configure as trusted APs.
Complete these steps in order to verify from the controller GUI that the AP is correctly configured as a trusted AP:
1. In the menu on the left side of the Wireless page, click Known Rogue APs.
2. The desired AP should appear on the Known Rogue APs page with the status listed as Known.
The WLC has these trusted AP policies:
Enforced encryption policy: This policy defines the encryption type that the trusted AP should use. You can configure any of these encryption types under Enforced encryption policy: None, Open, WEP, WPA/802.11i. The WLC verifies whether the encryption type configured on the trusted AP matches the encryption type configured in the Enforced encryption policy setting. If the trusted AP does not use the designated encryption type, the WLC raises an alarm to the management system so that appropriate actions can be taken.
Enforced preamble type policy: The radio preamble (sometimes called a header) is a section of data at the head of a packet that contains information that wireless devices need when they send and receive packets. Short preambles improve throughput performance, so they are enabled by default. However, some wireless devices, such as SpectraLink NetLink phones, require long preambles. You can configure any of these preamble options under Enforced preamble type policy: None, Short, Long. The WLC verifies whether the preamble type configured on the trusted AP matches the preamble type configured in the Enforced preamble type policy setting. If the trusted AP does not use the specified preamble type, the WLC raises an alarm to the management system so that appropriate actions can be taken.
Enforced radio type policy: This policy defines the radio type that the trusted AP should use. You can configure any of these radio types under Enforced radio type policy: None, 802.11b only, 802.11a only, 802.11b/g only. The WLC verifies whether the radio type configured on the trusted AP matches the radio type configured in the Enforced radio type policy setting. If the trusted AP does not use the specified radio type, the WLC raises an alarm to the management system so that appropriate actions can be taken.
Validate SSID: You can configure the controller to validate a trusted AP's SSID against the SSIDs configured on the controller. If the trusted AP's SSID matches one of the controller SSIDs, the controller raises an alarm.
Alert if trusted AP is missing: If this policy is enabled, the WLC alerts the management system if the trusted AP is missing from the Known Rogue APs list.
Expiration Timeout for Trusted AP entries: This value specifies the number of seconds before the trusted AP is considered expired and its entry is flushed from the WLC. You can specify this timeout in seconds (120 to 3600).
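The six policies above can be modelled as one check over what the controller has observed for a trusted AP. This is an added example, not Cisco's code: the class and field names, MAC addresses and message strings are constructed here, and the "None" drop-down choice is treated as "not enforced", as the policy descriptions imply.

```python
from dataclasses import dataclass

NOT_ENFORCED = "None"   # the "None" choice in each drop-down disables that check


@dataclass
class TrustedApPolicy:
    """The six settings on the Trusted AP Policies page (constructed model)."""
    encryption: str = NOT_ENFORCED    # None | Open | WEP | WPA/802.11i
    preamble: str = NOT_ENFORCED      # None | Short | Long
    radio: str = NOT_ENFORCED         # None | 802.11b only | 802.11a only | 802.11b/g only
    validate_ssid: bool = False       # alarm when the AP advertises one of OUR SSIDs
    alert_if_missing: bool = False    # alarm when the AP leaves the Known Rogue APs list
    timeout: int = 120                # seconds before the entry expires (120 - 3600)

    def __post_init__(self):
        if not 120 <= self.timeout <= 3600:
            raise ValueError("Expiration Timeout must be 120 to 3600 seconds")


@dataclass
class ObservedAp:
    """What the controller's LAPs have heard from one trusted (Known Internal) AP."""
    mac: str
    ssid: str
    encryption: str
    preamble: str
    radio: str
    last_seen: float          # epoch seconds of the last beacon heard
    present: bool = True      # still listed under Known Rogue APs?


def check_trusted_ap(ap, policy, controller_ssids, now):
    """Return the policy violations the WLC would alarm on for one trusted AP."""
    violations = []
    # An enforced value of "None" means the check is off, so it can never fail.
    for name, enforced, actual in (
        ("encryption type", policy.encryption, ap.encryption),
        ("preamble type", policy.preamble, ap.preamble),
        ("radio type", policy.radio, ap.radio),
    ):
        if enforced != NOT_ENFORCED and actual != enforced:
            violations.append(f"invalid {name} '{actual}' (expected '{enforced}')")
    # Validate SSID is the inverse of the others: a MATCH with a controller SSID
    # is the problem, because a non-LWAPP AP is then advertising our network.
    if policy.validate_ssid and ap.ssid in controller_ssids:
        violations.append(f"invalid SSID '{ap.ssid}'")
    if policy.alert_if_missing and not ap.present:
        violations.append("trusted AP missing from Known Rogue APs list")
    if now - ap.last_seen > policy.timeout:
        violations.append("entry expired and flushed from the WLC")
    return violations
```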
Complete these steps in order to configure trusted AP policies on the WLC through the GUI:
Note: All the trusted AP policies reside on the same WLC page.
1. From the WLC GUI main menu, click Security.
2. From the menu on the left side of the Security page, click Trusted AP policies, listed under Wireless Protection Policies.
3. On the Trusted AP policies page, select the desired encryption type (None, Open, WEP, WPA/802.11i) from the Enforced encryption policy drop-down list.
4. Select the desired preamble type (None, Short, Long) from the Enforced preamble type policy drop-down list.
5. Select the desired radio type (None, 802.11b only, 802.11a only, 802.11b/g only) from the Enforced radio type policy drop-down list.
6. Check or uncheck the Validate SSID Enabled check box in order to enable or disable the Validate SSID setting.
7. Check or uncheck the Alert if trusted AP is missing Enabled check box in order to enable or disable the Alert if trusted AP is missing setting.
8. Enter a value (in seconds) for the Expiration Timeout for Trusted AP entries option.
Note: In order to configure these settings from the WLC CLI, use the config wps trusted-ap command with the appropriate policy keyword:
(Cisco Controller) >config wps trusted-ap ?
encryption Configures the trusted AP encryption policy to be enforced.
missing-ap Configures alert of missing trusted AP.
preamble Configures the trusted AP preamble policy to be enforced.
radio Configures the trusted AP radio policy to be enforced.
timeout Configures the expiration time for trusted APs, in seconds.
Here is an example of a trusted AP policy violation alert message shown by the controller.
Thu Nov 16 12:39:12 2006 [WARNING] apf_rogue.c 1905: Possible AP
impersonation of xx:xx:xx:xx:xx:xx, using source address of
00:16:35:9e:6f:3a, detected by 00:17:df:7d:e1:70 on slot 0
Thu Nov 16 12:39:12 2006 [SECURITY] apf_rogue.c 1490: Trusted AP Policy
failed for AP xx:xx:xx:xx:xx:xx - invalid SSID 'SSID1'
Thu Nov 16 12:39:12 2006 [SECURITY] apf_rogue.c 1457: Trusted AP Policy
failed for AP xx:xx:xx:xx:xx:xx - invalid encryption type
Thu Nov 16 12:39:12 2006 Previous message occurred 6 times
Notice the Trusted AP Policy failed messages. These error messages indicate that the SSID and the encryption type configured on the trusted AP do not match the Trusted AP policy settings.
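Added example (not Cisco's code) that turns message-log lines of the kind shown above into a per-AP count of policy failures; the MAC 02:00:00:aa:bb:cc stands in for the masked xx:xx:xx:xx:xx:xx, and reading the "Previous message occurred N times" line as N further repeats of the preceding line is this example's assumption.

```python
import re
from collections import defaultdict

# Shape of the controller message-log lines shown above; the trusted AP's MAC is
# constructed in place of the masked xx:xx:xx:xx:xx:xx.
SAMPLE_LOG = """\
Thu Nov 16 12:39:12 2006 [WARNING] apf_rogue.c 1905: Possible AP impersonation of 02:00:00:aa:bb:cc, using source address of 00:16:35:9e:6f:3a, detected by 00:17:df:7d:e1:70 on slot 0
Thu Nov 16 12:39:12 2006 [SECURITY] apf_rogue.c 1490: Trusted AP Policy failed for AP 02:00:00:aa:bb:cc - invalid SSID 'SSID1'
Thu Nov 16 12:39:12 2006 [SECURITY] apf_rogue.c 1457: Trusted AP Policy failed for AP 02:00:00:aa:bb:cc - invalid encryption type
Thu Nov 16 12:39:12 2006 Previous message occurred 6 times
"""

TIMESTAMP = r"\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}"
MAC = r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}"
POLICY_RE = re.compile(
    rf"^{TIMESTAMP} \[SECURITY\] apf_rogue\.c \d+: "
    rf"Trusted AP Policy failed for AP (?P<mac>{MAC}) - (?P<reason>.+)$"
)
REPEAT_RE = re.compile(rf"^{TIMESTAMP} Previous message occurred (?P<n>\d+) times$")


def summarize_trusted_ap_violations(log_text):
    """Return {ap_mac: {reason: count}} for Trusted AP Policy failures.

    A 'Previous message occurred N times' line is read as N further repeats of
    the line directly before it (this example's interpretation of the
    controller's repeat-suppression line).  Any other message, such as the
    [WARNING] AP impersonation line, is not a policy failure and breaks the
    repeat chain.
    """
    counts = defaultdict(lambda: defaultdict(int))
    last = None   # (mac, reason) of the most recent policy failure
    for line in log_text.splitlines():
        if m := POLICY_RE.match(line):
            last = (m["mac"], m["reason"])
            counts[last[0]][last[1]] += 1
        elif (m := REPEAT_RE.match(line)) and last is not None:
            counts[last[0]][last[1]] += int(m["n"])
        else:
            last = None
    return {mac: dict(reasons) for mac, reasons in counts.items()}


if __name__ == "__main__":
    for mac, reasons in summarize_trusted_ap_violations(SAMPLE_LOG).items():
        for reason, n in reasons.items():
            print(f"{mac}: {reason} x{n}")
```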
The same alert message can be seen from the WLC GUI. In order to view this message, go to the WLC GUI main menu and click Monitor. In the Most Recent Traps section of the Monitor page, click View All in order to view all recent alerts on the WLC. On the Most Recent Traps page, you can identify the controller that generated the trusted AP policy violation alert message.