AP Connectivity to Cisco WLC

AP Connectivity to Cisco WLC
AP Connectivity to Cisco WLC
• CAPWAP, page 1
• Discovering and Joining Cisco WLC, page 12
• Authorizing Access Points, page 24
• AP 802.1X Supplicant, page 30
• Infrastructure MFP, page 34
• Troubleshooting the Access Point Join Process, page 38
CAPWAP
Information About Access Point Communication Protocols
Cisco lightweight access points use the IETF standard Control and Provisioning of Wireless Access Points
Protocol (CAPWAP) to communicate with the controller and other lightweight access points on the network.
CAPWAP, which is based on LWAPP, is a standard, interoperable protocol that enables a controller to manage
a collection of wireless access points. CAPWAP is implemented in controller for these reasons:
• To provide an upgrade path from Cisco products that use LWAPP to next-generation Cisco products
that use CAPWAP
• To manage RFID readers and similar devices
• To enable controllers to interoperate with third-party access points in the future
LWAPP-enabled access points can discover and join a CAPWAP controller, and conversion to a CAPWAP
controller is seamless. For example, the controller discovery process and the firmware downloading process
when using CAPWAP are the same as when using LWAPP. The one exception is for Layer 2 deployments,
which are not supported by CAPWAP.
You can deploy CAPWAP controllers and LWAPP controllers on the same network. The CAPWAP-enabled
software allows access points to join either a controller running CAPWAP or LWAPP. The only exceptions
are that the Cisco Aironet 1040, 1140, 1260, 3500, and 3600 Series Access Points, which support only
CAPWAP and join only controllers that run CAPWAP. For example, an 1130 series access point can join a
Cisco Wireless Controller Configuration Guide, Release 8.3
1
AP Connectivity to Cisco WLC
Restrictions for Access Point Communication Protocols
controller running either CAPWAP or LWAPP where an1140 series access point can join only a controller
that runs CAPWAP.
The following are some guidelines that you must follow for access point communication protocols:
• If your firewall is currently configured to allow traffic only from access points using LWAPP, you must
change the rules of the firewall to allow traffic from access points using CAPWAP.
• Ensure that the CAPWAP UDP ports 5246 and 5247 (similar to the LWAPP UDP ports 12222 and
12223) are enabled and are not blocked by an intermediate device that could prevent an access point
from joining the controller.
• If access control lists (ACLs) are in the control path between the controller and its access points, you
need to open new protocol ports to prevent access points from being stranded.
Restrictions for Access Point Communication Protocols
• On virtual controller platforms, per-client downstream rate limiting is not supported in FlexConnect
central switching.
• Rate-limiting is applicable to all traffic destined to the CPU from either direction (wireless or wired).
We recommend that you always run the controller with the default config advanced rate enable command
in effect to rate limit traffic to the controller and protect against denial-of-service (DoS) attacks. You
can use the config advanced rate disable command to stop rate-limiting of Internet Control Message
Protocol (ICMP) echo responses for testing purposes. However, we recommend that you reapply the
config advanced rate enable command after testing is complete.
• Ensure that the controllers are configured with the correct date and time. If the date and time configured
on the controller precedes the creation and installation date of certificates on the access points, the access
point fails to join the controller.
Viewing CAPWAP Maximum Transmission Unit Information
See the maximum transmission unit (MTU) for the CAPWAP path on the controller by entering this command:
show ap config general Cisco_AP
The MTU specifies the maximum size of any packet (in bytes) in a transmission.
Information similar to the following appears:
Cisco AP Identifier..............................
Cisco AP Name....................................
Country code.....................................
Regulatory Domain allowed by Country.............
AP Country code..................................
AP Regulatory Domain.............................
Switch Port Number ..............................
MAC Address......................................
IP Address Configuration.........................
IP Address.......................................
IP NetMask.......................................
CAPWAP Path MTU..................................
Cisco Wireless Controller Configuration Guide, Release 8.3
2
9
Maria-1250
US - United States
802.11bg:-A
802.11a:-A
US - United States
802.11bg:-A
802.11a:-A
1
00:1f:ca:bd:bc:7c
DHCP
1.100.163.193
255.255.255.0
1485
AP Connectivity to Cisco WLC
Debugging CAPWAP
Debugging CAPWAP
Use these commands to obtain CAPWAP debug information:
• debug capwap events {enable | disable}—Enables or disables debugging of CAPWAP events.
• debug capwap errors {enable | disable}—Enables or disables debugging of CAPWAP errors.
• debug capwap detail {enable | disable}—Enables or disables debugging of CAPWAP details.
• debug capwap info {enable | disable}—Enables or disables debugging of CAPWAP information.
• debug capwap packet {enable | disable}—Enables or disables debugging of CAPWAP packets.
• debug capwap payload {enable | disable}—Enables or disables debugging of CAPWAP payloads.
• debug capwap hexdump {enable | disable}—Enables or disables debugging of the CAPWAP
hexadecimal dump.
• debug capwap dtls-keepalive {enable | disable}—Enables or disables debugging of CAPWAP DTLS
data keepalive packets.
Preferred Mode
Information About Prefer Mode
Prefer-mode allows an administrator to configure CAPWAP L3 transport (IPv4 and IPv6) through which
access points join the WLC (based on its primary/secondary/tertiary configuration).
There are two levels of prefer-mode
• AP Group specific
• Global Configuration
AP PnP
PnP solution provides staging parameters to the AP before it joins a WLC. Using this staging configuration,
the AP gets the runtime configuration when it joins the WLC. PnP is supported only on AP recovery images
and activated for the zero-day deployment alone. PnP is not initiated after the AP connects to the WLC for
the first time.
The following AP scenario is supported:
• On-premise redirection—Customer hosting the PnP server in their network.
Guidelines for Configuring Preferred Mode
The following preferred mode configurations are available:
• AP-Group specific prefer-mode is pushed to an AP only when the prefer-mode of AP-Group is configured
and the AP belongs to that group.
Cisco Wireless Controller Configuration Guide, Release 8.3
3
AP Connectivity to Cisco WLC
Preferred Mode
• Global prefer-mode is pushed to default-group APs and to those AP-Groups on which the prefer-mode
is not configured.
• By-default, values of prefer-mode for AP-Group and Global is set to un-configured and IPv4 respectively.
• If an AP, with an configured prefer-mode, tries to join the controller and fails, then it will fall back to
choose AP-manager of the other transport and joins the same controller. When both transports fail, AP
will move to next discovery response.
• In such a scenario, Static IP configuration will take precedence over prefer mode. For example:
◦On the controller, the preferred mode is configured with an IPv4 address.
◦On the AP, Static IPv6 is configured using CLI or GUI.
◦The AP will join the controller using IPv6 transport mode.
• The controllers CLI provides an XML support of prefer-mode.
Configuring CAPWAP Preferred Mode (GUI)
Step 1
Choose Controller > General to open the Global Configuration page. Select the CAPWAP Preferred Mode list box
and select either IPv4 or IPv6 as the global CAPWAP Preferred mode.
Note
By default, the controller is configured with an CAPWAP Prefer Mode IPv4 address.
Step 2
Choose WLAN > Advanced > APGroup > General Tab and select the CAPWAP Preferred Mode checkbox to
configure an AP-Group with an IPv4 or IPv6 CAPWAP Preferred Mode.
Choose Wireless > ALL APs > General Tab to check the APs CAPWAP setting. Refer to the IP Config section to
view if the AP's CAPWAP Preferred Mode is applied globally or for an AP-Group.
Choose Monitor > Statistics > Preferred Mode to help users to check if the prefer mode command is pushed
successfully to an AP.
Step 3
Step 4
• Prefer Mode of Global/AP Groups— The name of the AP that is configured with either IPv4, IPv6 or global.
• Total— The total count of APs configured with preferred mode.
• Success— Counts the number of times the AP was successfully configured with the preferred mode.
• Unsupported— AP's that are not capable of joining in with IPv6 CAPWAP.
• Already Configured— Counts the attempts made to configure an already configured AP.
• Per AP Group Configured— Preferred mode configured on per AP-Group.
• Failure— Counts the number of times the AP was failed to get configured with the preferred mode.
Cisco Wireless Controller Configuration Guide, Release 8.3
4
AP Connectivity to Cisco WLC
Preferred Mode
Configuring CAPWAP Preferred Mode (CLI)
Step 1
Use this command to configure prefer-mode of AP-Group and all APs. Global prefer-mode will not be applied on APs
whose AP-Group prefer-mode is already configured. On successful configuration, the AP will restart CAPWAP and join
with the configured prefer-mode after choosing a controller based on its primary/secondary/tertiary configuration.
config ap preferred-mode {IPv4|IPv6}{ <apgroup>|<all>}
Step 2
Use this command to disable (un-configure) the prefer-mode on the AP.
config ap preferred-mode disable <apgroup>
Note
APs that belong to <apgroup> will restart CAPWAP and join back the controller with global prefer-mode.
Step 3
Use this command to view the statistics for prefer-mode configuration. The statistics are not cumulative but will be
updated for last executed configuration CLI of prefer-mode.
show ap prefer-mode stats
Step 4
Use this command to view the prefer-mode configured for all AP-Groups.
show wlan apgroups
Step 5
Use this command to view the global prefer-mode configured.
show network summary
Step 6
Use this command to view to check if the prefer mode command is pushed to an AP from global configuration or from
an AP-Group specific configuration.
show ap config general <Cisco AP>
(Cisco Controller) >show ap config general AP-3702E
Cisco AP Identifier..............................
Cisco AP Name....................................
Country code.....................................
Regulatory Domain allowed by Country.............
AP Country code..................................
AP Regulatory Domain.............................
Switch Port Number ..............................
MAC Address......................................
IPv6 Address Configuration.......................
IPv6 Address.....................................
IPv6 Prefix Length...............................
Gateway IPv6 Addr................................
NAT External IP Address..........................
CAPWAP Path MTU..................................
Telnet State.....................................
Ssh State........................................
Cisco AP Location................................
Cisco AP Floor Label.............................
Cisco AP Group Name..............................
Primary Cisco Switch Name........................
Primary Cisco Switch IP Address..................
.....................................
.....................................
.....................................
.....................................
.....................................
Ethernet Port Speed..............................
2
AP-3702E
US - United States
802.11bg:-A
802.11a:-A
US - United States
802.11bg:-A
802.11a:-A
1
bc:16:65:09:4e:fc
SLAAC
2001:9:2:35:be16:65ff:fe09:4efc
64
fe80::a2cf:5bff:fe51:c4ce
None
1473
Globally Enabled
Globally Enabled
default location
0
default-group
amb
9.2.35.25
Auto
Cisco Wireless Controller Configuration Guide, Release 8.3
5
AP Connectivity to Cisco WLC
UDP Lite
AP Link Latency.................................. Disabled
Rogue Detection.................................. Enabled
AP TCP MSS Adjust................................ Disabled
IPv6 Capwap UDP Lite............................. Enabled
Capwap Prefer Mode............................... Ipv6 (Global Config)
Hotspot Venue Group.............................. Unspecified
Hotspot Venue Type............................... Unspecified
DNS server IP ............................. Not Available
Note
Check for Capwap Prefer Mode in the command
output.
