When integrating unassociated APs into your managed WLAN, you have the choice of two different integration modes. The integration mode determines the conditions under which your WLC accepts an unassociated AP:
- Preconfigured integration is the controlled and preferred method to integrate an unassociated AP into a managed WLAN over a point-to-point link. In this mode, the WLC only allows the integration of APs that have a local, preconfigured SSID and a valid WPA2 passphrase for the AutoWDS base network.This mode is suitable for all productive environments, and is used to create a predefined relationship between an unassociated AP and an AutoWDS base network. As soon as the AP obtains a configuration from the WLC, the AP gives this configuration a higher priority than its own local AutoWDS configuration. This remains so until the WLC revokes the configuration via CAPWAP or you reset the device.
- Express integration is the quick way to integrate an unassociated AP into a managed WLAN via a point-to-point link. In this mode, the WLC allows both the integration of preconfigured devices as well as devices that are not configured at all. Unconfigured APs have neither a registered SSID nor an individual WPA2 passphrase for the AutoWDS base network. Instead, APs can authenticate with any AutoWDS base network by using a pre-shared key hard-coded in the firmware.This mode is suitable for the easy integration of new APs into a managed WLAN. The choice of AutoWDS base network is automatic and is outside your control. As soon as the corresponding APs obtain configurations from the WLC, these devices save the settings as default values until the WLC revokes the configuration via CAPWAP, the device executes the express reconfiguration after an interruption in the connection, or you reset the device.
Important: For the express integration make sure that no other AutoWDS base network is in range. Otherwise it is possible for an external WLC to take control of your AP and revoke your remote access. Having the express mode enabled increases the vulnerability to attack. For this reason it is advisable to disable the express mode if it is not absolutely necessary.Important: For the security reasons name above, LANCOM recommends a preconfigured integration. Through the pairing of WLC and APs, you can further reduce the effort required for the preconfigured integration. Learn more about this in section Accelerating preconfigured integration by pairing.
After successful authentication on the AutoWDS base network and retrieval of an IP address, the unassociated APs scan the network for a WLC. As soon as they have detected a WLC, they attempt to connect with it and retrieve a configuration. In LANmonitor, these APs are shown as unassociated devices. To include these in the managed WLAN, the administrator must still confirm them and assign WLAN profiles to them. Assigning profiles in this way is no different from accepting normal APs. Alternatively, assignment can be handled by the WLC if you
- set up a default WLAN profile and activate its automatic assignment; or
- enter the associated AP into the access point table and link it with a WLAN profile.
Important: By simultaneously setting the automatic acceptance of unassociated APs by the WLC ("Auto Accept"), the integration of unassociated APs can be fully automated. However, for express integration you should ensure that you disable this setting in order to maintain a minimum level of security and hinder rogue AP intrusion.
Note: The procedures for certificate generation, certificate checks, and the automatic acceptance or rejection of connection requests by the WLC are identical to a WLAN scenario with cable-connected APs. Refer to the section Communication between access point and WLAN controller for further information on this.
