Cisco OL-17037-01 User Manual

Chapter 7 Controlling Lightweight Access Points
This chapter describes the Cisco lightweight access points and explains how to connect them to the controller and manage access point settings. It contains these sections:
Access Point Communication Protocols, page 7-2
Configuring Global Credentials for Access Points, page 7-5
Configuring Authentication for Access Points, page 7-9
Embedded Access Points, page 7-14
Autonomous Access Points Converted to Lightweight Mode, page 7-16
Cisco Workgroup Bridges, page 7-34
Configuring Backup Controllers, page 7-41
Configuring Failover Priority for Access Points, page 7-46
Configuring Country Codes, page 7-49
Migrating Access Points from the -J Regulatory Domain to the -U Regulatory Domain, page 7-55
Using the W56 Band in Japan, page 7-58
Dynamic Frequency Selection, page 7-58
Optimizing RFID Tracking on Access Points, page 7-59
Configuring Probe Request Forwarding, page 7-62
Retrieving the Unique Device Identifier on Controllers and Access Points, page 7-63
Performing a Link Test, page 7-64
Configuring Link Latency, page 7-67
Configuring Power over Ethernet, page 7-70
Configuring Flashing LEDs, page 7-74
Viewing Clients, page 7-74
Cisco Wireless LAN Controller Configuration Guide
7-1

Access Point Communication Protocols
In controller software release 5.2 or later, Cisco lightweight access points use the IETF standard Control and Provisioning of Wireless Access Points protocol (CAPWAP) for communication between the controller and the lightweight access points on the network. Controller software releases prior to 5.2 use the Lightweight Access Point Protocol (LWAPP) for these communications.
CAPWAP, which is based on LWAPP, is a standard, interoperable protocol that enables a controller to manage a collection of wireless access points. CAPWAP is being implemented in controller software release 5.2 for these reasons:
To provide an upgrade path from Cisco products that use LWAPP to next-generation Cisco products that use CAPWAP
To manage RFID readers and similar devices
To enable controllers to interoperate with third-party access points in the future
LWAPP-enabled access points can discover and join a CAPWAP controller, and conversion to a CAPWAP controller is seamless. For example, the controller discovery process and the firmware downloading process when using CAPWAP are the same as when using LWAPP. The one exception is for Layer 2 deployments, which are not supported by CAPWAP.
You can deploy CAPWAP controllers and LWAPP controllers on the same network. The CAPWAP-enabled software allows access points to join either a controller running CAPWAP or LWAPP. The only exception is the Cisco Aironet 1140 Series Access Point, which supports only CAPWAP and therefore joins only controllers running CAPWAP. For example, an 1130 series access point can join a controller running either CAPWAP or LWAPP whereas an 1140 series access point can join only a controller running CAPWAP.

Guidelines for Using CAPWAP

Follow these guidelines when using CAPWAP:
If your firewall is currently configured to allow traffic only from access points using LWAPP, you must change the rules of the firewall to allow traffic from access points using CAPWAP.
Make sure that the CAPWAP UDP ports 5246 and 5247 (similar to the LWAPP UDP ports 12222 and 12223) are enabled and are not blocked by an intermediate device that could prevent an access point from joining the controller.
If access control lists (ACLs) are in the control path between the controller and its access points, you need to open new protocol ports to prevent access points from being stranded.
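As an added illustration of the ACL guideline above (example code written for this page, not part of the Cisco guide), the following Python snippet audits a constructed IOS-style extended ACL for the CAPWAP UDP ports and prints the access control entries still missing. The ACL text, the controller address 10.10.10.15 and the helper names are assumptions made for the example; the parser understands only the `permit|deny <proto> ... eq <port>` form of an entry, stops at an explicit `deny ip any any` because nothing after it is reachable, and evaluates entries first-match, which is how IOS evaluates ACLs.

```python
import re

# UDP ports from the guideline: CAPWAP control/data and the older LWAPP pair.
CAPWAP_PORTS = {5246: "CAPWAP control", 5247: "CAPWAP data"}
LWAPP_PORTS = {12222: "LWAPP control", 12223: "LWAPP data"}

# Constructed sample ACL (not from the guide): written for LWAPP-era controllers,
# with only one of the two CAPWAP ports opened so far.
SAMPLE_ACL = """\
ip access-list extended WLC-CONTROL-PATH
 permit udp any host 10.10.10.15 eq 12222
 permit udp any host 10.10.10.15 eq 12223
 permit udp any host 10.10.10.15 eq 5246
 deny ip any any
"""

# Matches only the "eq <port>" form of an access control entry; ranges and
# object groups are outside this example's scope.
ACE = re.compile(r"^\s*(permit|deny)\s+(udp|ip)\s+(.+?)\s+eq\s+(\d+)\s*$")
DENY_ALL = re.compile(r"^\s*deny\s+ip\s+any\s+any\s*$")


def udp_port_decisions(acl_text):
    """Return {port: 'permit'|'deny'} using first-match semantics, as IOS evaluates ACLs."""
    decided = {}
    for line in acl_text.splitlines():
        if DENY_ALL.match(line):
            break  # entries after an explicit deny-all are unreachable
        m = ACE.match(line)
        if not m:
            continue  # the name line, remarks and non-port entries are skipped
        action, _proto, _addrs, port = m.groups()
        decided.setdefault(int(port), action)  # the first matching entry wins
    return decided


def capwap_gaps(acl_text):
    """Ports that APs need for CAPWAP but that the ACL does not permit."""
    decided = udp_port_decisions(acl_text)
    return [p for p in sorted(CAPWAP_PORTS) if decided.get(p) != "permit"]


def lwapp_still_open(acl_text):
    """LWAPP ports still permitted; needed as long as LWAPP controllers remain on the network."""
    decided = udp_port_decisions(acl_text)
    return [p for p in sorted(LWAPP_PORTS) if decided.get(p) == "permit"]


def missing_aces(acl_text, controller_ip):
    """Entries to add, before the final deny, so that the CAPWAP ports are permitted."""
    return [f" permit udp any host {controller_ip} eq {p}" for p in capwap_gaps(acl_text)]


if __name__ == "__main__":
    for port in capwap_gaps(SAMPLE_ACL):
        print(f"missing: {CAPWAP_PORTS[port]} (UDP {port})")
    print("add before 'deny ip any any':")
    print("\n".join(missing_aces(SAMPLE_ACL, "10.10.10.15")))
```

Run against a copy of the real ACL pulled from `show running-config`, the same check tells you before the cutover whether an access point would be stranded; the LWAPP entries stay as long as any controller on the network still runs LWAPP.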

The Controller Discovery Process

In a CAPWAP environment, a lightweight access point discovers a controller by using CAPWAP discovery mechanisms and then sends the controller a CAPWAP join request. The controller sends the access point a CAPWAP join response allowing the access point to join the controller. When the access point joins the controller, the controller manages its configuration, firmware, control transactions, and data transactions.
Upgrade and downgrade paths from LWAPP to CAPWAP or from CAPWAP to LWAPP are supported. An access point with an LWAPP image starts the discovery process in LWAPP. If it finds an LWAPP controller, it starts the LWAPP discovery process to join the controller. If it does not find an LWAPP controller, it starts the discovery in CAPWAP. If the number of times that the discovery process starts with one discovery type (CAPWAP or LWAPP) exceeds the maximum discovery count and the access point does not receive a discovery response, the discovery type changes to the other type. For example, if the access point does not discover the controller in LWAPP, it starts the discovery process in CAPWAP.
Note If an access point is in the UP state and its IP address changes, the access point tears down the existing CAPWAP tunnel and rejoins the controller. In previous software releases, the access point notifies the controller, and the session continues with the changed IP address without tearing down the session.
Note You must install software release 4.0.155.0 or later on the controller before connecting 1100 and 1300 series access points to the controller. The 1120 and 1310 access points were not supported prior to software release 4.0.155.0.
Note The Cisco controllers cannot edit or query any access point information using the CLI if the name of the access point contains a space.
Note Make sure that the controller is set to the current time. If the controller is set to a time that has already occurred, the access point might not join the controller because its certificate may not be valid for that time.
Access points must be discovered by a controller before they can become an active part of the network. The lightweight access points support these controller discovery processes:
Layer 3 CAPWAP or LWAPP discovery—Can occur on different subnets from the access point and uses IP addresses and UDP packets rather than the MAC addresses used by Layer 2 discovery.
Over-the-air provisioning (OTAP)—This feature is supported by Cisco 4400 series controllers. If this feature is enabled on the controller (on the controller General page), all associated access points transmit wireless CAPWAP or LWAPP neighbor messages, and new access points receive the controller IP address from these messages. This feature is disabled by default and should remain disabled when all access points are installed.
Note You can find additional information about OTAP at this link:
http://www.ciscosystems.com/en/US/products/ps6366/products_tech_note09186a008093d74a.shtml
Locally stored controller IP address discovery—If the access point was previously associated to a controller, the IP addresses of the primary, secondary, and tertiary controllers are stored in the access point’s non-volatile memory. This process of storing controller IP addresses on an access point for later deployment is called priming the access point.
DHCP server discovery—This feature uses DHCP option 43 to provide controller IP addresses to the access points. Cisco switches support a DHCP server option that is typically used for this capability. For more information about DHCP option 43, see the “Using DHCP Option 43 and DHCP Option 60” section on page 7-24.
DNS discovery—The access point can discover controllers through your domain name server (DNS). For the access point to do so, you must configure your DNS to return controller IP addresses in response to CISCO-LWAPP-CONTROLLER.localdomain, where localdomain is the access point domain name. When an access point receives an IP address and DNS information from a DHCP server, it contacts the DNS to resolve CISCO-LWAPP-CONTROLLER.localdomain. When the DNS sends a list of controller IP addresses, the access point sends discovery requests to the controllers.

Verifying that Access Points Join the Controller

When replacing a controller, you need to make sure that access points join the new controller.

Using the GUI to Verify that Access Points Join the Controller

Follow these steps to ensure that access points join the new controller.
Step 1 Follow these steps to configure the new controller as a master controller.
a. Click Controller > Advanced > Master Controller Mode to open the Master Controller Configuration page.
b. Check the Master Controller Mode check box.
c. Click Apply to commit your changes.
d. Click Save Configuration to save your changes.
Step 2 (Optional) Flush the ARP and MAC address tables within the network infrastructure. Ask your network administrator for more information about this step.
Step 3 Restart the access points.
Step 4 Once all the access points have joined the new controller, configure the controller not to be a master controller by unchecking the Master Controller Mode check box on the Master Controller Configuration page.

Using the CLI to Verify that Access Points Join the Controller

Follow these steps to ensure that access points join the new controller.
Step 1 To configure the new controller as a master controller, enter this command:
config network master-base enable
Step 2 (Optional) Flush the ARP and MAC address tables within the network infrastructure. Ask your network administrator for more information about this step.
Step 3 Restart the access points.
Step 4 To configure the controller not to be a master controller once all the access points have joined the new controller, enter this command:
config network master-base disable

Viewing CAPWAP MTU Information

To view the maximum transmission unit (MTU) for the CAPWAP path on the controller, enter this command. The MTU specifies the maximum size of any packet (in bytes) in a transmission.
show ap config general Cisco_AP
Information similar to the following appears:
Cisco AP Identifier.............................. 9
Cisco AP Name.................................... Maria-1250
Country code..................................... US - United States
Regulatory Domain allowed by Country............. 802.11bg:-A 802.11a:-A
AP Country code.................................. US - United States
AP Regulatory Domain............................. 802.11bg:-A 802.11a:-A
Switch Port Number .............................. 1
MAC Address...................................... 00:1f:ca:bd:bc:7c
IP Address Configuration......................... DHCP
IP Address....................................... 1.100.163.193
IP NetMask....................................... 255.255.255.0
CAPWAP Path MTU............................... 1485
...


Debugging CAPWAP

Use these CLI commands to obtain CAPWAP debug information:
debug capwap events {enable | disable}—Enables or disables debugging of CAPWAP events.
debug capwap errors {enable | disable}—Enables or disables debugging of CAPWAP errors.
debug capwap detail {enable | disable}—Enables or disables debugging of CAPWAP details.
debug capwap info {enable | disable}—Enables or disables debugging of CAPWAP information.
debug capwap packet {enable | disable}—Enables or disables debugging of CAPWAP packets.
debug capwap payload {enable | disable}—Enables or disables debugging of CAPWAP payloads.
debug capwap hexdump {enable | disable}—Enables or disables debugging of the CAPWAP hexadecimal dump.
Configuring Global Credentials for Access Points
Cisco IOS access points are shipped from the factory with Cisco as the default enable password. This password allows users to log into the non-privileged mode and execute show and debug commands, posing a security threat. The default enable password must be changed to prevent unauthorized access and to enable users to execute configuration commands from the access point’s console port.
In controller software releases prior to 5.0, you can set the access point enable password only for access points that are currently connected to the controller. In controller software release 5.0 or later, you can set a global username, password, and enable password that all access points inherit as they join the controller. This includes all access points that are currently joined to the controller and any that join in the future. If desired, you can override the global credentials and assign a unique username, password, and enable password for a specific access point.
Also in controller software release 5.0 or later, after an access point joins the controller, the access point enables console port security, and you are prompted for your username and password whenever you log into the access point’s console port. When you log in, you are in non-privileged mode, and you must enter the enable password in order to use the privileged mode.
Note These controller software release 5.0 (or later) features are supported on all access points that have been converted to lightweight mode, except the 1100 series. VxWorks access points are not supported.
The global credentials that you configure on the controller are retained across controller and access point reboots. They are overwritten only if the access point joins a new controller that is configured with a global username and password. If the new controller is not configured with global credentials, the access point retains the global username and password configured for the first controller.
Note You need to keep careful track of the credentials used by the access points. Otherwise, you might not be able to log into an access point’s console port. If you ever need to return the access points to the default Cisco/Cisco username and password, you must clear the controller’s configuration and the access point’s configuration to return them to factory default settings. To clear the controller’s configuration, choose Commands > Reset to Factory Default > Reset on the controller GUI, or enter clear config on the controller CLI. To clear the access point’s configuration, enter clear ap config Cisco_AP on the controller CLI. Once the access point rejoins a controller, it adopts the default Cisco/Cisco username and password.
You can use the controller GUI or CLI to configure global credentials for access points that join the controller.

Using the GUI to Configure Global Credentials for Access Points

Using the controller GUI, follow these steps to configure global credentials for access points that join the controller.
Step 1 Click Wireless > Access Points > Global Configuration to open the Global Configuration page (see Figure 7-1).
Figure 7-1 Global Configuration Page
Step 2 In the Username field, enter the username that is to be inherited by all access points that join the controller.
Step 3 In the Password field, enter the password that is to be inherited by all access points that join the controller.
Step 4 In the Enable Password field, enter the enable password that is to be inherited by all access points that join the controller.
Step 5 Click Apply to send the global username, password, and enable password to all access points that are currently joined to the controller or that join the controller in the future.
Step 6 Click Save Configuration to save your changes.
Step 7 If desired, you can choose to override the global credentials for a specific access point and assign a unique username, password, and enable password to this access point. Follow these steps to do so:
a. Click Access Points > All APs to open the All APs page.
b. Click the name of the access point for which you want to override the global credentials.
c. Click the Credentials tab. The All APs > Details for (Credentials) page appears (see Figure 7-2).
Figure 7-2 All APs > Details for (Credentials) Page
d. Check the Over-ride Global Credentials check box to prevent this access point from inheriting the global username, password, and enable password from the controller. The default value is unchecked.
e. In the Username, Password, and Enable Password fields, enter the unique username, password, and enable password that you want to assign to this access point.
Note The information that you enter is retained across controller and access point reboots and if the access point joins a new controller.
f. Click Apply to commit your changes.
g. Click Save Configuration to save your changes.
Note If you ever want to force this access point to use the controller’s global credentials, simply uncheck the Over-ride Global Credentials check box.

Using the CLI to Configure Global Credentials for Access Points

Using the controller CLI, follow these steps to configure global credentials for access points that join the controller.
Step 1 To configure the global username, password, and enable password for all access points currently joined to the controller as well as any access points that join the controller in the future, enter this command:
config ap mgmtuser add username user password password enablesecret enable_password all
Step 2 If desired, you can choose to override the global credentials for a specific access point and assign a unique username, password, and enable password to this access point. To do so, enter this command:
config ap mgmtuser add username user password password enablesecret enable_password Cisco_AP
The credentials that you enter in this command are retained across controller and access point reboots and if the access point joins a new controller.
Note If you ever want to force this access point to use the controller’s global credentials, enter this command: config ap mgmtuser delete Cisco_AP. The following message appears after you execute this command: “AP reverted to global username configuration.”
Step 3 To save your changes, enter this command:
save config
Step 4 To verify that global credentials are configured for all access points that join the controller, enter this command:
show ap summary
Information similar to the following appears:
Number of APs.................................... 1
Global AP User Name.............................. globalap
AP Name   Slots   AP Model             Ethernet MAC         Location            Port   Country
--------  ------  -------------------  -------------------  ------------------  ----   -------
HReap     2       AIR-AP1131AG-N-K9    00:13:80:60:48:3e    default location    1      US
Note If global credentials are not configured, the Global AP User Name field shows “Not Configured.”
Step 5 To see the global credentials configuration for a specific access point, enter this command:
show ap config general Cisco_AP
Note The name of the access point is case sensitive.
Information similar to the following appears:
Cisco AP Identifier.............................. 0
Cisco AP Name.................................. HReap
...
AP User Mode..................................... AUTOMATIC
AP User Name..................................... globalap
...
Note If this access point is configured for global credentials, the AP User Mode field shows “Automatic.” If the global credentials have been overridden for this access point, the AP User Mode field shows “Customized.”
Configuring Authentication for Access Points
You can configure 802.1X authentication between a lightweight access point and a Cisco switch. The access point acts as an 802.1X supplicant and is authenticated by the switch using EAP-FAST with anonymous PAC provisioning.
This feature is supported on the following hardware:
Cisco Aironet 1130, 1140, 1240, and 1250 series access points
All controller platforms running in local, hybrid-REAP, monitor, or sniffer mode. Bridge mode is not supported.
Note In hybrid-REAP mode, you cannot configure local switching with 802.1X authentication; you can configure central switching only.
All Cisco switches that support authentication
Note Refer to the Release Notes for Cisco Wireless LAN Controllers and Lightweight Access Points for Release 5.2 for a list of supported switch hardware and minimum supported software.
You can configure global authentication settings that all access points inherit as they join the controller. This includes all access points that are currently joined to the controller and any that join in the future. If desired, you can override the global authentication settings and assign unique authentication settings for a specific access point.
Observe the following flow for configuring authentication for access points:
1. If the access point is new, do the following:
a. Boot the access point with the installed recovery image.
b. If you choose not to follow this suggested flow and instead enable 802.1X authentication on the switch port connected to the access point prior to the access point joining the controller, enter the following command:
lwapp ap dot1x username username password password
Note If you choose to follow this suggested flow and enable 802.1X authentication on the switch port after the access point has joined the controller and received the configured 802.1X credentials, you do not need to enter this command.
Note This command is available only for access points that are running the 5.1 or 5.2 recovery image.
c. Connect the access point to the switch port.
2. Install the 5.1 or 5.2 image on the controller and reboot the controller.
3. Allow all access points to join the controller.
4. Configure authentication on the controller. See the “Using the GUI to Configure Authentication for Access Points” section on page 7-10 or the “Using the CLI to Configure Authentication for Access Points” section on page 7-12 for information on configuring authentication on the controller.
5. Configure the switch to allow authentication. See the “Configuring the Switch for Authentication” section on page 7-14 for information on configuring the switch for authentication.

Using the GUI to Configure Authentication for Access Points

Using the controller GUI, follow these steps to configure authentication for access points that join the controller.
Step 1 Click Wireless > Access Points > Global Configuration to open the Global Configuration page (see Figure 7-3).
Figure 7-3 Global Configuration Page
Step 2 Under 802.1x Supplicant Credentials, check the 802.1x Authentication check box.
Step 3 In the Username field, enter the username that is to be inherited by all access points that join the controller.
Step 4 In the Password and Confirm Password fields, enter the password that is to be inherited by all access points that join the controller.
Note You must enter a strong password in these fields. Strong passwords have the following
characteristics:
- They are at least eight characters long.
- They contain a combination of upper- and lowercase letters, numbers, and symbols.
- They are not a word in any language.
Step 5 Click Apply to send the global authentication username and password to all access points that are currently joined to the controller and to any that join the controller in the future.
Step 6 Click Save Configuration to save your changes.
Step 7 If desired, you can choose to override the global authentication settings and assign a unique username and password to a specific access point. Follow these steps to do so:
a. Click Access Points > All APs to open the All APs page.
b. Click the name of the access point for which you want to override the authentication settings.
c. Click the Credentials tab to open the All APs > Details for (Credentials) page (see Figure 7-4).
Figure 7-4 All APs > Details for (Credentials) Page
d. Under 802.1x Supplicant Credentials, check the Over-ride Global Credentials check box to prevent this access point from inheriting the global authentication username and password from the controller. The default value is unchecked.
e. In the Username, Password, and Confirm Password fields, enter the unique username and password
that you want to assign to this access point.
Note The information that you enter is retained across controller and access point reboots and whenever the access point joins a new controller.
f. Click Apply to commit your changes.
g. Click Save Configuration to save your changes.
Note If you ever want to force this access point to use the controller’s global authentication
settings, simply uncheck the Over-ride Global Credentials check box.

Using the CLI to Configure Authentication for Access Points

Using the controller CLI, follow these steps to configure authentication for access points that join the controller.
Step 1 To configure the global authentication username and password for all access points currently joined to the controller as well as any access points that join the controller in the future, enter this command:
config ap dot1xuser add username user password password all
Note You must enter a strong password for the password parameter. Strong passwords have the following characteristics:
- They are at least eight characters long.
- They contain a combination of upper- and lowercase letters, numbers, and symbols.
- They are not a word in any language.
Step 2 If desired, you can choose to override the global authentication settings and assign a unique username and password to a specific access point. To do so, enter this command:
config ap dot1xuser add username user password password Cisco_AP
Note You must enter a strong password for the password parameter. See the note in Step 1 for the characteristics of strong passwords.
The authentication settings that you enter in this command are retained across controller and access point reboots and whenever the access point joins a new controller.
Note If you ever want to force this access point to use the controller’s global authentication settings, enter this command: config ap dot1xuser delete Cisco_AP. The following message appears after you execute this command: “AP reverted to global username configuration.”
Step 3 To save your changes, enter this command:
save config
Step 4 If you ever want to disable 802.1X authentication for all access points or for a specific access point, enter this command:
config ap dot1xuser disable {all | Cisco_AP}
Note You can disable 802.1X authentication for a specific access point only if global 802.1X authentication is not enabled. If global 802.1X authentication is enabled, you can disable 802.1X for all access points only.
Step 5 To view the authentication settings for all access points that join the controller, enter this command:
show ap summary
Information similar to the following appears:
Number of APs.................................... 1
Global AP User Name.............................. globalap
Global AP Dot1x User Name........................ globalDot1x
...
Note If global authentication settings are not configured, the Global AP Dot1x User Name field shows “Not Configured.”
Step 6 To view the authentication settings for a specific access point, enter this command:
show ap config general Cisco_AP
Note The name of the access point is case sensitive.
Information similar to the following appears:
Cisco AP Identifier.............................. 0
Cisco AP Name.................................. HReap
...
AP Dot1x User Mode............................... AUTOMATIC
AP Dot1x User Name............................... globalDot1x
...
Note If this access point is configured for global authentication, the AP Dot1x User Mode field shows “Automatic.” If the global authentication settings have been overridden for this access point, the AP Dot1x User Mode field shows “Customized.”
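The controller does not check the three strong-password characteristics listed in the GUI and CLI steps above for you. As an added example (written for this page, not code from the Cisco guide), the following Python helper applies those three checks to a candidate password before it is used in config ap dot1xuser add, and renders the command only when the password passes. The small word list that stands in for "not a word in any language" is a constructed assumption; a real deployment would consult a dictionary or breached-password list. The helper names and the sample passwords are likewise assumptions for the example.

```python
import string

# Constructed stand-in for "not a word in any language" (an assumption for this
# example, not something the guide supplies); a real check would use a dictionary
# or breached-password list.
DICTIONARY_WORDS = {"password", "cisco", "admin", "wireless", "controller", "secret"}


def password_problems(password):
    """Return the guide's strong-password criteria the password fails (empty list = strong)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than eight characters")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbol")
    # Crude dictionary test: drop digits and symbols and compare case-insensitively,
    # so "Cisco123!" still counts as the word "cisco".
    letters_only = "".join(c for c in password if c.isalpha()).lower()
    if letters_only in DICTIONARY_WORDS:
        problems.append("is a dictionary word")
    return problems


def is_strong(password):
    return not password_problems(password)


def dot1x_user_command(username, password, target="all"):
    """Render the controller CLI line from Step 1 or Step 2, refusing a weak password.

    target is "all" for the global credentials or an AP name for a per-AP override;
    AP names are case sensitive on the controller, so pass the name exactly.
    """
    problems = password_problems(password)
    if problems:
        raise ValueError("weak password: " + "; ".join(problems))
    return f"config ap dot1xuser add username {username} password {password} {target}"


if __name__ == "__main__":
    for candidate in ("Cisco123!", "Tr0ub4dor&3"):
        print(candidate, "->", password_problems(candidate) or "strong")
    print(dot1x_user_command("apdot1x", "Tr0ub4dor&3"))
```

Because the password is pushed to every access point that joins, one weak value exposes the whole 802.1X supplicant population; running the check once before Step 1 is cheaper than rotating credentials on every access point afterwards.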


Configuring the Switch for Authentication

On the switch CLI, enter these commands to enable 802.1X authentication on a switch port:
Switch# configure terminal
Switch(config)# dot1x system-auth-control
Switch(config)# aaa new-model
Switch(config)# aaa authentication dot1x default group radius
Switch(config)# radius-server host ip_addr auth-port port acct-port port key key
Switch(config)# interface fastethernet2/1
Switch(config-if)# switchport mode access
Switch(config-if)# dot1x pae authenticator
Switch(config-if)# dot1x port-control auto
Switch(config-if)# end
Embedded Access Points
Controller software release 5.1 or later supports the AP801, which is the integrated access point on the Cisco 800 Series Integrated Services Routers (ISRs). This access point uses a Cisco IOS software image that is separate from the router Cisco IOS software image. It can operate as an autonomous access point that is configured and managed locally, or it can operate as a centrally managed access point utilizing the CAPWAP or LWAPP protocol. The AP801 is preloaded with both an autonomous Cisco IOS release and a recovery image for the unified mode.
Note Before you use an AP801 Series Lightweight Access Point with controller software release 5.2, you must upgrade the software in the Cisco 800 Series Integrated Services Router (ISR) to Cisco IOS Release 12.4(22)T.
When you want to use the AP801 with a controller, you must enable the recovery image for the unified mode on the access point by entering this CLI command on the router in privileged EXEC mode: service-module wlan-ap 0 bootimage unified.
Note If the service-module wlan-ap 0 bootimage unified command does not work successfully, make sure that the software license is still eligible.
After enabling the recovery image, enter this CLI command on the router to shut down and reboot the access point: service-module wlan-ap 0 reload. After the access point reboots, it discovers the controller, downloads the full CAPWAP or LWAPP software release from the controller, and acts as a lightweight access point.
Note To use the CLI commands mentioned above, the router must be running Cisco IOS Release 12.4(20)T or later. If you experience any problems, refer to the “Troubleshooting an Upgrade or Reverting the AP to Autonomous Mode” section in the ISR configuration guide at this URL:
http://cisco.com/en/US/docs/routers/access/800/860-880-890/software/configuration/guide/admin_ap.html#wp1061143
In order to support CAPWAP or LWAPP, the router must be activated with at least the Cisco Advanced IP Services IOS license-grade image. A license is required to upgrade to this IOS image on the router. Refer to this URL for licensing information:
http://cisco.com/en/US/docs/routers/access/800/860-880-890/software/activation/Software_Activation_on_Cisco_Integrated_Routers.html
After the AP801 boots up with the recovery image for the unified mode, it requires an IP address to communicate with the controller and to download its unified image and configuration from the controller. The router can provide DHCP server functionality and a DHCP pool from which the access point can reach the controller, and can set up option 43 in the DHCP pool configuration to carry the controller IP address. Use the following configuration to perform this task:
ip dhcp pool pool_name
 network ip_address subnet_mask
 dns-server ip_address
 default-router ip_address
 option 43 hex controller_ip_address_in_hex
Example:
ip dhcp pool embedded-ap-pool
 network 60.0.0.0 255.255.255.0
 dns-server 171.70.168.183
 default-router 60.0.0.1
 option 43 hex f104.0a0a.0a0f /* single WLC IP address (10.10.10.15) in hex format */
The AP801 802.11n radio supports lower power levels than the 802.11n radio in the Cisco Aironet 1250 series access points. The AP801 stores the radio power levels and passes them to the controller when the access point joins the controller. The controller uses the supplied values to limit the user’s configuration.
The AP801 can be used in hybrid-REAP mode. Refer to Chapter 13 for more information on hybrid REAP.
Note For more information on the AP801, refer to the documentation for the Cisco 800 Series ISRs at this URL:
http://www.cisco.com/en/US/products/hw/routers/ps380/tsd_products_support_series_home.html

Autonomous Access Points Converted to Lightweight Mode
You can use an upgrade conversion tool to convert autonomous Cisco Aironet 1100, 1130AG, 1200, 1240AG, and 1300 Series Access Points to lightweight mode. When you upgrade one of these access points to lightweight mode, the access point communicates with a controller and receives a configuration and software image from the controller.
Refer to the Upgrading Autonomous Cisco Aironet Access Points to Lightweight Mode document for instructions on upgrading an autonomous access point to lightweight mode. You can find this document at this URL:
http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_technical_reference09186a00804fc3dc.html

Guidelines for Using Access Points Converted to Lightweight Mode

Keep these guidelines in mind when you use autonomous access points that have been converted to lightweight mode:
Converted access points support 2006, 4400, and WiSM controllers only. When you convert an autonomous access point to lightweight mode, the access point can communicate with Cisco 2006 series controllers, 4400 series controllers, or the controllers on a Cisco WiSM only.
Access points converted to lightweight mode do not support Wireless Domain Services (WDS). Converted access points communicate only with Cisco wireless LAN controllers and cannot communicate with WDS devices. However, the controller provides functionality equivalent to WDS when the access point associates to it.
In controller software release 4.2 or later, all Cisco lightweight access points support 16 BSSIDs per radio and a total of 16 wireless LANs per access point. In previous releases, they supported only 8 BSSIDs per radio and a total of 8 wireless LANs per access point. When a converted access point associates to a controller, only wireless LANs with IDs 1 through 16 are pushed to the access point.
Access points converted to lightweight mode must get an IP address and discover the controller using DHCP, DNS, or IP subnet broadcast.
After you convert an access point to lightweight mode, the console port provides read-only access to the unit.
The 1130AG and 1240AG access points support hybrid-REAP mode. See Chapter 13 for details.
The upgrade conversion tool adds the self-signed certificate (SSC) key-hash to only one of the controllers on the Cisco WiSM. After the conversion has been completed, add the SSC key-hash to the second controller on the Cisco WiSM by copying the SSC key-hash from the first controller to the second controller. To copy the SSC key-hash, open the AP Policies page of the controller GUI (Security > AAA > AP Policies) and copy the SSC key-hash from the SHA1 Key Hash column under AP Authorization List (see Figure 7-6). Then, using the second controller’s GUI, open the same page and paste the key-hash into the SHA1 Key Hash field under Add AP to Authorization List. If you have more than one Cisco WiSM, use WCS to push the SSC key-hash to all the other controllers.

Reverting from Lightweight Mode to Autonomous Mode

After you use the upgrade tool to convert an autonomous access point to lightweight mode, you can convert the access point from a lightweight unit back to an autonomous unit by loading a Cisco IOS release that supports autonomous mode (Cisco IOS release 12.3(7)JA or earlier). If the access point is associated to a controller, you can use the controller to load the Cisco IOS release. If the access point is not associated to a controller, you can load the Cisco IOS release using TFTP. In either method, the access point must be able to access a TFTP server that contains the Cisco IOS release to be loaded.

Using a Controller to Return to a Previous Release

Follow these steps to revert from lightweight mode to autonomous mode using a wireless LAN controller:
Step 1 Log into the CLI on the controller to which the access point is associated.
Step 2 Enter this command:
config ap tftp-downgrade tftp-server-ip-address filename access-point-name
Step 3 Wait until the access point reboots and reconfigure the access point using the CLI or GUI.

Using the MODE Button and a TFTP Server to Return to a Previous Release

Follow these steps to revert from lightweight mode to autonomous mode by using the access point MODE (reset) button to load a Cisco IOS release from a TFTP server:
Step 1 The PC on which your TFTP server software runs must be configured with a static IP address in the range of 10.0.0.2 to 10.0.0.30.
Step 2 Make sure that the PC contains the access point image file (such as c1200-k9w7-tar.123-7.JA.tar for a 1200 series access point) in the TFTP server folder and that the TFTP server is activated.
Step 3 Rename the access point image file in the TFTP server folder to c1200-k9w7-tar.default for a 1200 series access point.
Step 4 Connect the PC to the access point using a Category 5 (CAT5) Ethernet cable.
Step 5 Disconnect power from the access point.
Step 6 Press and hold the MODE button while you reconnect power to the access point.
Note The MODE button on the access point must be enabled. Follow the steps in the “Disabling the Reset Button on Access Points Converted to Lightweight Mode” section on page 7-33 to check the status of the access point MODE button.
Step 7 Hold the MODE button until the status LED turns red (approximately 20 to 30 seconds), and release the MODE button.
Step 8 Wait until the access point reboots as indicated by all LEDs turning green followed by the Status LED blinking green.
Step 9 After the access point reboots, reconfigure the access point using the GUI or the CLI.

Authorizing Access Points

In controller software releases prior to 5.2, the controller may either use self-signed certificates (SSCs) to authenticate access points or send the authorization information to a RADIUS server (if access points have manufactured-installed certificates [MICs]). In controller software release 5.2, you can configure the controller to use a local significant certificate (LSC).

Authorizing Access Points Using SSCs

The Control and Provisioning of Wireless Access Points protocol (CAPWAP) secures the control communication between the access point and controller by means of a secure key distribution requiring X.509 certificates on both the access point and controller. CAPWAP relies on a priori provisioning of the X.509 certificates. Cisco Aironet access points shipped before July 18, 2005 do not have a MIC, so these access points create an SSC when upgraded to operate in lightweight mode. Controllers are programmed to accept local SSCs for authentication of specific access points and do not forward those authentication requests to a RADIUS server. This behavior is acceptable and secure.

Authorizing Access Points Using MICs

You can configure controllers to use RADIUS servers to authorize access points using MICs. The controller uses an access point’s MAC address as both the username and password when sending the information to a RADIUS server. For example, if the MAC address of the access point is 000b85229a70, both the username and password used by the controller to authorize the access point are 000b85229a70.
Note The lack of a strong password by the use of the access point’s MAC address should not be an issue because the controller uses MIC to authenticate the access point prior to authorizing the access point through the RADIUS server. Using MIC provides strong authentication.
Note If you use the MAC address as the username and password for access point authentication on a RADIUS AAA server, do not use the same AAA server for client authentication.

Authorizing Access Points Using LSCs

You can use an LSC if you want your own public key infrastructure (PKI) to provide better security, to have control of your certificate authority (CA), and to define policies, restrictions, and usages on the generated certificates.
The LSC CA certificate is installed on access points and controllers. You need to provision the device certificate on the access point. The access point gets a signed X.509 certificate by sending a certRequest to the controller. The controller acts as a CA proxy and receives the certRequest signed by the CA for the access point.
Note Access points that are configured for bridge mode are not supported.
Using the GUI to Configure LSC
Using the controller GUI, follow these steps to enable the use of LSC on the controller.
Step 1 Click Security > Certificate > LSC to open the Local Significant Certificates (LSC) page (see Figure 7-5).
Figure 7-5 Local Significant Certificates (LSC) Page
Step 2 Click the General tab.
Step 3 To enable LSC on the system, check the Enable LSC on Controller check box.
Step 4 In the CA Server URL field, enter the URL to the CA server. You can enter either a domain name or an IP address.
Step 5 In the Params fields, enter the parameters for the device certificate. The key size is a value from 384 to 2048 (in bits), and the default value is 2048.
Step 6 Click Apply to commit your changes.
Step 7 To add the CA certificate into the controller’s CA certificate database, hover your cursor over the blue drop-down arrow for the certificate type and choose Add.
Step 8 To provision the LSC on the access point, click the AP Provisioning tab and check the Enable AP Provisioning check box.
Step 9 To add access points to the provision list, enter the access point MAC address in the AP Ethernet MAC Addresses field and click Add.
Note To remove an access point from the provision list, hover your cursor over the blue drop-down arrow for the access point and choose Remove.
Note If you configure an access point provision list, only the access points in the provision list are provisioned when you enable AP provisioning. If you do not configure an access point provision list, all access points with a MIC or SSC certificate that join the controller are LSC provisioned.
Step 10 Click Apply to commit your changes.
Using the CLI to Configure LSC
Using the controller CLI, follow these steps to enable the use of LSC on the controller.
Step 1 To enable LSC on the system, enter this command:
config certificate lsc {enable | disable}
Step 2 To configure the URL to the CA server, enter this command:
config certificate lsc ca-server http://url:port/path
where url can be either a domain name or IP address.
Note You can configure only one CA server. To configure a different CA server, delete the configured CA server using the config certificate lsc ca-server delete command; then configure a different CA server.
Step 3 To add the LSC CA certificate into the controller’s CA certificate database, enter this command:
config certificate lsc ca-cert {add | delete}
Step 4 To configure the parameters for the device certificate, enter this command:
config certificate lsc subject-params country state city orgn dept email
Note The common name (CN) is generated automatically on the access point using the current MIC/SSC format Cxxxx-MacAddr, where xxxx is the product number.
Step 5 To configure a key size, enter this command:
config certificate lsc other-params keysize
The keysize is a value from 384 to 2048 (in bits), and the default value is 2048.
Step 6 To add access points to the provision list, enter this command:
config certificate lsc ap-provision auth-list add AP_mac_addr
Note To remove access points from the provision list, enter this command: config certificate lsc ap-provision auth-list delete AP_mac_addr.
Note If you configure an access point provision list, only the access points in the provision list are provisioned when you enable AP provisioning (in Step 8). If you do not configure an access point provision list, all access points with a MIC or SSC certificate that join the controller are LSC provisioned.
Step 7 To configure the number of times that the access point attempts to join the controller using an LSC before the access point reverts to the default certificate (MIC or SSC), enter this command:
config certificate lsc ap-provision revert-cert retries
where retries is a value from 0 to 255, and the default value is 3.
If you set the number of retries to a non-zero value and the access point fails to join the controller using an LSC after the configured number of retries, the access point reverts to the default certificate.
If you set the number of retries to 0 and the access point fails to join the controller using an LSC, the access point does not attempt to join the controller using the default certificate.
Note If you are configuring LSC for the first time, Cisco recommends that you configure a non-zero value.
Step 8 To provision the LSC on the access point, enter this command:
config certificate lsc ap-provision {enable | disable}
Step 9 To view the LSC summary, enter this command:
show certificate lsc summary
Information similar to the following appears:
LSC Enabled.......................................... Yes
LSC CA-Server........................................ http://10.0.0.1:8080/caserver
LSC AP-Provisioning.................................. Yes
Provision-List................................... Not Configured
LSC Revert Count in AP reboots................... 3
LSC Params:
Country.......................................... 4
State............................................ ca
City............................................. ss
Orgn............................................. org
Dept............................................. dep
Email............................................ dep@co.com
KeySize.......................................... 390
LSC Certs:
CA Cert.......................................... Not Configured
RA Cert....................................... Not Configured
Step 10 To view details about the access points that are provisioned using LSC, enter this command:
show certificate lsc ap-provision
Information similar to the following appears:
LSC AP-Provisioning........................... Yes
Provision-List................................ Present
Idx Mac Address
--- -----------------
1   00:18:74:c7:c0:90

Using the GUI to Authorize Access Points

Using the controller GUI, follow these steps to authorize access points.
Step 1 Click Security > AAA > AP Policies to open the AP Policies page (see Figure 7-6).
Figure 7-6 AP Policies Page
Step 2 If you want the access point to accept self-signed certificates (SSCs), manufactured-installed certificates (MICs), or local significant certificates (LSCs), check the appropriate check box.
Step 3 If you want the access points to be authorized using a AAA RADIUS server, check the Authorize MIC APs against auth-list or AAA check box.
Step 4 If you want the access points to be authorized using an LSC, check the Authorize LSC APs against auth-list check box.
Step 5 Click Apply to commit your changes.
Step 6 Follow these steps to add an access point to the controller’s authorization list:
a. Click Add to access the Add AP to Authorization List area.
b. In the MAC Address field, enter the MAC address of the access point.
c. From the Certificate Type drop-down box, choose MIC, SSC, or LSC.
d. Click Add. The access point appears in the access point authorization list.
Note To remove an access point from the authorization list, hover your cursor over the blue drop-down arrow for the access point and choose Remove.
Note To search for a specific access point in the authorization list, enter the MAC address of the access point in the Search by MAC field and click Search.

Using the CLI to Authorize Access Points

Using the controller CLI, follow these steps to authorize access points.
Step 1 To configure an access point authorization policy, enter this command:
config auth-list ap-policy {authorize-ap {enable | disable} | authorize-lsc-ap {enable | disable}}
Step 2 To configure an access point to accept manufactured-installed certificates (MICs), self-signed certificates (SSCs), or local significant certificates (LSCs), enter this command:
config auth-list ap-policy {mic | ssc | lsc {enable | disable}}
Step 3 To add an access point to the authorization list, enter this command:
config auth-list add {mic | ssc | lsc} ap_mac [ap_key]
where ap_key is an optional key hash value equal to 20 bytes or 40 digits.
Note To delete an access point from the authorization list, enter this command: config auth-list delete ap_mac.
Step 4 To view the access point authorization list, enter this command:
show auth-list
Information similar to the following appears:
Authorize MIC APs against AAA ....................... disabled
Authorize LSC APs against Auth-List ................. disabled
Allow APs with MIC - Manufactured Installed C ....... enabled
Allow APs with SSC - Self-Signed Certificate ........ enabled
Allow APs with LSC - Locally Significant Cert ....... enabled
Mac Addr                Cert Type  Key Hash
----------------------- ---------- ----------------------------------------
00:12:79:de:65:99       SSC        ca528236137130d37049a5ef3d1983b30ad7e543
00:16:36:91:9a:27       MIC        593f34e7cb151997a28cc7da2a6cac040b329636
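The guideline earlier in this section requires the SSC key-hash to be copied to the second controller on a Cisco WiSM, and Step 3 above gives the CLI form of an authorization-list entry. The following script is an added example, not Cisco code or part of this guide: it parses the show auth-list output format shown above (the sample is that output, embedded so the script runs offline), checks that each key hash is the 20-byte (40 hex digit) value the config auth-list add command expects, and emits the CLI lines that recreate the SSC entries on another controller. It assumes the MAC address format accepted by config auth-list add matches the colon-separated form of the show output.

```python
"""Audit a controller's AP authorization list and replicate SSC entries.

Added example, not Cisco code. Parses 'show auth-list' text, validates the
key hashes, and builds 'config auth-list add' commands for a second
controller (as the WiSM guideline in this section requires).
"""
import re

# Constructed sample: the 'show auth-list' output printed in this section.
SAMPLE_SHOW_AUTH_LIST = """\
Authorize MIC APs against AAA ....................... disabled
Authorize LSC APs against Auth-List ................. disabled
Allow APs with MIC - Manufactured Installed C ....... enabled
Allow APs with SSC - Self-Signed Certificate ........ enabled
Allow APs with LSC - Locally Significant Cert ....... enabled

Mac Addr                Cert Type  Key Hash
----------------------- ---------- ----------------------------------------
00:12:79:de:65:99       SSC        ca528236137130d37049a5ef3d1983b30ad7e543
00:16:36:91:9a:27       MIC        593f34e7cb151997a28cc7da2a6cac040b329636
"""

KEY_HASH_HEX_DIGITS = 40  # ap_key is 20 bytes, written as 40 hex digits

# "<policy name> ....... enabled|disabled"
POLICY_RE = re.compile(r"^(?P<name>.+?)\s*\.{2,}\s*(?P<state>enabled|disabled)\s*$")
# "<mac> <MIC|SSC|LSC> [<key hash>]"  (MAC format assumed as in the show output)
ENTRY_RE = re.compile(
    r"^(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+(?P<type>MIC|SSC|LSC)"
    r"(?:\s+(?P<hash>[0-9a-f]+))?\s*$",
    re.IGNORECASE,
)


def parse_auth_list(text):
    """Return ({policy name: enabled?}, [entry dicts]) from show auth-list text."""
    policies, entries = {}, []
    for line in text.splitlines():
        m = POLICY_RE.match(line)
        if m:
            policies[m.group("name").strip()] = m.group("state") == "enabled"
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append({
                "mac": m.group("mac").lower(),
                "type": m.group("type").upper(),
                "hash": (m.group("hash") or "").lower(),
            })
    return policies, entries


def check_entries(entries):
    """List entries whose key hash is not the 40-hex-digit value the CLI takes."""
    problems = []
    for e in entries:
        if e["hash"] and len(e["hash"]) != KEY_HASH_HEX_DIGITS:
            problems.append(f"{e['mac']}: key hash has {len(e['hash'])} hex digits, "
                            f"expected {KEY_HASH_HEX_DIGITS}")
        elif e["type"] == "SSC" and not e["hash"]:
            # An SSC access point is authorized by its key hash, so a blank hash is useless.
            problems.append(f"{e['mac']}: SSC entry has no key hash")
    return problems


def replication_commands(entries, cert_type="SSC"):
    """Build 'config auth-list add' lines to recreate cert_type entries elsewhere."""
    cmds = []
    for e in entries:
        if e["type"] != cert_type.upper():
            continue
        cmd = f"config auth-list add {cert_type.lower()} {e['mac']}"
        if e["hash"]:
            cmd += f" {e['hash']}"
        cmds.append(cmd)
    return cmds


if __name__ == "__main__":
    policies, entries = parse_auth_list(SAMPLE_SHOW_AUTH_LIST)
    print("SSC accepted:", policies["Allow APs with SSC - Self-Signed Certificate"])
    for problem in check_entries(entries):
        print("PROBLEM:", problem)
    print("\n".join(replication_commands(entries)))
```

Run against the sample, the script reports no hash problems and prints a single config auth-list add ssc line for 00:12:79:de:65:99, which is the command to paste into the second controller's CLI instead of copying the hash through the GUI.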

Using DHCP Option 43 and DHCP Option 60

Cisco Aironet access points use the type-length-value (TLV) format for DHCP option 43. DHCP servers must be programmed to return the option based on the access point’s DHCP Vendor Class Identifier (VCI) string (DHCP Option 60). Table 7-1 lists the VCI strings for Cisco access points capable of operating in lightweight mode.
Table 7-1 VCI Strings For Lightweight Access Points
Access Point                         VCI String
Cisco Aironet 1130 Series            Cisco AP c1130
Cisco Aironet 1140 Series            Cisco AP c1140
Cisco Aironet 1200 Series            Cisco AP c1200
Cisco Aironet 1240 Series            Cisco AP c1240
Cisco Aironet 1250 Series            Cisco AP c1250
Cisco AP801 Embedded Access Point    Cisco AP801
This is the format of the TLV block:
Type: 0xf1 (decimal 241)
Length: Number of controller IP addresses * 4
Value: List of the IP addresses of controller management interfaces
Refer to the product documentation for your DHCP server for instructions on configuring DHCP option 43. The Upgrading Autonomous Cisco Aironet Access Points to Lightweight Mode document contains example steps for configuring option 43 on a DHCP server.
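The TLV format above and the AP801 router example earlier in this chapter (option 43 hex f104.0a0a.0a0f for controller 10.10.10.15) describe the same encoding. The following script is an added example, not Cisco code or part of this guide: it builds the option 43 block from a list of controller management addresses, renders it in the dotted hex form the IOS option 43 hex keyword takes, and decodes a block back while rejecting a wrong length byte or a value that is not a whole number of IPv4 addresses. It goes beyond the single-controller case in the text by encoding several controllers in one block; the only assumption is that the dotted groups of four hex digits are purely cosmetic, as in the router example.

```python
"""Encode and decode the DHCP option 43 TLV that Cisco lightweight APs expect.

Added example, not Cisco code. Implements the format described in the text:
type 0xf1, length = 4 * number of controllers, value = the controller
management-interface IPv4 addresses.
"""
import ipaddress

OPTION43_TYPE = 0xF1  # decimal 241, the sub-option type the access point looks for


def build_option43(controller_ips):
    """Return the raw TLV bytes for a list of controller management IPv4 addresses."""
    if not controller_ips:
        raise ValueError("at least one controller IP address is required")
    value = b"".join(ipaddress.IPv4Address(ip).packed for ip in controller_ips)
    length = len(value)  # 4 bytes per address, as the format above states
    if length > 255:
        raise ValueError("too many controllers for a single-byte TLV length")
    return bytes([OPTION43_TYPE, length]) + value


def to_ios_hex(tlv):
    """Render TLV bytes as IOS 'option 43 hex' text: dotted groups of 4 hex digits."""
    hexstr = tlv.hex()
    return ".".join(hexstr[i:i + 4] for i in range(0, len(hexstr), 4))


def from_ios_hex(text):
    """Parse the dotted IOS hex text back into raw bytes."""
    return bytes.fromhex(text.replace(".", ""))


def parse_option43(tlv):
    """Decode a TLV block into controller IPs, rejecting malformed blocks.

    A DHCP server entry with a wrong length byte or a padded value gives the
    access point a block it cannot use; the checks here make that visible.
    """
    if len(tlv) < 2 or tlv[0] != OPTION43_TYPE:
        raise ValueError("not a Cisco AP option 43 TLV (expected type 0xf1)")
    length, value = tlv[1], tlv[2:]
    if length != len(value):
        raise ValueError(f"length byte {length} does not match {len(value)} value bytes")
    if length % 4 != 0:
        raise ValueError("value length must be a multiple of 4 (IPv4 addresses)")
    return [str(ipaddress.IPv4Address(value[i:i + 4])) for i in range(0, length, 4)]


if __name__ == "__main__":
    # Reproduces the router example: f104.0a0a.0a0f for a single controller 10.10.10.15
    print(to_ios_hex(build_option43(["10.10.10.15"])))
    # Two controllers: length byte becomes 0x08 and both addresses follow
    print(to_ios_hex(build_option43(["10.10.10.15", "10.10.10.16"])))
    print(parse_option43(from_ios_hex("f104.0a0a.0a0f")))
```

When checking an existing DHCP server entry, paste its hex value into from_ios_hex and run parse_option43 on the result; a length or type mismatch is reported instead of being silently decoded.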

Troubleshooting the Access Point Join Process

Access points can fail to join a controller for many reasons: a RADIUS authorization is pending, self-signed certificates are not enabled on the controller, the access point and controller’s regulatory domains do not match, and so on.
Controller software release 5.2 enables you to configure the access points to send all CAPWAP-related errors to a syslog server. You do not need to enable any debug commands on the controller because all of the CAPWAP error messages can be viewed from the syslog server itself.
The state of the access point is not maintained on the controller until it receives a CAPWAP join request from the access point. Therefore, it can be difficult to determine why the CAPWAP discovery request from a certain access point was rejected. In order to troubleshoot such joining issues without enabling CAPWAP debug commands on the controller, the controller collects information for all access points that send a discovery message to this controller and maintains information for any access points that have successfully joined this controller.
The controller collects all join-related information for each access point that sends a CAPWAP discovery request to the controller. Collection begins with the first discovery message received from the access point and ends with the last configuration payload sent from the controller to the access point.