UDP Lite
Information About UDP Lite
The CAPWAP functionality, in Release 8.0, spans both IPv4 and IPv6. CAPWAP changes span the Controller
and the AP. An AP running older image, that is not IPv6 capable, can join an IPv6 capable controller provided
it has an IPv4 address and download image and vice-versa.
Implementation of IPv6 mandates complete payload checksum for User Datagram Protocol (UDP) which
slows down the performance of the AP and the Controller. To minimize the performance impact, Controller
and AP supports UDP Lite that mandates only a header checksum of the datagram, thereby avoiding checksum
on the entire packet. Enabling UDP Lite enhances the packet processing time.
UDP Lite protocol uses the IP Protocol ID 136 and uses the same CAPWAP port as used by UDP. Enabling
UDP Lite would require the network firewall to allow protocol 136. Switching between UDP and UDP Lite
causes the AP to disjoin and rejoin. UDP Lite is used for data traffic and UDP for control traffic.
A controller with UDP Lite enabled on it can exchange messages with IPv6 enabled APs along with the
existing APs that support only IPv4.
Note
A dual stack controller responds to a discovery request with both the IPv4 and IPv6 AP Managers.
AP Discovery mechanism uses both, IPv4 and IPv6 addresses assigned to an AP. An AP will use the source
address selection to determine the address to use to reach an IPv6 controller.
Configuring UDP Lite Globally (GUI)
Step 1
Step 2
Choose Wireless > Access Points > Global Configuration to open the Global Configuration page.
Under the Global UDP Lite section, select the UDP Lite checkbox to enable UDP Lite globally.
Note
IPv6 UDP Lite is not applicable for APs connected with CAPWAPv4 tunnel. They are applicable only for APs
joining the controller using CAPWAPv6 tunnel.
Cisco Wireless Controller Configuration Guide, Release 8.3
6
AP Connectivity to Cisco WLC
UDP Lite
Step 3
Step 4
Click Apply to set the global UDP Lite configuration.
If desired, you can choose to override the global UDP Lite configuration by unselecting the Global IPv6 UDP Lite
mentioned in Step 2.
Note
Switching between UDP and UDP Lite causes the AP to disjoin and rejoin.
Step 5
Click Save Configuration to save your changes.
Configuring UDP Lite on AP (GUI)
Step 1
Step 2
Step 3
Choose Wireless > Access Points > All APs to open the All APs page.
Step 4
Step 5
Select an AP Name with an IPv6 address and click on it to open the Details page of the selected AP.
Under the Advanced tab, select the UDP Lite checkbox to enable UDP Lite for the selected AP.
Note
This field is displayed only for APs that have joined the controller over CAPWAPv6 tunnel. The Web UI page
does not display this field for APs joining the controller over the CAPWAPv4 tunnel .
Click Apply to commit your changes.
Click Save Configuration to save your changes.
Configuring the UDP Lite (CLI)
Step 1
Use this command to enable UDP Lite globally.
config ipv6 capwap udplite enable all
Step 2
Use this command to enable UDP Lite on a selected AP.
config ipv6 capwap udplite enable <Cisco AP>
Step 3
Use this command to disable UDP Lite globally.
config ipv6 capwap udplite disable all
Step 4
Use this command to disable UDP Lite on a selected AP.
config ipv6 capwap udplite disable <Cisco AP>
Step 5
Use this command to view the status of UDP Lite on a controller.
show ipv6 summary
(Cisco Controller) >show ipv6 summary
Global Config...............................
Reachable-lifetime value....................
Stale-lifetime value........................
Down-lifetime value.........................
RA Throttling...............................
RA Throttling allow at-least................
RA Throttling allow at-most.................
RA Throttling max-through...................
Disabled
300
86400
30
Disabled
1
1
10
Cisco Wireless Controller Configuration Guide, Release 8.3
7
AP Connectivity to Cisco WLC
Data DTLS
RA Throttling throttle-period...............
RA Throttling interval-option...............
NS Mulitcast CacheMiss Forwarding...........
NA Mulitcast Forwarding.....................
IPv6 Capwap UDP Lite........................
Operating System IPv6 state ................
600
passthrough
Disabled
Enabled
Enabled
Disabled
(Cisco Controller) >
Data DTLS
Configuring Data Encryption
Cisco 5500 Series Controllers enable you to encrypt CAPWAP control packets (and optionally, CAPWAP
data packets) that are sent between the access point and the controller using Datagram Transport Layer Security
(DTLS). DTLS is a standards-track Internet Engineering Task Force (IETF) protocol based on TLS. CAPWAP
control packets are management packets exchanged between a controller and an access point while CAPWAP
data packets encapsulate forwarded wireless frames. CAPWAP control and data packets are sent over separate
UDP ports: 5246 (control) and 5247 (data). If an access point does not support DTLS data encryption, DTLS
is enabled only for the control plane, and a DTLS session for the data plane is not established.
Note
With Release 8.2, DTLSv1.2 for CAPWAP is not supported. The following are supported for web
authentication and WebAdmin based on the configuration:
• TLSv1.2
• TLSv1.0
• SSLv3
• SSLv2
Note
Cisco WLC supports only static configuration of gateway. Therefore, the ICMP redirect to change IP
address of the gateway is not considered.
Guidelines for Data Encryption
• Cisco 1130 and 1240 series access points support DTLS data encryption with software-based encryption.
• Cisco 1040, 1140, 1250, 1260, 1550, 1600, 1700, 2600, 2700, 3500, 3600, and 3700 series access points
support DTLS data encryption with hardware-based encryption
• Cisco Aironet 1552 and 1522 outdoor access points support data DTLS.
• DTLS data encryption is not supported on Cisco Aironet 700, 800, and 1530 Series Access Points.
Cisco Wireless Controller Configuration Guide, Release 8.3
8
AP Connectivity to Cisco WLC
Data DTLS
• DTLS data encryption is enabled automatically for OfficeExtend access points but disabled by default
for all other access points. Most access points are deployed in a secure network within a company
building, so data encryption is not necessary. In contrast, the traffic between an OfficeExtend access
point and the controller travels through an unsecure public network, so data encryption is more important
for these access points. When data encryption is enabled, traffic is encrypted at the access point before
it is sent to the controller and at the controller before it is sent to the client.
• Encryption limits throughput at both the controller and the access point, and maximum throughput is
desired for most enterprise networks.
• In a Cisco unified local wireless network environment, do not enable DTLS on the Cisco 1130 and 1240
access points, as it may result in severe throughput degradation and may render the APs unusable.
See the OfficeExtend Access Points section for more information on OfficeExtend access points.
• You can use the controller to enable or disable DTLS data encryption for a specific access point or for
all access points.
• The availability of data DTLS is as follows:
◦The Cisco 5500 Series Controller will be available with two licenses options: One that allows data
DTLS without any license requirements and another image that requires a license to use data DTLS.
See the Upgrading or Downgrading DTLS Images for Cisco 5508 WLC section. The images for
the DTLS and licensed DTLS images are as follows:
Licensed DTLS—AS_5500_LDPE_x_x_x_x.aes
Non licensed DTLS—AS_5500_x_x_x_x.aes
◦Cisco 2500, Cisco WiSM2, Cisco Virtual Wireless Controller—By default, these platforms do not
contain DTLS. To turn on data DTLS, you must install a license. These platforms have a single
image with data DTLS turned off. To use data DTLS you must have a license.
For Cisco Virtual Wireless Controllers without Data DTLS, the average controller throughput is
about 200 Mbps. With all APs using Data DTLS, the average controller throughput is about 100
Mbps.
• If your controller does not have a data DTLS license and if the access point associated with the controller
has DTLS enabled, the data path will be unencrypted.
• Non-Russian customers using Cisco 5508 Series Controller do not need data DTLS license. However
all customers using Cisco 2500 Series Controllers, Cisco 8500 Series Controllers, WISM2, and Cisco
Virtual Wireless Controllers need a data DTLS license to turn on the Data DTLS feature.
Upgrading or Downgrading DTLS Images for Cisco 5508 WLC
Step 1
Step 2
The upgrade operation fails on the first attempt with a warning indicating that the upgrade to a licensed DTLS image is
irreversible.
Note
Do not reboot the controller after Step
1.
On a subsequent attempt, the license is applied and the image is successfully updated.
Cisco Wireless Controller Configuration Guide, Release 8.3
9
AP Connectivity to Cisco WLC
Data DTLS
Guidelines When Upgrading to or from a DTLS Image
• You cannot install a regular image (nonlicensed data DTLS) once a licensed data DTLS image is installed.
• You can upgrade from one licensed DTLS image to another licensed DTLS image.
• You can upgrade from a regular image (DTLS) to a licensed DTLS image in a two step process.
• You can use the show sysinfo command to verify the LDPE image, before and after the image upgrade.
Configuring Data Encryption (GUI)
Ensure that the base license is installed on the Cisco 5500 Series Controller. Once the license is installed, you
can enable data encryption for the access points.
Step 1
Step 2
Step 3
Step 4
Choose Wireless > Access Points > All APs to open the All APs page.
Click the name of the access point for which you want to enable data encryption.
Choose the Advanced tab to open the All APs > Details for (Advanced) page.
Select the Data Encryption check box to enable data encryption for this access point or unselect it to disable this feature.
The default value is unselected.
Note
Changing the data encryption mode requires the access points to rejoin the controller.
Step 5
Step 6
Click Apply.
Click Save Configuration.
Configuring Data Encryption (CLI)
Note
In images without a DTLS license, the config or show commands are not available.
To enable DTLS data encryption for access points on the controller using the controller CLI, follow these
steps:
Step 1
Enable or disable data encryption for all access points or a specific access point by entering this command:
config ap link-encryption {enable | disable} {all | Cisco_AP}
The default value is disabled.
Note
Changing the data encryption mode requires the access points to rejoin the controller.
Step 2
When prompted to confirm that you want to disconnect the access point(s) and attached client(s), enter Y.
Step 3
Enter the save config command to save your configuration.
Step 4
See the encryption state of all access points or a specific access point by entering this command:
show ap link-encryption {all | Cisco_AP}
Cisco Wireless Controller Configuration Guide, Release 8.3
10
AP Connectivity to Cisco WLC
Configuring VLAN Tagging for CAPWAP Frames from Access Points
This command also shows authentication errors, which tracks the number of integrity check failures, and replay errors,
which tracks the number of times that the access point receives the same packet.
Step 5
See a summary of all active DTLS connections by entering this command:
show dtls connections
Note
If you experience any problems with DTLS data encryption, enter the debug dtls {all | event | trace | packet}
{enable | disable} command to debug all DTLS messages, events, traces, or packets.
Step 6
Enable new cipher suites for DTLS connection between AP and controller by entering this command:
config ap dtls-cipher-suite {RSA-AES256-SHA256 | RSA-AES256-SHA | RSA-AES128-SHA}
Step 7
See the summary of DTLS cipher suite by entering this command:
show ap dtls-cipher-suite
Configuring VLAN Tagging for CAPWAP Frames from Access Points
Information About VLAN Tagging for CAPWAP Frames from Access Points
You can configure VLAN tagging on the Ethernet interface either directly on the AP console or through the
controller. The configuration is saved in the flash memory and all CAPWAP frames use the VLAN tag as
configured, along with all the locally switched traffic, which is not mapped to a VLAN.
