Windows Tuning

All Windows versions:

Show extensions of known file types:

ext.vbs:

' Show extensions of known file types: set HideFileExt = 0 through the WMI StdRegProv registry provider
HKEY_CURRENT_USER = &H80000001
strComputer = "."
Set objReg = GetObject("winmgmts:\\" & strComputer & "\root\default:StdRegProv")
strKeyPath = "Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
' Create the key if it is missing, then write the DWORD value
objReg.CreateKey HKEY_CURRENT_USER, strKeyPath
ValueName = "HideFileExt"
dwValue = 0
objReg.SetDWORDValue HKEY_CURRENT_USER, strKeyPath, ValueName, dwValue

Always show all icons and notifications in tray:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer!EnableAutoTray=0

Make Windows search inside file contents (two ways):

Type "content:" into the search bar. Anything typed after this prefix is used as a content search term.

Search for Indexing Options in Start,
go to Advanced,
select the "Index Properties and File Contents" option,
add the needed file extensions if they are absent from the list.

Go to Folder and Search Options,
on the "Search" tab, select the "Always search file names and contents" option.

Windows Server 2012:

Enable display of disk activity in Task Manager:
diskperf -Y
https://blogs.technet.microsoft.com/canitpro/2013/12/02/step-by-step-enabling-disk-performance-counters-in-windows-server-2012-r2-task-manager/

Disable Narrator forever (Windows + Enter hotkey):

Open regedit.exe.
Create the following key.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Narrator.exe
In that key, create a new string value named Debugger and assign it the value %1.

Disable text/ink collection:

HKLM\SOFTWARE\Policies\Microsoft\InputPersonalization RestrictImplicitTextCollection REG_DWORD 1
HKLM\SOFTWARE\Policies\Microsoft\InputPersonalization RestrictImplicitInkCollection REG_DWORD 1

Disable “This app is preventing shutdown”:

HKEY_USERS\.DEFAULT\Control Panel\Desktop
Create a new string value "AutoEndTasks" with value "1", or do the same from the command line:

reg add "HKEY_USERS\.DEFAULT\Control Panel\Desktop" /v AutoEndTasks /t REG_SZ /d 1

Change user appearance settings via one .reg file:

Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Control Panel\Desktop]
"UserPreferencesMask"=hex:00,20,04,00,80,00,00,00

In this example everything is disabled except: Peek, Thumbnail previews, Thumbnails instead of icons, Translucent selection rectangle, Window contents, Smooth edges, Drop shadows icons.

There is a UserPreferencesMask calculator tool, but it does not work on Windows versions newer than 7:
https://www.silisoftware.com/tools/tweakui.php

There is also a complete list of the registry values for each feature:
https://www.bleepingcomputer.com/forums/t/416401/advanced-system-settings-performance-to-all-user-accounts/#entry3467731

Enable Office automatic updates (two values in the same key):

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Office\15.0\Common\OfficeUpdate]
"EnableAutomaticUpdates"=dword:00000000
"HideEnableDisableUpdates"=dword:00000000
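Added example, not from these notes: a Python parser for the .reg export format used above, an audit of the values the notes set (HideFileExt and the two InputPersonalization values), and a check that lists every Image File Execution Options entry carrying a Debugger value, the mechanism the Narrator trick relies on. SAMPLE_REG is a constructed export; the expected values are the ones given in the notes.

```python
import re
def _parse_value(rhs):
    if len(rhs) >= 2 and rhs[0] == rhs[-1] == '"':  # "string", with \" and \\ escapes
        return ("REG_SZ", re.sub(r"\\(.)", r"\1", rhs[1:-1]))
    if rhs.startswith("dword:"):
        return ("REG_DWORD", int(rhs[6:], 16))
    if rhs.startswith("hex:"):
        return ("REG_BINARY", bytes(int(b, 16) for b in rhs[4:].split(",") if b.strip()))
    raise ValueError(f"unsupported value syntax: {rhs}")

def parse_reg(text):
    """Return {key: {name: (type, value)}}; key and value names are lower-cased (the registry is case-insensitive)."""
    data, key, pending = {}, None, ""
    for raw in text.splitlines():
        line, pending = pending + raw.strip(), ""
        if line.endswith("\\"):  # hex: data continues on the next line
            pending = line[:-1]
            continue
        if not line or line[0] == ";" or line.startswith("Windows Registry Editor"):
            continue
        if line[0] == "[" and line[-1] == "]":
            data.setdefault(key := line[1:-1].lower(), {})
            continue
        name, _, rhs = line.partition("=")
        name = "(default)" if name == "@" else name.strip('"').lower()
        data[key][name] = _parse_value(rhs)  # KeyError if a value precedes any [key]
    return data

# Settings from the notes above: (key, value name, type, expected value).
EXPECTED = [
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "HideFileExt", "REG_DWORD", 0),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\InputPersonalization", "RestrictImplicitTextCollection", "REG_DWORD", 1),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\InputPersonalization", "RestrictImplicitInkCollection", "REG_DWORD", 1),
]

def audit(reg, expected=EXPECTED):
    """Return {value name: 'ok' | 'missing' | 'mismatch:<actual>'} for each expected setting."""
    result = {}
    for key, name, vtype, want in expected:
        have = reg.get(key.lower(), {}).get(name.lower())
        result[name] = "missing" if have is None else "ok" if have == (vtype, want) else f"mismatch:{have[1]}"
    return result

def ifeo_debuggers(reg):
    """Every Image File Execution Options entry with a 'Debugger' value (the Narrator trick above is one)."""
    found = {}
    for key, values in reg.items():
        _, sep, exe = key.partition("\\image file execution options\\")
        if sep and exe and "debugger" in values:
            found[exe] = values["debugger"][1]  # such a value silently redirects that program's launch
    return found

# Constructed sample export: one value wrong, one correct, one absent, plus a multi-line hex value.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\InputPersonalization]
"RestrictImplicitTextCollection"=dword:00000001
[HKEY_CURRENT_USER\Control Panel\Desktop]
"UserPreferencesMask"=hex:00,20,04,00,\
  80,00,00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Narrator.exe]
"Debugger"="%1"
'''
```

Run `audit(parse_reg(open("export.reg").read()))` against a real `reg export` to compare a machine with the notes; `ifeo_debuggers` on the same export shows every redirected executable, not only Narrator.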

Show the product (license) key stored in the BIOS/UEFI:
https://www.kiloroot.com/how-to-get-your-windows-activation-key-from-uefi-bios/

In PowerShell:
wmic path softwarelicensingservice get oa3xoriginalproductkey

Create a persistent drive from a folder:
https://superuser.com/a/217621
https://superuser.com/questions/1734542/how-to-change-the-drive-label-after-mapping-a-drive-letter-to-a-folder
https://en.wikipedia.org/wiki/SUBST

Add a drive from a folder:
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\DOS Devices" /v X: /t REG_SZ /d "\??\C:\DirectoryName" /f

Configure the new drive's volume label:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\X\DefaultLabel\
(Default) = Your Drive Label

Change environment variables in Group Policy:

https://technet.microsoft.com/en-us/library/cc772047(v=ws.11).aspx

Open the Group Policy Management Console. Right-click the Group Policy object (GPO) that should contain the new preference item, and then click Edit.

In the console tree under Computer Configuration or User Configuration, expand the Preferences folder, and then expand the Windows Settings folder.

Right-click the Environment node, point to New, and select Environment Variable.

Change user profile location in Regedit:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
Set the needed location in the "ProfilesDirectory" value.

Delete hiberfil.sys from C:

powercfg /h off

Disable Last Access Timestamp (NTFS):
https://www.tenforums.com/tutorials/139015-enable-disable-ntfs-last-access-time-stamp-updates-windows-10-a.html

See the current status of Last Access Time updates:
fsutil behavior query disablelastaccess

Set one of the four modes:
(User Managed, Last Access Time Updates Enabled)
fsutil behavior set disablelastaccess 0
(User Managed, Last Access Time Updates Disabled)
fsutil behavior set disablelastaccess 1
(Default – System Managed, Last Access Time Updates Enabled)
fsutil behavior set disablelastaccess 2
(System Managed, Last Access Time Updates Disabled)
fsutil behavior set disablelastaccess 3

Keep in mind that disabling the updates also removes a timestamp that file-system forensics relies on.

Windows GPO

Remove Apps from Start:
https://social.technet.microsoft.com/Forums/en-US/b694628c-0f34-419c-873c-8c5163a5261a/how-do-i-remove-all-programs-from-appearing-in-start-menu?forum=windowssteadystate

Change registry via reg file via GPO:
https://blogs.technet.microsoft.com/askds/2007/08/14/deploying-custom-registry-changes-through-group-policy/

Lock screen timeout:
Computer Config > Policies > Windows Settings > Security Settings > Local Policies > Security Options, then find Interactive logon: Machine inactivity limit

Screen saver config:
User Config > Admin. Templates > Control Panel > Personalization
Enable screen saver
Prevent changing screen saver
Password protect the screen saver
Screen saver timeout
Force specific screen saver

https://community.spiceworks.com/topic/1416384-gpo-to-lock-the-computer-after-10-minutes-of-inactivity

Disable user confirmation when shadowing a user's session:

Local Group Policy – Administrative Templates – Windows Components – Remote Desktop Services – Remote Desktop Session Host – Connections

Choose: Set rules for remote control of Remote Desktop Services user sessions

https://community.spiceworks.com/topic/478662-rdp-disable-the-please-wait-for-user-to-respond-prompt

Enable or disable displaying file extensions (Active Directory only):

https://www.dtonias.com/show-hide-extensions-for-known-file-types/123

User Configuration – Preferences – Control Panel Settings – Folder Options
Here, right-click Folder Option and then click Folder Options (At least Windows Vista) in the New menu.
In the folder settings window that opens, uncheck Hide extensions for known file types on the Advanced tab. Click OK to save the Group Policy setting and then apply it through the Group Policy Management Console.

Allow user to log in locally:

Policy/Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc785165(v=ws.10)

Folder Redirection HowTo:
https://www.grouppolicy.biz/2010/08/best-practice-roaming-profiles-and-folder-redirection-a-k-a-user-virtualization/

Manage an LSI RAID controller installed in a server running ESXi from Windows

For example, we want to monitor a MegaRAID SAS 9341-4i:

LSI Software:
https://www.broadcom.com/products/storage/raid-controllers/megaraid-sas-9341-4i#downloads

On ESXi:
– Download the VMware driver (usually from the VMware site)
– Download the SMIS provider
– Enter Maintenance Mode
– Set Host Image Profile Acceptance Level to Community in the Security configuration.
– Install the driver: esxcli software vib install -v /vmfs/volumes/VOLUME-NAME/DRV-DIR-NAME/DRV-NAME.vib --no-sig-check
– Reboot.
– Install the SMIS provider: esxcli software vib install -v /vmfs/volumes/VOLUME-NAME/DRV-DIR-NAME/SMIS-NAME.vib --no-sig-check
– Reboot.
– Check that everything installed fine: esxcli software vib list | grep -i lsi
– Check that the LSI RAID appeared under Health Status in vSphere Client or Web Client.
– Exit Maintenance Mode.
– Check that the CIM Server is started in the Security Profile; also check its startup policy.
– Check the CIM Server port.
– Check or set the host name in DNS and Routing.
Note that the Community acceptance level and --no-sig-check bypass VIB signature verification, so take the VIBs only from the vendor's download pages.

On Windows:
– Download and install the latest MegaRAID Storage Manager (MSM)
– Configure the ESXi server's A record in DNS or write it to the hosts file.
– Start MSM and set "Display all the ESXi-CIMOM…" in Configure Host.
– Enter the ESXi server's IP and start discovery.

Troubleshooting:
– ping the ESXi host to be sure it is reachable on the network
– download the SLP Helper utility and set the ESXi host's IP in slp_helper.php

HOWTOs:
https://habrahabr.ru/company/simnetworks/blog/241605/
https://pyatilistnik.org/kak-ustanovit-megaraid-smis-providers-na-vmware-esxi-5-5/
https://bogachev.biz/2015/09/08/Установка-MegaRAID-SMIS-Providers-на-VMware-ESXi-5-5/
https://serenity-networks.com/how-to-install-lsi-megaraid-storage-manager-msm-on-vmware-esxi-5-5/

Troubleshooting:
“Unable to connect to CIMOM server” in MSM

Cisco Wireless

Configure a Cisco wireless AP as a controller (Mobility Express)

https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-2/b_Mobility_Express_Deployment_guide/b_Mobility_Express_Deployment_guide_chapter_01.html

Cisco WLC 2504 configuration

https://ciscomaster.ru/content/nastroyka-cisco-wlc-2504
https://habr.com/ru/post/148903/
https://telecom-sales.ru/content/stati/nastrojka-kontrollera-besprovodnoj-seti-cisco-air-ct2504/
Compatibility: https://www.cisco.com/c/en/us/td/docs/wireless/controller/release/notes/crn85mr8.html#supported-aps

Virtual Wireless LAN Controller Deployment Guide

https://www.cisco.com/c/en/us/td/docs/wireless/technology/mesh/8-2/b_Virtual_Wireless_LAN_Controller_Deployment_Guide_8-2.html
Set AP Mode to FlexConnect on each AP
Disable WLANs > WLAN NAME > Advanced > FlexConnect Local Switching if you are planning to use different VLANs for different WLANs

Flexconnect APs description and deployment with vWLC

https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-5/config-guide/b_cg85/flexconnect.html#flexconnect-overview

Dynamic VLAN Assignment with WLCs based on ISE to Active Directory Group Mapping Configuration

https://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/99121-vlan-acs-ad-config.html

https://netconfigure.net/index.php/ru/forum/12-konfiguratsiya-setevogo-oborudovaniya/182-nastrojka-cisco-wlc-flex-connect-h-reap-dynamic-vlan-assignment-microsoft-nps-radius

Cisco Aironet 2700 Series Access Points LED indication:

https://www.cisco.com/c/en/us/td/docs/wireless/access_point/2700/quick/guide/ap2700getstart.html#pgfId-37791

Easy, affordable and useful Wi-Fi lab:

https://habr.com/ru/post/352864/

Reset AP to factory defaults:

https://integratingit.wordpress.com/2018/07/01/reset-cisco-ap-to-factory-defaults/
Connect the console cable
Unplug the power or network cable if connected to a PoE switch
Press and hold the Mode button
Plug the power back into the AP
Wait until the output on the console says "button is pressed. Wait for button to be released…"
Once that message is displayed release the button and allow the AP to boot
You should now be at the ap: prompt
Enter the command delete flash:private-multiple-fs
Press y when prompted
Type reset to reboot the AP
After the AP has rebooted login to the AP using the default username and password (the password is case sensitive)
Username: Cisco
Password: Cisco
The enable password is the same password.
Once logged in, the hostname of the AP should be the MAC address
On the WLC WebGUI, under the AP Join Stats you should be able to confirm that the MAC address of the AP is Joined.
If you do have CLI access to an AP but wish to reset its configuration, use either of the two commands below depending on the device mode (CAPWAP/LWAPP):
clear capwap private-config
clear lwapp private-config
reset

Cisco Wireless Solutions Software Compatibility Matrix:

https://www.cisco.com/c/en/us/td/docs/wireless/compatibility/matrix/compatibility-matrix.html

Converting Cisco Wireless Access Point from Lightweight Mode to Autonomous Mode and Vice Versa:

https://itthatshouldjustwork.blogspot.com/2015/08/convert-cisco-1702i-ap-to-autonomous.html
https://www.speaknetworks.com/converting-cisco-wireless-access-point-lightweight-mode-autonomous-mode-vice-versa/
https://www.cisco.com/en/US/docs/switches/lan/catalyst3850/software/release/3.2_0_se/multibook/configuration_guide/b_multibook_config_guide_wireless_3850_chapter_01101.pdf

Activate Cisco e-licenses on a wireless controller

https://web.archive.org/web/20170708123126/https://www.cisco.com/c/en/us/td/docs/wireless/controller/7-0/configuration/guide/c70/c70ccfg.html

Automate wireless AP check and recovery

https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/213317-understanding-various-ap-ios-flash-corru.html

Upload an IOS image to the AP via TFTP

Connect the console cable to the AP
Push the reset button
Connect the PoE Ethernet cable or power source to the AP
Hold the reset button for 20 seconds until the AP's LED shines amber.

On the AP:

Initialize the subsystems:
flash_init
ether_init
tftp_init

Upload the IOS image:
tar -xtract tftp://10.0.0.2/ap3g2-rcvk9w8-tar.default flash:

Set the boot path:
boot=flash:/ap3g2-rcvk9w8-mx

Understand AP Radio Reset Codes

https://www.cisco.com/c/en/us/support/docs/wireless/aironet-3700-series/117869-technote-ap-00.html

AP fails to see the WLC

https://community.cisco.com/t5/wireless/joining-ap-to-vwlc/td-p/3353624
If everything is configured fine (the AP is in the same VLAN as the WLC's management interface, they can see each other, and the DHCP server can see them both), you probably need to configure DHCP option 43 on your DHCP server to show the AP the MAC of the WLC's management interface.
For pfSense do it as in the link below:
https://tcpip.wtf/en/unifi-l3-adoption-with-dhcp-option-43-on-pfsense-mikrotik-and-others.htm
In the DHCP server configuration for the selected interface, under Additional BOOTP/DHCP Options, configure Option 43, type String, value: the WLC's management interface MAC.

AP stuck at "%CAPWAP-5-SENDJOIN: sending Join Request to" with vWLC

https://community.cisco.com/t5/wireless/ap-stuck-in-join-request-vwlc/td-p/3860310
Go to Management > Software Activation > Licenses and accept the EULA

Some useful info:

Show CAPWAP errors in the WLC console: debug capwap errors enable

Aironet IE contains information, such as the access point name, load, number of associated clients, and so on sent out by the access point in the beacon and probe responses of the WLAN. CCX clients use this information to choose the best access point with which to associate. https://community.cisco.com/t5/wireless/what-is-aironet-ie-i-have-my-clients-disconnected-from-when/m-p/2806028/highlight/true#M6027

Configure an autonomous AP with WLANs directed to VLANs and the management interface available on the same physical G0 port:

On Switch:

interface GigabitEthernetX
description ACCESSPOINT
switchport trunk native vlan MANAGEMENT-VLAN-ID
switchport trunk allowed vlan XXX,YYY,AAA,BBB,MANAGEMENT-VLAN-ID
switchport mode trunk
no ip address

On AP:

interface GigabitEthernet0
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0.XXX
encapsulation dot1Q XXX
bridge-group XXX
bridge-group XXX spanning-disabled
no bridge-group XXX source-learning
!
interface GigabitEthernet0.MANAGEMENT-VLAN-ID
encapsulation dot1Q MANAGEMENT-VLAN-ID native
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
!
interface GigabitEthernet0.YYY
encapsulation dot1Q YYY
bridge-group YYY
bridge-group YYY spanning-disabled
no bridge-group YYY source-learning
!
interface GigabitEthernet0.AAA
encapsulation dot1Q AAA
bridge-group AAA
bridge-group AAA spanning-disabled
no bridge-group AAA source-learning
!
interface GigabitEthernet0.BBB
encapsulation dot1Q BBB
bridge-group BBB
bridge-group BBB spanning-disabled
no bridge-group BBB source-learning
!
interface BVI1
!You may specify the MAC to identify the AP in the firewall
mac-address xxxx.yyyy.aaaa
!IP address of the AP in the management VLAN
ip address MMM.MMM.MMM.MMM 255.255.255.MMM
!
!Default gateway in the management VLAN
ip default-gateway MMM.MMM.MMM.MMM
ip forward-protocol nd
ip http server
ip http secure-server
!IP routing is needed for the AP to be able to reach hosts outside the management VLAN
bridge 1 route ip
ip routing
ip route 0.0.0.0 0.0.0.0 MMM.MMM.MMM.MMM
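Added example, not from these notes: a Python generator for the switch trunk and AP bridging configuration above, fed from a VLAN list. It goes beyond the placeholders above in two ways: bridge-group numbers are allocated separately from VLAN IDs, because IOS bridge-groups run only 1-255 while VLAN IDs run to 4094, and only the HTTPS management server is emitted. The ApSite values and the switch port name are constructed assumptions.

```python
from dataclasses import dataclass

MAX_BRIDGE_GROUP = 255  # IOS bridge-group numbers are 1-255, so a VLAN id above 255 cannot double as one
MAX_VLAN_ID = 4094

@dataclass
class ApSite:
    mgmt_vlan: int
    data_vlans: list
    mgmt_ip: str
    mask: str
    gateway: str
    mac: str = ""  # optional fixed BVI MAC so a firewall can identify the AP

def bridge_groups(mgmt_vlan, data_vlans):
    """Map each VLAN to a bridge-group: management is always 1 (BVI1), the rest count up from 2."""
    vlans = [mgmt_vlan, *data_vlans]
    if len(set(vlans)) != len(vlans):
        raise ValueError("VLAN ids must be unique and the management VLAN must not also be a data VLAN")
    if any(not 1 <= v <= MAX_VLAN_ID for v in vlans):
        raise ValueError(f"VLAN id outside 1-{MAX_VLAN_ID}")
    if len(vlans) > MAX_BRIDGE_GROUP:
        raise ValueError(f"at most {MAX_BRIDGE_GROUP} bridge groups per AP")
    return {mgmt_vlan: 1, **{v: n for n, v in enumerate(sorted(data_vlans), start=2)}}

def switch_config(site, port="GigabitEthernet1/0/1"):
    """Trunk facing the AP; the management VLAN is native because the AP's BVI traffic is untagged."""
    groups = bridge_groups(site.mgmt_vlan, site.data_vlans)  # validates the VLAN list
    allowed = ",".join(str(v) for v in sorted(groups))
    return "\n".join([f"interface {port}", " description ACCESSPOINT",
                      f" switchport trunk native vlan {site.mgmt_vlan}",
                      f" switchport trunk allowed vlan {allowed}", " switchport mode trunk", " no ip address"])

def ap_config(site):
    """One dot1Q sub-interface per VLAN, each in its own bridge-group, BVI1 in the management VLAN."""
    groups = bridge_groups(site.mgmt_vlan, site.data_vlans)
    lines = ["interface GigabitEthernet0", " no ip address", " duplex auto", " speed auto", "!"]
    for vlan, group in sorted(groups.items(), key=lambda kv: kv[1]):  # management (group 1) first
        native = " native" if group == 1 else ""
        lines += [f"interface GigabitEthernet0.{vlan}", f" encapsulation dot1Q {vlan}{native}",
                  f" bridge-group {group}", f" bridge-group {group} spanning-disabled",
                  f" no bridge-group {group} source-learning", "!"]
    lines += ["interface BVI1"] + ([f" mac-address {site.mac}"] if site.mac else [])
    lines += [f" ip address {site.mgmt_ip} {site.mask}", "!", f"ip default-gateway {site.gateway}",
              "ip forward-protocol nd", "ip http secure-server",  # HTTPS only; plain 'ip http server' is left out
              "bridge 1 route ip", "ip routing", f"ip route 0.0.0.0 0.0.0.0 {site.gateway}"]
    return "\n".join(lines)

# Constructed example: management VLAN 10 and WLAN VLANs 20 and 300; 300 exceeds the bridge-group
# range, which is why bridge-groups are numbered independently of the VLAN ids here.
SITE = ApSite(mgmt_vlan=10, data_vlans=[300, 20], mgmt_ip="10.0.10.5", mask="255.255.255.0",
              gateway="10.0.10.1", mac="0011.2233.4455")
```

`print(switch_config(SITE))` and `print(ap_config(SITE))` produce the two snippets to paste; the matching Dot11Radio sub-interfaces for the SSIDs must use the same bridge-group numbers.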

AP fails to join WLC: "Reason for last AP connection failure: DTLS handshake expired" on the WLC, or "DTLS close alert from peer" or "Failed to authorize controller, SSC certificate validation failed" on the AP

https://networkphil.com/2019/08/06/troubleshooting-dtls-handshake-error-joining-cisco-2702i-access-point-to-9800-wireless-controller/
I was moving from vWLC to C9800 and my APs were failing to join.
First I checked the compatibility list, but according to it all was good;
Then I tried to change the clock to 2 DEC 2022 (that advice is the most popular), but with no luck: the AP said that the certificate date is not yet valid.
I was preparing to start clearing the AP flash and downloading some firmware that could fit the C9800 WLC, but suddenly found a site describing a similar experience.
My advice is: ignore everything except clear lwapp private-config on the AP.
wireless config vwlc-ssc key-size 2048 signature-algo sha256 password [password] contains an error: you must type 7 (or another digit) before your password. After you hit that command you will not be able to access the web admin panel because of a certificate error, so the only way is to reload the WLC without saving the config.

Windows PC not connecting to a known Wi-Fi network after reboot:

When a Windows PC can't connect to a known wireless network after a reboot and the AP says:
%DOT11-4-MAXRETRIES: Packet to client reached max retries, removing the client
the Windows PC probably did not disconnect from that wireless network properly before the reboot and its session is still active on the AP.
You can try to configure a session timeout lower than the default to fix this behavior:
int Dot11Radio0
packet retries 16 drop-packet
int Dot11Radio1
packet retries 16 drop-packet

vWLC doesn't see the AP in the same subnet and the AP doesn't see the vWLC:

When you configure vWLC on ESXi you MUST set ALL VLANs (4095) on the port group that connects the vWLC's management interface AND you must allow ALL VLANs on the switch (just do not use switchport trunk allowed vlan).
If you set only allowed VLANs on the switchport you will get DTLS_CLIENT_ERROR: ../capwap/base_capwap/dtls/base_capwap_dtls_connection_db.c:2214 Max retransmission count reached for Connection on the AP.

AP doesn't associate with vWLC because of obsolete certificates:

config certificate ssc hash validation disable
config ap cert-expiry-ignore mic enable
config ap cert-expiry-ignore ssc enable
These commands turn off SSC hash validation and certificate expiry checks, which weakens the AP's authentication of the controller, so treat them as a temporary workaround rather than a permanent setting.

Wi-Fi network doesn't work on the clients' devices and the switches don't see the clients' MACs in the ARP table:

https://www.cisco.com/c/en/us/td/docs/wireless/technology/mesh/8-2/b_Virtual_Wireless_LAN_Controller_Deployment_Guide_8-2.html
When you configure:
– vWLC on ESXi
– many WLANs, each in a separate VLAN
and your clients get an IP from DHCP and can ping the controller's IP in their VLAN, but cannot ping the gateway and anything behind it, you probably missed the vSwitch security configuration:
Allow Promiscuous Mode
Allow MAC Address Changes
Allow Forged Transmits
Apply these on the port group the vWLC uses rather than on the whole vSwitch, so that other VMs keep the default restrictions.

Cisco Catalyst 9800-CL Wireless Controller for Cloud Deployment Guide:

https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/technical-reference/c9800-cl-dg.html

Ekahau info:

https://habr.com/ru/articles/448180/

Local admin in a domain network & Add custom limited rights to an admin in the domain

Local admin in a domain network:
GPO:
Computer configuration – Windows settings – Security settings – Restricted groups – Add Group – choose the group with admins – add "Administrators" in the "This group is a member of" field.

https://zona.su/2009/01/restricted-groups-remote-desktop.html
https://windowsnotes.ru/windows-server-2008/dobavlyaem-domennyx-polzovatelej-v-lokalnuyu-gruppu-bezopasnosti/

It would be nice to figure out how to grant admin rights on specific servers or workstations, or on groups of them. That is, this user is an admin on server 1 and computer group A, while that one is an admin on servers 2, 3 and 4 and computer group B.

Add custom limited rights to an admin in the domain

Basics:
Go to AD – Users and Computers
Right-click the domain (or a specific OU, if only that OU needs to be administered).
Delegate control
Select the group or user
Assign the needed rights

Awesome panoramas

I will collect these here not just for fun, but in the hope of visiting them:
Egypt, Hurghada
Anticosti National Park in Canada
Yanarakhu, Peru
Statue of Christ in Rio
Cascada Șerbota in Romania, in the Carpathians
Rocky beach near Porto Covo
North-Eastern Highway, Kamchatka Krai
Ust-Koksinsky District, as part of a big trip to the Altai
Kelan and its surroundings