Unleashed AP approval issues with 200.2.9.13.186

  • 2
  • Question
  • Updated 6 months ago
  • Answered
With previous firmware versions I could enable/disable automatic approvals.  I just updated to 200.2.9.13.186 and it seems the approval option is permanently enabled, you are not able to click the option.  Has anyone else noticed this?  It's caused some minor headaches when running multiple APs on the same network that I did not want to be connected together.
Photo of Jeff W

Jeff W

  • 10 Posts
  • 1 Reply Like

Posted 10 months ago

  • 2
Photo of Michael Brado

Michael Brado, Official Rep

  • 1982 Posts
  • 276 Reply Likes
Unleashed is designed to run on one flat VLAN, and automatically upgrade/update new APs seen. 
You cannot run two Unleashed networks on the same VLAN.
You have a choice when to Upgrade the entire network, following a new Unleashed release.
Photo of Jeff W

Jeff W

  • 10 Posts
  • 1 Reply Like
Thanks Michael, I could have sworn I was able to select or un-select the approval option with the previous firmware, I thought it was strange I couldn't do it with this release... but I could be wrong.  Thanks for the update.
Photo of Michael Brado

Michael Brado, Official Rep

  • 1979 Posts
  • 275 Reply Likes
Glad to get your feedback.  Keep testing.
Photo of Ruben Trucon

Ruben Trucon

  • 4 Posts
  • 1 Reply Like
Hi Jeff

You are definitely not mistaken: after setup last year, we disabled the automatic approval. Since upgrading to the latest firmware on friday, the feature is enabled again, and grayed out.

From a security point of view, it's bad that someone can plug in an AP and it just joins the AP to your network without any approval requests...

Is there a workaround for this issue?

Michael Brado: I'm not sure if you're not talking about the automatic upgrade of firmwares? Unless I'm mistaken, what Jeff, Daniel (and I) mean is the automatic approval of new access points on your network.
(Edited)
Photo of Daniel M

Daniel M

  • 41 Posts
  • 7 Reply Likes

Hey Jeff.  I have the same problem and I’m running the same version.  Approval is checked and greyed out and I cannot uncheck it, which I’d like to do.  The UI even says “To enhance wireless security, deactivate this option. This means you must manually “allow” each newly discovered AP.”

Did you ever get this resolved?

Photo of Daniel M

Daniel M

  • 41 Posts
  • 7 Reply Likes

This problem still exists with the latest 200.3.9.13.228.

Photo of Michael Brado

Michael Brado, Official Rep

  • 1982 Posts
  • 276 Reply Likes
Hello Jeff, Daniel,

     Your first Unleashed AP on a network will have a startup wizard that asks "Would you like to join the Cloud" or
"Would you like to create an Unleashed network."  It is a design *feature* that all subsequent Unleashed APs on
this same LAN/VLAN are intended to be part of the Unleashed network that was created, so up to 24 more APs
will be automatically recognized, upgraded if necessary, and configured with WLANs to start service asap.  You
would need to convince our Product line manager that this is not a good idea...    =:^)
Photo of Daniel M

Daniel M

  • 41 Posts
  • 7 Reply Likes

While I understand the reason behind it and I’m certain it leads to fewer support calls, the last thing I need is for someone to put a rogue AP on the network that can automatically join the existing Unleashed network.  While it simplifies things to have this enabled by default, it is a security concern.  If you plan to leave this feature permanently broken, which is a shame, you should probably remove it from the product and documentation at http://docs.ruckuswireless.com/unleashed/200.3/index.html#c-Others.html.

Photo of Ruben Trucon

Ruben Trucon

  • 4 Posts
  • 1 Reply Like
Hi Michael,

You say it's by design, but why in versions prior to 200.2 could we disable the auto join then? And as Daniel says, why would it ever be visible in the configuration (grayed out or not)?

Before version 200.2.9.13, we disabled the auto-join, because in some environments it's just ridiculously insecure to allow AP's to join wether they are plugged in by someone working at the company, or a random person with less good intentions...

Like Daniel says, if the feature won't be enabled anymore, remove it from the UI and the documentation. But also expect lots of criticism.
Photo of John D

John D, AlphaDog

  • 497 Posts
  • 136 Reply Likes
FWIW, I was able to use the Unleashed CLI's faux ZoneDirector mode to disable AP auto-approval much in the same way that one uses the ZD CLI to do so....

Of course, if Ruckus's official position is that this is not a supported feature, I would not recommend doing so.

(Don't ask who may have gotten in a bit of trouble for hijacking a test rack of Ruckus AP's once because he had a controller plugged in :D)
Photo of Ruben Trucon

Ruben Trucon

  • 4 Posts
  • 1 Reply Like
Good thinking!

And good to know that tinkering through the CLI can get you in to trouble when plugging in a controller :-P Definitely putting that in our documentation :-P
Photo of John D

John D, AlphaDog

  • 497 Posts
  • 136 Reply Likes
It's more bringing in a controller with auto-approval enabled on a subnet I did not own. Little did I know, someone on the subnet was trying to set up some Ruckus AP's and his controller was losing the race to mine, so I kept accidentally stealing his AP's.

That taught a valuable lesson to turn off auto-approval unless I really know I want it on a network.
Photo of Ruben Trucon

Ruben Trucon

  • 4 Posts
  • 1 Reply Like
Is it possible to remove an "Answered"-tag from a thread, or should I make a new thread for this issue?
Photo of Michael Brado

Michael Brado, Official Rep

  • 1968 Posts
  • 275 Reply Likes
No, but you can contact Tech Support or your SE and ask for a Field Request (FR) with your business case for PLM to consider.