Restrictions on VLAN Tagging for CAPWAP Frames from APs
• This feature is not supported on mesh access points that are in bridge mode.
• CAPWAP VLAN tagging is not supported on these 802.11ac Wave 2 APs: 18xx, 2800, 3800, and 1560.
Configuring VLAN Tagging for CAPWAP Frames from Access Points (GUI)
Step 1
Step 2
Step 3
Step 4
Step 5
Choose Wireless > Access Points > All APs to open the All APs page.
Click the AP name from the list of AP names to open the Details page for the AP.
Click the Advanced tab.
In the VLAN Tagging area, select the VLAN Tagging check box.
In the Trunk VLAN ID text box, enter an ID.
If the access point is unable to route traffic through the specified trunk VLAN after about 10 minutes, the access point
performs a recovery procedure by rebooting and sending CAPWAP frames in untagged mode to try and reassociate with
the controller. The controller sends a trap to a trap server such as the Cisco Prime Infrastructure, which indicates the
failure of the trunk VLAN.
If the access point is unable to route traffic through the specified trunk VLAN, it untags the packets and reassociates
with the controller. The controller sends a trap to a trap server such as the Cisco Prime Infrastructure, which indicates
the failure of the trunk VLAN.
Cisco Wireless Controller Configuration Guide, Release 8.3
11
AP Connectivity to Cisco WLC
Discovering and Joining Cisco WLC
If the trunk VLAN ID is 0, the access point untags the CAPWAP frames.
The VLAN Tag status is displayed showing whether the AP tags or untags the CAPWAP frames.
Step 6
Step 7
Step 8
Click Apply.
You are prompted with a warning message saying that the configuration will result in a reboot of the access point. Click
OK to continue.
Click Save Configuration.
What to Do Next
After the configuration, the switch or other equipment connected to the Ethernet interface of the AP must also
be configured to support tagged Ethernet frames.
Configuring VLAN Tagging for CAPWAP Frames from Access Points (CLI)
Step 1
Configure VLAN tagging for CAPWAP frames from access points by entering this command:
config ap ethernet tag {disable | id vlan-id} {ap-name | all}
Step 2
You can see VLAN tagging information for an AP or all APs by entering this command:
show ap ethernet tag {summary | ap-name}
Discovering and Joining Cisco WLC
Controller Discovery Process
In a CAPWAP environment, a lightweight access point discovers a controller by using CAPWAP discovery
mechanisms and then sends the controller a CAPWAP join request. The controller sends the access point a
CAPWAP join response allowing the access point to join the controller. When the access point joins the
controller, the controller manages its configuration, firmware, control transactions, and data transactions.
The following are some guidelines for the controller discovery process:
• Upgrade and downgrade paths from LWAPP to CAPWAP or from CAPWAP to LWAPP are supported.
An access point with an LWAPP image starts the discovery process in LWAPP. If it finds an LWAPP
controller, it starts the LWAPP discovery process to join the controller. If it does not find a LWAPP
controller, it starts the discovery in CAPWAP. If the number of times that the discovery process starts
with one discovery type (CAPWAP or LWAPP) exceeds the maximum discovery count and the access
point does not receive a discovery response, the discovery type changes to the other type. For example,
if the access point does not discover the controller in LWAPP, it starts the discovery process in CAPWAP.
• If an access point is in the UP state and its IP address changes, the access point tears down the existing
CAPWAP tunnel and rejoins the controller.
Cisco Wireless Controller Configuration Guide, Release 8.3
12
AP Connectivity to Cisco WLC
Controller Discovery Process
• To configure the IP addresses that the controller sends in its CAPWAP discovery responses, use the
config network ap-discovery nat-ip-only {enable | disable} command.
• Access points must be discovered by a controller before they can become an active part of the network.
The lightweight access points support the following controller discovery processes:
• Layer 3 CAPWAP or LWAPP discovery—This feature can be enabled on different subnets from
the access point and uses either IPv4 or IPv6 addresses and UDP packets rather the MAC addresses
used by Layer 2 discovery.
• CAPWAP Multicast Discovery—Broadcast does not exist in IPv6 address. Access point sends
CAPWAP discovery message to all the controllers multicast address (FF01::18C). The controller
receives the IPv6 discovery request from the AP only if it is in the same L2 segment and sends
back the IPv6 discovery response.
• Locally stored controller IPv4 or IPv6 address discovery—If the access point was previously
associated to a controller, the IPv4 or IPv6 addresses of the primary, secondary, and tertiary
controllers are stored in the access point’s nonvolatile memory. This process of storing controller
IPv4 or IPv6 addresses on an access point for later deployment is called priming the access point.
• DHCP server discovery using option 43—This feature uses DHCP option 43 to provide controller
IPv4 addresses to the access points. Cisco switches support a DHCP server option that is typically
used for this capability. For more information about DHCP option 43, see the Using DHCP Option
43 and DHCP Option 60 section.
• DHCP server discovery using option 52 —This feature uses DHCP option 52 to allow the AP to
discover the IPv6 address of the controller to which it connects. As part of the DHCPv6 messages,
the DHCP server provides the controllers management with an IPv6 address.
• DNS discovery—The access point can discover controllers through your domain name server
(DNS). You must configure your DNS to return controller IPv4 and IPv6 addresses in response to
CISCO-LWAPP-CONTROLLER.localdomain or CISCO-CAPWAP-CONTROLLER.localdomain,
where localdomain is the access point domain name.
When an access point receives an IPv4/IPv6 address and DNSv4/DNSv6 information from a
DHCPv4/DHCPv6 server, it contacts the DNS to resolve
CISCO-LWAPP-CONTROLLER.localdomain or CISCO-CAPWAP-CONTROLLER.localdomain.
When the DNS sends a list of controller IP addresses, which may include either IPv4 addresses or
IPv6 addresses or both the addresses, the access point sends discovery requests to the controllers.
Restrictions for Controller Discovery Process
• During the discovery process, the 1040, 1140, 1260, 3500, and 3600 series access points will only query
for Cisco CAPWAP Controllers. It will not query for LWAPP controllers. If you want these access
points to query for both LWAPP and CAPWAP controllers then you need to update the DNS.
• Ensure that the controller is set to the current time. If the controller is set to a time that has already
occurred, the access point might not join the controller because its certificate may not be valid for that
time.
• To avoid downtime restart CAPWAP on AP while configuring Global HA , so that AP goes back and
joins the backup primary controller. This starts a discovery with the primary controller in the back
ground. If the discovery with primary is successful, it goes back and joins the primary again.
Cisco Wireless Controller Configuration Guide, Release 8.3
13
AP Connectivity to Cisco WLC
Using DHCP Option 43 and DHCP Option 60
Using DHCP Option 43 and DHCP Option 60
Cisco Aironet access points use the type-length-value (TLV) format for DHCP option 43. DHCP servers must
be programmed to return the option based on the access point’s DHCP Vendor Class Identifier (VCI) string
(DHCP option 60).
This table lists the VCI strings for Cisco access points capable of operating in lightweight mode.
Table 1: VCI Strings For Lightweight Access Points
Access Point
VCI String
Cisco Aironet 1040 Series
Cisco AP c1040
Cisco Aironet 1130 Series
Cisco AP c1130
Cisco Aironet 1140 Series
Cisco AP c1140
Cisco Aironet 1240 Series
Cisco AP c1240
Cisco Aironet 1250 Series
Cisco AP c1250
Cisco Aironet 1260 Series
Cisco AP c1260
Cisco Aironet 1520 Series
Cisco AP c1520
Cisco Aironet 1550 Series
Cisco AP c1550
Cisco Aironet 1700 Series
Cisco AP c1700
Cisco Aironet 2700 Series
Cisco AP c2700
Cisco Aironet 3600 Series
Cisco AP c3600
Cisco Aironet 3700 Series
Cisco AP c3700
Cisco Aironet 3500 Series
Cisco AP c3500
Cisco Aironet 700 Series
Cisco AP c700
Cisco AP801 Embedded Access Point
Cisco AP801
Cisco AP802 Embedded Access Point
Cisco AP802
The format of the TLV block is as follows:
• Type: 0xf1 (decimal 241)
• Length: Number of controller IP addresses * 4
Cisco Wireless Controller Configuration Guide, Release 8.3
14
AP Connectivity to Cisco WLC
Verifying that Access Points Join the Controller
• Value: List of the IP addresses of controller management interfaces
See the product documentation for your DHCP server for instructions on configuring DHCP option 43. The
Upgrading Autonomous Cisco Aironet Access Points to Lightweight Mode document contains example steps
for configuring option 43 on a DHCP server.
If the access point is ordered with the Service Provider Option - AIR-OPT60-DHCP selected, the VCI string
for that access point will be different than those listed above. The VCI string will have the “ServiceProvider”.
For example, a 1260 with this option will return this VCI string: "Cisco AP c1260-ServiceProvider".
Note
The controller IP address that you obtain from the DHCP server should be a unicast IP address. Do not
configure the controller IP address as a multicast address when configuring DHCP Option 43.
Verifying that Access Points Join the Controller
When replacing a controller, ensure that access points join the new controller.
Verifying that Access Points Join the Controller (GUI)
Step 1
Configure the new controller as a master controller as follows:
a) Choose Controller > Advanced > Master Controller Mode to open the Master Controller Configuration page.
b) Select the Master Controller Mode check box.
c) Click Apply to commit your changes.
d) Click Save Configuration to save your changes.
Step 2
Step 3
Step 4
(Optional) Flush the ARP and MAC address tables within the network infrastructure.
Restart the access points.
Once all the access points have joined the new controller, configure the controller not to be a master controller by
unselecting the Master Controller Mode check box on the Master Controller Configuration page.
Verifying that Access Points Join the Controller (CLI)
Step 1
Configure the new controller as a master controller by entering this command:
config network master-base enable
Step 2
Step 3
Step 4
(Optional) Flush the ARP and MAC address tables within the network infrastructure.
Restart the access points.
Configure the controller not to be a master controller after all the access points have joined the new controller by entering
this command:
config network master-base disable
Cisco Wireless Controller Configuration Guide, Release 8.3
15
AP Connectivity to Cisco WLC
Backup Cisco WLCs
Backup Cisco WLCs
Information About Configuring Backup Controllers
A single controller at a centralized location can act as a backup for access points when they lose connectivity
with the primary controller in the local region. Centralized and regional controllers do not need to be in the
same mobility group. You can specify a primary, secondary, and tertiary controller for specific access points
in your network. Using the controller GUI or CLI, you can specify the IP addresses of the backup controllers,
which allows the access points to fail over to controllers outside of the mobility group.
The following are some guidelines for configuring backup controllers:
• You can configure primary and secondary backup controllers (which are used if primary, secondary, or
tertiary controllers are not specified or are not responsive) for all access points connected to the controller
as well as various timers, including heartbeat timers and discovery request timers. To reduce the controller
failure detection time, you can configure the fast heartbeat interval (between the controller and the access
point) with a smaller timeout value. When the fast heartbeat timer expires (at every heartbeat interval),
the access point determines if any data packets have been received from the controller within the last
interval. If no packets have been received, the access point sends a fast echo request to the controller.
