I don't know how an 8510 UI looks, but on 5508s you have an option under Security, AP Policies:

    Accept Manufactured Installed Certificate (MIC)?
    Authorize MIC APs against auth-list or AAA

We use these settings in our whole network to keep APs from just being able to willingly join any controller they want.

Thanks,

CHRISTOPHER ALLISON
Network Engineer I
Information Technology
Mail Code 4622
625 Wham Drive
Carbondale, Illinois 62901
chris.m.alli...@siu.edu
P: 618 / 453 - 8415
F: 618 / 453 - 5261
http://infotech.siu.edu/

"Choose a job you love, and you will never have to work a day in your life." Confucius

________________________________
From: The EDUCAUSE Wireless Issues Constituent Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Lee H Badman <lhbad...@syr.edu>
Sent: Thursday, February 19, 2015 9:50 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Cisco WLC "AP Fallback" Gone Wonky?

Hello from snowy Syracuse. For the Cisco WLANers in the group:

Adding a new 8510 HA pair to an existing large environment. The 8510s are up with management addresses, and AP fallback is disabled. Basically, these are controllers that are being configured as time allows and so need to be on the wire. Typically, disabling AP fallback is all that's needed to keep the APs away while working on a WLC.

These 8510s have been sitting there for a week, idle and a work in progress, and last night out of the blue one of them took on like 150 APs (is licensed for 1000) from a few different controllers in a very random-feeling event (no disruption to the controllers that shed APs). Since the APs hit a controller that wasn't properly configured, lots of clients were dead in the water.

Did something change in 8.0.100 code or the 8510 that makes "AP fallback disabled" not effective? Is there any more positive way of keeping APs off of a controller that's a work in progress other than ACLs and putting them on different networks, etc?
Seems reasonable to be able to just turn off a controller's willingness to take APs...? (just copied my inquiry from Cisco forums to this email)

Anyone have thoughts?

Thanks-
Lee

Lee H. Badman
Network Architect/Wireless TME
ITS, Syracuse University
315.443.3003

**********
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.