• The access point maintains a list of backup controllers and periodically sends primary discovery requests
to each entry on the list. When the access point receives a new discovery response from a controller, the
backup controller list is updated. Any controller that fails to respond to two consecutive primary discovery
requests is removed from the list. If the access point’s local controller fails, it chooses an available
controller from the backup controller list in this order: primary, secondary, tertiary, primary backup,
and secondary backup. The access point waits for a discovery response from the first available controller
in the backup list and joins the controller if it receives a response within the time configured for the
primary discovery request timer. If the time limit is reached, the access point assumes that the controller
cannot be joined and waits for a discovery response from the next available controller in the list.
• When an access point's primary controller comes back online, the access point disassociates from the
backup controller and reconnects to its primary controller. The access point falls back only to its primary
controller and not to any available secondary controller for which it is configured. For example, if an
access point is configured with primary, secondary, and tertiary controllers, it fails over to the tertiary
controller when the primary and secondary controllers become unresponsive. If the secondary controller
comes back online while the primary controller is down, the access point does not fall back to the
secondary controller and stays connected to the tertiary controller. The access point waits until the
primary controller comes back online to fall back from the tertiary controller to the primary controller.
If the tertiary controller fails and the primary controller is still down, the access point then falls back to
the available secondary controller.
Restrictions for Configuring Backup Controllers
• You can configure the fast heartbeat timer only for access points in local and FlexConnect modes.
Cisco Wireless Controller Configuration Guide, Release 8.3
16
AP Connectivity to Cisco WLC
Backup Cisco WLCs
Configuring Backup Controllers (GUI)
Step 1
Choose Wireless > Access Points > Global Configuration to open the Global Configuration page.
Step 2
From the Local Mode AP Fast Heartbeat Timer State drop-down list, choose Enable to enable the fast heartbeat timer
for access points in local mode or choose Disable to disable this timer. The default value is Disable.
Step 3
If you chose Enable in Step 2, enter the Local Mode AP Fast Heartbeat Timeout text box to configure the fast heartbeat
timer for access points in local mode. Specifying a small heartbeat interval reduces the amount of time it takes to detect
a controller failure.
The range for the AP Fast Heartbeat Timeout value for Cisco Flex 7500/8510/8540 Controllers is 10–15 (inclusive) and
is 1–10 (inclusive) for other controllers. The default value for the heartbeat timeout for Cisco Flex 7500/8510/8540
Controllers is 10. The default value for other controllers is 1 second.
Step 4
From the FlexConnect Mode AP Fast Heartbeat Timer State drop-down list, choose Enable to enable the fast heartbeat
timer for FlexConnect access points or choose Disable to disable this timer. The default value is Disable.
Step 5
If you enable FlexConnect fast heartbeat, enter the FlexConnect Mode AP Fast Heartbeat Timeout value in the FlexConnect
Mode AP Fast Heartbeat Timeout text box. Specifying a small heartbeat interval reduces the amount of time it takes to
detect a controller failure.
The range for the FlexConnect Mode AP Fast Heartbeat Timeout value for Cisco Flex 7500/8510/8540 Controllers is
10–15 (inclusive) and is 1–10 for other controllers. The default value for the heartbeat timeout for Cisco Flex
7500/8510/8540 Controllers is 10. The default value for other controllers is 1 second.
Step 6
In the AP Primary Discovery Timeout text box, a value between 30 and 3600 seconds (inclusive) to configure the access
point primary discovery request timer. The default value is 120 seconds.
If you want to specify a primary backup controller for all access points, enter the IPv4/IPv6 address of the primary backup
controller in the Back-up Primary Controller IP Address (IPv4/IPv6) text box and the name of the controller in the
Back-up Primary Controller Name text box.
Note
The default value for the IP address is 0.0.0.0, which disables the primary backup controller.
Step 7
Step 8
If you want to specify a secondary backup controller for all access points, enter the IPv4/IPv6 address of the secondary
backup controller in the Back-up Secondary Controller IP Address (IPv4/IPv6) text box and the name of the controller
in the Back-up Secondary Controller Name text box.
Note
The default value for the IP address is 0.0.0.0, which disables the secondary backup controller.
Step 9
Click Apply to commit your changes.
Step 10
Configure primary, secondary, and tertiary backup controllers for a specific access point as follows:
a) Choose Access Points > All APs to open the All APs page.
b) Click the name of the access point for which you want to configure primary, secondary, and tertiary backup controllers.
c) Choose the High Availability tab to open the All APs > Details for (High Availability) page.
d) If desired, enter the name and IP address of the primary controller for this access point in the Primary Controller text
boxes.
Note
Entering an IP address for the backup controller is optional in this step and the next two steps. If the backup
controller is outside the mobility group to which the access point is connected (the primary controller), then
you need to provide the IP address of the primary, secondary, or tertiary controller, respectively. The controller
name and IP address must belong to the same primary, secondary, or tertiary controller. Otherwise, the
access point cannot join the backup controller.
e) If desired, enter the name and IP address of the secondary controller for this access point in the Secondary Controller
text boxes.
Cisco Wireless Controller Configuration Guide, Release 8.3
17
AP Connectivity to Cisco WLC
Backup Cisco WLCs
f) If desired, enter the name and IP address of the tertiary controller for this access point in the Tertiary Controller text
boxes.
g) Click Apply to commit your changes.
Step 11
Click Save Configuration to save your changes.
Configuring Backup Controllers (CLI)
Step 1
Configure a primary controller for a specific access point by entering this command:
config ap primary-base controller_name Cisco_AP [controller_ip_address]
The controller_ip_address parameter in this command and the next two commands is optional. If the backup
controller is outside the mobility group to which the access point is connected (the primary controller), then
you need to provide the IP address of the primary, secondary, or tertiary controller, respectively. In each
command, the controller_name and controller_ip_address must belong to the same primary, secondary, or
tertiary controller. Otherwise, the access point cannot join the backup controller.
Configure a secondary controller for a specific access point by entering this command:
config ap secondary-base controller_name Cisco_AP [controller_ip_address]
Note
Step 2
Step 3
Configure a tertiary controller for a specific access point by entering this command:
config ap tertiary-base controller_name Cisco_AP [controller_ip_address]
Step 4
Configure a primary backup controller for all access points by entering this command:
config advanced backup-controller primary system name ip_addr
This command is valid for both IPv4 and
IPv6
Configure a secondary backup controller for all access points by entering this command:
config advanced backup-controller secondary system name ip_addr
Note
Step 5
Note
To delete a primary or secondary backup controller entry, enter 0.0.0.0 for the controller IPv4/IPv6 address.
This command is valid for both IPv4 and
IPv6
Enable or disable the fast heartbeat timer for local or FlexConnect access points by entering this command:
config advanced timers ap-fast-heartbeat {local | flexconnect | all} {enable | disable} interval
Note
Step 6
where all is both local and FlexConnect access points, and interval is a value between 10 and 15 seconds for Cisco
7500/8510/8540 controllers, and 1 and 10 seconds for other controllers. Specifying a small heartbeat interval reduces
the amount of time that it takes to detect a controller failure. The default value is disabled.Configure the access point
heartbeat timer by entering this command:
config advanced timers ap-heartbeat-timeout interval
where interval is a value between 1 and 30 seconds (inclusive). This value should be at least three times larger than the
fast heartbeat timer. The default value is 30 seconds.
Do not enable the fast heartbeat timer with the high latency link. If you have to enable the fast heartbeat timer,
the timer value must be greater than the latency.
Configure the access point primary discovery request timer by entering this command:
Caution
Step 7
Cisco Wireless Controller Configuration Guide, Release 8.3
18
AP Connectivity to Cisco WLC
Backup Cisco WLCs
config advanced timers ap-primary-discovery-timeout interval
where interval is a value between 30 and 3600 seconds. The default value is 120 seconds.
Step 8
Configure the access point discovery timer by entering this command:
config advanced timers ap-discovery-timeout interval
where interval is a value between 1 and 10 seconds (inclusive). The default value is 10 seconds.
Step 9
Configure the 802.11 authentication response timer by entering this command:
config advanced timers auth-timeout interval
where interval is a value between 5 and 600 seconds (inclusive). The default value is 10 seconds.
Step 10
Save your changes by entering this command:
save config
Step 11
See an access point’s configuration by entering these commands:
• show ap config general Cisco_AP
• show advanced backup-controller
• show advanced timers
Information similar to the following appears for the show ap config general Cisco_AP command for Primary Cisco
Switch IP Address using IPv4:
Cisco AP Identifier..............................
Cisco AP Name....................................
Country code.....................................
Regulatory Domain allowed by Country.............
AP Country code..................................
AP Regulatory Domain.............................
Switch Port Number ..............................
MAC Address......................................
IP Address Configuration.........................
IP Address.......................................
...
Primary Cisco Switch Name........................
Primary Cisco Switch IP Address..................
Secondary Cisco Switch Name......................
Secondary Cisco Switch IP Address................
Tertiary Cisco Switch Name.......................
Tertiary Cisco Switch IP Address.................
...
1
AP5
US - United States
802.11bg:-AB
802.11a:-AB
US - United States
802.11bg:-A
802.11a:-N
1
00:13:80:60:48:3e
DHCP
1.100.163.133
1-5508
2.2.2.2
1-4404
2.2.2.2
2-4404
1.1.1.4
Information similar to the following appears for the show ap config general Cisco_AP command for Primary Cisco
Switch IP Address using IPv6:
Cisco AP Identifier..............................
Cisco AP Name....................................
Country code.....................................
Regulatory Domain allowed by Country.............
1
AP6
US - United States
802.11bg:-A 802.11a:-A
Cisco Wireless Controller Configuration Guide, Release 8.3
19
AP Connectivity to Cisco WLC
Backup Cisco WLCs
AP Country code..................................
AP Regulatory Domain.............................
Switch Port Number ..............................
MAC Address......................................
IPv6 Address Configuration.......................
IPv6 Address.....................................
IPv6 Prefix Length...............................
Gateway IPv6 Addr................................
NAT External IP Address..........................
CAPWAP Path MTU..................................
Telnet State.....................................
Ssh State........................................
Cisco AP Location................................
Cisco AP Floor Label.............................
Cisco AP Group Name..............................
Primary Cisco Switch Name........................
Primary Cisco Switch IP Address..................
US - United States
802.11bg:-A 802.11a:-A
13
44:2b:03:9a:9d:30
DHCPv6
2001:9:5:96:295d:3b2:2db2:9b47
128
fe80::6abd:abff:fe8c:764a
None
1473
Globally Disabled
Globally Disabled
_5500
0
IPv6-Same_VLAN
Maulik_WLC_5500-HA
2001:9:5:95::11
Information similar to the following appears for the show advanced backup-controller command when configured
using IPv4:
AP primary Backup Controller .................... controller1 10.10.10.10
AP secondary Backup Controller ............... 0.0.0.0
Information similar to the following appears for the show advanced backup-controller command when configured
using IPv6:
AP primary Backup Controller .................... WLC_5500-2 fd09:9:5:94::11
AP secondary Backup Controller .................. vWLC 9.5.92.11
Information similar to the following appears for the show advanced timers command:
Authentication Response Timeout (seconds)........ 10
Rogue Entry Timeout (seconds).................... 1300
AP Heart Beat Timeout (seconds).................. 30
AP Discovery Timeout (seconds)................... 10
AP Local mode Fast Heartbeat (seconds)........... 10 (enable)
AP flexconnect mode Fast Heartbeat (seconds)........... disable
AP Primary Discovery Timeout (seconds)........... 120
Cisco Wireless Controller Configuration Guide, Release 8.3
20
AP Connectivity to Cisco WLC
Failover Priority for APs
Failover Priority for APs
Information About Configuring Failover Priority for Access Points
Each controller has a defined number of communication ports for access points. When multiple controllers
with unused access point ports are deployed on the same network and one controller fails, the dropped access
points automatically poll for unused controller ports and associate with them.
The following are some guidelines for configuring failover priority for access points:
• You can configure your wireless network so that the backup controller recognizes a join request from
a higher-priority access point and if necessary disassociates a lower-priority access point as a means to
provide an available port.
• Failover priority is not in effect during the regular operation of your wireless network. It takes effect
only if there are more association requests after a controller failure than there are available backup
controller ports.
• You can enable failover priority on your network and assign priorities to the individual access points.
• By default, all access points are set to priority level 1, which is the lowest priority level. Therefore, you
need to assign a priority level only to those access points that warrant a higher priority.
Configuring Failover Priority for Access Points (GUI)
Step 1
Choose Wireless > Access Points > Global Configuration to open the Global Configuration page.
Step 2
From the Global AP Failover Priority drop-down list, choose Enable to enable access point failover priority or choose
Disable to disable this feature and turn off any access point priority assignments. The default value is Disable.
Step 3
Click Apply to commit your changes.
Step 4
Click Save Configuration to save your changes.
Step 5
Choose Wireless > Access Points > All APs to open the All APs page.
Step 6
Step 7
Click the name of the access point for which you want to configure failover priority.
Choose the High Availability tab. The All APs > Details for (High Availability) page appears.
Step 8
From the AP Failover Priority drop-down list, choose one of the following options to specify the priority of the access
point:
• Low—Assigns the access point to the level 1 priority, which is the lowest priority level. This is the default value.
• Medium—Assigns the access point to the level 2 priority.
• High—Assigns the access point to the level 3 priority.
• Critical—Assigns the access point to the level 4 priority, which is the highest priority level.
Step 9
Click Apply to commit your changes.
Step 10
Click Save Configuration to save your changes.
Cisco Wireless Controller Configuration Guide, Release 8.3
21
AP Connectivity to Cisco WLC
Failover Priority for APs
Configuring Failover Priority for Access Points (CLI)
Step 1
Enable or disable access point failover priority by entering this command:
config network ap-priority {enable | disable}
Step 2
Specify the priority of an access point by entering this command:
config ap priority {1 | 2 | 3 | 4} Cisco_AP
where 1 is the lowest priority level and 4 is the highest priority level. The default value is 1.
Step 3
Enter the save config command to save your changes.
Viewing Failover Priority Settings (CLI)
• Confirm whether access point failover priority is enabled on your network by entering this command:
show network summary
Information similar to the following appears:
RF-Network Name.............................
Web Mode....................................
Secure Web Mode.............................
Secure Web Mode Cipher-Option High..........
Secure Shell (ssh)..........................
Telnet......................................
Ethernet Multicast Mode.....................
Ethernet Broadcast Mode.....................
IGMP snooping...............................
IGMP timeout................................
User Idle Timeout...........................
ARP Idle Timeout............................
Cisco AP Default Master.....................
mrf
Enable
Enable
Disable
Enable
Enable
Disable
Disable
Disabled
60 seconds
300 seconds
300 seconds
Disable
AP Join Priority......................... Enabled
...
• See the failover priority for each access point by entering this command:
show ap summary
Information similar to the following appears:
Number of APs.................................... 2
Global AP User Name.............................. user
Global AP Dot1x User Name........................ Not Configured
AP Name
------ap:1252
ap:1121
Slots
----2
1
AP Model
-----------------AIR-LAP1252AG-A-K9
AIR-LAP1121G-A-K9
Cisco Wireless Controller Configuration Guide, Release 8.3
22
Ethernet MAC
Location
Port Country Priority
----------------- --------- ---- ------- ------00:1b:d5:13:39:74 hallway 6 1
US
1
00:1b:d5:a9:ad:08 reception 1
US
3
AP Connectivity to Cisco WLC
AP Retransmission Interval and Retry Count
To see the summary of a specific access point, you can specify the access point name. You can also use
wildcard searches when filtering for access points.
AP Retransmission Interval and Retry Count
Information About Configuring the AP Retransmission Interval and Retry Count
The controller and the APs exchange packets using the CAPWAP reliable transport protocol. For each request,
a response is defined. This response is used to acknowledge the receipt of the request message. Response
messages are not explicitly acknowledged; therefore, if a response message is not received, the original request
message is retransmitted after the retransmit interval. If the request is not acknowledged after a maximum
number of retransmissions, the session is closed and the APs reassociate with another controller.
Restrictions for Access Point Retransmission Interval and Retry Count
• You can configure the retransmission intervals and retry count both at a global as well as a specific
access point level. A global configuration applies these configuration parameters to all the access points.
That is, the retransmission interval and the retry count are uniform for all access points. Alternatively,
when you configure the retransmission level and retry count at a specific access point level, the values
are applied to that particular access point. The access point specific configuration has a higher precedence
than the global configuration.
• Retransmission intervals and the retry count do not apply for mesh access points.
Configuring the AP Retransmission Interval and Retry Count (GUI)
You can configure the retransmission interval and retry count for all APs globally or a specific AP.
Step 1
To configure the controller to set the retransmission interval and retry count globally using the controller GUI, follow
these steps:
a) Choose Wireless > Access Points > Global Configuration.
b) Choose one of the following options under the AP Transmit Config Parameters section:
• AP Retransmit Count—Enter the number of times you want the access point to retransmit the request to the
controller. This parameter can take values between 3 and 8.
• AP Retransmit Interval—Enter the time duration between the retransmission of requests. This parameter can
take values between 2 and 5.
c) Click Apply.
Step 2
To configure the controller to set the retransmission interval and retry count for a specific access point, follow these
steps:
a) Choose Wireless > Access Points > All APs.
b) Click on the AP Name link for the access point on which you want to set the values.
The All APs > Details page appears.
Cisco Wireless Controller Configuration Guide, Release 8.3
23
AP Connectivity to Cisco WLC
Authorizing Access Points
c) Click the Advanced Tab to open the advanced parameters page.
d) Choose one of the following parameters under the AP Transmit Config Parameters section:
• AP Retransmit Count—Enter the number of times that you want the access point to retransmit the request to
the controller. This parameter can take values between 3 and 8.
• AP Retransmit Interval—Enter the time duration between the retransmission of requests. This parameter can
take values between 2 and 5.
e) Click Apply.
Configuring the Access Point Retransmission Interval and Retry Count (CLI)
You can configure the retransmission interval and retry count for all access points globally or a specific access
point.
• Configure the retransmission interval and retry count for all access points globally by entering the this
command:
config ap retransmit {interval | count} seconds all
The valid range for the interval parameter is between 3 and 8. The valid range for the count parameter
is between 2 and 5.
• Configure the retransmission interval and retry count for a specific access point, by entering this command:
config ap retransmit {interval | count} seconds Cisco_AP
The valid range for the interval parameter is between 3 and 8. The valid range for the count parameter
is between 2 and 5.
• See the status of the configured retransmit parameters on all or specific APs by entering this command:
show ap retransmit all
Note
Because retransmit and retry values cannot be set for access points in mesh mode, these
values are displayed as N/A (not applicable).
• See the status of the configured retransmit parameters on a specific access point by entering this command:
show ap retransmit Cisco_AP
Authorizing Access Points
Authorizing Access Points Using SSCs
The Control and Provisioning of Wireless Access Points protocol (CAPWAP) secures the control
communication between the access point and controller by a secure key distribution requiring X.509 certificates
Cisco Wireless Controller Configuration Guide, Release 8.3
24
AP Connectivity to Cisco WLC
Authorizing Access Points for Virtual Controllers Using SSC
on both the access point and controller. CAPWAP relies on provisioning of the X.509 certificates. Cisco
Aironet access points shipped before July 18, 2005 do not have a MIC, so these access points create an SSC
when upgraded to operate in lightweight mode. Controllers are programmed to accept local SSCs for
authentication of specific access points and do not forward those authentication requests to a RADIUS server.
This behavior is acceptable and secure.
Authorizing Access Points for Virtual Controllers Using SSC
Virtual controllers use SSC certificates instead of Manufacturing Installed Certificates (MIC) used by physical
controllers. You can configure the controller to allow an AP to validate the SSC of the virtual controller.
When an AP validates the SSC, the AP checks if the hash key of the virtual controller matches the hash key
stored in its flash. If a match is found, the AP associates with the controller. If a match is not found, the
validation fails and the AP disconnects from the controller and restarts the discovery process. By default, hash
validation is enabled. An AP must have the virtual controller hash key in its flash before associating with the
virtual controller. If you disable hash validation of the SSC, the AP bypasses the hash validation and directly
moves to the Run state. APs can associate with a physical controller, download the hash keys and then associate
with a virtual controller. If the AP is associated with a physical controller and hash validation is disabled, the
AP associates with any virtual controller without hash validation. The hash key of the virtual controller can
be configured for a mobility group member. This hash key gets pushed to the APs, so that the APs can validate
the hash key of the controller.
Configuring SSC (GUI)
Step 1
Choose Security > Certificate > SSC to open the Self Significant Certificates (SSC) page.
The SSC device certification details are displayed.
Step 2
Step 3
Select the Enable SSC Hash Validation check box to enable the validation of the hash key.
Click Apply to commit your changes.
Configuring SSC (CLI)
Step 1
To configure hash validation of SSC, enter this command:
config certificate ssc hash validation {enable | disable}
Step 2
To see the hash key details, enter this command:
show certificate ssc
Cisco Wireless Controller Configuration Guide, Release 8.3
25
AP Connectivity to Cisco WLC
Authorizing Access Points Using MICs
Authorizing Access Points Using MICs
You can configure controllers to use RADIUS servers to authorize access points using MICs. The controller
uses an access point’s MAC address as both the username and password when sending the information to a
RADIUS server. For example, if the MAC address of the access point is 000b85229a70, both the username
and password used by the controller to authorize the access point are 000b85229a70.
Note
The lack of a strong password by the use of the access point’s MAC address should not be an issue because
the controller uses MIC to authenticate the access point prior to authorizing the access point through the
RADIUS server. Using MIC provides strong authentication.
Note
If you use the MAC address as the username and password for access point authentication on a RADIUS
AAA server, do not use the same AAA server for client authentication.
Authorizing Access Points Using LSCs
You can use an LSC if you want your own public key infrastructure (PKI) to provide better security, to have
control of your certificate authority (CA), and to define policies, restrictions, and usages on the generated
certificates.
The LSC CA certificate is installed on access points and controllers. You need to provision the device certificate
on the access point. The access point gets a signed X.509 certificate by sending a certRequest to the controller.
The controller acts as a CA proxy and receives the certRequest signed by the CA for the access point.
Note
When the CA server is in manual mode and if there is an AP entry in the LSC SCEP table that is pending
enrollment, the controller waits for the CA server to send a pending response. If there is no response from
the CA server, the controller retries a total of three times to get a response, after which the fallback mode
comes into effect where the AP provisioning times out and the AP reboots and comes up with MIC.
Note
LSC on controller does not take password challenge. Therefore, for LSC to work, you must disable
password challenge on the CA server.
Cisco Wireless Controller Configuration Guide, Release 8.3
26
AP Connectivity to Cisco WLC
Authorizing Access Points Using LSCs
Configuring Locally Significant Certificates (GUI)
Step 1
Step 2
Step 3
Choose Security > Certificate > LSC to open the Local Significant Certificates (LSC) - General page.
In the CA Server URL text box, enter the URL to the CA server. You can enter either a domain name or an IP address.
In the Params text boxes, enter the parameters for the device certificate. [Optional] The key size is a value from 2048 to
4096 (in bits), and the default value is 2048.
Click Apply to commit your changes.
Step 4
Step 5
Step 6
Step 7
Step 8
Step 9
Step 10
Step 11
Step 12
Step 13
Step 14
Step 15
Step 16
To add the CA certificate into the controller’s certificate database, hover your cursor over the blue drop-down arrow for
the certificate type and choose Add.
To add the device certificate into the controller's certificate database, hover your cursor over the blue drop-down arrow
for the certificate type and choose Add.
Select the Enable LSC on Controller check box to enable the LSC on the system.
Click Apply to commit your changes.
Choose the AP Provisioning tab to open the Local Significant Certificates (LSC) - AP Provisioning page.
Select the Enable check box and click Update to provision the LSC on the access point.
Click Apply to commit your changes.
When a message appears indicating that the access points will be rebooted, click OK.
In the Number of Attempts to LSC text box, enter the number of times that the access point attempts to join the controller
using an LSC before the access point reverts to the default certificate (MIC or SSC). The range is 0 to 255 (inclusive),
and the default value is 3.
Note
If you set the number of retries to a nonzero value and the access point fails to join the controller using an LSC
after the configured number of retries, the access point reverts to the default certificate. If you set the number
of retries to 0 and the access point fails to join the controller using an LSC, the access point does not attempt
to join the controller using the default certificate.
Note
If you are configuring LSC for the first time, we recommend that you configure a nonzero
value.
Enter the access point MAC address in the AP Ethernet MAC Addresses text box and click Add to add access points to
the provision list.
Note
To remove an access point from the provision list, hover your cursor over the blue drop-down arrow for the
access point and choose Remove.
Note
If you configure an access point provision list, only the access points in the provision list are provisioned when
you enable AP provisioning. If you do not configure an access point provision list, all access points with a MIC
or SSC certificate that join the controller are LSC provisioned.
Click Apply to commit your changes.
Click Save Configuration to save your changes.
Configuring Locally Significant Certificates (CLI)
Step 1
Configure the URL to the CA server by entering this command:
Cisco Wireless Controller Configuration Guide, Release 8.3
27
AP Connectivity to Cisco WLC
Authorizing Access Points Using LSCs
config certificate lsc ca-server http://url:port/path
where url can be either a domain name or IP address.
Note
Step 2
You can configure only one CA server. To configure a different CA server, delete the configured CA server
using the config certificate lsc ca-server delete command, and then configure a different CA server.
Configure the parameters for the device certificate by entering this command:
config certificate lsc subject-params country state city orgn dept e-mail
The common name (CN) is generated automatically on the access point using the current MIC/SSC format
Cxxxx-MacAddr, where xxxx is the product number.
[Optional] Configure a key size by entering this command:
config certificate lsc other-params keysize
Note
Step 3
The keysize is a value from 2048 to 4096 (in bits), and the default value is 2048.
Step 4
Add the LSC CA certificate into the controller’s certificate database by entering this command:
config certificate lsc ca-cert {add | delete}
Step 5
Add the LSC device certificate into the controller’s certificate database by entering this command:
config certificate lsc device-cert {add | delete}
Step 6
Enable LSC on the system by entering this command:
config certificate lsc {enable | disable}
Step 7
Add access points to the provision list by entering this command:
config certificate lsc ap-provision auth-list add AP_mac_addr
To remove access points from the provision list, enter the config certificate lsc ap-provision auth-list delete
AP_mac_addr command.
Note
If you configure an access point provision list, only the access points in the provision list are provisioned when
you enable AP provisioning (in Step 8). If you do not configure an access point provision list, all access points
with a MIC or SSC certificate that join the controller are LSC provisioned.
Configure the number of times that the access point attempts to join the controller using an LSC before the access point
reverts to the default certificate (MIC or SSC) by entering this command:
config certificate lsc ap-provision revert-cert retries
Note
Step 8
where retries is a value from 0 to 255, and the default value is 3.
If you set the number of retries to a nonzero value and the access point fails to join the controller using an LSC
after the configured number of retries, the access point reverts to the default certificate. If you set the number
of retries to 0 and the access point fails to join the controller using an LSC, the access point does not attempt
to join the controller using the default certificate.
Note
If you are configuring LSC for the first time, Cisco recommends that you configure a nonzero
value.
Provision the LSC on the access point by entering this command:
config certificate lsc ap-provision {enable | disable}
Note
Step 9
Step 10
See the LSC summary by entering this command:
show certificate lsc summary
Information similar to the following appears:
LSC Enabled.......................................... Yes
LSC CA-Server........................................ http://10.0.0.1:8080/caserver
Cisco Wireless Controller Configuration Guide, Release 8.3
28
AP Connectivity to Cisco WLC
Authorizing Access Points (GUI)
LSC AP-Provisioning.................................. Yes
Provision-List................................... Not Configured
LSC Revert Count in AP reboots................... 3
LSC Params:
Country..........................................
State............................................
City.............................................
Orgn.............................................
Dept.............................................
Email............................................
KeySize..........................................
US
ca
ss
org
dep
[email protected]
2048
LSC Certs:
CA Cert.......................................... Not Configured
RA Cert....................................... Not Configured
Step 11
See details about the access points that are provisioned using LSC by entering this command:
show certificate lsc ap-provision
Information similar to the following appears:
LSC AP-Provisioning........................... Yes
Provision-List................................ Present
Idx Mac Address
--- -----------1 00:18:74:c7:c0:90
Authorizing Access Points (GUI)
Step 1
Choose Security > AAA > AP Policies to open the AP Policies page.
Step 2
If you want the access point to accept self-signed certificates (SSCs), manufactured-installed certificates (MICs), or local
significant certificates (LSCs), select the appropriate check box.
If you want the access points to be authorized using a AAA RADIUS server, select the Authorize MIC APs against
auth-list or AAA check box.
If you want the access points to be authorized using an LSC, select the Authorize LSC APs against auth-list check
box.
Enter the Ethernet MAC address for all APs except when in bridge mode (where you need to enter the radio Mac address).
Step 3
Step 4
Step 5
Click Apply to commit your changes.
Step 6
Follow these steps to add an access point to the controller’s authorization list:
a) Click Add to access the Add AP to Authorization List area.
Cisco Wireless Controller Configuration Guide, Release 8.3
29
AP Connectivity to Cisco WLC
Authorizing Access Points (CLI)
b) In the MAC Address text box, enter the MAC address of the access point.
c) From the Certificate Type drop-down list, choose MIC, SSC, or LSC.
d) Click Add. The access point appears in the access point authorization list.
Note
To remove an access point from the authorization list, hover your cursor over the blue drop-down arrow for
the access point and choose Remove.
Note
To search for a specific access point in the authorization list, enter the MAC address of the access point in
the Search by MAC text box and click Search.
Authorizing Access Points (CLI)
• Configure an access point authorization policy by entering this command:
config auth-list ap-policy {authorize-ap {enable | disable} | authorize-lsc-ap {enable | disable}}
• Configure an access point to accept manufactured-installed certificates (MICs), self-signed certificates
(SSCs), or local significant certificates (LSCs) by entering this command:
config auth-list ap-policy {mic | ssc | lsc {enable | disable}}
• Configure the user name to be used in access point authorization requests.
config auth-list ap-policy {authorize-ap username {ap_name | ap_mac | both}}
• Add an access point to the authorization list by entering this command:
config auth-list add {mic | ssc | lsc} ap_mac [ap_key]
where ap_key is an optional key hash value equal to 20 bytes or 40 digits.
Note
To delete an access point from the authorization list, enter this command: config auth-list delete ap_mac.
• See the access point authorization list by entering this command:
show auth-list
AP 802.1X Supplicant
Information About Configuring Authentication for Access Points
You can configure 802.1X authentication between a lightweight access point and a Cisco switch. The access
point acts as an 802.1X supplicant and is authenticated by the switch using EAP-FAST with anonymous PAC
provisioning.
You can configure global authentication settings that all access points that are currently associated with the
controller and any that associate in the future. You can also override the global authentication settings and
assign unique authentication settings for a specific access point.
Cisco Wireless Controller Configuration Guide, Release 8.3
30
AP Connectivity to Cisco WLC
Prerequisites for Configuring Authentication for Access Points
Prerequisites for Configuring Authentication for Access Points
Step 1
If the access point is new, do the following:
a) Boot the access point with the installed recovery image.
b) If you choose not to follow this suggested flow and instead enable 802.1X authentication on the switch port connected
to the access point prior to the access point joining the controller, enter this command:
lwapp ap dot1x username username password password
Note
Note
If you choose to follow this suggested flow and enable 802.1X authentication on the switch port after the
access point has joined the controller and received the configured 802.1X credentials, you do not need to
enter this command.
This command is available only for access points that are running the applicable recovery
image.
Connect the access point to the switch port.
Step 2
Step 3
Step 4
Step 5
Install the required software image on the controller and reboot the controller.
Allow all access points to join the controller.
Configure authentication on the controller. See the Configuring Authentication for Access Points (GUI) section or the
Configuring Authentication for Access Points (CLI) section for information about configuring authentication on the
controller.
Configure the switch to allow authentication. See the Configuring the Switch for Authentication section for information
about configuring the switch for authentication.
Restrictions for Authenticating Access Points
• The OEAP 600 Series access points do not support LEAP.
• Always disable the Bridge Protocol Data Unit (BPDU) guard on the switch port connected to the AP.
Enabling the BPDU guard is allowed only when the switch puts the port in port fast mode.
Configuring Authentication for Access Points (GUI)
Step 1
Step 2
Step 3
Step 4
Choose Wireless > Access Points > Global Configuration to open the Global Configuration page.
Under 802.1x Supplicant Credentials, select the 802.1x Authentication check box.
In the Username text box, enter the username that is to be inherited by all access points that join the controller.
In the Password and Confirm Password text boxes, enter the password that is to be inherited by all access points that
join the controller.
Cisco Wireless Controller Configuration Guide, Release 8.3
31
AP Connectivity to Cisco WLC
Configuring Authentication for Access Points (CLI)
Note
You must enter a strong password in these text boxes. Strong passwords have the following characteristics:
• They are at least eight characters long
• They contain a combination of uppercase and lowercase letters, numbers, and symbols
• They are not a word in any language
Step 5
Step 6
Step 7
Click Apply to send the global authentication username and password to all access points that are currently joined to
the controller and to any that join the controller in the future.
Click Save Configuration to save your changes.
If desired, you can choose to override the global authentication settings and assign a unique username and password to
a specific access point as follows:
a) Choose Access Points > All APs to open the All APs page.
b) Click the name of the access point for which you want to override the authentication settings.
c) Click the Credentials tab to open the All APs > Details for (Credentials) page.
d) Under 802.1x Supplicant Credentials, select the Over-ride Global Credentials check box to prevent this access
point from inheriting the global authentication username and password from the controller. The default value is
unselected.
e) In the Username, Password, and Confirm Password text boxes, enter the unique username and password that you
want to assign to this access point.
Note
The information that you enter is retained across controller and access point reboots and whenever the access
point joins a new controller.
f) Click Apply to commit your changes.
g) Click Save Configuration to save your changes.
Note
If you want to force this access point to use the controller’s global authentication settings, unselect the
Over-ride Global Credentials check box.
Configuring Authentication for Access Points (CLI)
Step 1
Configure the global authentication username and password for all access points currently joined to the controller as
well as any access points that join the controller in the future by entering this command:
config ap 802.1Xuser add username ap-username password ap-password all
Note
You must enter a strong password for the ap-password parameter. Strong passwords have the following
characteristics:
• They are at least eight characters long.
• They contain a combination of uppercase and lowercase letters, numbers, and symbols.
• They are not a word in any language.
Step 2
(Optional) Override the global authentication settings and assign a unique username and password to a specific access
point. To do so, enter this command:
config ap 802.1Xuser add username ap-username password ap-password Cisco_AP
Cisco Wireless Controller Configuration Guide, Release 8.3
32
AP Connectivity to Cisco WLC
Configuring the Switch for Authentication
You must enter a strong password for the ap-password parameter. See the note in Step 1 for the characteristics
of strong passwords.
The authentication settings that you enter in this command are retained across controller and access point reboots and
whenever the access point joins a new controller.
Note
Note
If you want to force this access point to use the controller’s global authentication settings, enter the config ap
802.1Xuser delete Cisco_AP command. The following message appears after you execute this command: “AP
reverted to global username configuration.”
Step 3
Enter the save config command to save your changes.
Step 4
(Optional) Disable 802.1X authentication for all access points or for a specific access point by entering this command:
config ap 802.1Xuser disable {all | Cisco_AP}
You can disable 802.1X authentication for a specific access point only if global 802.1X authentication is not
enabled. If global 802.1X authentication is enabled, you can disable 802.1X for all access points only.
See the authentication settings for all access points that join the controller by entering this command:
show ap summary
Note
Step 5
Information similar to the following appears:
Number of APs.................................... 1
Global AP User Name.............................. globalap
Global AP Dot1x User Name........................ globalDot1x
Step 6
See the authentication settings for a specific access point by entering this command:
show ap config general Cisco_AP
Note
Note
The name of the access point is case
sensitive.
If this access point is configured for global authentication, the AP Dot1x User Mode text boxes shows “Automatic.”
If the global authentication settings have been overwritten for this access point, the AP Dot1x User Mode text
box shows “Customized.”
Configuring the Switch for Authentication
To enable 802.1X authentication on a switch port, on the switch CLI, enter these commands:
• Switch# configure terminal
• Switch(config)# dot1x system-auth-control
• Switch(config)# aaa new-model
• Switch(config)# aaa authentication dot1x default group radius
• Switch(config)# radius-server host ip_addr auth-port port acct-port port key key
• Switch(config)# interface fastethernet2/1
• Switch(config-if)# switchport mode access
• Switch(config-if)# dot1x pae authenticator
Cisco Wireless Controller Configuration Guide, Release 8.3
33
AP Connectivity to Cisco WLC
Infrastructure MFP
• Switch(config-if)# dot1x port-control auto
• Switch(config-if)# end
Infrastructure MFP
Information About Management Frame Protection
Management frame protection (MFP) provides security for the otherwise unprotected and unencrypted 802.11
management messages passed between access points and clients. MFP provides both infrastructure and client
support.
• Infrastructure MFP—Protects management frames by detecting adversaries that are invoking
denial-of-service attacks, flooding the network with associations and probes, interjecting as rogue access
points, and affecting network performance by attacking the QoS and radio measurement frames.
Infrastructure MFP is a global setting that provides a quick and effective means to detect and report
phishing incidents.
Specifically, infrastructure MFP protects 802.11 session management functions by adding message
integrity check information elements (MIC IEs) to the management frames emitted by access points
(and not those emitted by clients), which are then validated by other access points in the network.
Infrastructure MFP is passive. It can detect and report intrusions but has no means to stop them.
• Client MFP—Shields authenticated clients from spoofed frames, preventing many of the common attacks
against wireless LANs from becoming effective. Most attacks, such as deauthentication attacks, revert
to simply degrading performance by contending with valid clients.
Specifically, client MFP encrypts management frames are sent between access points and CCXv5 clients
so that both the access points and clients can take preventative action by dropping spoofed class 3
management frames (that is, management frames passed between an access point and a client that is
authenticated and associated). Client MFP leverages the security mechanisms defined by IEEE 802.11i
to protect the following types of class 3 unicast management frames: disassociation, deauthentication,
and QoS (WMM) action. Client MFP protects a client-access point session from the most common type
of denial-of-service attack. It protects class 3 management frames by using the same encryption method
used for the session’s data frames. If a frame received by the access point or client fails decryption, it is
dropped, and the event is reported to the controller.
To use client MFP, clients must support CCXv5 MFP and must negotiate WPA2 using either TKIP or
AES-CCMP. EAP or PSK may be used to obtain the PMK. CCKM and controller mobility management
are used to distribute session keys between access points for Layer 2 and Layer 3 fast roaming.
Cisco Wireless Controller Configuration Guide, Release 8.3
34
AP Connectivity to Cisco WLC
Restrictions for Management Frame Protection
Note
To prevent attacks using broadcast frames, access points supporting CCXv5 will not
emit any broadcast class 3 management frames (such as disassociation, deauthentication,
or action). CCXv5 clients and access points must discard broadcast class 3 management
frames.
Client MFP supplements infrastructure MFP rather than replaces it because infrastructure
MFP continues to detect and report invalid unicast frames sent to clients that are not
client-MFP capable as well as invalid class 1 and 2 management frames. Infrastructure
MFP is applied only to management frames that are not protected by client MFP.
Infrastructure MFP consists of three main components:
• Management frame protection—The access point protects the management frames it transmits by adding
a MIC IE to each frame. Any attempt to copy, alter, or replay the frame invalidates the MIC, causing
any receiving access point configured to detect MFP frames to report the discrepancy. MFP is supported
for use with Cisco Aironet lightweight access points.
• Management frame validation—In infrastructure MFP, the access point validates every management
frame that it receives from other access points in the network. It ensures that the MIC IE is present (when
the originator is configured to transmit MFP frames) and matches the content of the management frame.
If it receives any frame that does not contain a valid MIC IE from a BSSID belonging to an access point
that is configured to transmit MFP frames, it reports the discrepancy to the network management system.
In order for the timestamps to operate properly, all controllers must be Network Time Protocol (NTP)
synchronized.
• Event reporting—The access point notifies the controller when it detects an anomaly, and the controller
aggregates the received anomaly events and can report the results through SNMP traps to the network
management system.
Note
Client MFP uses the same event reporting mechanisms as infrastructure MFP.
Infrastructure MFP is disabled by default and can be enabled globally. When you upgrade from a previous
software release, infrastructure MFP is disabled globally if access point authentication is enabled because the
two features are mutually exclusive. Once infrastructure MFP is enabled globally, signature generation (adding
MICs to outbound frames) can be disabled for selected WLANs, and validation can be disabled for selected
access points.
Client MFP is enabled by default on WLANs that are configured for WPA2. It can be disabled, or it can be
made mandatory (in which case, only clients that negotiate MFP are allowed to associate) on selected WLANs.
Restrictions for Management Frame Protection
• Lightweight access points support infrastructure MFP in local and monitor modes and in FlexConnect
mode when the access point is connected to a controller. They support client MFP in local, FlexConnect,
and bridge modes.
• OEAP 600 Series Access points do not support MFP.
• Client MFP is supported for use only with CCXv5 clients using WPA2 with TKIP or AES-CCMP.
Cisco Wireless Controller Configuration Guide, Release 8.3
35
AP Connectivity to Cisco WLC
Configuring Management Frame Protection (GUI)
• Non-CCXv5 clients may associate to a WLAN if client MFP is disabled or optional.
• Error reports generated on a FlexConnect access point in standalone mode cannot be forwarded to the
controller and are dropped.
Configuring Management Frame Protection (GUI)
Step 1
Step 2
Step 3
Step 4
Choose Security> Wireless Protection Policies > AP Authentication/MFP to open the AP Authentication Policy page.
Enable infrastructure MFP globally for the controller by choosing Management Frame Protection from the Protection
Type drop-down list.
Click Apply to commit your changes.
Note
If more than one controller is included in the mobility group, you must configure an NTP/SNTP server on all
controllers in the mobility group that are configured for infrastructure MFP.
Configure client MFP for a particular WLAN after infrastructure MFP has been enabled globally for the controller as
follows:
a) Choose WLANs.
b) Click the profile name of the desired WLAN. The WLANs > Edit page appears.
c) Choose Advanced. The WLANs > Edit (Advanced) page appears.
d) Choose Disabled, Optional, or Required from the MFP Client Protection drop-down list. The default value is
Optional. If you choose Required, clients are allowed to associate only if MFP is negotiated (that is, if WPA2 is
configured on the controller and the client supports CCXv5 MFP and is also configured for WPA2).
Note
For Cisco OEAP 600, MFP is not supported. It should either be Disabled or Optional.
e) Click Apply to commit your changes.
Step 5
Click Save Configuration to save your settings.
Viewing the Management Frame Protection Settings (GUI)
To see the controller’s current global MFP settings, choose Security > Wireless Protection Policies >
Management Frame Protection. The Management Frame Protection Settings page appears.
On this page, you can see the following MFP settings:
• The Management Frame Protection field shows if infrastructure MFP is enabled globally for the
controller.
• The Controller Time Source Valid field indicates whether the controller time is set locally (by manually
entering the time) or through an external source (such as the NTP/SNTP server). If the time is set by an
external source, the value of this field is “True.” If the time is set locally, the value is “False.” The time
source is used for validating the timestamp on management frames between access points of different
controllers within a mobility group.
• The Client Protection field shows if client MFP is enabled for individual WLANs and whether it is
optional or required.
Cisco Wireless Controller Configuration Guide, Release 8.3
36
AP Connectivity to Cisco WLC
Configuring Management Frame Protection (CLI)
Configuring Management Frame Protection (CLI)
• Enable or disable infrastructure MFP globally for the controller by entering this command:
config wps mfp infrastructure {enable | disable}
• Enable or disable client MFP on a specific WLAN by entering this command:
config wlan mfp client {enable | disable} wlan_id [required ]
If you enable client MFP and use the optional required parameter, clients are allowed to associate only
if MFP is negotiated.
Viewing the Management Frame Protection Settings (CLI)
• See the controller’s current MFP settings by entering this command:
show wps mfp summary
• See the current MFP configuration for a particular WLAN by entering this command:
show wlan wlan_id
• See whether client MFP is enabled for a specific client by entering this command:
show client detail client_mac
• See MFP statistics for the controller by entering this command:
show wps mfp statistics
Note
This report contains no data unless an active attack is in progress. This table is cleared every 5 minutes
when the data is forwarded to any network management stations.
Debugging Management Frame Protection Issues (CLI)
• Use this command if you experience any problems with MFP:
debug wps mfp ? {enable | disable}
where ? is one of the following:
client—Configures debugging for client MFP messages.
capwap—Configures debugging for MFP messages between the controller and access points.
detail—Configures detailed debugging for MFP messages.
report—Configures debugging for MFP reporting.
mm—Configures debugging for MFP mobility (inter-controller) messages.
Cisco Wireless Controller Configuration Guide, Release 8.3
37
AP Connectivity to Cisco WLC
Troubleshooting the Access Point Join Process
Troubleshooting the Access Point Join Process
Access points can fail to join a controller for many reasons such as a RADIUS authorization is pending,
self-signed certificates are not enabled on the controller, the access point and controller’s regulatory domains
do not match, and so on.
Controller software release 5.2 or later releases enable you to configure the access points to send all
CAPWAP-related errors to a syslog server. You do not need to enable any debug commands on the controller
because all of the CAPWAP error messages can be viewed from the syslog server itself.
The state of the access point is not maintained on the controller until it receives a CAPWAP join request from
the access point, so it can be difficult to determine why the CAPWAP discovery request from a certain access
point was rejected. In order to troubleshoot such joining issues without enabling CAPWAP debug commands
on the controller, the controller collects information for all access points that send a discovery message to this
controller and maintains information for any access points that have successfully joined this controller.
The controller collects all join-related information for each access point that sends a CAPWAP discovery
request to the controller. Collection begins with the first discovery message received from the access point
and ends with the last configuration payload sent from the controller to the access point.
You can view join-related information for the following numbers of access points:
When the controller is maintaining join-related information for the maximum number of access points, it does
not collect information for any more access points.
If any of these conditions are met and the access point has not yet joined a controller, you can also configure
a DHCP server to return a syslog server IP address to the access point using option 7 on the server. The access
point then starts sending all syslog messages to this IP address.
Note
The access point joins the controller with a DHCP address from an internal DHCP pool configured on
WLC. When the DHCP lease address is deleted in WLC, the access point reloads with the following
message:
AP Rebooting: Reset Reason - Admin Reload. This is a common behavior in Cisco IOS and Wave 2 APs.
You can also configure the syslog server IP address through the access point CLI, provided the access point
is currently not connected to the controller by entering the capwap ap log-server syslog_server_IP_address
command.
When the access point joins a controller for the first time, the controller pushes the global syslog server IP
address (the default is 255.255.255.255) to the access point. After that, the access point sends all syslog
messages to this IP address, until it is overridden by one of the following scenarios:
• The access point is still connected to the same controller, and the global syslog server IP address
configuration on the controller has been changed using the config ap syslog host global
syslog_server_IP_address command. In this case, the controller pushes the new global syslog server IP
address to the access point.
• The access point is still connected to the same controller, and a specific syslog server IP address has
been configured for the access point on the controller using the config ap syslog host specific Cisco_AP
syslog_server_IP_address command. In this case, the controller pushes the new specific syslog server
IP address to the access point.
Cisco Wireless Controller Configuration Guide, Release 8.3
38
AP Connectivity to Cisco WLC
Configuring the Syslog Server for Access Points (CLI)
• The access point gets disconnected from the controller, and the syslog server IP address has been
configured from the access point CLI using the lwapp ap log-server syslog_server_IP_address command.
This command works only if the access point is not connected to any controller.
• The access point gets disconnected from the controller and joins another controller. In this case, the new
controller pushes its global syslog server IP address to the access point.
Whenever a new syslog server IP address overrides the existing syslog server IP address, the old address is
erased from persistent storage, and the new address is stored in its place. The access point also starts sending
all syslog messages to the new IP address, provided the access point can reach the syslog server IP address.
You can configure the syslog server for access points using the controller GUI and view the access point join
information using the controller GUI or CLI.
When the name of the access point is modified using the config ap name new_name old_name command,
then the new AP name is updated. You can view the new AP name updated in both the show ap join stats
summary all as well as the show ap summary commands.
Note
When an AP in a Release 8.0 image tries to join Cisco WLC, Release 8.3 (having Release 8.2 as the
primary image and Release 8.2.1 as the secondary image on Flash), the AP goes into a perpetual loop.
(Note that the release numbers are used only as an example to illustrate the scenario of three different
images and does not apply to the releases mentioned.) This loop occurs due to version mismatch. After
the download, when the AP compares its image with the Cisco WLC image, there will be a version
mismatch. The AP will start the entire process again, resulting in a loop.
Configuring the Syslog Server for Access Points (CLI)
Step 1
Perform one of the following:
• To configure a global syslog server for all access points that join this controller, enter this command:
config ap syslog host global syslog_server_IP_address
By default, the global syslog server IPv4/IPv6 address for all access points is 255.255.255.255. Make sure
that the access points can reach the subnet on which the syslog server resides before configuring the syslog
server on the controller. If the access points cannot reach this subnet, the access points are unable to send
out syslog messages.
Note
Only one Syslog Server is used for both IPv4 and
IPv6.
• To configure a syslog server for a specific access point, enter this command:
config ap syslog host specific Cisco_AP syslog_server_IP_address
Note
Note
By default, the syslog server IPv4/IPv6 address for each access point is 0.0.0.0, which indicates that the
access point is not yet set. When the default value is used, the global access point syslog server IP address
is pushed to the access point.
Step 2
Enter the save config command to save your changes.
Step 3
See the global syslog server settings for all access points that join the controller by entering this command:
show ap config global
Cisco Wireless Controller Configuration Guide, Release 8.3
39
AP Connectivity to Cisco WLC
Viewing Access Point Join Information
Information similar to the following appears:
AP global system logging host.................... 255.255.255.255
Step 4
See the syslog server settings for a specific access point by entering this command:
show ap config general Cisco_AP
Viewing Access Point Join Information
Join statistics for an access point that sends a CAPWAP discovery request to the controller at least once are
maintained on the controller even if the access point is rebooted or disconnected. These statistics are removed
only when the controller is rebooted or when you choose to clear the statistics.
Viewing Access Point Join Information (GUI)
Step 1
Choose Monitor > Statistics > AP Join to open the AP Join Stats page.
This page lists all of the access points that are joined to the controller or that have tried to join. It shows the radio MAC
address, access point name, current join status, Ethernet MAC address, IP address, and last join time for each access
point.
The total number of access points appears in the upper right-hand corner of the page. If the list of access points spans
multiple pages, you can view these pages by clicking the page number links. Each page shows the join statistics for up
to 25 access points.
Note
Note
Step 2
If you want to remove an access point from the list, hover your cursor over the blue drop-down arrow for that
access point and click Remove.
If you want to clear the statistics for all access points and start over, click Clear Stats on All
APs.
If you want to search for specific access points in the list of access points on the AP Join Stats page, follow these steps
to create a filter to display only access points that meet certain criteria (such as MAC address or access point name).
Note
This feature is especially useful if your list of access points spans multiple pages, preventing you from viewing
them all at once.
a) Click Change Filter to open the Search AP dialog box.
b) Select one of the following check boxes to specify the criteria used when displaying access points:
• MAC Address—Enter the base radio MAC address of an access point.
• AP Name—Enter the name of an access point.
Note
When you enable one of these filters, the other filter is disabled
automatically.
c) Click Find to commit your changes. Only the access points that match your search criteria appear on the AP Join
Stats page, and the Current Filter parameter at the top of the page specifies the filter used to generate the list (for
example, MAC Address:00:1e:f7:75:0a:a0 or AP Name:pmsk-ap).
Cisco Wireless Controller Configuration Guide, Release 8.3
40
AP Connectivity to Cisco WLC
Viewing Access Point Join Information
Note
Step 3
If you want to remove the filter and display the entire access point list, click Clear
Filter.
To see detailed join statistics for a specific access point, click the radio MAC address of the access point. The AP Join
Stats Detail page appears.
This page provides information from the controller’s perspective on each phase of the join process and shows any errors
that have occurred.
Viewing Access Point Join Information (CLI)
Use these CLI commands to see access point join information:
• See the MAC addresses of all the access points that are joined to the controller or that have tried to join
by entering this command:
show ap join stats summary all
• See the last join error detail for a specific access point by entering this command:
show ap join stats summary ap_mac
where ap_mac is the MAC address of the 802.11 radio interface.
Note
To obtain the MAC address of the 802.11 radio interface, enter the show interfaces
Dot11Radio 0 command on the access point.
Information similar to the following appears:
Is the AP currently connected to controller................ Yes
Time at which the AP joined this controller last time...... Aug 21
12:50:36.061
Type of error that occurred last........................... AP got or has
been disconnected
Reason for error that occurred last........................ The AP has
been reset by the controller
Time at which the last join error occurred.............. Aug 21
12:50:34.374
• See all join-related statistics collected for a specific access point by entering this command:
show ap join stats detailed ap_mac
Information similar to the following appears:
Discovery phase statistics
- Discovery requests received..............................
- Successful discovery responses sent......................
- Unsuccessful discovery request processing................
- Reason for last unsuccessful discovery attempt...........
- Time at last successful discovery attempt................
- Time at last unsuccessful discovery attempt..............
2
2
0
Not applicable
Aug 21 12:50:23.335
Not applicable
Join phase statistics
- Join requests received................................... 1
- Successful join responses sent........................... 1
Cisco Wireless Controller Configuration Guide, Release 8.3
41
AP Connectivity to Cisco WLC
Viewing Access Point Join Information
- Unsuccessful join request processing.....................
- Reason for last unsuccessful join attempt................
is pending for the AP
- Time at last successful join attempt.....................
- Time at last unsuccessful join attempt...................
Configuration phase statistics
- Configuration requests received..........................
- Successful configuration responses sent..................
- Unsuccessful configuration request processing............
- Reason for last unsuccessful configuration attempt.......
- Time at last successful configuration attempt............
- Time at last unsuccessful configuration attempt..........
1
RADIUS authorization
Aug 21 12:50:34.481
Aug 21 12:50:34.374
1
1
0
Not applicable
Aug 21 12:50:34.374
Not applicable
Last AP message decryption failure details
- Reason for last message decryption failure............... Not applicable
Last AP disconnect details
- Reason for last AP connection failure.................... The AP has been reset by
the controller
Last join error summary
- Type of error that occurred last......................... AP got or has been
disconnected
- Reason for error that occurred last...................... The AP has been reset by
the controller
- Time at which the last join error occurred............... Aug 21 12:50:34.374
• Clear the join statistics for all access points or for a specific access point by entering this command:
clear ap join stats {all | ap_mac}
Cisco Wireless Controller Configuration Guide, Release 8.3
42
Was this manual useful for you? yes no
Thank you for your participation!

* Your assessment is very important for improving the work of artificial intelligence, which forms the content of this project

Download PDF

advertisement