
Split Tunneling with FlexConnect


Split tunneling was introduced for FlexConnect APs in the WLC 7.3.x releases. It allows selected traffic to be locally switched at a FlexConnect AP while all other traffic is centrally switched back to the WLC.

In this post we will see how this feature is enabled and used in an Office Extend (home user) scenario. The feature works a little differently with the OEAP 600 series AP, which will be covered in a separate post. Here I have used a 3502 AP converted into Office Extend mode.

The diagram below shows a typical home user's network connectivity. There would not normally be an OEAP in such a setup; I have added it here since it is the primary focus of this post.

[Image: Split-Tunnel-3500-01]

Once you have changed the AP mode to FlexConnect and primed it with the address of your corporate WLC (typically placed in a DMZ), it is ready to hand to the end user to plug into their home network. The corporate SSID is then available at their home. If you want to give end users the ability to create their own personal SSID, you can enable the "office extend" feature on the AP itself. Refer to this post to see how you can do that.

Prior to 7.3.x, all traffic from corporate user devices went back to the wireless controller in the corporate office. In other words, a user connected to the corporate SSID could not reach devices on their local network (printer, home PC, etc.). Sometimes a user wants to print to a home printer while connected to the corporate SSID, and that is the reason the "Split Tunnel" feature was added to the WLC software.

This is how it works. Let's say your home network is 192.168.x.x (private address space) and your corporate office uses a completely different range (say 131.172.x.x/16). When you connect to the office SSID from home you get a 131.172.x.x address. If you then try to reach 192.168.x.x from that address, the traffic goes back to the WLC and is dropped there, since the 192.168.x.x destination is not reachable from the corporate network (and those private addresses are not routable across the Internet anyway).

Once you enable split tunneling, with an ACL defining which traffic is to be locally switched, you can reach your home network devices while connected to the office SSID. Keep that ACL as narrow as the use case allows: every destination it permits is bridged straight onto the home LAN and bypasses the corporate path and whatever inspection happens there.

Here are the steps you need to follow. My wireless controller is running version 7.5.102.0, so you may see slightly different screens if your controller is on a different version.

First you have to define a FlexConnect ACL to classify your local traffic. In the GUI this is done via "Security -> Access Control Lists -> FlexConnect ACLs -> New". I have defined an ACL called "Flex-Split-Tunnel" as shown below; it specifies that any traffic destined to 192.168.x.x is to be treated as local traffic.

[Image: Split-Tunnel-3500-02]

Then you need to create a FlexConnect Group and map this ACL to the WLANs you intend to advertise via the OEAP. In the GUI this is under "Wireless -> FlexConnect Groups -> ACL Mapping -> WLAN ACL-mapping -> Local Split ACL Mapping". In my case I created a group called "LTU-OEAP600" and mapped the "Flex-Split-Tunnel" ACL to two corporate WLANs named "eduroam" and "LTUWireless2".

[Image: Split-Tunnel-3500-03]

The same can be done from the CLI. Note that the commands below apply the local-split ACL per AP (config ap flexconnect local-split ...); the group-level equivalent is the local-split option under config flexconnect group, which appears in the option listing further down.

(WLC) >config flexconnect group ?            
<groupName>    flexconnect group name

(WLC) >config flexconnect group LTU-OEAP600

(WLC) >config ap flexconnect ?             
central-dhcp   Configures central-dhcp on AP per Wlan
local-split    Configures local-split on Wlan
policy         Add/Deletes policy flexconnect ACL on AP.
radius         Config flexconnect backup Radius Server in standalone mode
vlan           Enables/Disables VLAN on the flexconnect.
web-auth       Maps Web-Auth/Web Passthrough ACL to WLAN for an AP.
wlan           Configure wlan and vlan mapping

(WLC) >config ap flexconnect local-split ?               
<Wlan-Id>      Wlan Id

(WLC) >config ap flexconnect local-split 1 ?              
<Cisco AP>     Enter the name of the Cisco AP.

(WLC) >config ap flexconnect local-split 1 OE-AP013-RasikaN ?              
enable         Enable disables local-split tunnel on WLAN              
disable        Enable disables local-split tunnel on WLAN

(WLC) >config ap flexconnect local-split 1 OE-AP013-RasikaN enable ?               
acl            ACL configurations

(WLC) >config ap flexconnect local-split 1 OE-AP013-RasikaN enable acl ?              
<acl-name>     ACL Nam

(WLC) >config ap flexconnect local-split 1 OE-AP013-RasikaN enable acl Flex-Split-Tunnel            
(WLC) >config ap flexconnect local-split 2 OE-AP013-RasikaN enable acl Flex-Split-Tunnel
 

Then you can add FlexConnect APs to this group. If you tick the "Select AP from current controller" option it lists all the FlexConnect APs on that controller for you to choose from. In my case I have put my home OEAP into this group.

[Image: Split-Tunnel-3500-04]

Here is the CLI way of doing this.

(WLC) >config flexconnect ?             
acl            Configures Access Control Lists.
group          Configure flexconnect group tables.
join           Enables or disables the latency base join mode for an OfficeExtend AP
office-extend  Enables or disables the  OfficeExtend AP mode for a flexconnect AP

(WLC) >config flexconnect group ?              
<groupName>    flexconnect group name

(WLC) >config flexconnect group LTU-OEAP600 ?               
add            Adds flexconnect group 
ap             Configure flexconnect group AP information.
central-dhcp   Configures central-dhcp on Flexconnect group per Wlan
delete         Deletes flexconnect group
local-split    Config local-split acl on Flexconnect Group.
multicast      Sets Multicast/Broadcast across L2 Broadcast Domain on Overridden interface for locally switched clients
policy         Config policy acl on Flexconnect Group.
predownload    Sets Efficient Upgrade for group 
radius         RADIUS server for client authentication in standalone mode
vlan           Config Vlan on Flexconnect Group.
web-auth       Config web-auth acl on Flexconnect Group.
wlan-vlan      Configure Wlan-Vlan mapping on flexconnect group.

(WLC) >config flexconnect group LTU-OEAP600 ap ?               
add            Add AP <MacAddress> to flexconnect group table.
delete         Delete AP <MacAddress> from flexconnect group table.

(WLC) >config flexconnect group LTU-OEAP600 ap add ?               
<MacAddress>   AP Mac Address.

(WLC) >config flexconnect group LTU-OEAP600 ap add 70:81:05:03:7c:ef

You can verify your configuration with the following CLI commands.

(WLC) >show flexconnect ?              
acl            Display system Access Control Lists.
group          Display flexconnect group information.
office-extend  Display flexconnect OfficeExtend AP information.

(WLC) >show flexconnect acl ?               
summary        Display a summary of the Access Control Lists.
detailed       Display detailed Access Control List information.

(WLC) >show flexconnect acl summary  
ACL Name                         Status
-------------------------------- -------
Flex-Split-Tunnel                Applied

(BUN-PW00-WC01) >show flexconnect acl detailed Flex-Split-Tunnel
                   Source                        Destination                Source Port  Dest Port
Index        IP Address/Netmask              IP Address/Netmask        Prot    Range       Range    DSCP  Action
------ ------------------------------- ------------------------------- ---- ----------- ----------- ----- -------
     1         0.0.0.0/0.0.0.0             192.168.0.0/255.255.0.0      Any     0-65535     0-65535  Any Permit
     2         0.0.0.0/0.0.0.0                 0.0.0.0/0.0.0.0          Any     0-65535     0-65535  Any   Deny

(WLC) >show flexconnect group ?               
detail         Display detail for a specific flexconnect group.
summary        Display list of flexconnect groups.

(WLC) >show flexconnect group summary 
FlexConnect Group Summary: Count: 1
Group Name                # Aps
LTU-OEAP600                        1

(WLC) >show flexconnect group detail LTU-OEAP600 
Number of AP's in Group: 1 
70:81:05:03:7c:ef    OE-AP013-RasikaN     Joined 
Efficient AP Image Upgrade ..... Disabled

Master-AP-Mac     Master-AP-Name                    Model      Manual

Group Radius Servers Settings:
Type           Server Address    Port   
-------------  ----------------  -------
Primary        Unconfigured      Unconfigured
Secondary      Unconfigured      Unconfigured
Group Radius AP Settings:
AP RADIUS server............ Disabled
EAP-FAST Auth............... Disabled
LEAP Auth................... Disabled
EAP-TLS Auth................ Disabled
EAP-TLS CERT Download....... Disabled
PEAP Auth................... Disabled
Server Key Auto Generated... No
Server Key..................     <hidden>    
Authority ID................ 436973636f0000000000000000000000
Authority Info.............. Cisco A_ID
PAC Timeout................. 0
Multicast on Overridden interface config: Disabled
Number of User's in Group: 0
Group-Specific FlexConnect Local-Split ACLs :
WLAN ID     SSID                            ACL 
--------   --------------------            ----- 
1          eduroam                          Flex-Split-Tunnel               
2          LTUWireless2                     Flex-Split-Tunnel               
Group-Specific FlexConnect Wlan-Vlan Mapping:
WLAN ID     Vlan ID          
--------   --------------------

WLAN ID   SSID                            Central-Dhcp  Dns-Override  Nat-Pat

Once this is done you are ready to test the feature. As you can see, my client gets a 131.x.x.14 address, but I can still reach my local 192.168.20.x network at home.

[Image: Split-Tunnel-3500-05]

It works. How can you see what changes the WLC pushes to the AP configuration when this feature is enabled? "show derived-config" is the command to run on the AP console for that. Here is the relevant section of the output (not all of it). As you can see, the WLC creates a NAT configuration that uses the ACL defined for split tunneling, similar to what you would configure on an IOS router for split tunneling: locally switched traffic from the corporate client subnets is translated (PAT overload) to the AP's own home-network address on BVI1, since the clients' corporate addresses are not routable on the home LAN.

OE-AP013-RasikaN#show derived-config 

dot11 ssid LTUWireless2 1 <--Corporate SSID 1
dot11 ssid eduroam 2  <- Corporate SSID 2
dot11 ssid mrn-cciew 16 <- Personal SSID
!
interface Dot11Radio1
 antenna gain 0
 traffic-metrics aggregate-report
 peakdetect
 beamform ofdm
 mbssid
 speed  basic-12.0 18.0 basic-24.0 36.0 48.0 54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.
 power client local
 packet retries 64 drop-packet
 no cdp enable
!
interface Dot11Radio1.1
 encapsulation dot1Q 1
 bridge-group 18
!
interface Dot11Radio1.2
 encapsulation dot1Q 2
 bridge-group 18
!
interface Dot11Radio1.17
 encapsulation dot1Q 17 native
 bridge-group 1
!
interface Dot11Radio1.18
 encapsulation dot1Q 18
 bridge-group 18
!
interface GigabitEthernet0.1
 encapsulation dot1Q 1 native
 bridge-group 1
!
interface BVI1
 ip address dhcp client-id BVI1
 ip nat outside
!
interface BVI18
 ip address 149.x.x.x 255.255.248.0 secondary <- gateway address of dynamic interface for WLAN1
 ip address 131.x.x.x 255.255.248.0 <- gateway address of dynamic interface for WLAN2
 ip nat inside
!
ip nat inside source list reap_local_central_acl interface BVI1 overload
!
ip access-list extended Flex-Split-Tunnel
 permit ip any 192.168.0.0 0.0.255.255
 deny   ip any any
ip access-list extended reap_local_central_acl
 permit ip 131.x.x.0 0.0.7.255 any <- WLAN2 dynamic interface subnet
 permit ip 149.x.x.0 0.0.7.255 any <- WLAN1 dynamic interface subnet
!
arp 149.x.x.18 04f7.e4ea.5b66 ARPA <- Client1 IP Address 
arp 131.x.x.14 a088.b435.c2f0 ARPA <- Client2 IP Address 
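To make the classification concrete, here is an added example (my own code, not from the original post or from Cisco) that parses the table printed by show flexconnect acl detailed, decides per flow whether the local-split ACL would switch it locally (a matching permit) or send it back to the WLC (a matching deny, or no match at all, which falls to the implicit deny), and flags permit rules whose destination overlaps corporate address space, where locally switched traffic would be bridged onto the home LAN instead of going down the tunnel. The sample table, the client address 131.172.5.14 and the corporate prefixes are constructed from the addresses used in this post; protocol and port matching is simplified to the columns the WLC prints.

```python
"""Classify client flows against a FlexConnect local-split ACL.

Added example (not from the original post or from Cisco): it parses the
table that `show flexconnect acl detailed` prints, applies first-match
semantics (permit = locally switched, deny = sent back to the WLC), and
flags local-split permit rules that overlap corporate address space.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample modelled on the WLC table layout; the addresses are
# the ones used in the post, not copied from a live controller.
SAMPLE_ACL_OUTPUT = """\
                   Source                        Destination                Source Port  Dest Port
Index        IP Address/Netmask              IP Address/Netmask        Prot    Range       Range    DSCP  Action
------ ------------------------------- ------------------------------- ---- ----------- ----------- ----- -------
     1         0.0.0.0/0.0.0.0             192.168.0.0/255.255.0.0      Any     0-65535     0-65535  Any Permit
     2         0.0.0.0/0.0.0.0                 0.0.0.0/0.0.0.0          Any     0-65535     0-65535  Any   Deny
"""

# One data row: index, src/mask, dst/mask, proto, sport range, dport range, dscp, action
ROW_RE = re.compile(
    r"^\s*(\d+)\s+(\S+)/(\S+)\s+(\S+)/(\S+)\s+(\S+)\s+"
    r"(\d+)-(\d+)\s+(\d+)-(\d+)\s+(\S+)\s+(Permit|Deny)\s*$"
)


@dataclass(frozen=True)
class Rule:
    index: int
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str          # "Any", "TCP", "UDP", ... as printed by the WLC
    sport: tuple        # (low, high)
    dport: tuple
    action: str         # "Permit" or "Deny"


def parse_flex_acl(text):
    """Return the ACL rows in index order; header and separator lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        (idx, sip, smask, dip, dmask, proto,
         sp_lo, sp_hi, dp_lo, dp_hi, _dscp, action) = m.groups()
        rules.append(Rule(
            int(idx),
            ipaddress.IPv4Network(f"{sip}/{smask}"),   # dotted netmask is accepted
            ipaddress.IPv4Network(f"{dip}/{dmask}"),
            proto,
            (int(sp_lo), int(sp_hi)),
            (int(dp_lo), int(dp_hi)),
            action,
        ))
    return sorted(rules, key=lambda r: r.index)


def _matches(rule, src, dst, proto, sport, dport):
    return (ipaddress.IPv4Address(src) in rule.src
            and ipaddress.IPv4Address(dst) in rule.dst
            and rule.proto.lower() in ("any", proto.lower())
            and rule.sport[0] <= sport <= rule.sport[1]
            and rule.dport[0] <= dport <= rule.dport[1])


def switching_path(rules, src, dst, proto="tcp", sport=40000, dport=80):
    """'local' if the first matching rule permits, otherwise 'central'.
    A flow matching no rule falls to the WLC's implicit deny, i.e. central."""
    for rule in rules:
        if _matches(rule, src, dst, proto, sport, dport):
            return "local" if rule.action == "Permit" else "central"
    return "central"


def overlapping_corporate_prefixes(rules, corporate_nets):
    """Permit rules whose destination overlaps corporate space: those
    destinations would be bridged onto the home LAN instead of tunnelled."""
    nets = [ipaddress.IPv4Network(n) for n in corporate_nets]
    hits = []
    for rule in rules:
        if rule.action != "Permit":
            continue
        for net in nets:
            if rule.dst.overlaps(net):
                hits.append((rule.index, str(net)))
    return hits


if __name__ == "__main__":
    acl = parse_flex_acl(SAMPLE_ACL_OUTPUT)
    client = "131.172.5.14"   # constructed: corporate address handed out via the WLC
    print(switching_path(acl, client, "192.168.20.5", "tcp", 51000, 9100))   # home printer
    print(switching_path(acl, client, "131.172.10.20"))                       # corporate server
    print(overlapping_corporate_prefixes(acl, ["131.172.0.0/16"]))           # no overlap
    print(overlapping_corporate_prefixes(acl, ["192.168.100.0/24"]))         # overlap with rule 1
```

The overlap check is the one worth running before mapping an ACL to a group: a permit for 192.168.0.0/16 is harmless with a 131.172.x.x corporate network, but on a site that also uses 192.168.x.x internally the same rule would quietly send corporate-bound traffic onto the user's home LAN.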

In the next post we will see how this feature works on the OEAP 600 series.

References:
1. Configuring FlexConnect, Cisco WLC 7.5 Configuration Guide
2. FlexConnect Split Tunneling, Cisco DOC-27758




Split Tunneling in OEAP600


As described in the previous post, the split tunneling feature has been available on FlexConnect APs since WLC 7.3.x. Cisco introduced it for the OEAP600 series AP model in WLC 7.5.x. On the OEAP 600 series it is limited to printing: only traffic to the well-known printer ports listed below is forwarded to the local subnet behind the OEAP.

- IPP (port 631)
- PDL (port 9100)
- MFP (port 9303)
- LPD, LPR (port 515)
- PSUS4 (port 34443)
- Generic printer server (port 35)

In this post we will see how to configure this for the 600 series AP. Before going into the split tunnel configuration, you should know a few important points about this AP model.

[Image: Split-Tunnel-600-01]

1. It has 4 LAN ports (like a home-grade wireless Internet router).
2. Port 4 is called the Remote-LAN port, where you can extend one of your office wired VLANs.
3. A maximum of 15 client devices can connect wirelessly to the corporate SSIDs advertised (not counting the personal SSID).
4. A maximum of 4 wired clients is supported.
5. The WAN port has to connect to your home Internet router (or any port where public Internet access is available).
6. The AP needs to be configured for local DHCP for the personal SSID you create and for local wired clients connecting via ports 1-3 (the WAN port and the local LAN ports cannot be in the same network).

When you connect this to your home network, the connectivity looks like this.

[Image: Split-Tunnel-600-02]

As you can see above, when you plug the OEAP600 into your home network and use the personal SSID or the local LAN ports, those devices get an IP address assigned by the AP itself, not one from the home network you already have (only the WAN port of the OEAP sits in the home network, 192.168.20.x/24).

Therefore with this AP model, if you enable split tunneling you will be able to reach the local network that sits on the OEAP itself (10.30.83.0/24) while connected to the corporate SSID. You will not be able to reach your home network (192.168.20.0/24) while connected to the corporate SSID.

Here is how you configure this feature on a WLC running 7.5.102.0 or later for the OEAP600 series AP. First of all you need to enable split tunneling globally. By default it is disabled (as shown); the GUI presents this as a disable check box, so you untick it to enable the feature.

[Image: Split-Tunnel-600-03]

Here is the CLI command to enable this.

(WLC) >config network oeap-600 ?
dual-rlan-ports Allows the use of OEAP-600 port 3 to function as a RLAN port in addition to port 4
local-network  Configures Local Network Access for OEAP-600 connecting to this controller
split-tunnel   Configures Split Tunnel (Printers) State for OEAP-600 connecting to this controller

(WLC) >config network oeap-600 split-tunnel ?
disable        Disables Split Tunnel State (Printers) for OEAP-600 connecting to this controller
enable         Enables Split Tunnel State (Printers) for OEAP-600 connecting to this controller

(WLC) >config network oeap-600 split-tunnel enable

Then you need to go to the WLAN's Advanced settings, where you can enable this feature for a specific WLAN.

[Image: Split-Tunnel-600-04]

Here is the CLI command for the above.

(WLC) >config wlan split-tunnel ?                               
<wlan id>      Enter WLAN Identifier between 1 and 512.

(WLC) >config wlan split-tunnel 1 ?               
enable         Enable Split Tunnel (Printers).
disable        Disable Split Tunnel (Printers).

(WLC) >config wlan split-tunnel 1 enable
(WLC) >config wlan split-tunnel 2 enable

You can verify your config in the CLI like this.

(WLC) >show network summary 
RF-Network Name............................. test
Web Mode.................................... Disable
Secure Web Mode............................. Enable
Secure Web Mode Cipher-Option High.......... Disable
Secure Web Mode Cipher-Option SSLv2......... Disable
Secure Web Mode RC4 Cipher Preference....... Enable
.
.
.
AP Discovery - NAT IP Only ................. Enabled
IP/MAC Addr Binding Check .................. Enabled
CCX-lite status ............................ Disable
oeap-600 dual-rlan-ports ................... Enable
oeap-600 local-network ..................... Enable
oeap-600 Split Tunneling (Printers)......... Enable
WebPortal Online Client .................... 0
mDNS snooping............................... Enabled
mDNS Query Interval......................... 15 minutes

(WLC) >show wlan 1
WLAN Identifier.................................. 1
Profile Name..................................... eduroam
Network Name (SSID).............................. eduroam
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
.
.
AVC Visibilty.................................... Enabled
AVC Profile Name................................. LTU-AVC-POLICY
Flow Monitor Name................................ Scrutinizer
Split Tunnel (Printers).......................... Enabled
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
SIP CAC Fail Send-486-Busy Policy................ Enabled
SIP CAC Fail Send Dis-Association Policy......... Disabled
KTS based CAC Policy............................. Disabled

Split tunneling is now active on your OEAP600 series AP. Once you connect to a corporate SSID that has split tunnel enabled, you can reach any device connected to the OEAP personal SSID or its local LAN ports.

So if you want to print, you have to move your printer to an OEAP local port. But what about your other local devices in 192.168.20.x talking to that printer (or to any device in the 10.30.83.0/24 range)? Since your home Internet router knows nothing about the existence of that network inside your home, that will not work.

What are the options to get it working?
1. Add a static route in your home Internet router for 10.30.83.0/24 pointing to the OEAP.
2. Use the OEAP as your home network and put all wired connections behind it (this only works if you have 2-3 devices, as it has a limited wired MAC address limit).
3. Turn off your home Internet router's wireless and use only the OEAP personal SSID.

But if you are giving this solution to corporate staff to use at home, do you want to get involved in their home network configuration? Most probably the answer is no, since it brings additional administrative overhead.

That is why I prefer using a FlexConnect AP as the OEAP instead of the OEAP600 to meet this requirement (local printing while connected to the corporate SSID). Commercially, though, the OEAP600 can be a viable option if you are planning to hand these out to staff in volume.

References:
1. Configuring OfficeExtend Access Points, Cisco WLC 7.5 Configuration Guide
2. Cisco 600 Series OfficeExtend Access Point Configuration Guide



Converged Access QoS


I found this Cisco Live presentation (BRKCRS-2890, Converged Access QoS) really useful for getting an insight into QoS on the new 3850 integrated controllers. Please go through it.

Here are some snapshots of that presentation.

[Image: 3850-QoS-3]

[Image: 3850-QoS-1]

[Image: 3850-QoS-2]

I am eager to learn this product (especially QoS in detail) and will post about it as I learn, bit by bit.

 

 


Getting Started with 3850


In this post we will see how to configure a Cisco 3850 switch for basic wireless connectivity. It is part of the Converged Access product platform, and you should have some familiarity with the new architecture (which is not discussed in this post). Here are a few key points to remember when using a 3850 as a WLC.

1. Your access points have to attach directly to 3850 switches (yes, every wiring closet needs one for all the building's APs to connect to this new environment).

2. The wireless management VLAN and the AP management VLAN must be identical. If you configure VLAN 21 as the wireless management VLAN on the 3850, all APs connected to that switch must be in access VLAN 21.

3. You have to enable Mobility Controller (MC) functionality to terminate CAPWAP (the MC can be the same 3850, another 3850, or a 5508/5760 centralized controller). By default, when you enable wireless management, the switch acts as a Mobility Agent (MA) and cannot terminate CAPWAP.

4. The "ipbase" or "ipservices" feature set is required for MC functionality; "lanbase" cannot be used on an MC switch stack.

5. A given 3850 switch stack can support a maximum of 50 APs.

In my lab setup I have two 3850 switches stacked together. Before getting started, we will make sure the switch has the latest software. At the time of writing, IOS-XE 3.2.3SE is the latest code available for the 3850 platform; refer to the 3850 IOS-XE 3.2.x SE release notes for details of features, restrictions, etc.

Let’s copy this new image to flash of our 3850.

3850-1#copy tftp://192.168.20.51/firmware/cat3k_caa-universalk9.SPA.03.02.03.SE.150-1.EX3.bin flash:
Destination filename [cat3k_caa-universalk9.SPA.03.02.03.SE.150-1.EX3.bin]? 
Accessing tftp://192.168.20.51/firmware/cat3k_caa-universalk9.SPA.03.02.03.SE.150-1.EX3.bin...
Loading firmware/cat3k_caa-universalk9.SPA.03.02.03.SE.150-1.EX3.bin from 192.168.20.51 (via Vlan999): 
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!
[OK - 223743040 bytes]

There are two modes, "INSTALL" and "BUNDLE", available on these new switches. To boot in INSTALL mode you have to copy the image onto flash first and install it. In BUNDLE mode the switch boots the monolithic .bin image, which can even be kept on a TFTP server and booted from there if required, but this needs more memory on the switch, so INSTALL mode is the preferred method.

Use the "software install file <file_location>" command to install the new software on your switch. It is worth checking the image's MD5 against the checksum published on the Cisco download page before you install it. At the end the install prompts you to reload the switch, as shown below.

3850-1#software install file flash:cat3k_caa-universalk9.SPA.03.02.03.SE.150-1.EX3.bin
Preparing install operation ...
[1]: Copying software from active switch 1 to switch 2
[1]: Finished copying software to switch 2
[1 2]: Starting install operation
[1 2]: Expanding bundle flash:cat3k_caa-universalk9.SPA.03.02.03.SE.150-1.EX3.bin
[1 2]: Copying package files
[1 2]: Package files copied
[1 2]: Finished expanding bundle flash:cat3k_caa-universalk9.SPA.03.02.03.SE.150-1.EX3.bin
[1 2]: Verifying and copying expanded package files to flash:
[1 2]: Verified and copied expanded package files to flash:
[1 2]: Starting compatibility checks
[1 2]: Finished compatibility checks
[1 2]: Starting application pre-installation processing
[1 2]: Finished application pre-installation processing
[1]: Old files list:
 Removed cat3k_caa-base.SPA.03.02.02.SE.pkg
 Removed cat3k_caa-drivers.SPA.03.02.02.SE.pkg
 Removed cat3k_caa-infra.SPA.03.02.02.SE.pkg
 Removed cat3k_caa-iosd-universalk9.SPA.150-1.EX2.pkg
 Removed cat3k_caa-platform.SPA.03.02.02.SE.pkg
 Removed cat3k_caa-wcm.SPA.10.0.111.0.pkg
[2]: Old files list:
 Removed cat3k_caa-base.SPA.03.02.02.SE.pkg
 Removed cat3k_caa-drivers.SPA.03.02.02.SE.pkg
 Removed cat3k_caa-infra.SPA.03.02.02.SE.pkg
 Removed cat3k_caa-iosd-universalk9.SPA.150-1.EX2.pkg
 Removed cat3k_caa-platform.SPA.03.02.02.SE.pkg
 Removed cat3k_caa-wcm.SPA.10.0.111.0.pkg
[1]: New files list:
 Added cat3k_caa-base.SPA.03.02.03.SE.pkg
 Added cat3k_caa-drivers.SPA.03.02.03.SE.pkg
 Added cat3k_caa-infra.SPA.03.02.03.SE.pkg
 Added cat3k_caa-iosd-universalk9.SPA.150-1.EX3.pkg
 Added cat3k_caa-platform.SPA.03.02.03.SE.pkg
 Added cat3k_caa-wcm.SPA.10.0.120.0.pkg
[2]: New files list:
 Added cat3k_caa-base.SPA.03.02.03.SE.pkg
 Added cat3k_caa-drivers.SPA.03.02.03.SE.pkg
 Added cat3k_caa-infra.SPA.03.02.03.SE.pkg
 Added cat3k_caa-iosd-universalk9.SPA.150-1.EX3.pkg
 Added cat3k_caa-platform.SPA.03.02.03.SE.pkg
 Added cat3k_caa-wcm.SPA.10.0.120.0.pkg
[1 2]: Creating pending provisioning file
[1 2]: Finished installing software. New software will load on reboot.
[1 2]: Committing provisioning file
[1 2]: Do you want to proceed with reload? [yes/no]: yes
[2]: Reloading
[1]: Pausing before reload

If you now look at the contents of your flash directory you will see multiple .pkg and .conf files. Depending on the image the switch shipped with and how many times it has been upgraded, there may be several versions of the .conf and .pkg files. You can clean the directory with the "software clean" command, which deletes all the files not needed by the booted software; that way only the 3.2.3SE related files remain on flash.

3850-1#dir
Directory of flash:/
85193 -rw- 2097152 Sep 28 2013 14:28:26 +10:00 nvram_config
85187 -rw- 74410468 Jan 1 1970 11:01:11 +11:00 cat3k_caa-base.SPA.03.02.00SE.pkg
85188 -rw- 2773680 Jan 1 1970 11:01:12 +11:00 cat3k_caa-drivers.SPA.03.02.00.SE.pkg
85189 -rw- 32478044 Jan 1 1970 11:01:12 +11:00 cat3k_caa-infra.SPA.03.02.00SE.pkg
85190 -rw- 30393116 Jan 1 1970 11:01:12 +11:00 cat3k_caa-iosd-universalk9.SPA.150-1.EX.pkg
85191 -rw- 18313952 Jan 1 1970 11:01:12 +11:00 cat3k_caa-platform.SPA.03.02.00.SE.pkg
85192 -rw- 63402700 Jan 1 1970 11:01:12 +11:00 cat3k_caa-wcm.SPA.10.0.100.0.pkg
85199 -rw- 1224 Sep 28 2013 14:19:19 +10:00 packages.conf
85196 -rw- 8916 Sep 26 2013 15:59:58 +10:00 vlan.dat
85195 -rw- 114 Jun 6 2013 08:31:45 +10:00 express_setup.debug
85194 -rw- 1224 Sep 25 2013 02:20:20 +10:00 packages.conf.00-
 7750 -rw- 74369252 Sep 25 2013 02:20:16 +10:00 cat3k_caa-base.SPA.03.02.02.SE.pkg
 7751 -rw- 5808828 Sep 25 2013 02:20:16 +10:00 cat3k_caa-drivers.SPA.03.02.02.SE.pkg
 7752 -rw- 32488292 Sep 25 2013 02:20:16 +10:00 cat3k_caa-infra.SPA.03.02.02.SE.pkg
 7753 -rw- 30403764 Sep 25 2013 02:20:16 +10:00 cat3k_caa-iosd-universalk9.SPA.150-1.EX2.pkg
 7754 -rw- 16079584 Sep 25 2013 02:20:16 +10:00 cat3k_caa-platform.SPA.03.02.02.SE.pkg
 7755 -rw- 64580300 Sep 25 2013 02:20:17 +10:00 cat3k_caa-wcm.SPA.10.0.111.0.pkg
85186 -rw- 223743040 Sep 28 2013 13:30:24 +10:00 cat3k_caa-universalk9.SPA.03.02.03.SE.150-1.EX3.bin
85198 -rw- 1218 Jan 1 1970 11:01:22 +11:00 packages.conf.01-
30979 -rw- 74369716 Sep 28 2013 14:19:15 +10:00 cat3k_caa-base.SPA.03.02.03.SE.pkg
30980 -rw- 5808828 Sep 28 2013 14:19:15 +10:00 cat3k_caa-drivers.SPA.03.02.03.SE.pkg
30981 -rw- 32496484 Sep 28 2013 14:19:15 +10:00 cat3k_caa-infra.SPA.03.02.03.SE.pkg
30982 -rw- 30418104 Sep 28 2013 14:19:15 +10:00 cat3k_caa-iosd-universalk9.SPA.150-1.EX3.pkg
30983 -rw- 16059104 Sep 28 2013 14:19:15 +10:00 cat3k_caa-platform.SPA.03.02.03.SE.pkg
30984 -rw- 64586444 Sep 28 2013 14:19:15 +10:00 cat3k_caa-wcm.SPA.10.0.120.0.pkg
1621966848 bytes total (723390464 bytes free)

3850-1#software clean 
Preparing clean operation ...
[1 2]: Cleaning up unnecessary package files
[1 2]: No path specified, will use booted path flash:packages.conf
[1 2]: Cleaning flash:
[1]: Preparing packages list to delete ...
 cat3k_caa-base.SPA.03.02.03.SE.pkg
 File is in use, will not delete.
 cat3k_caa-drivers.SPA.03.02.03.SE.pkg
 File is in use, will not delete.
 cat3k_caa-infra.SPA.03.02.03.SE.pkg
 File is in use, will not delete.
 cat3k_caa-iosd-universalk9.SPA.150-1.EX3.pkg
 File is in use, will not delete.
 cat3k_caa-platform.SPA.03.02.03.SE.pkg
 File is in use, will not delete.
 cat3k_caa-wcm.SPA.10.0.120.0.pkg
 File is in use, will not delete.
 packages.conf
 File is in use, will not delete.
[2]: Preparing packages list to delete ...
 cat3k_caa-base.SPA.03.02.03.SE.pkg
 File is in use, will not delete.
 cat3k_caa-drivers.SPA.03.02.03.SE.pkg
 File is in use, will not delete.
 cat3k_caa-infra.SPA.03.02.03.SE.pkg
 File is in use, will not delete.
 cat3k_caa-iosd-universalk9.SPA.150-1.EX3.pkg
 File is in use, will not delete.
 cat3k_caa-platform.SPA.03.02.03.SE.pkg
 File is in use, will not delete.
 cat3k_caa-wcm.SPA.10.0.120.0.pkg
 File is in use, will not delete.
 packages.conf
 File is in use, will not delete.
[1]: Files that will be deleted:
 cat3k_caa-base.SPA.03.02.00SE.pkg
 cat3k_caa-base.SPA.03.02.02.SE.pkg
 cat3k_caa-drivers.SPA.03.02.00.SE.pkg
 cat3k_caa-drivers.SPA.03.02.02.SE.pkg
 cat3k_caa-infra.SPA.03.02.00SE.pkg
 cat3k_caa-infra.SPA.03.02.02.SE.pkg
 cat3k_caa-iosd-universalk9.SPA.150-1.EX.pkg
 cat3k_caa-iosd-universalk9.SPA.150-1.EX2.pkg
 cat3k_caa-platform.SPA.03.02.00.SE.pkg
 cat3k_caa-platform.SPA.03.02.02.SE.pkg
 cat3k_caa-universalk9.SPA.03.02.03.SE.150-1.EX3.bin
 cat3k_caa-wcm.SPA.10.0.100.0.pkg
 cat3k_caa-wcm.SPA.10.0.111.0.pkg
 packages.conf.00-
 packages.conf.01-
[2]: Files that will be deleted:
 cat3k_caa-base.SPA.03.02.00SE.pkg
 cat3k_caa-base.SPA.03.02.02.SE.pkg
 cat3k_caa-drivers.SPA.03.02.00.SE.pkg
 cat3k_caa-drivers.SPA.03.02.02.SE.pkg
 cat3k_caa-infra.SPA.03.02.00SE.pkg
 cat3k_caa-infra.SPA.03.02.02.SE.pkg
 cat3k_caa-iosd-universalk9.SPA.150-1.EX.pkg
 cat3k_caa-iosd-universalk9.SPA.150-1.EX2.pkg
 cat3k_caa-platform.SPA.03.02.00.SE.pkg
 cat3k_caa-platform.SPA.03.02.02.SE.pkg
 cat3k_caa-universalk9.SPA.03.02.03.SE.150-1.EX3.bin
 cat3k_caa-wcm.SPA.10.0.100.0.pkg
 cat3k_caa-wcm.SPA.10.0.111.0.pkg
 packages.conf.00-
 packages.conf.01-
[1 2]: Do you want to proceed with the deletion? [yes/no]: yes
[1 2]: Clean up completed

3850-1#dir
Directory of flash:/
85193 -rw- 2097152 Sep 28 2013 14:28:26 +10:00 nvram_config
85199 -rw- 1224 Sep 28 2013 14:19:19 +10:00 packages.conf
85196 -rw- 8916 Sep 26 2013 15:59:58 +10:00 vlan.dat
85195 -rw- 114 Jun 6 2013 08:31:45 +10:00 express_setup.debug
30979 -rw- 74369716 Sep 28 2013 14:19:15 +10:00 cat3k_caa-base.SPA.03.02.03.SE.pkg
30980 -rw- 5808828 Sep 28 2013 14:19:15 +10:00 cat3k_caa-drivers.SPA.03.02.03.SE.pkg
30981 -rw- 32496484 Sep 28 2013 14:19:15 +10:00 cat3k_caa-infra.SPA.03.02.03.SE.pkg
30982 -rw- 30418104 Sep 28 2013 14:19:15 +10:00 cat3k_caa-iosd-universalk9.SPA.150-1.EX3.pkg
30983 -rw- 16059104 Sep 28 2013 14:19:15 +10:00 cat3k_caa-platform.SPA.03.02.03.SE.pkg
30984 -rw- 64586444 Sep 28 2013 14:19:15 +10:00 cat3k_caa-wcm.SPA.10.0.120.0.pkg
1621966848 bytes total (1393401856 bytes free)

You can verify that each member of the stack is running the upgraded image.

3850-1#sh ver | be SW 

Switch Ports Model              SW Version        SW Image              Mode   
------ ----- -----              ----------        ----------            ----   
     1 56    WS-C3850-48P       03.02.03.SE       cat3k_caa-universalk9 INSTALL
     2 56    WS-C3850-48P       03.02.03.SE       cat3k_caa-universalk9 INSTALL

You can check the boot configuration of your switch with the "show boot" command. As you can see, "packages.conf" is the file used in the boot process in INSTALL mode. If this file does not exist or is corrupted, the switch drops into ROMMON.

3850-1#sh boot 
---------------------------
Switch 1
---------------------------
Current Boot Variables:
BOOT variable = flash:packages.conf;

Boot Variables on next reload:
BOOT variable = flash:packages.conf;
Manual Boot = no
Enable Break = no

You can access the wireless controller GUI at https://<switch-ipaddress>/wireless.

[Image: GS-3850-01]

It has a different look and feel compared to the CUWN controllers (5508, 2504, etc.). Let's see how to configure the wireless controller on this switch. First of all you need to ensure you have the correct licence to start with.

3850-1#show license right-to-use ?
 default Displays the default license information.
 detail Displays details of all the licenses in the stack.
 eula Displays the EULA text.
 mismatch Displays mismatch license information.
 slot Specify switch number
 summary Displays consolidated stack wide license information.
 usage Displays the usage details of all licenses.
 | Output modifiers
 <cr>

3850-1#show license right-to-use summary 
License Name Type Count Period left
-----------------------------------------------
 lanbase permanent N/A Lifetime
 apcount base 0 Lifetime
 apcount adder 0 Lifetime
 --------------------------------------------
 License Level In Use: ipbase
 License Level on Reboot: ipbase
 Evaluation AP-Count: Disabled
 Total AP Count Licenses: 0 
 AP Count Licenses In-use: 0
 AP Count Licenses Remaining: 0

In the Converged Access architecture, a 3850 can act as a Mobility Agent (MA) or a Mobility Controller (MC). By default it is an MA. Normally the AP licence should be on the MC, where the CAPWAP tunnels from the APs terminate. In this case we have only the 3850 switch for everything (MC & MA), so you have to install the AP licence onto this switch. Remember that a maximum of 50 APs can be supported by a 3850 switch stack. In our case we will configure 25 licences each for the first two members of the stack, with all APs terminating on these two switches (max 25 on each member).

3850-1#license right-to-use ?
  activate    activate particular license level
  deactivate  deactivate particular license level

3850-1#license right-to-use activate ?
  apcount     configure the AP-count licenses on the switch
  ipbase      activate ipbase license on the switch
  ipservices  activate Ipservices license on the switch
  lanbase     activate lanbase license on the switch

3850-1#license right-to-use activate apcount ?
  <1-50>      configure the number of adder licenses
  evaluation  activate evaluation license

3850-1#license right-to-use activate apcount 50 ?
  slot  Specify switch number

3850-1#license right-to-use activate apcount 50 slot ?
  <1-9>  Specify switch number

3850-1#license right-to-use activate apcount 50 slot 1 ?
  acceptEULA  automatically accept the EULA for the given license
  <cr>

3850-1#license right-to-use activate apcount 50 slot 1 acceptEULA 
3850-1#license right-to-use activate apcount 50 slot 2 acceptEULA 
% switch-2:stack-mgr:ACTIVATION FAIL : Total AP Count Licenses exceed maximum limit
!
3850-1#license right-to-use deactivate apcount 25 slot 1 
3850-1#license right-to-use activate apcount 25 slot 2 acceptEULA

You have to enable the MC functionality of the 3850 using the “wireless mobility controller” CLI command as shown below.

3850-1(config)#wireless mobility ?
  controller    Configures mobility controller settings
  dscp          Configures the Mobility inter controller DSCP value
  group         Configures the Mobility group parameters
  load-balance  Configure mobility load-balance status
  multicast     Configures the Multicast Mode for mobility messages
  oracle        Configures mobility oracle settings

3850-1(config)#wireless mobility controller ?
  ip          no description
  peer-group  Configures mobility peer groups 
  <cr>

3850-1(config)#wireless mobility controller

Now we are one step away from registering our AP. To register an AP you have to nominate an interface as the wireless management interface. Remember that every AP must be connected to an access port in the same VLAN you configured for wireless management; otherwise the AP won’t join. In our case we will use VLAN 21 as the wireless management interface & configure the switch port connected to the AP in VLAN 21.

interface Vlan21
 ip address 192.168.21.1 255.255.255.0
!
wireless management interface Vlan21
!
interface GigabitEthernet1/0/1
 switchport access vlan 21
 switchport mode access
 spanning-tree portfast

Now if you type “show ap summary” you should see your AP registered to your 3850 WLC.

3850-1#show ap summary 
Number of APs: 1
Global AP User Name: Not configured
Global AP Dot1x User Name: Not configured

AP Name                           AP Model  Ethernet MAC    Radio MAC       State         
----------------------------------------------------------------------------------------
bc16.6516.790e                    3602I     bc16.6516.790e  f41f.c298.c2a0  Registered

You can change any AP-specific configuration using the “ap name <AP-NAME> x” CLI commands. The following are all the options available; we will change the AP name as an example.

5508-1#ap name bc16.6516.790e ?

  ap-groupname      Set groupname
  bhrate            Bridge Backhaul Tx Rate
  bridgegroupname   Set bridgegroupname
  bridging          Enable Ethernet-to-Ethernet bridging
  capwap            AP Capwap parameters
  command           Remote execute a command on Cisco AP
  console-redirect  Enable redirecting remote debug output of Cisco AP to
                    console
  core-dump         Enable memory core dump on Cisco AP
  country           Configure the country of operation
  crash-file        Manage crash data and radio core files for Cisco AP
  dot11             Configures 802.11 parameters
  dot1x-user        Enable the 802.1X credential for the current AP
  ethernet          Configure Ethernet Port of the AP
  image             Configure image
  led               Enable LED-state for Cisco AP
  link-encryption   Enable link encryption state on Cisco AP
  link-latency      Enable Link Latency on Cisco AP
  location          Configure AP location
  mfp               Enable Management Frame Protection
  mgmtuser          Configures user name, password and secret for AP management
  mode              Select AP mode of operation
  monitor-mode      Monitor-mode channel optimization
  name              Configure AP name
  no                Negate a command or set its defaults
  power             Configure Cisco Power over Ethernet (PoE) feature for AP
  reset             Reset AP
  reset-button      Disable or enable reset button on AP
  shutdown          Disable AP
  slot              Set slot number
  sniff             Enable sniffing on dot11a/b radio
  ssh               Enable SSH
  static-ip         Set Cisco AP static IP address configuration
  stats-timer       Set the frequency at which statistics are sent from AP
  syslog            Set the system logging settings for Cisco AP
  tcp-adjust-mss    TCP MSS configuration for an AP
  telnet            Enable telnet for Cisco AP
  tftp-downgrade    Initiate AP image downgrade from a TFTP server

5508-1#ap name bc16.6516.790e name L3600-1

5508-1#show ap summary 
Number of APs: 1
Global AP User Name: Not configured
Global AP Dot1x User Name: Not configured

AP Name                           AP Model  Ethernet MAC    Radio MAC       State         
----------------------------------------------------------------------------------------
L3600-1                           3602I     bc16.6516.790e  f41f.c298.c2a0  Registered

You can use the “show ap name <AP_NAME> x” CLI commands to view specific AP configurations.

5508-1#show ap name L3600-1 ?                    
  auto-rf          Auto-RF information for a Cisco AP
  bhmode           Show Cisco Bridge Backhaul Mode
  bhrate           Show Cisco Bridge Backhaul Rate
  cac              Display Call Admission Control details
  capwap           AP Capwap parameters
  ccx              Shows ccx related information
  cdp              Shows Cisco AP cdp information
  channel          Shows the channel information of an Cisco AP
  config           Shows the configuration of an Cisco AP
  core-dump        Shows the AP memory core dump setting for an Cisco AP
  data-plane       Show data plane status
  dot11            Show 802.11 parameters
  ethernet         Shows ethernet information
  eventlog         Downloads and displays the event log of a Cisco AP
  image            Shows the images present on a Cisco AP
  inventory        Displays the inventory of a Cisco AP
  link-encryption  Show link encryption status
  service-policy   Show service policy information
  tcp-adjust-mss   Show tcp-adjust-mss  for an AP
  wlan             Show BSSIDs for each AP

5508-1#show ap name L3600-1 config general 
Cisco AP Name                                   : L3600-1
Cisco AP Identifier                             : 3
Country Code                                    : AU  - Australia
Regulatory Domain Allowed by Country            : 802.11bg:-A     802.11a:-N
AP Country Code                                 : AU  - Australia
AP Regulatory Domain                            : Unconfigured
Switch Port Number                              : Gi1/0/1
MAC Address                                     : bc16.6516.790e
IP Address Configuration                        : DHCP
IP Address                                      : 192.168.21.53
IP Netmask                                      : 255.255.255.0
Gateway IP Address                              : 192.168.21.254
CAPWAP Path MTU                                 : 1500
Telnet State                                    : Disabled
SSH State                                       : Disabled
Cisco AP Location                               : default location
Cisco AP Group Name                             : default-group
Administrative State                            : Enabled
Operation State                                 : Registered
AP Mode                                         : Local
AP Submode                                      : Not Configured
Remote AP Debug                                 : Disabled
Logging Trap Severity Level                     : informational
Software Version                                : 10.0.101.0
Boot Version                                    : 15.2.2.4
Stats Reporting Period                          : 180
LED State                                       : Enabled
PoE Pre-Standard Switch                         : Disabled
PoE Power Injector MAC Address                  : Disabled
Power Type/Mode                                 : Power Injector/Normal Mode
Number of Slots                                 : 2
AP Model                                        : 3602I
AP Image                                        : C3600-K9W8-M
IOS Version                                     : 15.2(2)JN$
Reset Button                                    : Enabled
AP Serial Number                                : FGL1721X3K5
AP Certificate Type                             : Manufacture Installed
Management Frame Protection Validation          : Disabled
AP User Mode                                    : Automatic
AP User Name                                    : Not Configured
AP 802.1X User Mode                             : Not Configured
AP 802.1X User Name                             : Not Configured
Cisco AP System Logging Host                    : 255.255.255.255
AP Up Time                                      : 3 days 20 hours 14 minutes 26 seconds 
AP CAPWAP Up Time                               : 3 days 20 hours 12 minutes 57 seconds 
Join Date and Time                              : 09/24/2013 19:01:11

If you want to configure global settings for all APs, go to configuration mode & use the “ap x” CLI commands as shown below. We will change the country code as an example. You can add up to 20 country codes if you have APs in multiple countries.

3850-1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
3850-1(config)#ap ?
  auth-list         Configure Access Point authorization list
  bridging          Enable/Disable Ethernet-to-Ethernet bridging on all Cisco APs
  capwap            ap capwap parameters
  cdp               Enable/Disable CDP for all Cisco APs
  core-dump         Enable/Disable memory core dump on all Cisco APs
  country           Configure the country of operation
  dot11             Configures 802.11 parameters
  dot1x             Configure the 802.1X credential for all APs
  ethernet          Configure Ethernet Port on all Cisco APs
  group             Manage AP Groups VLAN feature
  led               Enable/Disable LED-state for all Cisco APs
  link-encryption   Enable link encryption state on all Cisco AP's
  link-latency      Enable Link Latency on all Cisco AP's
  mgmtuser          Configure the user for AP management
  power             Configure Cisco Power over Ethernet (PoE) feature for all AP's
  reporting-period  Configure AP rogue/error reporting period
  reset-button      Enable/Disable reset button for all Cisco APs
  static-ip         Set Cisco AP static IP address configuration
  syslog            Configure the system logging settings for Cisco AP
  tcp-adjust-mss    Enable/Disable TCP MSS configuration for all Cisco APs
  tftp-downgrade    Initiate AP image downgrade from a TFTP server for all Cisco APs

3850-1(config)#ap country ?
  WORD  Enter the country code (e.g. US,MX,IN) upto a maximum of 20 countries

3850-1(config)#ap country AU
Changing country code could reset channel and RRM grouping configuration. If running in RRM One-Time mode, reassign channels after this command. Check customized APs for valid channel values after this command. 
Are you sure you want to continue? (y/n)[y]: y
3850-1(config)#

Next we will configure a WLAN.

5508-1(config)#wlan ?
  WORD      Enter Profile Name up to 32 alphanumeric characters
  shutdown  Enable/disable all WLANs

5508-1(config)#wlan MRN-CCIEW ?
  <1-64>  Create WLAN Identifier
  <cr>

5508-1(config)#wlan MRN-CCIEW 1 ?
  WORD  Enter SSID (Network Name) up to 32 alphanumeric characters
  <cr>

5508-1(config)#wlan MRN-CCIEW 1 MRN-CCIEW 
5508-1(config-wlan)#no shutdown

You can verify the WLAN configuration in your “show running-config all” output.

5508-1#show running-config all | section wlan
wlan MRN-CCIEW 1 MRN-CCIEW
 accounting-list 
 channel-scan defer-time 100
 client association limit 0
 client vlan default
 dtim dot11 24ghz 1
 dtim dot11 5ghz 1
 exclusionlist timeout 60
 ip access-group web none
 ip access-group none
 ip dhcp server 0.0.0.0
 ipv6 traffic-filter web none
 ipv6 traffic-filter none
 mac-filtering 
 radio all
 security dot1x authentication-list 
 security dot1x encryption 104
 security static-wep-key authentication open
 security tkip hold-down 60
 security web-auth authentication-list 
 security web-auth parameter-map 
 service-policy client input unknown
 service-policy client output unknown
 service-policy input unknown
 service-policy output unknown
 session-timeout 1800
 no shutdown

You can configure any WLAN-specific settings as shown below. You have to shut down the WLAN before making any changes.

5508-1(config)#wlan MRN-CCIEW 1 MRN-CCIEW 
5508-1(config-wlan)#?
  aaa-override         AAA policy override
  accounting-list      Set the accounting list for IEEE 802.1x
  band-select          Allow|Disallow Band Select on a WLAN.
  broadcast-ssid       Set broadcast SSID on a WLAN
  call-snoop           Call Snooping support
  ccx                  Configure Cisco Client Extension options
  channel-scan         Configures off channel scanning deferral parameters
  chd                  Set CHD per WLAN
  client               WLAN configuration for clients
  datalink             WLAN Datalink commands
  default              Set a command to its defaults
  diag-channel         Set Diagnostics Channel Capability on a WLAN
  dtim                 Set the DTIM period for the WLAN 
  exclusionlist        Set exclusion-listing on WLAN
  exit                 Exit sub-mode
  ip                   WLAN IP configuration commands
  ipv6                 IPv6 WLAN subcommands
  load-balance         Allow|Disallow Load Balance on a WLAN.
  local-auth           Set the EAP Profile on a WLAN
  mac-filtering        Set MAC filtering support on WLAN
  media-stream         Configures media stream
  mfp                  Configures Management Frame Protection
  mobility             Configure mobility
  nac                  Configures Radius NAC support(Identity Service Engine).
  no                   Negate a command or set its defaults
  passive-client       Configures passive client feature
  peer-blocking        Configure peer-to-peer blocking on a WLAN
  radio                Configures the Radio Policy
  roamed-voice-client  Configure Roaming Attrbutes for Voice Clients
  security             Configures the security policy for a WLAN
  service-policy       Configure WLAN QOS Service Policy
  session-timeout      Configures client timeout
  shutdown             Disable WLAN
  sip-cac              Configure Wlan Sip-Cac attributes
  static-ip            Configures static IP client tunneling support on a WLAN.
  uapsd                Configure WMM UAPSD attributes for Wlan
  wgb                  Configures WGB support on the WLAN
  wmm                  Configures WMM (WME)

5508-1(config-wlan)#client vlan 51
% switch-1:wcm:Request failed - WLAN in the enabled state.

5508-1(config-wlan)#shut
5508-1(config-wlan)#client vlan 51

5508-1(config-wlan)#radio ?
  all      Enable all available radios
  dot11a   Enable 802.11a radio only
  dot11ag  Enable 802.11 a and g radios
  dot11bg  Enable 802.11b and g radios
  dot11g   Enable 802.11g radio only

5508-1(config-wlan)#radio dot11a 

5508-1(config-wlan)#wmm ?
  allowed  Allows WMM on the WLAN
  require  Requires WMM enabled clients on the WLAN

5508-1(config-wlan)#wmm require 

5508-1(config-wlan)#ip ?
  access-group  Specify WLAN ACL
  dhcp          Configure DHCP parameters for WLAN
  flow          Flexible Netflow commands
  multicast     Configure multicast
  verify        verify

5508-1(config-wlan)#ip dhcp ?
  opt82     Set DHCP option 82 for wireless clients on this WLAN 
  required  Specify whether DHCP address assignment is required
  server    Configures the WLAN's IPv4 DHCP Server

5508-1(config-wlan)#ip dhcp server 192.168.51.1

5508-1(config-wlan)#no shut

You can verify the WLAN settings with the “show wlan id <WLAN_ID>” CLI command as shown below.

5508-1#show wlan id 1
WLAN Profile Name     : MRN-CCIEW
================================================
Identifier                                     : 1
Network Name (SSID)                            : MRN-CCIEW
Status                                         : Enabled
Broadcast SSID                                 : Enabled
Maximum number of Associated Clients           : 0
AAA Policy Override                            : Disabled
Network Admission Control
  NAC-State                                    : Disabled
Number of Active Clients                       : 0
Exclusionlist Timeout                          : 60
Session Timeout                                : 1800 seconds
CHD per WLAN                                   : Enabled
Webauth DHCP exclusion                         : Disabled
Interface                                      : 51
Interface Status                               : Unconfigured
Multicast Interface                            : Unconfigured
WLAN IPv4 ACL                                  : unconfigured
WLAN IPv6 ACL                                  : unconfigured
DHCP Server                                    : 192.168.51.1
DHCP Address Assignment Required               : Disabled
DHCP Option 82                                 : Disabled
DHCP Option 82 Format                          : ap-mac
DHCP Option 82 Ascii Mode                      : Disabled
DHCP Option 82 Rid Mode                        : Disabled
QoS Service Policy - Input
  Policy Name                                  : unknown
  Policy State                                 : None
QoS Service Policy - Output
  Policy Name                                  : unknown
  Policy State                                 : None
QoS Client Service Policy
  Input  Policy Name                           : unknown
  Output Policy Name                           : unknown
WMM                                            : Required
Channel Scan Defer Priority:
  Priority (default)                           : 4
  Priority (default)                           : 5
  Priority (default)                           : 6
Scan Defer Time (msecs)                        : 100
Media Stream Multicast-direct                  : Disabled
CCX - AironetIe Support                        : Enabled
CCX - Gratuitous ProbeResponse (GPR)           : Disabled
CCX - Diagnostics Channel Capability           : Disabled
Dot11-Phone Mode (7920)                        : Invalid
Wired Protocol                                 : None
Peer-to-Peer Blocking Action                   : Disabled
Radio Policy                                   : 802.11a only
DTIM period for 802.11a radio                  : 1
DTIM period for 802.11b radio                  : 1
Local EAP Authentication                       : Disabled
Mac Filter Authorization list name             : Disabled
Accounting list name                           : Disabled
802.1x authentication list name                : Disabled
Security
    802.11 Authentication                      : Open System
    Static WEP Keys                            : Disabled
    802.1X                                     : Disabled
    Wi-Fi Protected Access (WPA/WPA2)          : Enabled
        WPA (SSN IE)                           : Disabled
        WPA2 (RSN IE)                          : Enabled
            TKIP Cipher                        : Disabled
            AES Cipher                         : Enabled
        Auth Key Management
            802.1x                             : Enabled
            PSK                                : Disabled
            CCKM                               : Disabled
    CKIP                                       : Disabled
    IP Security                                : Disabled
    IP Security Passthru                       : Disabled
    L2TP                                       : Disabled
    Web Based Authentication                   : Disabled
    Conditional Web Redirect                   : Disabled
    Splash-Page Web Redirect                   : Disabled
    Auto Anchor                                : Disabled
    Sticky Anchoring                           : Enabled
    Cranite Passthru                           : Disabled
    Fortress Passthru                          : Disabled
    PPTP                                       : Disabled
    Infrastructure MFP protection              : Enabled
    Client MFP                                 : Optional
    Webauth On-mac-filter Failure              : Disabled
    Webauth Authentication List Name           : Disabled
    Webauth Parameter Map                      : Disabled
    Tkip MIC Countermeasure Hold-down Timer    : 60
Call Snooping                                  : Disabled
Passive Client                                 : Disabled
Non Cisco WGB                                  : Disabled
Band Select                                    : Disabled
Load Balancing                                 : Disabled
IP Source Guard                                : Disabled

By default the WLAN is configured with WPA2/AES. If you only want to check basic client connectivity you can disable it. Then you should be able to connect your wireless client to this new SSID.
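Because the “show wlan id” output above is plain “name : value” text, it is easy to audit mechanically. The following Python script is an added example (not code from this post or from Cisco): it parses a listing in that format and flags the security settings a defender would want to catch (WPA/WPA2 disabled, static WEP, WPA1/TKIP, client MFP not required). The first sample is trimmed from the MRN-CCIEW listing above; the second is a constructed guess at what an open SSID (“no security wpa”) would look like in the same listing, and is an assumption.

```python
"""Audit the security section of a 3850 'show wlan id' listing.
Added example; parses text in the format the post shows. Sample inputs are
trimmed from the post's output plus a constructed open-WLAN variant."""
import re

# "<name>   : <value>" lines, as in the 'show wlan id' output.
_KV = re.compile(r"^\s*(.+?)\s+:\s*(.*?)\s*$")

# Trimmed from the post's MRN-CCIEW listing (WPA2/AES, 802.1X key mgmt).
SAMPLE_WPA2 = """\
WLAN Profile Name     : MRN-CCIEW
================================================
Identifier                                     : 1
Network Name (SSID)                            : MRN-CCIEW
Status                                         : Enabled
Security
    802.11 Authentication                      : Open System
    Static WEP Keys                            : Disabled
    802.1X                                     : Disabled
    Wi-Fi Protected Access (WPA/WPA2)          : Enabled
        WPA (SSN IE)                           : Disabled
        WPA2 (RSN IE)                          : Enabled
            TKIP Cipher                        : Disabled
            AES Cipher                         : Enabled
        Auth Key Management
            802.1x                             : Enabled
            PSK                                : Disabled
    Infrastructure MFP protection              : Enabled
    Client MFP                                 : Optional
"""

# Constructed (an assumption, not from the post): an open WLAN configured
# with "no security wpa", shown in the same listing format.
SAMPLE_OPEN = """\
WLAN Profile Name     : 3850
================================================
Identifier                                     : 17
Network Name (SSID)                            : 3850
Status                                         : Enabled
Security
    802.11 Authentication                      : Open System
    Static WEP Keys                            : Disabled
    Wi-Fi Protected Access (WPA/WPA2)          : Disabled
    Client MFP                                 : Optional
"""


def parse_show_wlan(text):
    """Flatten the listing into {field: value}; lines without ' : ' are headings."""
    fields = {}
    for line in text.splitlines():
        m = _KV.match(line)
        if m and not line.startswith("="):
            fields[m.group(1)] = m.group(2)
    return fields


def audit_wlan(fields):
    """Return a list of finding codes for settings a defender would flag."""
    findings = []
    if fields.get("Wi-Fi Protected Access (WPA/WPA2)") != "Enabled":
        findings.append("no-wpa")  # open WLAN: client traffic is not encrypted
    if fields.get("Static WEP Keys") == "Enabled":
        findings.append("static-wep")
    if fields.get("WPA (SSN IE)") == "Enabled":
        findings.append("wpa1-enabled")
    if fields.get("TKIP Cipher") == "Enabled":
        findings.append("tkip-enabled")
    if fields.get("Client MFP") != "Required":
        findings.append("client-mfp-not-required")
    return findings


def audit_report(text):
    """Parse and audit one listing; returns (profile name, findings)."""
    fields = parse_show_wlan(text)
    return fields.get("WLAN Profile Name", "?"), audit_wlan(fields)


if __name__ == "__main__":
    for sample in (SAMPLE_WPA2, SAMPLE_OPEN):
        name, findings = audit_report(sample)
        print(name, findings or ["ok"])
```

Feed it the full output of “show wlan id” for each WLAN ID and the findings list tells you which SSIDs were left open or downgraded after testing. Whether “client-mfp-not-required” is a real problem depends on your client mix, so treat it as informational.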

In a separate post we will see how to configure different security methods for a given SSID.

References:
1. Working with IOS file system-3850 IOS-XE
2. Consolidated Platform Config Guide IOS-EX Release 3SE -3850
3. Cisco AireOS to IOS-XE Migration Guide
4. Getting Started with 5760 & 3850 -Cisco DOC#34430
5. Password Recovery on Cat3850 – Cisco DOC#35289

Related Posts

1. Getting Started with 5760
2. WLAN security configs in 3850
3. WLAN QoS Configs in 3850
4. 3850 Password Recovery
5. Converged Access Mobility


3850- Flexible NetFlow


This is a feature I had been waiting for for a long time. In previous controller models (such as the 5508, 2504 and WiSM2) with software code 7.4 onwards you can get some visibility via AVC (Application Visibility & Control) & export NetFlow data to a collector. But you need a particular NetFlow collector (Plixer or Cisco Prime Assurance) to view the exported NetFlow information, as the flow format is not exactly v9.0 compatible.

With the new 3850 it is standard NetFlow v9.0 & nothing is different for wireless traffic (since the traffic terminates at the switch itself). In this post we will see how to configure NetFlow for a WLAN created on a 3850. Here is the basic topology for the post.

I have defined an SSID called “3850” with open authentication for simplicity. Here is what the WLAN configuration looks like.

wlan 3850 17 3850
 no broadcast-ssid
 client vlan WLN-STF-1
 ip dhcp server x.x.26.100
 radio dot11a
 no security wpa
 no security wpa akm dot1x
 no security wpa wpa2
 no security wpa wpa2 ciphers aes
 no shutdown

If you want to monitor the traffic to/from this WLAN you need to configure a flow monitor & apply it in either the inbound or outbound direction. In Flexible NetFlow you have the advantage that you can apply different flow monitors to the same interface depending on what flow information you want to monitor. In Traditional NetFlow (TNF) you have to collect all supported parameters and it cannot be customized. A flow monitor consists of a flow record (only one allowed) & flow exporters (multiple exporters allowed). Here is the summary of the config steps.

Let’s define a flow record named “WLAN”.

3850-1(config)#flow record WLAN

3850-1(config-flow-record)#match ?
  datalink   Datalink (layer2) fields
  flow       Flow identifying fields
  interface  Interface fields
  ipv4       IPv4 fields
  ipv6       IPv6 fields
  transport  Transport layer fields

3850-1(config-flow-record)#match ipv4 ?
  destination  IPv4 destination address based fields
  protocol     IPv4 protocol
  source       IPv4 source address based fields
  tos          IPv4 type of service
  ttl          IPv4 TTL
  version      IP version from IPv4 header

3850-1(config-flow-record)#collect ?
  counter    Counter fields
  interface  Interface fields
  timestamp  Timestamp fields
  transport  Transport layer fields

3850-1(config-flow-record)#collect cou
3850-1(config-flow-record)#collect counter ?
  bytes    Total number of bytes
  packets  Total number of packets

3850-1(config-flow-record)#collect counter by
3850-1(config-flow-record)#collect counter bytes ?
  layer2  Total number of layer 2 bytes
  long    Total number of bytes (64 bit counter)

flow record WLAN
 match ipv4 version
 match ipv4 tos
 match ipv4 ttl
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 collect counter bytes long
 collect counter packets long

Here is my flow exporter configuration, named “FLK-1”. I have used Fluke NetFlow Tracker as the collector.

3850-1(config)#flow exporter FLK-1
3850-1(config-flow-exporter)#?
  default          Set a command to its defaults
  description      Provide a description for this Flow Exporter
  destination      Export destination configuration
  dscp             Optional DSCP
  exit             Exit from Flow Exporter configuration mode
  export-protocol  Export protocol version
  no               Negate a command or set its defaults
  option           Select an option for exporting
  source           Originating interface
  template         Flow Exporter template configuration
  transport        Transport protocol
  ttl              Optional TTL or hop limit

flow exporter FLK-1
 destination x.x.8.216
 source Vlan999
 transport udp 9995

Then you can define the flow monitor & assign the flow record & flow exporter to it. In my case I have defined two different flow monitors called V4-IN & V4-OUT, but still use the same record & exporter for simplicity. You can use a different record in each monitor (single record per monitor) & multiple exporters if you have more than one NetFlow collector.

3850-1(config)#flow monitor V4-IN
3850-1(config-flow-monitor)#?
  cache        Configure Flow Cache parameters
  default      Set a command to its defaults
  description  Provide a description for this Flow Monitor
  exit         Exit from Flow Monitor configuration mode
  exporter     Add an Exporter to use to export records
  no           Negate a command or set its defaults
  record       Specify Flow Record to use to define Cache

flow monitor V4-IN
 exporter FLK-1
 record WLAN
!
flow monitor V4-OUT
 exporter FLK-1
 record WLAN

Now you can apply this to the WLAN you configured earlier.

3850-1(config)#wlan 3850
3850-1(config-wlan)#ip flow monitor V4-IN input
3850-1(config-wlan)#ip flow monitor V4-OUT output

Now it is time to see what’s coming in & going out on this WLAN. I am playing a YouTube video on an iPhone 5 & a tablet while making a call between 7925G & 7965 phones. Here is the traffic coming from these wireless devices.

Now if you want to look at what DSCP values are coming from the 7925G, you can look at the detail of that as below.

Now if you want to look at downstream traffic to the wireless clients, I can see it as below. As expected, the YouTube video played on the iPhone 5 & tablet gets most of the bandwidth.

Now if you try to look at applications (or protocols) you would see something like this. But why is everything categorized as TCP or UDP port 0? This is because when we defined the flow record we did not include these fields in what it collects.

Let’s add source-port & destination-port to the flow record. You have to remove the flow record from the monitor before doing any modification.

flow record WLAN
 +match transport source-port
 +match transport destination-port

Now let’s monitor the traffic & see whether it gets captured. It all comes with application names/port numbers since we are now capturing that information.
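The “port 0” behaviour above follows directly from how a flow record works: every “match” field is part of the flow cache key, the “collect” counters are summed per key, and a field that is not in the record is simply never stored. The Python model below is an added example (not code from this post or from Cisco) that reproduces the effect with a handful of constructed packets: with the original WLAN record the three TCP connections from one client collapse into a single flow with ports reported as 0, and after adding the two transport match fields they split into separate flows. The addresses, ports and byte counts are constructed sample values, not from the post.

```python
"""Model of a Flexible NetFlow flow cache: key ("match") fields vs. collected
counters. Added illustration; not code from the post or from Cisco."""

# Key fields of the post's original "flow record WLAN".
WLAN_RECORD = (
    "ipv4 version", "ipv4 tos", "ipv4 ttl", "ipv4 protocol",
    "ipv4 source address", "ipv4 destination address",
)
# The same record after adding the two transport match fields.
WLAN_RECORD_WITH_PORTS = WLAN_RECORD + (
    "transport source-port", "transport destination-port",
)

PORT_FIELDS = ("transport source-port", "transport destination-port")


def make_packet(src, dst, proto, sport, dport, nbytes, tos=0, ttl=64):
    """One packet as the record sees it; keys mirror the CLI keywords."""
    return {
        "ipv4 version": 4, "ipv4 tos": tos, "ipv4 ttl": ttl,
        "ipv4 protocol": proto,
        "ipv4 source address": src, "ipv4 destination address": dst,
        "transport source-port": sport, "transport destination-port": dport,
        "bytes": nbytes,
    }


# Constructed sample traffic (private/documentation addresses, not from the
# post): two HTTPS connections and one HTTP connection from a wireless
# client, plus two RTP packets (ToS 0xB8 = DSCP EF) between two phones.
SAMPLE_PACKETS = [
    make_packet("192.168.51.10", "203.0.113.5", 6, 50012, 443, 1400),
    make_packet("192.168.51.10", "203.0.113.5", 6, 50013, 443, 1400),
    make_packet("192.168.51.10", "203.0.113.5", 6, 50014, 80, 600),
    make_packet("192.168.51.11", "192.168.51.20", 17, 16384, 16384, 200, tos=0xB8),
    make_packet("192.168.51.11", "192.168.51.20", 17, 16384, 16384, 200, tos=0xB8),
]


def aggregate(packets, match_fields):
    """Build the flow cache for a record whose match fields are match_fields.

    Every match field becomes part of the cache key; the 'collect counter
    bytes long' / 'packets long' values are summed per key. A field that is
    not in the record is never stored, so it is reported as 0, which is the
    "TCP/UDP port 0" the collector showed for the original record.
    """
    cache = {}  # dict keeps insertion order (Python 3.7+)
    for pkt in packets:
        key = tuple(pkt[f] for f in match_fields)
        entry = cache.setdefault(key, {"bytes": 0, "packets": 0})
        entry["bytes"] += pkt["bytes"]
        entry["packets"] += 1

    flows = []
    for key, counters in cache.items():
        flow = dict(zip(match_fields, key))
        for f in PORT_FIELDS:
            flow.setdefault(f, 0)  # not a key field -> reported as port 0
        flow.update(counters)
        flows.append(flow)
    return flows


def describe(flows):
    """Return one compact line per flow, like a collector's flow table."""
    return [
        "%s:%d -> %s:%d proto=%d tos=0x%02x pkts=%d bytes=%d" % (
            f["ipv4 source address"], f["transport source-port"],
            f["ipv4 destination address"], f["transport destination-port"],
            f["ipv4 protocol"], f["ipv4 tos"], f["packets"], f["bytes"])
        for f in flows
    ]


if __name__ == "__main__":
    print("record without transport fields:")
    print("\n".join(describe(aggregate(SAMPLE_PACKETS, WLAN_RECORD))))
    print("record with transport fields:")
    print("\n".join(describe(aggregate(SAMPLE_PACKETS, WLAN_RECORD_WITH_PORTS))))
```

The same logic explains why the DSCP breakdown worked even with the original record: “ipv4 tos” was already a match field, so the RTP packets marked EF landed in their own flow, while anything you leave out of the record is invisible to the collector no matter how you filter there.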

Before finishing off this post it is worth noting that these flow monitor commands cannot be applied on SVI interfaces (VLAN interfaces).

3850-1(config)#interface vlan 1420
3850-1(config-if)#ip flow monitor V4-IN ?
  input    Apply Flow Monitor on input traffic
  output   Apply Flow Monitor on output traffic
  sampler  Optional Sampler to apply to this Flow Monitor

3850-1(config-if)#ip flow monitor V4-IN input 
% Flow Monitor: Flow Monitor 'V4-IN' flexible netflow not supported on vlan interfaces

If you want to apply this to an L3 interface it has to be a proper L3 physical interface. Anyway, if your 3850 is acting as a proper L3 switch then you should have a routed port from that switch to your core & you can apply the flow monitor on that routed port. In my case we have a layer 2 access model & as long as we can monitor WLAN traffic at that level we are fine with that.

Ref: Configuring Flexible Netflow – 3850 Config Guide

Related Posts

1. Getting Started with 3850
2. Configuring Netflow on WLC 7.4


802.11ac in 3850 & 5760


Cisco released IOS XE 3.3.0SE on 7th October for the 3850 & 5760 platforms. What’s new in this version? There are lots of major enhancements & new features. Support for 802.11ac, mDNS (Bonjour service) & AVC are the major enhancements as far as I can see.

Here are the main highlights of this new release; you can refer to the full feature list in the release note.

1. Support for 802.11ac module—The 802.11ac radio module (for 3602 AP), which is based on the IEEE 802.11ac Wave 1 standard, is available on the Cisco lightweight access points.

The 802.11ac module provides enterprise-class reliability and wired-network-like performance. The 802.11ac module supports three spatial streams and 80 MHz-wide channels for a maximum data rate of 1.3 Gbps. The 802.11ac standard is a 5-GHz-only technology, which is faster and a more scalable version of the 802.11n standard.

2. Application Visibility (AV)—Classifies applications using deep packet inspection techniques with the Network-Based Application Recognition (NBAR2) engine and provides application-level visibility into Wi-Fi networks.

3. Nine-member stacks—Up to nine switches can participate in a switch stack. All switches must be running the same feature set. Previous versions allowed only up to 6 members in a switch stack.

4. Service Discovery Gateway feature (mDNS)—Enables multicast Domain Name System (mDNS) to operate across Layer 3 boundaries by filtering, caching, and redistributing services from one Layer 3 domain to another. This feature enhances Bring Your Own Device (BYOD).

5. Wireshark—A packet analyzer program that supports multiple protocols and presents information in a text-based user interface.

There are no new additions to the AP models supported by this image and the list is the same as the previous version. The new 3700 series AP is not supported in this release (you require AireOS 7.6 with a legacy controller like the 5508, 2504 or WiSM2 to support the 3700 AP model).

Here is the software compatibility matrix with this new software code.

It is time to upgrade my 3850 & 5760 & play with these enhanced features.


Another moment of Joy !

100k Hits for My Blog !


Today (2nd Nov 2013) my blog reached a milestone. Blog stats shows it has reached 100,000 hits & I am impressed with that. When I started my blog in April 2012, I never thought it would become this popular, but I was wrong :smile:   I started this blog as my study notes in preparation for my CCIE wireless exam. Within very short period, I realized it benefits lot of other people & that motivated me to keep it going. Even after I passed my lab exam on Aug 2013, I keep this blog running as it become the conduit between me & the rest of the world to communicate on wireless technology topics.

As always, starting was the difficult part & I did only a few blog posts (18 in total) during the initial 6 months. As my CCIE studies got serious, I did more than 180 posts during 2013 & the blog became more attractive.

My blog helped me to keep in touch with lots of other network professionals. If my blog was not there, I may not have known about these blokes. Now it is being followed by 103 users.

Here are some interesting statistics of my blog. This shows the monthly hit count & it is reaching 20k per month.

Here are the weekly statistics. You can see a peak around week #34 (due to my successful lab attempt on 20th Aug). Year 2013 started with 1500 hits per week & now it is around 4000 hits per week.


Here is the daily hit count; 931 was the maximum so far. It was the day after I passed my CCIE wireless lab exam (21st Aug 2013).

Here are the stats on where my readers are coming from. Most readers are based in the USA & account for more than 30% of the hits during this period. India, Australia, Germany, UK, Canada, Sweden, France, Thailand & Greece are the rest of the top 10 countries in the list.

Also, below are the top blog posts based on the hit count.

As you can see, most people are interested in “How many CCIEs in the world?”. Then “Lightweight to Autonomous AP conversion” and “Backup & Restore WLC config” became number 2 & 3 respectively. Also QoS & Multicast related posts are dominating the list. These two technologies are my favorites & I spent lots of time doing good posts about them. I think readers like that.

“How to become a CCIE wireless?” also became a popular one, which has got 1200 hits within the first 3 months of its publication. I am sure the next 100k hits won’t take that long based on the current trend.

I am thankful to every one of you who read my blog & gave some encouragement during my study period (specially after failing my exam in the 1st attempt in May 2013).

Thank you for reading my blog & good luck for your CCIE studies….



Wireless Bridge with EAP-FAST


In this post we will see how to configure a wireless bridge (Root & Non-Root Bridge) with EAP-FAST security. Here is the basic topology for the post; I have used two 1310 APs running software version 12.4(25d)JA.


Here is the G1/0/6 config of the C3750-1 switch. Since the wireless bridge has to carry multiple VLANs' traffic (in my case VLANs 20-21), the port has to be configured as a trunk port.

hostname C3750-1
!
ip dhcp excluded-address 192.168.21.1 192.168.21.50
ip dhcp excluded-address 192.168.21.254
ip dhcp pool VLAN21
 network 192.168.21.0 255.255.255.0
 default-router 192.168.21.254 
!
interface Vlan20
 ip address 192.168.20.254 255.255.255.0
interface Vlan21
 ip address 192.168.21.254 255.255.255.0
!
interface GigabitEthernet1/0/6
 description 1310-1 (ROOT BRIDGE)
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 20
 switchport trunk allowed vlan 20,21
 switchport mode trunk

Here is the Root Bridge configuration without any security configuration. Later on we will configure EAP-FAST for this. Note that the native VLAN (20) has to be configured with bridge-group 1. Also, the SSID is configured as “infrastructure-ssid” to ensure that only infrastructure devices can associate to it (no normal clients).

hostname 1310-1
!
dot11 ssid BRIDGE
   vlan 20
   authentication open
   infrastructure-ssid
!
interface Dot11Radio0
 ssid BRIDGE
 station-role root bridge
!
interface Dot11Radio0.20
 encapsulation dot1Q 20 native
 bridge-group 1
interface Dot11Radio0.21
 encapsulation dot1Q 21
 bridge-group 21
!
interface FastEthernet0.20
 encapsulation dot1Q 20 native
 bridge-group 1
interface FastEthernet0.21
 encapsulation dot1Q 21 
 bridge-group 21
!
interface BVI1
 ip address 192.168.20.13 255.255.255.0
ip default-gateway 192.168.20.254

Here is the Non-Root Bridge Configuration

hostname 1310-2
!
dot11 ssid BRIDGE
   vlan 20
   authentication open
   infrastructure-ssid
!
interface Dot11Radio0
 ssid BRIDGE
 station-role non-root bridge
!
interface Dot11Radio0.20
 encapsulation dot1Q 20 native
 bridge-group 1

interface Dot11Radio0.21
 encapsulation dot1Q 21
 bridge-group 21
!
interface FastEthernet0.20
 encapsulation dot1Q 20 native
 bridge-group 1

interface FastEthernet0.21
 encapsulation dot1Q 21
 bridge-group 21
!
interface BVI1
 ip address 192.168.20.14 255.255.255.0
ip default-gateway 192.168.20.254

With this configuration, you should see your non-root bridge associating to your root bridge.

1310-2#Nov  8 20:39:46.316: %DOT11-4-UPLINK_ESTABLISHED: Interface Dot11Radio0, 
Associated To AP 1310-1 001b.2a30.48b0 [None]

1310-1#sh dot11 ass
802.11 Client Stations on Dot11Radio0: 
SSID [BRIDGE] : 
MAC Address    IP address      Device        Name            Parent         State     
001b.2a30.48c0 192.168.20.14   bridge        1310-2          self           Assoc    

1310-1#sh dot11 ass 001b.2a30.48c0
Address           : 001b.2a30.48c0     Name             : 1310-2
IP Address        : 192.168.20.14      Interface        : Dot11Radio 0
Device            : bridge             Software Version : 12.4
CCX Version       : 5                  Client MFP       : Off

State             : Assoc              Parent           : self               
SSID              : BRIDGE                          
VLAN              : 20
Hops to Infra     : 1                  Association Id   : 1
Clients Associated: 1                  Repeaters associated: 0
Tunnel Address    : 0.0.0.0
Key Mgmt type     : NONE               Encryption       : Off
Current Rate      : 54.0               Capability       : WMM ShortHdr ShortSlot
Supported Rates   : 1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
Voice Rates       : disabled           Bandwidth        : 20 MHz 
Signal Strength   : -75  dBm           Connected for    : 80 seconds
Signal to Noise   : 24  dB            Activity Timeout : 30 seconds
Power-save        : Off                Last Activity    : 1 seconds ago
Apsd DE AC(s)     : NONE

Packets Input     : 3341               Packets Output   : 10247     
Bytes Input       : 378995             Bytes Output     : 1405473   
Duplicates Rcvd   : 0                  Data Retries     : 521       
Decrypt Failed    : 0                  RTS Retries      : 12        
MIC Failed        : 0                  MIC Missing      : 0         
Packets Redirected: 0                  Redirect Filtered: 0

Here is the R2960 switch configuration. I have given switch management IP from vlan 20.

hostname R2960
!
interface GigabitEthernet0/2
 switchport access vlan 21
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/8
 switchport trunk native vlan 20
 switchport trunk allowed vlan 20,21
 switchport mode trunk
!
interface Vlan20
 ip address 192.168.20.15 255.255.255.0
!
ip default-gateway 192.168.20.254

If you define a DHCP pool for VLAN 21 (or statically assign an IP to the laptop), you should see the laptop get an IP from the 192.168.21.0/24 network. In my case the laptop got the 192.168.21.51 IP address & I can ping it from my C3750-1 switch.

C3750-1#ping 192.168.21.51
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.21.51, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms

As long as this works you can move on to adding security to this configuration. First we will configure 1310-1 (the root bridge) as the RADIUS server. If you are using the AP as the RADIUS server, you can configure LEAP, EAP-FAST or MAC authentication methods. In this example we will disable LEAP & MAC authentication. For the highest security we have used WPA2/AES.

aaa new-model
aaa group server radius RAD-GROUP
 server 192.168.20.13 auth-port 1812 acct-port 1813
aaa authentication login EAP-METHODS group RAD-GROUP
radius-server local
  no authentication leap
  no authentication mac
  nas 192.168.20.13 key 0 MRN-CCIEW
  user nonroot password nonrootpw
radius-server host 192.168.20.13 auth-port 1812 acct-port 1813 key 0 MRN-CCIEW

dot11 ssid BRIDGE
   authentication open eap EAP-METHODS
   authentication network-eap EAP-METHODS
   authentication key-management wpa version 2
interface Dot11Radio0
 encryption vlan 20 mode ciphers aes-ccm

Then we can configure the Non-Root Bridge with EAP-FAST credential which we defined on the Root Bridge.

1310-2(config)#eap profile FAST
1310-2(config-eap-profile)#method ?
  fast      EAP-FAST method allowed
  gtc       EAP-GTC method allowed
  leap      EAP-LEAP method allowed
  md5       EAP-MD5 method allowed
  mschapv2  EAP-MSCHAPV2 method allowed
  tls       EAP-TLS method allowed

1310-2(config-eap-profile)#method fast 
1310-2(config)#dot1x credentials FAST
1310-2(config-dot1x-creden)#username nonroot
1310-2(config-dot1x-creden)#password nonrootpw
!
1310-2(config)#dot11 ssid BRIDGE
1310-2(config-ssid)#authentication open eap EAP-METHODS 
1310-2(config-ssid)#authentication network-eap EAP-METHODS 
1310-2(config-ssid)#authentication key-management wpa version 2
1310-2(config-ssid)#dot1x eap profile FAST
1310-2(config-ssid)#dot1x credentials FAST
!
1310-2(config-ssid)#interface Dot11Radio0
1310-2(config-if)# encryption vlan 20 mode ciphers aes-ccm

Once you do this you should see your Non-Root Bridge associated with Root Bridge using EAP-FAST.

1310-2(config-if)#
Nov  8 21:16:51.796: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
Nov  8 21:16:52.063: %DOT11-4-UPLINK_ESTABLISHED: Interface Dot11Radio0, 
Associated To AP 1310-1 001b.2a30.48b0 [EAP-FAST WPAv2]

1310-1#
Nov  8 21:11:42.430: %DOT11-6-ASSOC: Interface Dot11Radio0, 
Station 1310-2 001b.2a30.48c0 Associated KEY_MGMT[WPAv2]

1310-1#sh dot11 associations 001b.2a30.48c0
Address           : 001b.2a30.48c0     Name             : 1310-2
IP Address        : 192.168.20.14      Interface        : Dot11Radio 0
Device            : bridge             Software Version : 12.4
CCX Version       : 5                  Client MFP       : On

State             : EAP-Assoc          Parent           : self               
SSID              : BRIDGE                          
VLAN              : 20
Hops to Infra     : 1                  Association Id   : 1
Clients Associated: 1                  Repeaters associated: 0
Tunnel Address    : 0.0.0.0
Key Mgmt type     : WPAv2              Encryption       : AES-CCMP
Current Rate      : 54.0               Capability       : WMM ShortHdr ShortSlot
Supported Rates   : 1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
Voice Rates       : disabled           Bandwidth        : 20 MHz 
Signal Strength   : -75  dBm           Connected for    : 214 seconds
Signal to Noise   : 24  dB            Activity Timeout : 30 seconds
Power-save        : Off                Last Activity    : 1 seconds ago
Apsd DE AC(s)     : NONE

Packets Input     : 41                 Packets Output   : 365       
Bytes Input       : 4556               Bytes Output     : 42485     
Duplicates Rcvd   : 0                  Data Retries     : 2         
Decrypt Failed    : 0                  RTS Retries      : 0         
MIC Failed        : 0                  MIC Missing      : 0         
Packets Redirected: 0                  Redirect Filtered: 0         
Session timeout   : 0 seconds
Reauthenticate in : never

So now your wireless bridge connection is more secure. Make sure you can still ping the remote client.

C3750-1#ping 192.168.21.51
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.21.51, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms
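As an added check for this post (example code, not Cisco's), the following script parses an Aironet IOS config and flags the settings the post just changed: an SSID still on open authentication, EAP without WPA2 key management, a radio without an AES-CCMP cipher for the SSID's VLAN, and a bridge SSID missing infrastructure-ssid. The two configs inside it are constructed from the root-bridge configs above (before and after EAP-FAST was added).

```python
"""Audit the SSID security settings in an Aironet IOS (root/non-root bridge)
config: open vs EAP authentication, WPA2 key management, an AES-CCMP cipher
for the SSID's VLAN on the radio, and infrastructure-ssid on bridge radios.

Added example for this post, not Cisco code. The two configs below are
constructed from the root-bridge configs shown in the post."""
import re

# Constructed: the root bridge as first configured, with open authentication.
OPEN_BRIDGE_CONFIG = """\
hostname 1310-1
!
dot11 ssid BRIDGE
   vlan 20
   authentication open
   infrastructure-ssid
!
interface Dot11Radio0
 ssid BRIDGE
 station-role root bridge
!
"""

# Constructed: the same root bridge after EAP-FAST / WPA2-AES was added.
SECURED_BRIDGE_CONFIG = """\
hostname 1310-1
!
dot11 ssid BRIDGE
   vlan 20
   authentication open eap EAP-METHODS
   authentication network-eap EAP-METHODS
   authentication key-management wpa version 2
   infrastructure-ssid
!
interface Dot11Radio0
 ssid BRIDGE
 station-role root bridge
 encryption vlan 20 mode ciphers aes-ccm
!
"""


def parse_blocks(config):
    """Split IOS config text into (header line, [indented child lines]) blocks."""
    blocks = []
    for line in config.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks


def radio_settings(blocks):
    """Per radio interface: bound SSIDs, station role, and a {vlan: cipher} map."""
    radios = {}
    for head, body in blocks:
        m = re.match(r"interface (Dot11Radio\d+)$", head)
        if not m:
            continue
        info = radios.setdefault(m.group(1), {"ssids": [], "role": "", "ciphers": {}})
        for line in body:
            if line.startswith("ssid "):
                info["ssids"].append(line.split(None, 1)[1])
            elif line.startswith("station-role "):
                info["role"] = line.split(None, 1)[1]
            else:
                cm = re.match(r"encryption(?: vlan (\d+))? mode ciphers (.+)", line)
                if cm:  # key is the VLAN number, or None for the untagged case
                    info["ciphers"][int(cm.group(1)) if cm.group(1) else None] = cm.group(2)
    return radios


def audit_ssids(config):
    """Return a list of readable findings; an empty list means nothing was flagged."""
    blocks = parse_blocks(config)
    radios = radio_settings(blocks)
    findings = []
    for head, body in blocks:
        m = re.match(r"dot11 ssid (\S+)", head)
        if not m:
            continue
        name = m.group(1)
        vlan = next((int(l.split()[1]) for l in body if l.startswith("vlan ")), None)
        auth = [l for l in body if l.startswith("authentication ")]
        uses_eap = any(re.search(r"\beap\b", a) for a in auth)  # 'open eap' or 'network-eap'
        uses_psk = any(l.startswith("wpa-psk") for l in body)
        wpa = next((a for a in auth if a.startswith("authentication key-management wpa")), None)
        if not uses_eap and not uses_psk:
            findings.append(f"{name}: open authentication, no EAP or PSK")
        elif not wpa:
            findings.append(f"{name}: no 'authentication key-management wpa' (no WPA key management)")
        elif "version 2" not in wpa:
            findings.append(f"{name}: WPA version 1 key management, use 'wpa version 2'")
        for radio, info in radios.items():
            if name not in info["ssids"]:
                continue
            cipher = info["ciphers"].get(vlan)
            if cipher is None:
                findings.append(f"{name}: no 'encryption vlan {vlan} mode ciphers' on {radio}")
            elif "aes-ccm" not in cipher:
                findings.append(f"{name}: cipher '{cipher}' on {radio} is not AES-CCMP")
            if "bridge" in info["role"] and "infrastructure-ssid" not in body:
                findings.append(f"{name}: bridge SSID without infrastructure-ssid, normal clients could associate")
    return findings


if __name__ == "__main__":
    for label, cfg in (("open", OPEN_BRIDGE_CONFIG), ("EAP-FAST", SECURED_BRIDGE_CONFIG)):
        print(label, audit_ssids(cfg) or ["OK"])
```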

Hope this is useful for you.


Wireshark Captures in 3850


In the new 3850 switch model, you can take packet captures within the switch itself (it is no longer required to SPAN a port to a PC running Wireshark). This switch model comes with an embedded Wireshark feature.

You should have an IOS-XE 3.3.0 or later image to have this feature. Here are a few things to remember when taking wireless packet captures:

* The only form of wireless capture is a CAPWAP tunnel capture.
* When capturing CAPWAP tunnels, no other interface types can be used as attachment points on the same capture point.
* Capturing multiple CAPWAP tunnels is supported.
* Core filters are not applied and should be omitted when capturing a CAPWAP tunnel.
* To capture a CAPWAP data tunnel, each CAPWAP tunnel is mapped to a physical port and an appropriate ACL will be applied to filter the traffic.
* To capture a CAPWAP non-data tunnel, the switch is set to capture traffic on all ports and apply an appropriate ACL to filter the traffic.

Here is how you can get a packet capture from it.

I have one AP connected to my 3850 & it uses the “Ca0” interface to terminate its CAPWAP tunnel. So we will capture the packets going in/out from this interface. There were two active clients connected to this AP while taking the packet capture.

3850-1#sh capwap summary 

CAPWAP Tunnels General Statistics:
  Number of Capwap Data Tunnels       = 1  
  Number of Capwap Mobility Tunnels   = 0  
  Number of Capwap Multicast Tunnels  = 0  

Name   APName                           Type PhyPortIf Mode      McastIf
------ -------------------------------- ---- --------- --------- -------
Ca0    L3502-1                          data Gi1/0/1   unicast   -      

Name   SrcIP           SrcPort DestIP          DstPort DtlsEn MTU   Xact
------ --------------- ------- --------------- ------- ------ ----- ----
Ca0    10.15.4.255     5247    10.15.5.253     48645   No     1449  0    

3850-1#show wireless client summary 
Number of Local Clients : 2

MAC Address    AP Name                          WLAN State              Protocol 
--------------------------------------------------------------------------------
04f7.e4ea.5b66 L3502-1                          17   UP                 11n(5)   
2c54.2dea.f4ea L3502-1                          17   UP                 11a

There are 3 basic steps involved in defining a capture, after which you start and stop it.

1. Define your source interface (Ca0 interface in this example)

3850-1#monitor capture ?
  WORD  Name of the Capture 

3850-1#monitor capture MY_CAP ?
  access-list    access-list to be attached 
  buffer         Buffer options
  class-map      class name to attached 
  clear          Clear Buffer
  control-plane  Control Plane 
  export         Export Buffer
  file           Associated file attributes
  interface      Interface
  limit          Limit Packets Captured
  match          Describe filters inline
  start          Enable Capture
  stop           Disable Capture 
  vlan           Vlan

3850-1#monitor capture MY_CAP interface ?
  GigabitEthernet     GigabitEthernet IEEE 802.3z
  TenGigabitEthernet  Ten Gigabit Ethernet
  Vlan                Catalyst Vlans
  capwap              Capwap-Tunnel
  range               interface range command

3850-1#monitor capture MY_CAP interface capwap ?
  WORD  Capwap ID List Eg. 0-10, 15

3850-1#monitor capture MY_CAP interface capwap 0 ?
  both  Inbound and outbound packets
  in    Inbound packets
  out   Outbound packets

3850-1#monitor capture MY_CAP interface capwap 0 both

2. Set your filter for the capture (for CAPWAP interfaces no filtering option is supported). For filtering you can use an ACL or “match” statements as shown below. Note that I have not used a filter for this example.

3850-1#monitor capture MY_CAP match ?
  any   all packets
  ipv4  IPv4 packets only
  ipv6  IPv6 packets only
  mac   MAC filter configuration

3850-1#monitor capture MY_CAP match ipv4 ?
  A.B.C.D/nn  IPv4 source Prefix <network>/<length>, e.g., 192.168.0.0/16
  any         Any source prefix
  host        A single source host
  protocol    Protocols

3850-1#monitor capture MY_CAP match ipv4 any ?
  A.B.C.D/nn  IPv4 destination Prefix <network>/<length>, e.g., 192.168.0.0/16
  any         Any destination prefix
  host        A single destination host

3850-1#monitor capture MY_CAP match ipv4 any any

3850-1#monitor capture MY_CAP access-list ?
  WORD  access-list name

3850-1#monitor capture MY_CAP access-list ACL ?
  buffer         Buffer options
  control-plane  Control Plane 
  file           Associated file attributes
  interface      Interface
  limit          Limit Packets Captured
  vlan           Vlan
  <cr>

3. Define your destination (you can use internal flash or USB flash as the file destination)

3850-1#monitor capture MY_CAP file location ?
  crashinfo-1:     Location of the pcap file
  crashinfo:       Location of the pcap file
  flash-1:         Location of the pcap file
  flash:           Location of the pcap file
  stby-usbflash0:  Location of the pcap file
  usbflash0-1:     Location of the pcap file
  usbflash0-2:     Location of the pcap file
  usbflash0:       Location of the pcap file

3850-1#monitor capture MY_CAP file location flash:MY_CAP.pcap ?
  access-list    access-list to be attached 
  buffer-size    Size of temporary buffer (to reduce packet loss)
  class-map      class name to attached 
  control-plane  Control Plane 
  interface      Interface
  limit          Limit Packets Captured
  match          Describe filters inline
  ring           Store the contents in a circular file chain
  size           Size of the file(s)
  vlan           Vlan
  <cr>

3850-1#monitor capture MY_CAP file location flash:MY_CAP.pcap buffer-size ?
  <1-100>  Buffer size in MB  : Min 1 : Max 100

3850-1#monitor capture MY_CAP file location flash:MY_CAP.pcap buffer-size 10 ?
  access-list    access-list to be attached 
  class-map      class name to attached 
  control-plane  Control Plane 
  interface      Interface
  limit          Limit Packets Captured
  match          Describe filters inline
  ring           Store the contents in a circular file chain
  size           Size of the file(s)
  vlan           Vlan
  <cr>

3850-1#monitor capture MY_CAP file location flash:MY_CAP.pcap buffer-size 10 

4. You can activate/de-activate the packet capture as shown below. I left it running for 30s-60s & then stopped it.

3850-1#monitor capture MY_CAP start
.
.
.
3850-1#monitor capture MY_CAP stop 

As you can see, the file is available in the 3850's flash.

3850-1#dir
Directory of flash:/
85193  -rwx     2097152  Oct 29 2013 09:18:33 +11:00  nvram_config
85186  -rw-   257016048  Oct 15 2013 10:46:31 +11:00  cat3k_caa-universalk9.SPA.03.03.00.SE.150-1.EZ.bin
85188  -rw-        1214   Oct 8 2013 09:16:25 +11:00  packages.conf.00-
61955  -rw-        5430  Nov 12 2013 13:28:00 +11:00  MY_CAP.pcap

You can open it using the Wireshark application or view it from the switch itself (it is always better to analyze it in Wireshark, as doing it on the switch consumes switch resources like CPU/memory). Here is how you can view it on the switch itself.

3850-1#show monitor capture file flash:MY_CAP.pcap
  1   0.000000 x.y.104.252 -> 224.0.0.2    HSRP Hello (state Standby)
  2   0.288031 x.y.104.251 -> 224.0.0.2    HSRP Hello (state Active)
  3   1.899999  10.15.4.255 -> 10.15.5.253  CAPWAP CAPWAP-Control - Primary Discovery Response
  4   1.899999  10.15.4.255 -> 10.15.5.253  CAPWAP CAPWAP-Control - Primary Discovery Response
  5   2.656008 x.y.104.252 -> 224.0.0.2    HSRP Hello (state Standby)
  6   2.961992  10.15.5.253 -> 10.15.4.255  DTLSv1.0 Application Data
  7   2.961992  10.15.5.253 -> 10.15.4.255  DTLSv1.0 Application Data
  8   2.961992  10.15.5.253 -> 10.15.4.255  DTLSv1.0 Application Data
  9   2.967988  10.15.5.253 -> 10.15.4.255  DTLSv1.0 Application Data
 10   2.967988  10.15.5.253 -> 10.15.4.255  DTLSv1.0 Application Data
 11   2.967988  10.15.5.253 -> 10.15.4.255  DTLSv1.0 Application Data
 12   2.972993  10.15.5.253 -> 10.15.4.255  DTLSv1.0 Application Data
 13   3.099985 x.y.104.251 -> 224.0.0.2    HSRP Hello (state Active)
 14   4.455015 2c:3f:38:2b:57:00 -> 2c:3f:38:2b:57:00 WLCCP U, func=UI; SNAP, OUI 0x004096 (Cisco Wireless (Aironet) L2), PID 0x0000
 15   4.456022 2c:3f:38:2b:57:00 -> 2c:3f:38:2b:57:00 WLCCP U, func=UI; SNAP, OUI 0x004096 (Cisco Wireless (Aironet) L2), PID 0x0000
 16   5.071987 x.y.104.252 -> 224.0.0.2    HSRP Advertise (state Passive)
 17   5.278037 x.y.104.252 -> 224.0.0.2    HSRP Hello (state Standby)
 18   5.911992 x.y.104.251 -> 224.0.0.2    HSRP Hello (state Active)
 19   7.406021  10.15.5.253 -> 10.15.4.255  DTLSv1.0 Application Data
 20   7.411026  10.15.5.253 -> 10.15.4.255  DTLSv1.0 Application Data
 21   7.411026  10.15.5.253 -> 10.15.4.255  DTLSv1.0 Application Data
 22   7.417022  10.15.5.253 -> 10.15.4.255  DTLSv1.0 Application Data
 23   7.422027  10.15.5.253 -> 10.15.4.255  DTLSv1.0 Application Data
 24   7.428023  10.15.5.253 -> 10.15.4.255  DTLSv1.0 Application Data
 25   8.266029 x.y.104.252 -> 224.0.0.2    HSRP Hello (state Standby)
 26   8.684007 x.y.104.251 -> 224.0.0.2    HSRP Hello (state Active)
 27  10.191976 2c:3f:38:2b:57:00 -> 2c:3f:38:2b:57:00 WLCCP U, func=UI; SNAP, OUI 0x004096 (Cisco Wireless (Aironet) L2), PID 0x0000
 28  11.266029 x.y.104.252 -> 224.0.0.2    HSRP Hello (state Standby)
 29  11.360033 x.y.104.251 -> 224.0.0.2    HSRP Hello (state Active)
 30  12.763013 10.11.255.40 -> x.y.104.190 SKINNY CallStateMessage 
 31  12.763013 10.11.255.40 -> x.y.104.190 SKINNY SelectSoftKeysMessage 
 32  12.769009 x.y.104.190 -> 10.11.255.40 TCP 1036 > 2000 [ACK] Seq=1 Ack=37 Win=15840 Len=0 TSV=243324138 TSER=1861909984
 33  12.769009 10.11.255.40 -> x.y.104.190 SKINNY 0x00000145 (Unknown) 0x00000144 (Unknown) 0x0000014A (Unknown) SetLampMessage SetRingerMessage 
 34  12.771008 x.y.104.190 -> 10.11.255.40 TCP 1036 > 2000 [ACK] Seq=1 Ack=65 Win=15840 Len=0 TSV=243324138 TSER=1861909984
 35  12.777004 x.y.104.190 -> 10.11.255.40 TCP 1036 > 2000 [ACK] Seq=1 Ack=289 Win=15840 Len=0 TSV=243324139 TSER=1861909988
 36  13.717010 x.y.104.252 -> 224.0.0.2    HSRP Hello (state Standby)
 37  13.836007 x.y.104.251 -> 224.0.0.2    HSRP Hello (state Active)
 38  14.177984 00:00:00:00:00:00 -> 2c:3f:38:2b:57:00 IEEE 802.11 Probe Request, SN=0, FN=0, Flags=........
 39  15.023985 x.y.104.190 -> 10.11.255.40 SKINNY KeepAliveMessage 
 40  15.023985 10.11.255.40 -> x.y.104.190 SKINNY KeepAliveAckMessage 
 41  15.026991 x.y.104.190 -> 10.11.255.40 TCP 1036 > 2000 [ACK] Seq=13 Ack=301 Win=15840 Len=0 TSV=243324364 TSER=1861912240
 42  15.171988 00:00:00:00:00:00 -> 2c:3f:38:2b:57:00 IEEE 802.11 Probe Request, SN=0, FN=0, Flags=........
 43  16.166983 00:00:00:00:00:00 -> 2c:3f:38:2b:57:00 IEEE 802.11 Probe Request, SN=0, FN=0, Flags=........
 44  16.392029 x.y.104.252 -> 224.0.0.2    HSRP Hello (state Standby)
 45  16.667009 x.y.104.251 -> 224.0.0.2    HSRP Hello (state Active)
 46  16.926990  10.15.5.253 -> 10.15.4.255  DTLSv1.0 Application Data
 47  17.159980 00:00:00:00:00:00 -> 2c:3f:38:2b:57:00 IEEE 802.11 Probe Request, SN=0, FN=0, Flags=........
 48  17.573020 x.y.104.190 -> 10.11.255.40 SKINNY SoftKeyEventMessage 
 49  17.573020 10.11.255.40 -> x.y.104.190 SKINNY SetRingerMessage 
 50  17.573020 10.11.255.40 -> x.y.104.190 SKINNY SetSpeakerModeMessage 
 51  17.573020 10.11.255.40 -> x.y.104.190 SKINNY SetLampMessage 
 52  17.577017 x.y.104.190 -> 10.11.255.40 TCP 1036 > 2000 [ACK] Seq=37 Ack=329 Win=15840 Len=0 TSV=243324619 TSER=1861914780

If you want to see specific frame in detail (eg Frame 38) you can do that as well.

3850-1#show monitor capture file flash:MY_CAP.pcap detailed | beg Frame 38
Frame 38: 122 bytes on wire (976 bits), 122 bytes captured (976 bits)
    Arrival Time: Nov 12, 2013 03:04:08.970942000 UTC
    Epoch Time: 1384225448.970942000 seconds
    [Time delta from previous captured frame: 0.341977000 seconds]
    [Time delta from previous displayed frame: 0.341977000 seconds]
    [Time since reference or first frame: 14.177984000 seconds]
    Frame Number: 38
    Frame Length: 122 bytes (976 bits)
    Capture Length: 122 bytes (976 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ip:udp:capwap:wlan]
Ethernet II, Src: cc:ef:48:9b:e0:45 (cc:ef:48:9b:e0:45), Dst: 58:bf:ea:b6:56:c3 (58:bf:ea:b6:56:c3)
    Destination: 58:bf:ea:b6:56:c3 (58:bf:ea:b6:56:c3)
        Address: 58:bf:ea:b6:56:c3 (58:bf:ea:b6:56:c3)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Source: cc:ef:48:9b:e0:45 (cc:ef:48:9b:e0:45)
        Address: cc:ef:48:9b:e0:45 (cc:ef:48:9b:e0:45)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Type: IP (0x0800)
Internet Protocol, Src: 10.15.5.253 (10.15.5.253), Dst: 10.15.4.255 (10.15.4.255)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0xc0 (DSCP 0x30: Class Selector 6; ECN: 0x00)
        1100 00.. = Differentiated Services Codepoint: Class Selector 6 (0x30)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 108
    Identification: 0xa865 (43109)
    Flags: 0x02 (Don't Fragment)
        0... .... = Reserved bit: Not set
        .1.. .... = Don't fragment: Set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 255
    Protocol: UDP (17)
    Header checksum: 0xb341 [correct]
        [Good: True]
        [Bad: False]
    Source: 10.15.5.253 (10.15.5.253)
    Destination: 10.15.4.255 (10.15.4.255)
User Datagram Protocol, Src Port: 48645 (48645), Dst Port: 5247 (5247)
    Source port: 48645 (48645)
    Destination port: 5247 (5247)
    Length: 88
    Checksum: 0x0000 (none)
        [Good Checksum: False]
        [Bad Checksum: False]
Control And Provisioning of Wireless Access Points
    Preamble
        Version: 0
        Type: CAPWAP Header (0)
    Header
        Header Length: 4
        Radio ID: 0
        Wireless Binding ID: IEEE 802.11 (1)
        Header flags
            1... .... . = Payload Type: Native frame format (see Wireless Binding ID field)
            .0.. .... . = Fragment: Don't Fragment
            ..0. .... . = Last Fragment: More fragments follow
            ...1 .... . = Wireless header: Wireless Specific Information is present
            .... 0... . = Radio MAC header: No Radio MAC Address
            .... .0.. . = Keep-Alive: No Keep-Alive
            .... ..00 0 = Reserved: Not set
        Fragment ID: 0
        Fragment Offset: 0
        Reserved: 0
        Wireless length: 4
        Wireless data: 00000000
        Wireless data ieee80211 Frame Info: 00000000
            Wireless data ieee80211 RSSI (dBm): 0
            Wireless data ieee80211 SNR (dB): 0
            Wireless data ieee80211 Data Rate (Mbps): 0
        Padding for 4 Byte Alignement: 000000
IEEE 802.11 Probe Request, Flags: ........
    Type/Subtype: Probe Request (0x04)
    Frame Control: 0x0040 (Swapped)
        Version: 0
        Type: Management frame (0)
        Subtype: 4
        Flags: 0x0
            .... ..00 = DS status: Not leaving DS or network is operating in AD-HOC mode (To DS: 0 From DS: 0) (0x00)
            .... .0.. = More Fragments: This is the last fragment
            .... 0... = Retry: Frame is not being retransmitted
            ...0 .... = PWR MGT: STA will stay up
            ..0. .... = More Data: No data buffered
            .0.. .... = Protected flag: Data is not protected
            0... .... = Order flag: Not strictly ordered
    Duration: 0
    Destination address: 2c:3f:38:2b:57:00 (2c:3f:38:2b:57:00)
    Source address: 00:00:00:00:00:00 (00:00:00:00:00:00)
    BSS Id: 2c:3f:38:2b:57:00 (2c:3f:38:2b:57:00)
    Fragment number: 0
    Sequence number: 0
IEEE 802.11 wireless LAN management frame
    Tagged parameters (40 bytes)
        Vendor Specific: 00:40:96: Aironet Unknown
            Tag Number: 221 (Vendor Specific)
            Tag length: 9
            Vendor: 00:40:96
            Aironet IE type: Unknown (37)
            Aironet IE data: 017ae93ff1
        Vendor Specific: 00:40:96: Aironet Unknown
            Tag Number: 221 (Vendor Specific)
            Tag length: 27
            Vendor: 00:40:96
            Aironet IE type: Unknown (37)
            Aironet IE data: 00012c542deaf4ea0101270095007ae5c1abf09002c5c9
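The decode above walks the CAPWAP header and flags, the Wireless Specific Information, and then the 802.11 Probe Request. As an added example (not from the original post, and not Cisco or Wireshark code), here is a small parser that does the same for a CAPWAP data-channel payload constructed to match Frame 38, including the byte-swapped Frame Control that Wireshark marks "(Swapped)".

```python
"""Decode a CAPWAP data-channel payload (UDP port 5247) down to the 802.11
MAC header: the layers 'show monitor capture ... detailed' shows for Frame 38.

Added example for this post, not Cisco or Wireshark code. The byte string is
constructed by hand to match that dissection, not taken from the pcap."""
import struct

# Constructed to match Frame 38: version 0, type 0 (CAPWAP header), HLEN 4
# words (16 bytes), RID 0, WBID 1 (IEEE 802.11), flags T=1 (native 802.11)
# and W=1 (wireless info present), fragment ID/offset 0, 4 bytes of wireless
# info plus 3 bytes of padding, then a Probe Request from 00:00:00:00:00:00.
# Wireshark shows its Frame Control as "0x0040 (Swapped)": the controller
# carries the two Frame Control bytes in reverse order, so they read 00 40 here.
FRAME38_PAYLOAD = bytes.fromhex(
    "00 20 03 20"              # preamble, HLEN|RID, RID|WBID|T, F L W M K flags
    "00 00 00 00"              # fragment ID, fragment offset + reserved
    "04 00 00 00 00 00 00 00"  # wireless length 4, RSSI SNR rate, 3 bytes padding
    "00 40 00 00"              # frame control (byte-swapped), duration
    "2c 3f 38 2b 57 00"        # address 1: destination (the AP radio)
    "00 00 00 00 00 00"        # address 2: source (all zeros)
    "2c 3f 38 2b 57 00"        # address 3: BSSID
    "00 00"                    # sequence control: SN 0, FN 0
)

MGMT_SUBTYPES = {0: "Association Request", 1: "Association Response", 4: "Probe Request",
                 5: "Probe Response", 8: "Beacon", 10: "Disassociation", 12: "Deauthentication"}


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def parse_capwap_header(payload):
    """Parse the CAPWAP header and its optional fields; return (fields, rest of payload)."""
    if len(payload) < 8:
        raise ValueError("short CAPWAP header")
    if payload[0] & 0x0F == 1:   # DTLS header preamble: 4 bytes, then the DTLS record
        return {"version": payload[0] >> 4, "type": 1}, payload[4:]
    b0, b1, b2, b3, frag_id, off_rsvd = struct.unpack("!BBBBHH", payload[:8])
    hdr = {
        "version": b0 >> 4,
        "type": b0 & 0x0F,                     # 0 = CAPWAP header
        "hlen_bytes": (b1 >> 3) * 4,           # HLEN counts 4-byte words
        "rid": ((b1 & 0x07) << 2) | (b2 >> 6),
        "wbid": (b2 >> 1) & 0x1F,              # 1 = IEEE 802.11 binding
        "native_frame": bool(b2 & 0x01),       # T: 1 = native 802.11, 0 = 802.3
        "fragment": bool(b3 & 0x80),           # F
        "last_fragment": bool(b3 & 0x40),      # L
        "has_wireless_info": bool(b3 & 0x20),  # W
        "has_radio_mac": bool(b3 & 0x10),      # M
        "keep_alive": bool(b3 & 0x08),         # K
        "fragment_id": frag_id,
        "fragment_offset": off_rsvd >> 3,
    }
    pos = 8
    if hdr["has_radio_mac"]:        # length byte + MAC address, padded to 4 bytes
        n = payload[pos]
        hdr["radio_mac"] = mac_str(payload[pos + 1:pos + 1 + n])
        pos += 1 + n
        pos += (-pos) % 4
    if hdr["has_wireless_info"]:    # length byte + data, padded to 4 bytes
        n = payload[pos]
        info = payload[pos + 1:pos + 1 + n]
        if n == 4:   # 802.11 binding, as dissected above: RSSI, SNR, data rate
            rssi, snr, rate = struct.unpack("!bBH", info)
            hdr["wireless_info"] = {"rssi_dbm": rssi, "snr_db": snr, "rate_raw": rate}
        pos += 1 + n
        pos += (-pos) % 4
    if pos != hdr["hlen_bytes"]:
        raise ValueError(f"HLEN says {hdr['hlen_bytes']} bytes, optional fields end at {pos}")
    return hdr, payload[pos:]


def parse_dot11_header(frame, swapped_fc=True):
    """Parse the 24-byte 802.11 MAC header; swapped_fc undoes the controller's byte swap."""
    if len(frame) < 24:
        raise ValueError("short 802.11 MAC header")
    fc_bytes = frame[1::-1] if swapped_fc else frame[:2]
    fc = int.from_bytes(fc_bytes, "little")   # Frame Control is little-endian on air
    ftype, subtype, flags = (fc >> 2) & 0x03, (fc >> 4) & 0x0F, fc >> 8
    seq = int.from_bytes(frame[22:24], "little")
    return {
        "frame_control": fc,
        "type": {0: "Management", 1: "Control", 2: "Data"}.get(ftype, "Reserved"),
        "name": MGMT_SUBTYPES.get(subtype, f"subtype {subtype}") if ftype == 0 else f"subtype {subtype}",
        "to_ds": bool(flags & 0x01), "from_ds": bool(flags & 0x02), "protected": bool(flags & 0x40),
        "addr1": mac_str(frame[4:10]), "addr2": mac_str(frame[10:16]), "addr3": mac_str(frame[16:22]),
        "sequence_number": seq >> 4, "fragment_number": seq & 0x0F,
    }


def decode_capwap_data(payload, swapped_fc=True):
    """Return (capwap_fields, dot11_fields_or_None) for one CAPWAP data-channel payload."""
    hdr, inner = parse_capwap_header(payload)
    if hdr["type"] == 1:   # DTLS-encrypted: nothing readable inside (the DTLSv1.0 rows above)
        return hdr, None
    if hdr["keep_alive"] or not hdr["native_frame"] or hdr["wbid"] != 1:
        return hdr, None   # keep-alive, 802.3-format payload, or a non-802.11 binding
    return hdr, parse_dot11_header(inner, swapped_fc)
```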

You can copy this file from the switch flash to wherever you want. Here are a few screenshots of this capture opened in Wireshark.

3850-1#copy flash tftp:                           
Source filename [MY_CAP.pcap]? 
Address or name of remote host []? x.y.13.2                               
Destination filename [MY_CAP.pcap]? 
!!!!!!!!!!!!!!!!!
3908147 bytes copied in 21.010 secs (186014 bytes/sec)


Here is a good reference for wired interface packet capturing using the same feature.

Refer to this config guide section (for IOS-XE 3.3.0) for the Wireshark configuration of this version.

Hope you will enjoy this new feature available for easy troubleshooting.


Autonomous AP with External RADIUS


In this post we will see how to configure an Autonomous AP to authenticate users with an external RADIUS server. I have used ACS v5.2 as my RADIUS server. An 1142N access point with IOS image c1140-k9w7-mx.124-25d.JA was used for this exercise. Here is the basic topology for the post.

Here is the basic configuration of the AP (open authentication) & the switch. You need to make sure this configuration is working before proceeding to the RADIUS configuration. I used only Radio 1 (5GHz) for simplicity.

hostname C3750-1 <= Switch Configuration 
!
ip dhcp excluded-address 192.168.143.1 192.168.143.50
ip dhcp pool VLAN143
 network 192.168.143.0 255.255.255.0
 default-router 192.168.143.1 
 option 150 ip 10.10.205.20 
 domain-name mrn.com
 dns-server 192.168.200.1 
!
interface GigabitEthernet1/0/11
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 143,999
 switchport mode trunk
!
interface Vlan100
 ip address 192.168.100.1 255.255.255.0
!
interface Vlan143
 ip address 192.168.143.1 255.255.255.0
!
interface Vlan999
 ip address 192.168.99.1 255.255.255.0

hostname A1142-1 <= AP Configuration
!
dot11 ssid TEST
   vlan 143
   authentication open
   guest-mode
!
interface Dot11Radio1
 ssid TEST
!
interface Dot11Radio1.143
 encapsulation dot1Q 143
 bridge-group 143
!
interface Dot11Radio1.999
 encapsulation dot1Q 999 native
 bridge-group 1
!
interface GigabitEthernet0.143
 encapsulation dot1Q 143
 bridge-group 143
!
interface GigabitEthernet0.999
 encapsulation dot1Q 999 native
 bridge-group 1
!
interface BVI1
 ip address 192.168.99.99 255.255.255.0
ip default-gateway 192.168.99.1

When configuring RADIUS for any IOS device, here are the 3 steps you need to follow.

1. Define the RADIUS server/or servers.
2. Create a RADIUS Server Group (listing defined servers).
3. Create a method-list, that points to the RADIUS group created.

When working with RADIUS, you can easily lock yourself out unless you get the required configuration 100% correct. Therefore it is always good practice to have a safe way of accessing the IOS device, even if you make a mistake. So before starting the rest of the configuration we will configure the console line not to do any authentication.

line con 0
no login authentication

The first command to enter is “aaa new-model”. Then you can define the RADIUS server configuration as shown below. I have used “Cisco123” as the shared key & a timeout value of 10s (by default 5s).

A1142-1(config)#radius-server ?
  accounting          Accounting information configuration
  attribute           Customize selected radius attributes
  authorization       Authorization processing information
  backoff             Retry backoff pattern(Default is retransmits with
                      constant delay)
  cache               AAA auth cache default server group
  challenge-noecho    Data echoing to screen is disabled during
                      Access-Challenge
  configure-nas       Attempt to upload static routes and IP pools at startup
  dead-criteria       Set the criteria used to decide when a radius server is
                      marked dead
  deadtime            Time to stop using a server that doesn't respond
  directed-request    Allow user to specify radius server to use with `@server'
  domain-stripping    Strip the domain from the username
  host                Specify a RADIUS server
  key                 encryption key shared with the radius servers
  local               Configure local RADIUS server
  optional-passwords  The first RADIUS request can be made without requesting a
                      password
  retransmit          Specify the number of retries to active server
  retry               Specify how the next packet is sent after timeout.
  source-ports        source ports used for sending out RADIUS requests
  timeout             Time to wait for a RADIUS server to reply
  transaction         Specify per-transaction parameters
  unique-ident        Higher order bits of Acct-Session-Id
  vsa                 Vendor specific attribute configuration

radius-server host 192.168.100.2 auth-port 1812 acct-port 1813 key Cisco123
radius-server timeout 10

As the 2nd step, define the RADIUS server group & then list the server you defined. I have used “RAD_GRP” as my RADIUS group name.

A1142-1(config)#aaa group server radius RAD_GRP
A1142-1(config-sg-radius)#?
RADIUS Server-group commands:
  accounting      Specify a RADIUS attribute filter for accounting
  attribute       Customize selected radius attributes
  authorization   Specify a RADIUS attribute filter for authorization
  backoff         Retry backoff pattern (Default is retransmits with constant
                  delay)
  cache           cached DB profile configuration
  deadtime        Specify time in minutes to ignore an unresponsive server
  default         Set a command to its defaults
  exit            Exit from RADIUS server-group configuration mode
  ip              Internet Protocol config commands
  no              Negate a command or set its defaults
  server          Specify a RADIUS server
  server-private  Define a private RADIUS server (per group)

A1142-1(config-sg-radius)#server 192.168.100.2 auth-port 1812 acct-port 1813

As the final step, define a method list pointing to the RADIUS group you defined & apply it to the WLAN (or SSID) created. The method list name “EAP_MTD” is used in my example. Additionally I have configured WPA2/AES for added security.

A1142-1(config)#aaa authentication login EAP_MTD group RAD_GRP
!
A1142-1(config)#dot11 ssid TEST
A1142-1(config-ssid)#   authentication open eap EAP_MTD
A1142-1(config-ssid)#   authentication network-eap EAP_MTD
A1142-1(config-ssid)#   authentication key-management wpa version 2
!
A1142-1(config)#interface Dot11Radio1
A1142-1(config-if)# encryption vlan 143 mode ciphers aes-ccm

That’s pretty much the configuration on the AP itself. Next you have to configure ACS 5.2. In ACS you have to configure the shared secret for this AP. Either you can individually configure each NAS device or you can configure a Default Network Device which applies to any device connecting to ACS. I have used the default device method.

AAP-ExRADIUS-3

Then make sure you have created a username/password for testing. In my example I have used a local user (test/test123) within ACS. Also if you want to do EAP-TLS make sure you have installed the necessary certificates on ACS & the test client (not explained in this post) & that they are correctly listed in the Certificate Authority section.

AAP-ExRADIUS-3.2PNG

For TLS to work you need to have certificates installed & the TLS request pointing to the Identity Store created for TLS.

AAP-ExRADIUS-3.1PNG

I have defined an Identity Store for all EAP-TLS requests.

AAP-ExRADIUS-3.3

Then I have defined a custom attribute named NAS-IP, referencing the “NAS-IP-Address” attribute in the RADIUS-IETF dictionary. For a simple scenario like ours we can use the default permit rule without any custom policy, but if you want to do some filtering based on the NAS IP a RADIUS request comes from, this method is very useful.

AAP-ExRADIUS-3.5

Next make sure all required protocols are permitted through ACS (Access Policies -> Default Network Access -> Allowed Protocols).

AAP-ExRADIUS-4

In the Access Policies -> Default Network Access -> Identity section you have to specify that if the request is EAP-TLS, the Identity Store defined for TLS is used. By default all requests go to the Internal Users identity store. So I have created a rule-based selection pointing all TLS requests to the “CCIE-TLS-Internal” identity store created in a previous step.

AAP-ExRADIUS-9

Then you can create a policy by adding the custom attribute created (NAS-IP) as a custom condition. You can do this by hitting the “Customize” button under Access Policies -> Default Network Access -> Authorization. (Some other attributes are also shown, but they are not relevant to this example.)

AAP-ExRADIUS-5

Here is what the policy looks like. Simply give “Permit Access” to any RADIUS request coming from NAS-IP 192.168.99.99 (our Access Point IP).

AAP-ExRADIUS-6

Once you save the configuration it is ready for testing. I have used a laptop as EAP-TLS client & an iPhone 5 as PEAP client. You can see the client associations on the AP CLI.

A1142-1#show dot11 associations 
802.11 Client Stations on Dot11Radio1: 
SSID [TEST] : 
MAC Address    IP address      Device        Name            Parent         State     
0022.fa94.6858 192.168.143.55  ccx-client    A1142-1         self           EAP-Assoc
04f7.e4ea.5b66 192.168.143.54  unknown       -               self           EAP-Assoc

A1142-1#show dot11 associations 0022.fa94.6858
Address           : 0022.fa94.6858     Name             : A1142-1
IP Address        : 192.168.143.55     Interface        : Dot11Radio 1
Device            : ccx-client         Software Version : NONE 
CCX Version       : 4                  Client MFP       : Off

State             : EAP-Assoc          Parent           : self               
SSID              : TEST                            
VLAN              : 143
Hops to Infra     : 1                  Association Id   : 2
Clients Associated: 0                  Repeaters associated: 0
Tunnel Address    : 0.0.0.0
Key Mgmt type     : WPAv2              Encryption       : AES-CCMP
Current Rate      : 54.0               Capability       : WMM 11h
Supported Rates   : 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
Voice Rates       : disabled           Bandwidth        : 20 MHz 
Signal Strength   : -49  dBm           Connected for    : 90 seconds
Signal to Noise   : 48  dB            Activity Timeout : 20 seconds
Power-save        : On                 Last Activity    : 0 seconds ago
Apsd DE AC(s)     : NONE

Packets Input     : 649                Packets Output   : 179       
Bytes Input       : 129364             Bytes Output     : 35033     
Duplicates Rcvd   : 1                  Data Retries     : 3         
Decrypt Failed    : 0                  RTS Retries      : 0         
MIC Failed        : 0                  MIC Missing      : 0         
Packets Redirected: 0                  Redirect Filtered: 0         
Session timeout   : 0 seconds
Reauthenticate in : never

A1142-1#show dot11 associations 04f7.e4ea.5b66
Address           : 04f7.e4ea.5b66     Name             : NONE
IP Address        : 192.168.143.54     Interface        : Dot11Radio 1
Device            : unknown            Software Version : NONE 
CCX Version       : NONE               Client MFP       : Off

State             : EAP-Assoc          Parent           : self               
SSID              : TEST                            
VLAN              : 143
Hops to Infra     : 1                  Association Id   : 1
Clients Associated: 0                  Repeaters associated: 0
Tunnel Address    : 0.0.0.0
Key Mgmt type     : WPAv2              Encryption       : AES-CCMP
Current Rate      : m7.-               Capability       : WMM 11h
Supported Rates   : 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 m0. m1. m2. m3. m4. m5. m6. m7.
Voice Rates       : disabled           Bandwidth        : 20 MHz 
Signal Strength   : -44  dBm           Connected for    : 2952 seconds
Signal to Noise   : 53  dB            Activity Timeout : 57 seconds
Power-save        : On                 Last Activity    : 1 seconds ago
Apsd DE AC(s)     : NONE

Packets Input     : 469                Packets Output   : 97        
Bytes Input       : 26761              Bytes Output     : 9326      
Duplicates Rcvd   : 0                  Data Retries     : 1         
Decrypt Failed    : 0                  RTS Retries      : 0         
MIC Failed        : 0                  MIC Missing      : 0         
Packets Redirected: 0                  Redirect Filtered: 0         
Session timeout   : 0 seconds
Reauthenticate in : never

In ACS as well you can monitor the successful authentications of these clients. Here are the “Monitoring & Reports -> Launch Monitoring & Report Viewer -> RADIUS Authentication” results.

AAP-ExRADIUS-7

If you want to look at the details you can click the “Magnifying Glass” icon. This is the best way of troubleshooting when a client connection is not successful: it gives the failure reason & points you in the right direction. Here is part of the PEAP authentication that came from my iPhone 5 client.

AAP-ExRADIUS-8

Hope this is useful for anyone who wants to play with an Autonomous AP & an external RADIUS server for authentication.


WLAN Config with 3850 – Part 1


In this post we will see how to configure a WLAN on 3850 switches. In the topology below a single 3850 switch stack acts as MC/MA (WLC functionality).

3850-WLAN-P1-0

I have mainly used the CLI for the configuration & if you prefer the GUI over the CLI you can use that as well. Before starting the WLAN configuration make sure your 3850 is configured as MC in order to provide WLC functionality. You need the “wireless mobility controller” command on your switch to make it MC (by default it is MA). Also note that the AP & wireless management should be on the same vlan (999 in my case).

Since this 3850 acts as MC (Mobility Controller), you have to define a dynamic interface onto which users will be mapped. I have used vlan 1410 (10.141.96.0/21) for this.

3850-1#sh vlan brief
999  SW-MGMT                          active 
1410 WLN-STD-6                        active    
1420 WLN-STF-1                        active  
!
interface GigabitEthernet1/0/2
 switchport access vlan 999
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/48
 switchport trunk native vlan 800
 switchport trunk allowed vlan 999,1410,1420
 switchport mode trunk
!
wireless mobility controller
wireless management interface Vlan999
wireless mobility group name LTU-CA
wireless rf-network LTU-CA
!
interface Vlan999
 ip address 10.15.4.255 255.255.254.0
!
interface Vlan1410
 ip address 10.141.103.253 255.255.248.0
!
ip default-gateway 10.15.5.250

In addition to the above, a 6500 switch is configured as gateway for all the vlans.

interface Vlan999
 description SW-MGMT
 ip address 10.15.5.250 255.255.254.0
 ip pim sparse-mode
!
interface Vlan1410
 ip address 10.141.103.250 255.255.248.0
 ip helper-address x.x.26.100
 ip pim sparse-mode

Now we can start configuring WLAN.

3850-1(config)#wlan ?
  WORD      Enter Profile Name up to 32 alphanumeric characters
  shutdown  Enable/disable all WLANs

3850-1(config)#wlan OPEN ?
  <1-64>  Create WLAN Identifier
  <cr>

3850-1(config)#wlan OPEN 19 ?
  WORD  Enter SSID (Network Name) up to 32 alphanumeric characters
  <cr>

3850-1(config)#wlan OPEN 19 OPEN

Now if you look at the running configuration you will see the following

3850-1#sh run | sec wlan
wlan OPEN 19 OPEN
 shutdown

It’s not showing much; what about all the default settings of this WLAN? To see them you need to issue the “sh running-config all” command. So here are all the default settings.

3850-1#sh running-config all | sec wlan OPEN
wlan OPEN 19 OPEN
 accounting-list 
 assisted-roaming dual-list
 assisted-roaming neighbor-list
 broadcast-ssid
 ccx aironet-iesupport
 channel-scan defer-priority 4
 channel-scan defer-priority 5
 channel-scan defer-priority 6
 channel-scan defer-time 100
 chd
 client association limit ap 0
 client association limit radio 0
 client association limit 0
 client vlan default
 dtim dot11 24ghz 1
 dtim dot11 5ghz 1
 exclusionlist
 exclusionlist timeout 60
 ip access-group web 
 ip access-group 
 ip dhcp server 0.0.0.0
 ipv6 traffic-filter web none
 ipv6 traffic-filter none
 mac-filtering 
 mfp client
 mfp infrastructure-protection
 mobility anchor sticky
 radio all
 security wpa
 security wpa akm dot1x
 security wpa wpa2
 security wpa wpa2 ciphers aes
 security dot1x authentication-list 
 security dot1x encryption 104
 security ft over-the-ds
 security ft reassociation-timeout 20
 security pmf association-comeback 1
 security pmf saquery-retry-time 200
 security static-wep-key authentication open
 security tkip hold-down 60
 security web-auth authentication-list 
 security web-auth parameter-map 
 service-policy client input unknown
 service-policy client output unknown
 service-policy input unknown
 service-policy output unknown
 session-timeout 1800
 wmm allowed
 shutdown

So by default security is set to WPA2/AES, the interface is mapped to vlan 1 (default), the SSID is broadcast, etc. In this first example we will change it to open authentication. We also map it to client vlan 1410 (WLN-STD-6) & remove WPA security.

3850-1(config)#wlan OPEN 19 OPEN 
3850-1(config-wlan)#no security wpa 
3850-1(config-wlan)#client vlan vlan1410
3850-1(config-wlan)#no shut

3850-1(config-wlan)#do sh run | sec wlan OPEN
wlan OPEN 19 OPEN
 client vlan WLN-STD-6
 no security wpa
 no security wpa akm dot1x
 no security wpa wpa2
 no security wpa wpa2 ciphers aes
 no shutdown

Since I am using a WLAN ID higher than 16, I have to use an AP Group to advertise this SSID. So I have created an AP Group called “3850” & mapped this WLAN onto it with interface vlan 1410. You can assign an AP to the AP Group using the “ap name <AP-NAME> ap-groupname <Group-Name>” CLI command.

3850-1(config)#ap group 3850
3850-1(config-apgroup)#?
  default      Set a command to its defaults
  description  Specify the description for the AP group
  exit         Exit sub-mode
  no           Negate a command or set its defaults
  wlan         Add WLAN to ap group

3850-1(config-apgroup)#wlan ?
  WORD  Enter WLAN name

3850-1(config-apgroup)#wlan OPEN 
3850-1(config-wlan-apgroup)#?
  default       Set a command to its defaults
  exit          Exit sub-mode
  no            Negate a command or set its defaults
  radio-policy  Configures Radio Policy on given AP-Group
  vlan          Configures the WLANs vlan

3850-1(config-wlan-apgroup)#vlan ?
  WORD  Specify the vlan name or vlan id

3850-1(config-wlan-apgroup)#vlan WLN-STD-6

3850-1#ap name L3502-1 ap-groupname 3850
Changing the AP's group name will cause the AP to reboot.
Are you sure you want to continue? (y/n)[y]: y

Once you do this you should be able to connect to this SSID.

3850-WLAN-P1-1

Here are the client details.

3850-1#show wireless client mac-address a088.b435.c2f0 detail 

Client MAC Address : a088.b435.c2f0
Client Username: N/A
AP MAC Address : 2c3f.382b.5700
AP Name: L3502-1
AP slot : 1
Client State : Associated
Wireless LAN Id : 19
Wireless LAN Name: OPEN
BSSID : 2c3f.382b.570d
Connected For : 95 secs 
Protocol : 802.11n - 5 GHz
Channel : 64
Client IIF-ID : 0xc3ab4000000088
ASIC : 0
IPv4 Address : 10.141.99.247
IPv6 Address : Unknown
Association Id : 2
Authentication Algorithm : Open System
Status Code : 0
Session Timeout : 0
Client CCX version : 4
Client E2E version : 1
Input Policy Name  : unknown
Input Policy State : None
Output Policy Name  : unknown
Output Policy State : None
802.1P Priority Tag : Not supported
WMM Support : Enabled
U-APSD Support : Disabled
Power Save : OFF
Current Rate : m15
Supported Rates : 6.0,9.0,12.0,18.0,24.0,36.0,48.0,54.0,6.0,9.0,12.0,18.0,24.0,36.0,48.0,54.0
Mobility State : Local
Mobility Move Count : 0
Security Policy Completed : Yes
Policy Manager State : RUN
Policy Manager Rule Created : Yes
NPU Fast Fast Notified : Yes
Last Policy Manager State : DHCP_REQD
Client Entry Create Time : 1293325 seconds
Policy Type : N/A
Encryption Cipher : None
Management Frame Protection : No
Protected Management Frame - 802.11w : No
EAP Type : Not Applicable
Interface : WLN-STD-6
VLAN : 1410
Quarantine VLAN : 0
Access VLAN : 1410
WFD capable : No
Manged WFD capable : No
Cross Connection capable : No
Support Concurrent Operation : No
Client Capabilities
  CF Pollable : Not implemented
  CF Poll Request : Not implemented
  Short Preamble : Not implemented
  PBCC : Not implemented
  Channel Agility : Not implemented
  Listen Interval : 90
  Fast BSS Transition : Not implemented
Fast BSS Transition Details :
Client Statistics:
  Number of Bytes Received : 196611
  Number of Bytes Sent : 8767
  Number of Packets Received : 1477
  Number of Packets Sent : 166
  Number of EAP Id Request Msg Timeouts : 0
  Number of EAP Request Msg Timeouts : 0
  Number of EAP Key Msg Timeouts : 0
  Number of Data Retries : 4
  Number of RTS Retries : 0
  Number of Duplicate Received Packets : 0
  Number of Decrypt Failed Packets : 0
  Number of Mic Failured Packets : 0
  Number of Mic Missing Packets : 0
  Number of Policy Errors : 0
  Radio Signal Strength Indicator : -49 dBm
  Signal to Noise Ratio : 44 dB
Assisted-Roaming  Prediction List:
Nearby AP Statistics:
  L3502-1(slot1)
    antenna0: 58 seconds ago -61 dBm
    antenna1: 58 seconds ago -51 dBm

Now if you want to configure this as WPA2/AES with PSK you can add the configuration below. Since we disabled WPA first, you need to enable it before configuring WPA2. Also before configuring PSK you need to disable dot1x.

3850-1(config-wlan)#security wpa                           
3850-1(config-wlan)#security wpa wpa2 ciphers aes 
3850-1(config-wlan)#no security wpa akm dot1x 
3850-1(config-wlan)#security wpa akm psk set-key ascii 0 Cisco123

This time you have to use the PSK defined to connect to this WLAN.

3850-WLAN-P1-2

Here are the client statistics.

3850-1#sh wireless client mac-address a088.b435.c2f0 detail 

Client MAC Address : a088.b435.c2f0
Client Username: N/A
AP MAC Address : 2c3f.382b.5700
AP Name: L3502-1
AP slot : 1
Client State : Associated
Wireless LAN Id : 19
Wireless LAN Name: OPEN
BSSID : 2c3f.382b.570d
Connected For : 189 secs 
Protocol : 802.11n - 5 GHz
Channel : 64
Client IIF-ID : 0xcc9bc000000097
ASIC : 0
IPv4 Address : 10.141.99.247
IPv6 Address : Unknown
Association Id : 2
Authentication Algorithm : Open System
Status Code : 0
Session Timeout : 0
Client CCX version : 4
Client E2E version : 1
Input Policy Name  : unknown
Input Policy State : None
Output Policy Name  : unknown
Output Policy State : None
802.1P Priority Tag : Not supported
WMM Support : Enabled
U-APSD Support : Disabled
Power Save : OFF
Current Rate : m15
Supported Rates : 6.0,9.0,12.0,18.0,24.0,36.0,48.0,54.0,6.0,9.0,12.0,18.0,24.0,36.0,48.0,54.0
Mobility State : Local
Mobility Move Count : 0
Security Policy Completed : Yes
Policy Manager State : RUN
Policy Manager Rule Created : Yes
NPU Fast Fast Notified : Yes
Last Policy Manager State : DHCP_REQD
Client Entry Create Time : 1296794 seconds
Policy Type : WPA2
Authentication Key Management : PSK
Encryption Cipher : CCMP (AES)
Management Frame Protection : No
Protected Management Frame - 802.11w : No
EAP Type : Not Applicable
Interface : WLN-STD-6
VLAN : 1410
Quarantine VLAN : 0
Access VLAN : 1410
WFD capable : No
Manged WFD capable : No
Cross Connection capable : No
Support Concurrent Operation : No
Client Capabilities
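
Added example, not from the post: a Python parser for the `show wireless client mac-address <mac> detail` output above that pulls out the security fields and classifies the session, so the open and WPA2-PSK states shown can be spotted across many clients. The two samples are trimmed copies of the captures above (constructed from them), and the 802.1X case simply passes the AKM string through since this post shows no such capture.

```python
"""Classify a wireless client's security posture from the output of
'show wireless client mac-address <mac> detail' on a 3850. Added example, not
from the post; the samples are trimmed copies of the open and WPA2-PSK captures."""

# Constructed sample: client on the OPEN WLAN before PSK was configured.
OPEN_CLIENT = """\
Client MAC Address : a088.b435.c2f0
Client Username: N/A
AP Name: L3502-1
Client State : Associated
Wireless LAN Id : 19
Wireless LAN Name: OPEN
Authentication Algorithm : Open System
Policy Type : N/A
Encryption Cipher : None
Management Frame Protection : No
Protected Management Frame - 802.11w : No
EAP Type : Not Applicable
Access VLAN : 1410
Client Capabilities
  Listen Interval : 90
"""

# Constructed sample: the same client after WPA2/AES with PSK was applied.
PSK_CLIENT = """\
Client MAC Address : a088.b435.c2f0
Client Username: N/A
Wireless LAN Id : 19
Wireless LAN Name: OPEN
Policy Type : WPA2
Authentication Key Management : PSK
Encryption Cipher : CCMP (AES)
Management Frame Protection : No
Protected Management Frame - 802.11w : No
EAP Type : Not Applicable
Access VLAN : 1410
"""

def parse_client_detail(text):
    """Turn the 'Key : Value' lines into a dict (first occurrence wins); lines
    without a colon, such as 'Client Capabilities', are section headers."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields.setdefault(key.strip(), value.strip())
    return fields

def assess_client(fields, expected_vlan=None):
    """Return (posture, notes): posture is 'open', 'psk' or the AKM string the
    switch reports for anything else; notes list the weaknesses found."""
    notes = []
    wlan = fields.get("Wireless LAN Name", "?")
    akm = fields.get("Authentication Key Management", "")
    if fields.get("Policy Type", "N/A") == "N/A" or fields.get("Encryption Cipher", "None") == "None":
        posture = "open"
        notes.append(f"WLAN {wlan}: no link-layer encryption, client traffic is in the clear")
    elif akm == "PSK":
        posture = "psk"
        notes.append(f"WLAN {wlan}: shared passphrase, no per-user identity "
                     f"(Client Username {fields.get('Client Username', 'N/A')})")
    else:
        posture = akm or "unknown"
    if fields.get("Protected Management Frame - 802.11w", "No") == "No":
        notes.append("802.11w (PMF) not in use: deauth/disassoc frames are unauthenticated")
    if expected_vlan is not None and fields.get("Access VLAN") != str(expected_vlan):
        notes.append(f"Access VLAN {fields.get('Access VLAN')} differs from expected {expected_vlan}")
    return posture, notes

def audit(outputs, expected_vlan=None):
    """Assess several 'detail' outputs; returns [(mac, posture, notes), ...]."""
    results = []
    for out in outputs:
        fields = parse_client_detail(out)
        posture, notes = assess_client(fields, expected_vlan)
        results.append((fields.get("Client MAC Address"), posture, notes))
    return results

if __name__ == "__main__":
    for mac, posture, notes in audit([OPEN_CLIENT, PSK_CLIENT], expected_vlan=1410):
        print(mac, posture, *("\n  - " + n for n in notes))
```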

In the GUI (https://10.15.4.255/wireless), go to “Configuration -> Wireless -> WLAN” & then any feature under the General, Security, QoS, AVC & Advanced tabs (see below).

3850-WLAN-P1-3

In the next post we will see how to configure a dot1x WLAN with ACS/ISE.

Related Posts

1. Getting Started with 3850
2. WLAN configs with 3850 – Part 2
3. 3850 Password Recovery
4. Converged Access Mobility
5. 3850- Flexible Netflow
6. Wireshark Capture in 3850


Are You Ready for Wireless Growth ?


Here is a snapshot of the peak hour (1:00-2:00PM) wireless client distribution in my campus network over the past 2 years. That is almost ~150% growth in the number of devices connected to the network over wireless.

I would like to see another color (802.11ac) into this graph from Q1-2014 onwards.

LTU-Wireless-Growth

Here is the number of devices per user on a random day: an average of 1.4 devices per user.

LTU-Wireless-Growth2

Here is the client distribution per protocol on this day. More than 85% of users have devices supporting 802.11n.

LTU-Wireless-Growth3

Are you ready with your wireless network to meet this sort of demand?


WLAN Config with 3850 – Part 2


In this post we will see how to configure an 802.1x WLAN with the 3850. I have used ISE v1.2 as my RADIUS server. Here is the topology for the post.

3850-WLAN-P2-1

When configuring RADIUS on an IOS device it is a 3 step process:

1. Define RADIUS server or servers.
2. Define a RADIUS group or groups (listing the RADIUS servers within each).
3. Define a method list that points to one of the group defined.

Let’s define the RADIUS server first. You need to enter the “aaa new-model” command prior to any RADIUS configs. As you can see below, it automatically adds the “aaa session-id common” command as well.

3850-1(config)#aaa new-model 
3850-1#sh archive config differences nvram:startup-config system:running-config 
!Contextual Config Diffs:
+aaa new-model
+aaa session-id common

Here is how you can define a RADIUS server.

3850-1(config)#radius server ?
  WORD  Name for the radius server configuration

3850-1(config)#radius server ISE-DEV ?
  <cr>

3850-1(config)#radius server ISE-DEV 
3850-1(config-radius-server)#?
RADIUS server sub-mode commands:
  address          Specify the radius server address
  automate-tester  Configure server automated testing.
  backoff          Retry backoff pattern(Default is retransmits with constant delay)
  exit             Exit from RADIUS server configuration mode
  key              Per-server encryption key
  no               Negate a command or set its defaults
  non-standard     Attributes to be parsed that violate RADIUS standard
  pac              Protected Access Credential key
  retransmit       Number of retries to active server (overrides default)
  timeout          Time to wait (in seconds) for this radius server to reply (overrides default)
3850-1(config-radius-server)#address ?
  ipv4  IPv4 Address
  ipv6  IPv6 Address

3850-1(config-radius-server)#address ipv4 ?
  Hostname or A.B.C.D  IPv4 Address of radius server

3850-1(config-radius-server)#address ipv4 10.129.0.5 ?
  acct-port  UDP port for RADIUS accounting server (default is 1646)
  alias      1-8 aliases for this server (max. 8)
  auth-port  UDP port for RADIUS authentication server (default is 1645)
  <cr>

3850-1(config-radius-server)#address ipv4 10.129.0.5 auth-port 1812 acct-port 1813 ?
  <cr>

3850-1(config-radius-server)#address ipv4 10.129.0.5 auth-port 1812 acct-port 1813 
3850-1(config-radius-server)#key Cisco123
3850-1(config-radius-server)#exit

Next we will define a group called “RAD-GRP”.

3850-1(config)#aaa group server ?
  ldap     Ldap server-group definition
  radius   Radius server-group definition
  tacacs+  Tacacs+ server-group definition

3850-1(config)#aaa group server radius ?
  WORD  Server-group name

3850-1(config)#aaa group server radius RAD-GRP
3850-1(config-sg-radius)#?
RADIUS Server-group commands:
  accounting        Specify a RADIUS attribute filter for accounting
  attribute         Customize selected radius attributes
  authorization     Specify a RADIUS attribute filter for authorization
  backoff           Retry backoff pattern (Default is retransmits with constant delay)
  cache             cached DB profile configuration
  deadtime          Specify time in minutes to ignore an unresponsive server
  default           Set a command to its defaults
  domain-stripping  Strip the domain from the username
  exit              Exit from RADIUS server-group configuration mode
  ip                Internet Protocol config commands
  ipv6              IPv6 config commands
  key-wrap          Configure RADIUS key-wrap feature
  load-balance      Server group load-balancing options.
  mac-delimiter     MAC Delimiter for Radius Compatibility Mode
  no                Negate a command or set its defaults
  server            Specify a RADIUS server
  server-private    Define a private RADIUS server (per group)
  subscriber        Configures MAC Filtering RADIUS Compatibility mode
  throttle          Throttle requests to radius server

3850-1(config-sg-radius)#server ?
  Hostname or A.B.C.D  IP address of RADIUS server
  name                 Name of radius server

3850-1(config-sg-radius)#server name ISE-DEV ?
  <cr>

3850-1(config-sg-radius)#server name ISE-DEV 
3850-1(config-sg-radius)#exit
3850-1(config)#

Next step is to define method lists.

3850-1(config)#aaa ?
  accounting       Accounting configurations parameters.
  attribute        AAA attribute definitions
  authentication   Authentication configurations parameters.
  authorization    Authorization configurations parameters.
  cache            AAA cache definitions
  common-criteria  AAA Common Criteria
  configuration    Authorization configuration parameters.
  dnis             Associate certain AAA parameters to a specific DNIS number
  group            AAA group definitions
  local            AAA Local method options
  max-sessions     Adjust initial hash size for estimated max sessions
  memory           AAA memory parameters
  nas              NAS specific configuration
  new-model        Enable NEW access control commands and functions.(Disables OLD commands.)
  password         Configure password/secret related settings
  pod              POD processing
  policy           AAA policy parameters
  server           Local AAA server
  service-profile  Service-Profile parameters
  session-id       AAA Session ID
  traceback        Traceback recording
  user             AAA user definitions

3850-1(config)#aaa authentication ?
  arap             Set authentication lists for arap.
  attempts         Set the maximum number of authentication attempts
  banner           Message to use when starting login/authentication.
  dot1x            Set authentication lists for IEEE 802.1x.
  enable           Set authentication list for enable.
  eou              Set authentication lists for EAPoUDP
  fail-message     Message to use for failed login/authentication.
  login            Set authentication lists for logins.
  onep             Set authentication lists for ONEP
  password-prompt  Text to use when prompting for a password
  ppp              Set authentication lists for ppp.
  sgbp             Set authentication lists for sgbp.
  suppress         Do not send access request for a specific type of user.
  username-prompt  Text to use when prompting for a username

3850-1(config)#aaa authentication dot1x ?
  WORD     Named authentication list (max 31 characters, longer will be rejected).
  default  The default authentication list.

3850-1(config)#aaa authentication dot1x LTU-DOT1X group RAD-GRP

Since you are using Authentication, Authorization & Accounting, you can define method lists for those as well.

3850-1(config)#aaa authorization ?
  auth-proxy           For Authentication Proxy Services
  cache                For AAA cache configuration
  commands             For exec (shell) commands.
  config-commands      For configuration mode commands.
  configuration        For downloading configurations from AAA server
  console              For enabling console authorization
  credential-download  For downloading EAP credential from Local/RADIUS/LDAP
  exec                 For starting an exec (shell).
  multicast            For downloading Multicast configurations from an AAA server
  network              For network services. (PPP, SLIP, ARAP)
  onep                 For ONEP authorization service
  policy-if            For diameter policy interface application.
  prepaid              For diameter prepaid services.
  radius-proxy         For proxying radius packets
  reverse-access       For reverse access connections
  subscriber-service   For iEdge subscriber services (VPDN etc)
  template             Enable template authorization

3850-1(config)#aaa authorization network LTU-AUTH group RAD-GRP
3850-1(config)#aaa accounting network LTU-DOT1X start-stop group RAD-GRP

If you want the RADIUS server to override authorization values, you have to enable it in the global config. In this post we will not use this AAA override feature.

3850-1(config)#aaa server radius ?
  dynamic-author  Local server profile for RFC 3576 support
  policy-device   Local server profile for RADIUS External Policy Delegation client
  proxy           Local server profile for RADIUS proxy clients
  sesm            Local server profile for a SESM client

3850-1(config)#aaa server radius dynamic-author 
3850-1(config-locsvr-da-radius)#?
RADIUS Application commands:
  auth-type   Specify the server authorization type
  client      Specify a RADIUS client
  default     Set a command to its defaults
  domain      Username domain options
  exit        Exit from RADIUS application configuration mode
  ignore      Override behaviour to ignore certain parameters
  no          Negate a command or set its defaults
  port        Specify port on which local radius server listens
  server-key  Encryption key shared with the radius clients

3850-1(config-locsvr-da-radius)#client 10.129.0.5 ?
  server-key  Specify a RADIUS client server-key
  vrf         Virtual Routing/Forwarding parameters
  <cr>

3850-1(config-locsvr-da-radius)#client 10.129.0.5 server-key Cisco123
3850-1(config-locsvr-da-radius)#auth-type ?
  all          Matches when all attributes match
  any          Matches when all sent attributes match
  session-key  Matches with session key attribute only

3850-1(config-locsvr-da-radius)#auth-type any 
3850-1(config-locsvr-da-radius)#exit

Before you move on, make sure 802.1x is globally enabled on your 3850. The “dot1x system-auth-control” command does this.

3850-1(config)#dot1x system-auth-control 

In summary here are the config lines we have added so far.

3850-1#sh archive config differences nvram:startup-config system:running-config 
!Contextual Config Diffs:
+aaa new-model
+dot1x system-auth-control
+aaa group server radius RAD-GRP
 +server name ISE-DEV
+aaa authentication dot1x LTU-DOT1X group RAD-GRP
+aaa authorization network LTU-AUTH group RAD-GRP
+aaa accounting network LTU-DOT1X start-stop group RAD-GRP
+aaa server radius dynamic-author
 +client 10.129.0.5 server-key Cisco123
 +auth-type any
+aaa session-id common
+radius server ISE-DEV
 +address ipv4 10.129.0.5 auth-port 1812 acct-port 1813
 +key Cisco123
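
Added example, not from either post: a small Python lint for the three-step RADIUS chain (server -> server group -> method list) described here and in the autonomous AP post above, covering both the classic `radius-server host` syntax and the 3850's `radius server` / `address ipv4` syntax. The sample configs are constructed from the command lines shown in the posts; the broken variant is invented to show what a mistyped group name and a missing `dot1x system-auth-control` look like.

```python
"""Lint the RADIUS chain (server -> server group -> method list) in an IOS running-config.
Added example, not from the posts; it understands only the commands the posts use:
classic 'radius-server host' (autonomous AP) and 'radius server NAME' / 'address ipv4' (3850)."""
import re

AAA_LINE = re.compile(r"^aaa (authentication|authorization|accounting) \S+ \S+")

def parse_aaa(config_text):
    """Collect servers, groups, method lists and the global flags the chain needs."""
    servers, groups, methods, flags = {}, {}, [], set()
    current = None  # ("server", name) or ("group", name) while inside a sub-mode
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!":
            current = None
            continue
        parts = line.split()
        if line.startswith(" "):  # sub-mode line, meaning depends on 'current'
            if current and current[0] == "server":
                if parts[0] == "address" and len(parts) >= 3:
                    servers[current[1]]["address"] = parts[2]
                elif parts[0] == "key":
                    servers[current[1]]["key"] = True
            elif current and current[0] == "group" and parts[0] == "server" and len(parts) >= 2:
                # 'server A.B.C.D ...' (classic) or 'server name NAME' (3850)
                groups[current[1]].append(parts[2] if parts[1] == "name" else parts[1])
            continue
        current = None
        if line in ("aaa new-model", "dot1x system-auth-control"):
            flags.add(line)
        elif line.startswith("radius-server host "):
            servers[parts[2]] = {"address": parts[2], "key": "key" in parts}
        elif line.startswith("radius-server key "):
            flags.add("global-key")
        elif line.startswith("radius server "):
            current = ("server", parts[2])
            servers.setdefault(parts[2], {"address": None, "key": False})
        elif line.startswith("aaa group server radius "):
            current = ("group", parts[4])
            groups.setdefault(parts[4], [])
        elif AAA_LINE.match(line):  # e.g. 'aaa authentication dot1x LTU-DOT1X group RAD-GRP'
            for grp in re.findall(r"\bgroup (\S+)", line):
                methods.append((parts[1], parts[2], parts[3], grp))
    return servers, groups, methods, flags

def lint_radius_chain(config_text):
    """Return a list of findings; an empty list means the chain is consistent."""
    servers, groups, methods, flags = parse_aaa(config_text)
    findings = []
    if (groups or methods) and "aaa new-model" not in flags:
        findings.append("'aaa new-model' is missing: the AAA lines will not take effect")
    addresses = {s["address"] for s in servers.values() if s["address"]}
    for name, s in servers.items():
        if s["address"] is None:
            findings.append(f"radius server {name}: no 'address ipv4' configured")
        if not s["key"] and "global-key" not in flags:
            findings.append(f"radius server {name}: no shared key (per-server or global)")
    for gname, members in groups.items():
        for ref in members:
            if ref not in servers and ref not in addresses:
                findings.append(f"group {gname}: member {ref} is not a defined RADIUS server")
    for kind, svc, lname, grp in methods:
        if grp not in groups:
            findings.append(f"aaa {kind} {svc} {lname}: group {grp} is not defined")
        if (kind, svc) == ("authentication", "dot1x") and "dot1x system-auth-control" not in flags:
            findings.append(f"aaa authentication dot1x {lname}: 'dot1x system-auth-control' not enabled")
    return findings

# Constructed sample: the autonomous AP chain from the first post (classic syntax).
AP_CONFIG = """\
aaa new-model
aaa group server radius RAD_GRP
 server 192.168.100.2 auth-port 1812 acct-port 1813
!
aaa authentication login EAP_MTD group RAD_GRP
radius-server host 192.168.100.2 auth-port 1812 acct-port 1813 key Cisco123
radius-server timeout 10
"""

# Constructed sample: the 3850 chain from the diff above (new syntax, CoA client included).
SWITCH_CONFIG = """\
aaa new-model
dot1x system-auth-control
aaa group server radius RAD-GRP
 server name ISE-DEV
aaa authentication dot1x LTU-DOT1X group RAD-GRP
aaa authorization network LTU-AUTH group RAD-GRP
aaa accounting network LTU-DOT1X start-stop group RAD-GRP
aaa server radius dynamic-author
 client 10.129.0.5 server-key Cisco123
 auth-type any
radius server ISE-DEV
 address ipv4 10.129.0.5 auth-port 1812 acct-port 1813
 key Cisco123
"""

# Constructed broken variant: group name mistyped (underscore) and dot1x not enabled globally.
BROKEN_CONFIG = SWITCH_CONFIG.replace("dot1x system-auth-control\n", "").replace(
    "dot1x LTU-DOT1X group RAD-GRP", "dot1x LTU-DOT1X group RAD_GRP")
```

Run it against `show running-config` output before you rely on a method list for console or dot1x access: an empty result means every group member resolves to a defined server with a key and every method list points to a defined group.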

Now we will configure ISE to add this 3850 as a client of the RADIUS server. You can add individual devices by navigating to “Administration > Network Resources > Network Devices”. In this example I have used the “Default Device” so I do not have to add each device individually. I have used “Cisco123”, which is the shared key used in the 3850 configuration.

3850-WLAN-P2-2

Also, for testing, I have configured a local user called “user1” with password “Cisco123” by navigating to “Administration > Identity Management > Identities > User” as shown below.

3850-WLAN-P2-3

By default most of the EAP protocols are allowed by ISE. You can verify the allowed protocol list by navigating to “Policy > Policy Elements > Results > Authentication > Allowed Protocols > Default Network Access”.

3850-WLAN-P2-4

Then you can define the authentication method for WLAN users. I have defined a new rule for dot1x called “LTU-DOT1x”.

3850-WLAN-P2-5

You should select the allowed protocols as “Default Network Access” & save the policy.

3850-WLAN-P2-6

Let’s configure the SSID called “3850” for dot1x authentication. Remember that once you create a new SSID it is automatically configured for WPA2/AES with dot1x. We will point it to the “LTU-DOT1X” authentication method list we created.

wlan 3850 17 3850
 client vlan WLN-STD-6
 security dot1x authentication-list LTU-DOT1X
 no shutdown

Since we created a WLAN with an ID greater than 16, we will create an AP group and map the SSID to the required VLAN interface. Finally, add the AP to the AP group as shown below.

3850-1(config)#ap group 3850
3850-1(config-apgroup)#wlan 3850
3850-1(config-wlan-apgroup)#vlan WLN-STD-6
!
3850-1#ap name L3502-1 ap-groupname 3850
Changing the AP's group name will cause the AP to reboot.
Are you sure you want to continue? (y/n)[y]: y

Now if you connect to the SSID with the credentials we created on ISE, you should be able to join the network.

3850-WLAN-P2-7

You can monitor the client connection details via ISE or the 3850 CLI.

3850-1#sh wireless client summary 
Number of Local Clients : 3
MAC Address    AP Name                          WLAN State              Protocol 
--------------------------------------------------------------------------------
04f7.e4ea.5b66 L3502-1                          17   UP                 11n(5)   
2c54.2dea.f4ea L3502-1                          17   AUTHENTICATING     11a      
a088.b435.c2f0 L3502-1                          17   UP                 11n(5)

3850-1#show wireless client mac-address a088.b435.c2f0 detail 

Client MAC Address : a088.b435.c2f0
Client Username : user1
AP MAC Address : 2c3f.382b.5700
AP Name: L3502-1
AP slot : 1
Client State : Associated
Wireless LAN Id : 17
Wireless LAN Name: 3850
BSSID : 2c3f.382b.570f
Connected For : 1512 secs 
Protocol : 802.11n - 5 GHz
Channel : 64
Client IIF-ID : 0xc9c900000000a6
ASIC : 0
IPv4 Address : 10.141.99.247
IPv6 Address : Unknown
Association Id : 2
Authentication Algorithm : Open System
Status Code : 0
Client CCX version : 4
Client E2E version : 1
Re-authentication Timeout : 297 (1801)
Input Policy Name  : unknown
Input Policy State : None
Output Policy Name  : unknown
Output Policy State : None
802.1P Priority Tag : Not supported
WMM Support : Enabled
U-APSD Support : Disabled
Power Save : ON
Current Rate : m15
Supported Rates : 6.0,9.0,12.0,18.0,24.0,36.0,48.0,54.0,6.0,9.0,12.0,18.0,24.0,36.0,48.0,54.0
Mobility State : Local
Mobility Move Count : 0
Security Policy Completed : Yes
Policy Manager State : RUN
Policy Manager Rule Created : Yes
NPU Fast Fast Notified : Yes
Last Policy Manager State : L2AUTHCOMPLETE
Client Entry Create Time : 1461570 seconds
Policy Type : WPA2
Authentication Key Management : 802.1x
Encryption Cipher : CCMP (AES)
Management Frame Protection : No
Protected Management Frame - 802.11w : No
EAP Type : PEAP
Interface : WLN-STD-6
VLAN : 1410
Quarantine VLAN : 0
Access VLAN : 1410
WFD capable : No
Manged WFD capable : No
Cross Connection capable : No
Support Concurrent Operation : No
Client Capabilities
  CF Pollable : Not implemented
  CF Poll Request : Not implemented
  Short Preamble : Not implemented
  PBCC : Not implemented
  Channel Agility : Not implemented
  Listen Interval : 90
  Fast BSS Transition : Not implemented
Fast BSS Transition Details :
Client Statistics:
  Number of Bytes Received : 459653
  Number of Bytes Sent : 17967
  Number of Packets Received : 4204
  Number of Packets Sent : 336
  Number of EAP Id Request Msg Timeouts : 0
  Number of EAP Request Msg Timeouts : 0
  Number of EAP Key Msg Timeouts : 0
  Number of Data Retries : 4
  Number of RTS Retries : 0
  Number of Duplicate Received Packets : 2
  Number of Decrypt Failed Packets : 0
  Number of Mic Failured Packets : 0
  Number of Mic Missing Packets : 0
  Number of Policy Errors : 0
  Radio Signal Strength Indicator : -49 dBm
  Signal to Noise Ratio : 46 dB
Assisted-Roaming  Prediction List:
Nearby AP Statistics:
  L3502-1(slot1)
    antenna0: 7 seconds ago -59 dBm
    antenna1: 7 seconds ago -52 dBm

3850-WLAN-P2-8

The reference document below guides you if you want to do the same via the GUI.
Cisco Doc ID 116600

Related Posts

1. Getting Started with 3850
2. WLAN configs with 3850 – Part 1
3. 3850 Password Recovery
4. Converged Access Mobility
5. 3850- Flexible Netflow
6. Wireshark Capture in 3850


Getting Started with 5760

In previous posts we looked at the 3850 acting as both MC and MA, without a centralized controller for the MC functionality. But if your environment is large, then from a scalability point of view it is advisable to have a centralized controller as MC, with all your 3850/3650 switches acting as MA.

Here is the complete test setup I will be using for future posts; in this post we will see how to get started with the basic 5760 configuration.

5760-GS-01

Here is what this product looks like physically.

5760-GS-02

Since this works pretty much like an L3 switch, it is best practice to connect it to the network as a VTP transparent switch. Also note that it can handle up to 128 VLANs.

5760-1#sh vtp status
VTP Version capable             : 1 to 3
VTP version running             : 2
VTP Domain Name                 : LTU-CA
VTP Pruning Mode                : Disabled
VTP Traps Generation            : Disabled
Device ID                       : 44ad.d903.9d00
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00

Feature VLAN:
--------------
VTP Operating Mode                : Transparent
Maximum VLANs supported locally   : 1005
Number of existing VLANs          : 6
Configuration Revision            : 0
MD5 digest                        : 0x36 0xFF 0xF8 0xDF 0x53 0x18 0xF6 0x52 
                                    0xE5 0x36 0xC0 0xF9 0xDF 0xA1 0xE6 0x83

If you do not set it to transparent mode & connect it to a network with a larger number of VLANs, you may see messages like the ones below.

5760-1(config-if)#
*Mar 31 23:59:34.583: %NGWC_PLATFORM_FEP-1-FRU_PS_ACCESS: Switch 1: power supply A is not responding
*Apr 1 00:02:23.112: *simSvcRcvTask: 1 wcm: %SIM-3-ADD_SIM_L2INTF_FAILED: Adding of the vlan failed: tree insertion failure. 
*Apr 1 00:02:23.115: *simSvcRcvTask: 1 wcm: %LOG-3-Q_IND: Adding of the vlan failed: tree insertion failure
*Apr  1 00:02:23.131: %SPANTREE_VLAN_SW-2-MAX_INSTANCE: Platform limit of 128 STP instances exceeded. No instance created for VLAN99

The management port of the 5760 has to be configured as a host port. By default it is in a VRF called “Mgmt-vrf”, so you have to configure a default gateway for this VRF to reach the rest of your network.

If the service port is in use, the management interface must be on a different supernet from the service-port interface.

interface GigabitEthernet0/0
 vrf forwarding Mgmt-vrf
 ip address 10.13.5.254 255.255.254.0
 no ip route-cache
 negotiation auto
!
ip route vrf Mgmt-vrf 0.0.0.0 0.0.0.0 10.13.5.250

I have connected this Mgmt port to G6/1 of my 6506-E. The Mgmt port of the 5760 should be connected to a switchport configured as an access port.

interface GigabitEthernet6/1
 description 5760-MGMT-VL999
 switchport
 switchport access vlan 999
!
interface Vlan999
 description SW-MGMT
 ip address 10.13.5.252 255.255.254.0
 no ip redirects
 no ip unreachables
 ip pim sparse-mode
 standby 99 ip 10.13.5.250

Once you have done this port configuration, the 5760 is accessible from your network. If you want to use this port for TFTP/FTP file transfers, you can configure it as below.

5760-1(config)#ip ftp ?
  passive           Connect using passive mode
  password          Specify password for FTP connections
  source-interface  Specify interface for source address in FTP connections
  username          Specify username for FTP connections
!
5760-1(config)#ip ftp username networks
5760-1(config)#ip ftp password xxxxxx
5760-1(config)#ip ftp source-interface g0/0

5760-1(config)#ip tftp ?
  blocksize         Specify TFTP client blocksize
  boot-interface    Force interface to use for TFTP booting
  min-timeout       Set minimum timeout period for retransmission
  source-interface  Specify interface for source address in TFTP connections

5760-1(config)#ip tftp source-interface g0/0

Then you have to define a wireless management interface. I have used VLAN 1600 as the management interface, and also created two additional VLANs for WLAN testing in the future. You need to configure a default route to the gateway address of your management interface, and ensure VLAN 1600 is set as the wireless management interface.

interface Vlan1600
 ip address 10.160.49.1 255.255.254.0
!
wireless management interface vlan 1600
!
ip route 0.0.0.0 0.0.0.0 10.160.49.250

5760-1#sh vlan brief 
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Te1/0/1, Te1/0/2, Te1/0/3, Te1/0/4
1410 WLN-STD-6                        active    
1420 WLN-STF-1                        active    
1600 NET-MGT-1                        active

Then you can configure the 10G interfaces, depending on how many you want to activate. I have used 2x 10G as a single Port Channel for this. You can bundle all 6 ports for 60Gbps throughput. Since this is an IOS based controller it supports LACP, PAgP or manual (“on” mode). I have used mode on for simplicity.

**** HERE IS 5760 CONFIGURATION *****

interface TenGigabitEthernet1/0/5
 switchport trunk native vlan 800
 switchport trunk allowed vlan 1410,1420,1600
 switchport mode trunk
 channel-group 16 mode on
!
interface TenGigabitEthernet1/0/6
 switchport trunk native vlan 800
 switchport trunk allowed vlan 1410,1420,1600
 switchport mode trunk
 channel-group 16 mode on
!
interface Port-channel16
 switchport trunk native vlan 800
 switchport trunk allowed vlan 1410,1420,1600
 switchport mode trunk

****** HERE IS THE CONFIG ON 6506-E ******

interface TenGigabitEthernet4/15
 description 5760WLC-20G ETH-CH
 switchport
 switchport trunk native vlan 800
 switchport trunk allowed vlan 1410,1420,1600
 switchport mode trunk
 channel-group 16 mode on
!
interface TenGigabitEthernet4/16
 description 5760WLC-20G ETH-CH
 switchport
 switchport trunk native vlan 800
 switchport trunk allowed vlan 1410,1420,1600
 switchport mode trunk
 channel-group 16 mode on
!
interface Port-channel16
 description WLC5760-20G
 switchport
 switchport trunk native vlan 800
 switchport trunk allowed vlan 1410,1420,1600
 switchport mode trunk

You can configure port-channel load balancing as “src-dst-ip” instead of the default “src-mac” method. The 6506-E does “src-dst-ip” load balancing by default.

5760-1(config)#port-channel load-balance ?
  dst-ip                 Dst IP Addr
  dst-mac                Dst Mac Addr
  dst-mixed-ip-port      Dst IP Addr and TCP/UDP Port
  dst-port               Dst TCP/UDP Port
  extended               Extended Load Balance Methods
  src-dst-ip             Src XOR Dst IP Addr
  src-dst-mac            Src XOR Dst Mac Addr
  src-dst-mixed-ip-port  Src XOR Dst IP Addr and TCP/UDP Port
  src-dst-port           Src XOR Dst TCP/UDP Port
  src-ip                 Src IP Addr
  src-mac                Src Mac Addr
  src-mixed-ip-port      Src IP Addr and TCP/UDP Port
  src-port               Src TCP/UDP Port

5760-1(config)#port-channel load-balance src-dst-ip 

5760-1#show etherchannel load-balance 
EtherChannel Load-Balancing Configuration:
        src-dst-ip

EtherChannel Load-Balancing Addresses Used Per-Protocol:
Non-IP: Source XOR Destination MAC address
  IPv4: Source XOR Destination IP address
  IPv6: Source XOR Destination IP address

5760-1#sh etherchannel summary 
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator
        M - not in use, minimum links not met
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port

Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
16     Po16(SU)         -        Te1/0/5(P)  Te1/0/6(P)  
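An added example, not from the original post, that checks the 5760 configuration fragments above for the points this section makes: a wireless management SVI with an IP address, a default route, the management VLAN allowed on the uplink trunk, and the number of VLANs carried on the uplink against the 128 STP-instance platform limit seen in the log earlier. The config is embedded as a constructed sample; the native-VLAN check is my addition, not something the post calls out.

```python
import re

# Constructed sample: the 5760 configuration fragments from this section, joined into one file.
SAMPLE_5760_CONFIG = """\
interface Vlan1600
 ip address 10.160.49.1 255.255.254.0
!
wireless management interface vlan 1600
!
ip route 0.0.0.0 0.0.0.0 10.160.49.250
!
interface TenGigabitEthernet1/0/5
 switchport trunk native vlan 800
 switchport trunk allowed vlan 1410,1420,1600
 switchport mode trunk
 channel-group 16 mode on
!
interface TenGigabitEthernet1/0/6
 switchport trunk native vlan 800
 switchport trunk allowed vlan 1410,1420,1600
 switchport mode trunk
 channel-group 16 mode on
!
interface Port-channel16
 switchport trunk native vlan 800
 switchport trunk allowed vlan 1410,1420,1600
 switchport mode trunk
"""

# Platform limit quoted in the %SPANTREE_VLAN_SW-2-MAX_INSTANCE message earlier in the post.
STP_INSTANCE_LIMIT = 128


def expand_vlan_list(spec):
    """Expand an IOS VLAN list such as '1-3,10,1600' into a set of VLAN ids.

    Keywords such as 'all' or 'none' are ignored here; only numbers and ranges count.
    """
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if not re.fullmatch(r"\d+(-\d+)?", part):
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(part))
    return vlans


def check_5760_uplink(config):
    """Return a list of findings; an empty list means the checks pass."""
    findings = []
    mgmt = re.search(r"^wireless management interface [Vv]lan ?(\d+)", config, re.M)
    if not mgmt:
        return ["no wireless management interface configured"]
    mgmt_vlan = int(mgmt.group(1))

    # The management SVI must exist and carry an IP address (APs and the GUI reach the box via it).
    svi = rf"^interface Vlan{mgmt_vlan}\n(?: .*\n)*? ip address \S+ \S+"
    if not re.search(svi, config, re.M):
        findings.append(f"Vlan{mgmt_vlan} has no IP address")

    if not re.search(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 \S+", config, re.M):
        findings.append("no default route for the wireless management interface")

    # VLANs carried on the uplink trunks, used as a proxy for the STP instances the box will create.
    allowed, native = set(), set()
    for spec in re.findall(r"^ switchport trunk allowed vlan (?:add )?(\S+)", config, re.M):
        allowed |= expand_vlan_list(spec)
    for vid in re.findall(r"^ switchport trunk native vlan (\d+)", config, re.M):
        native.add(int(vid))

    if allowed and mgmt_vlan not in allowed:
        findings.append(f"management VLAN {mgmt_vlan} is not allowed on the uplink trunk")
    if mgmt_vlan in native:
        findings.append(f"management VLAN {mgmt_vlan} is the trunk native VLAN (carried untagged)")
    carried = len(allowed | native)
    if carried > STP_INSTANCE_LIMIT:
        findings.append(f"{carried} VLANs on the uplink exceed the {STP_INSTANCE_LIMIT} STP instance limit")
    return findings


if __name__ == "__main__":
    for finding in check_5760_uplink(SAMPLE_5760_CONFIG) or ["no findings"]:
        print(finding)
```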

Make sure you configure NTP & your 5760 is synced with it. Also configure a username/password to access it via the GUI.

5760-1(config)#username admin privilege 15 password 0 Cisco123
5760-1#sh run | in ntp
ntp server x.x.4.104
ntp server x.x.4.103

5760-1#sh run | in clock
clock timezone AEST 10 0
clock summer-time AEDT recurring 1 Sun Oct 2:00 1 Sun Apr 3:00

5760-1#show ntp associations 
  address         ref clock       st   when   poll reach  delay  offset   disp
*~x.x.4.104   x.x.131.118    2     84    128   377  0.952   3.035  4.226
+~x.x.4.103   x.x.192.50     2     92    128   377  0.963   2.782  3.103
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured

5760-1#sh clock 
16:43:51.564 AEDT Thu Dec 12 2013

That’s pretty much the basic configuration & you should be able to access the 5760 GUI using its management IP (https://10.160.49.1/wireless) with the admin/Cisco123 credentials.

5760-GS-03

You can check the license level as below. If you do not have a permanent license you can activate an evaluation license for 90 days using the “license right-to-use activate apcount evaluation acceptEULA” CLI command. If you have a permanent license you can activate it using “license right-to-use activate apcount <No of AP> slot {1 |2} acceptEULA”.

5760-1#show license right-to-use summary 
  License Name    Type     Count   Period left
-----------------------------------------------
  apcount      base        0        Lifetime
  apcount      adder       1000     Lifetime

--------------------------------------------
 Evaluation AP-Count: Disabled
Total AP Count Licenses: 1000
AP Count Licenses In-use: 0
AP Count Licenses Remaining: 1000

You may have to upgrade the software image, depending on the IOS-XE image that came with your 5760. In my case I have already upgraded it to 3.9.6 (you can follow the Getting Started with 3850 post to see the details) since I am doing a beta trial with 3700 series APs.

5760-1#sh ver
.
.
.
License Level: Ipservices
License Type: Permanent
Next reload license Level: Ipservices

cisco AIR-CT5760 (i686) processor with 10485760K bytes of physical memory.
Processor board ID FOC1727V0MT
2 Virtual Ethernet interfaces
6 Ten Gigabit Ethernet interfaces
2048K bytes of non-volatile configuration memory.
10485760K bytes of physical memory.
255000K bytes of Crash Files at crashinfo:.
3612840K bytes of Flash at flash:.
0K bytes of Dummy USB Flash at usbflash0:.
0K bytes of  at webui:.

Base Ethernet MAC Address          : 44:ad:d9:03:9d:00
Motherboard Assembly Number        : 73-14448-04
Motherboard Serial Number          : FOC172568FD
Model Revision Number              : A0
Model Number                       : AIR-CT5760
System Serial Number               : FOC1727V0MT

Switch Ports Model              SW Version        SW Image              Mode   
------ ----- -----              ----------        ----------            ----   
*    1 6     AIR-CT5760         03.09.06.MZP      ct5760-ipservicesk9   INSTALL

Configuration register is 0x201 (will be 0x102 at next reload)

Here is the consolidated configuration guide (for IOS-XE 3.3, which is the latest at the time of this write-up) that you should refer to. Yes, it is an 1818-page guide & takes time to absorb. :)

Consolidated Platform Configuration Guide, Cisco IOS XE Release3.3SE (Cisco WLC 5700 Series)

In the next post, we will see how this controller works with a 3850 (MA) to register an AP.

Related Posts

1. Getting Started with 3850
2. WLAN configs with 3850 – Part 1
3. WLAN configs with 3850 – Part 2
4. 3850 Password Recovery
5. Converged Access Mobility
6. 3850- Flexible Netflow
7. Wireshark Capture in 3850
8. 3850(MA) with 5760(MC)



AP Conversion using MODE Button

If you have already read one of my previous posts (Lightweight to Autonomous (vice versa) Conversion…) you may know one way of doing this AP conversion.

In this post we will see how to do the same task using the Mode/Reset button of the Access Point. Number 1 in the diagram below shows this Reset button on the given AP.

LAP-AAP-01

You can use this mode/reset button when you do not know the password, your AP firmware is corrupted, etc. In our case the firmware is not corrupted, but we can still use this button to load an image from a TFTP server. In this scenario the AP looks for a specifically named image file to load. So if you keep an Autonomous image file with the correct name syntax on the TFTP server, the AP will load that image once we do this.

Before starting we will look at the Autonomous & Lightweight recovery images for some of the AP models. As you can see below, certain AP models share common images (like 2600/3600, 1040/1140 or 1260/3500) for this purpose.

LAP-AAP-02

In this example I am using a 3500 series AP & therefore I have downloaded the ap3g1-k9w7-tar.152-4.JA1.tar & ap3g1-rcvk9w8-tar.152-4.JA1.tar files onto my TFTP server. Now you need to rename these so the AP can load them when it is reset using the mode button. Below shows how they should be renamed. Since the AP expects the same default filename in both cases, you have to make sure the correct file is renamed depending on whether you are doing a LAP -> AAP or AAP -> LAP conversion.

LAP-AAP-03

Since the AP resets to factory default, it will always take the IP 10.0.0.1. So your TFTP server should be on the same subnet (most of the time your PC acts as the TFTP server, directly connected to the AP ethernet port). Here are my TFTP/PC IP settings.

LAP-AAP-04

Now everything is ready for the conversion. First we will take the Lightweight AP & convert it to Autonomous. Ensure you have renamed the “ap3g1-k9w7-tar.152-4.JA1.tar” file to “ap3g1-k9w7-tar.default” & made it available on your TFTP server.

To do this you need to hold the mode/reset button for 20s (until the LED becomes solid RED) while powering on the AP. You can watch the console output to see what’s happening in the background.

using MCNG ddr static values from serial eeprom
ddr init done

IOS Bootloader - Starting system.
FLASH CHIP:  Numonyx P33
Checking for Over Erased blocks
......................................................................................................................................................................................................................................................
Xmodem file system is available.

DDR values used from system serial eeprom.
WRDTR,CLKTR: 0x8200083f, 0x40000000
RQDC, RFDC : 0x80000033, 0x00000218

PCIE0: link is up.
PCIE0: VC0 is active
PCIE1: link is up.
PCIE1: VC0 is active
64bit PCIE devices
PCIEx: initialization done
flashfs[0]: 41 files, 9 directories
flashfs[0]: 0 orphaned files, 0 orphaned directories
flashfs[0]: Total bytes: 31739904
flashfs[0]: Bytes used: 14926336
flashfs[0]: Bytes available: 16813568
flashfs[0]: flashfs fsck took 10 seconds.
Reading cookie from system serial eeprom...Done
Base Ethernet MAC address: cc:ef:48:72:0f:b5
Ethernet speed is 1000 Mb - FULL duplex
button is pressed, wait for button to be released...
button pressed for 23 seconds
process_config_recovery: set IP address and config to default 10.0.0.1
process_config_recovery: image recovery
image_recovery: Download default IOS tar image tftp://255.255.255.255/ap3g1-k9w7-tar.default

examining image...
extracting info (283 bytes)
Image info:
    Version Suffix: k9w7-.152-2.JB
    Image Name: ap3g1-k9w7-mx.152-2.JB
    Version Directory: ap3g1-k9w7-mx.152-2.JB
    Ios Image Size: 1126912
    Total Image Size: 12257792
    Image Feature: WIRELESS LAN|LWAPP
    Image Family: AP3G1
    Wireless Switch Management Version: 7.4.1.37
Extracting files...
.
.
.
.
extracting ap3g1-k9w7-mx.152-2.JB/info (283 bytes)
extracting info.ver (283 bytes)
Deleting current version: flash:/ap3g1-k9w8-mx.v152_2_jb.201310220755...done.
New software image installed in flash:/ap3g1-k9w7-mx.152-2.JB
Configuring system to use new image...done.
Requested system reload in progress...download took about 731 seconds
Loading "flash:/ap3g1-k9w7-mx.152-2.JB/ap3g1-k9w7-mx.152-2.JB"...################

File "flash:/ap3g1-k9w7-mx.152-2.JB/ap3g1-k9w7-mx.152-2.JB" uncompressed and installed, entry point: 0x4000
executing...

You will see the AP downloading the “.default” image from your TFTP server.

LAP-AAP-05

Once the image is fully loaded, the AP will reboot & come up as an Autonomous AP. Notice that the “ap>” prompt indicates it is an Autonomous AP on its default settings.

ap>en
Password: Cisco
ap#sh ver
Cisco IOS Software, C3500 Software (AP3G1-K9W7-M), Version 15.2(2)JB, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Mon 10-Dec-12 23:42 by prod_rel_team

ROM: Bootstrap program is C3500 boot loader
BOOTLDR: C3500 Boot Loader (AP3G1-BOOT-M), Version 12.4 [mpleso-ap_jmr3_esc_0514 125]

ap uptime is 2 minutes
System returned to ROM by power-on
System image file is "flash:/ap3g1-k9w7-mx.152-2.JB/ap3g1-k9w7-xx.152-2.JB"
Last reload reason:

Now you can follow the same process if you want to convert it back to Lightweight. Make sure the “ap3g1-rcvk9w8-tar.152-4.JA1.tar” file is renamed to “ap3g1-k9w7-tar.default” & is available on your TFTP server (you may have to remove or rename the .default file previously used for the LAP -> AAP conversion).

LAP-AAP-06

IOS Bootloader - Starting system.
FLASH CHIP:  Numonyx P33
Checking for Over Erased blocks
......................................................................................................................................................................................................................................................
Xmodem file system is available.

DDR values used from system serial eeprom.
WRDTR,CLKTR: 0x8200083f, 0x40000000
RQDC, RFDC : 0x80000033, 0x00000218

PCIE0: link is up.
PCIE0: VC0 is active
PCIE1: link is up.
PCIE1: VC0 is active
64bit PCIE devices
PCIEx: initialization done
flashfs[0]: 198 files, 9 directories
flashfs[0]: 0 orphaned files, 0 orphaned directories
flashfs[0]: Total bytes: 31739904
flashfs[0]: Bytes used: 15564800
flashfs[0]: Bytes available: 16175104
flashfs[0]: flashfs fsck took 10 seconds.
Reading cookie from system serial eeprom...Done
Base Ethernet MAC address: cc:ef:48:72:0f:b5
Ethernet speed is 1000 Mb - FULL duplex
button is pressed, wait for button to be released...
button pressed for 21 seconds
process_config_recovery: set IP address and config to default 10.0.0.1
process_config_recovery: image recovery
image_recovery: Download default IOS tar image tftp://255.255.255.255/ap3g1-k9w7-tar.default

examining image...
extracting info (263 bytes)
Image info:
    Version Suffix: rcvk9w8-
    Image Name: ap3g1-rcvk9w8-mx
    Version Directory: ap3g1-rcvk9w8-mx
    Ios Image Size: 123392
    Total Image Size: 7598592
    Image Feature: WIRELESS LAN|LWAPP
    Image Family: AP3G1
    Wireless Switch Management Version: 7.4.1.37
Extracting files...
ap3g1-rcvk9w8-mx/ (directory) 0 (bytes)
extracting ap3g1-rcvk9w8-mx/ap3g1-rcvk9w8-mx (113080 bytes)........................
extracting ap3g1-rcvk9w8-mx/ap3g1-boot-m_upg (393216 bytes).....................................................................................
extracting ap3g1-rcvk9w8-mx/u-boot.bin (393216 bytes).....................................................................................
extracting ap3g1-rcvk9w8-mx/ap3g1-rcvk9w8-xx (6686892 bytes)...

Now your AP is back in Lightweight mode & it is ready to register with a WLC.

APccef.4872.0fb5#sh ver
Cisco IOS Software, C3500 Software (AP3G1-RCVK9W8-M), Version 15.2(2)JB, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Mon 10-Dec-12 23:48 by prod_rel_team

ROM: Bootstrap program is C3500 boot loader
BOOTLDR: C3500 Boot Loader (AP3G1-BOOT-M), Version 12.4 [mpleso-ap_jmr3_esc_0514 125]

Networks-ISE-Test uptime is 0 minutes
System returned to ROM by reload
System image file is "flash:/ap3g1-rcvk9w8-mx/ap3g1-rcvk9w8-xx"
Last reload reason:

Here are some reference documents you should read.

1. http://www.cisco.com/en/US/docs/wireless/access_point/12.4.25d.JA/Configuration/guide/scg12.4.25d.JA-chap22-trouble.html

Related Posts

1. Lightweight to Autonomous (vice versa) Conversion


3850(MA) with 5760(MC)

In this post we will use a 3850 (acting as MA) communicating with a centralized 5760 (acting as MC). The diagram below summarizes the overall mobility concept in a Converged Access (CA) deployment.

MA-MC-01

A Mobility Domain (MD) is the entire domain across which client roaming is supported. It is a collection of mobility groups. For example, a campus network can be considered a mobility domain.
A Mobility Group (MG) is a collection of mobility subdomains across which fast roaming is supported. The mobility group can be one or more buildings within a campus across which frequent roaming is supported.
A Mobility Subdomain (MSD) is an autonomous portion of the mobility domain network. Each mobility subdomain contains one mobility controller (MC) and a collection of SPGs. A subdomain is equivalent to an 802.11r key domain.
A Switch Peer Group (SPG) is a collection of mobility agents.
The Mobility Oracle (MO) acts as the point of contact for mobility events that occur across mobility subdomains. The mobility oracle also maintains a local database of each client in the entire mobility domain, with their home and current subdomain. There is only one MO for an entire mobility domain. The Cisco WLC 5700 Series Controllers or a CUWN controller can act as MO.
The Mobility Controller (MC) provides mobility management services for inter-SPG roaming events. The MC sends configuration such as the SPG name and SPG peer member list to all of the mobility agents under its subdomain. The WLC 5700, 3850 Switch, or a CUWN controller can act as MC. The MC has both MC functionality and MA functionality running internally.
The Mobility Agent (MA) is the component that maintains the client mobility state machine for a mobile client. All APs are connected to the mobility agent.

In Converged Access, fast roaming is available within a Mobility Group (not between mobility groups, as in Unified Wireless). For inter-mobility group roaming the client has to fully re-authenticate. Within a mobility group you can have multiple sub-domains. Each sub-domain should have its own MC & that MC keeps the client database for that sub-domain. Within a sub-domain, you can create SPGs (Switch Peer Groups) to optimize roaming by constraining roaming traffic to a small area (e.g. a building). The diagram below represents this concept.

MA-MC-02

The next question is: what is the max number of SPGs in a sub-domain? The max number of mobility sub-domains (MSD) per MG? The max number of MCs in a mobility domain (MD)? The table below summarizes these; keep them in mind when designing CA solutions.

MA-MC-03

So here is my test topology. Effectively it is a single mobility sub-domain where the 5760 acts as MC, with two SPGs.

5760-GS-01

Let’s configure 3850-2 (MA) to communicate with the 5760 (MC) to register the L3602-1 AP. Here is the basic configuration on the 3850.

3850-2#sh archive config differences nvram:startup-config system:running-config
interface GigabitEthernet1/0/1
 +description L3602-1
 +switchport access vlan 1610
 +switchport mode access
 +spanning-tree portfast

+interface Vlan1610
 +ip address 10.161.33.22 255.255.254.0
+wireless management interface Vlan1610

Then you need to tell the 3850 about its Mobility Controller (MC) as below. If a firewall or NAT device sits between the MA & MC, you need to use the “public-ip” option as well. In my configuration it is not required.

3850-2(config)#wireless mobility controller ?
  ip          no description
  peer-group  Configures mobility peer groups  
  <cr>

3850-2(config)#wireless mobility controller ip ?
  A.B.C.D  IP address of mobility controller

3850-2(config)#wireless mobility controller ip 10.160.49.1 ?
  public-ip  no description
  <cr>

3850-2(config)#wireless mobility controller ip 10.160.49.1

You can verify the 3850 mobility configuration using the “show wireless mobility summary” CLI command. As expected, mobility is down since we haven’t configured the MC yet. Also the SPG name is blank; the MA will learn its SPG name from the MC.

3850-2#show wireless mobility summary 
Mobility Agent Summary:
Mobility Role                                   : Mobility Agent
Mobility Protocol Port                          : 16666
Mobility Switch Peer Group Name                 : 
Multicast IP Address                            : 0.0.0.0
DTLS Mode                                       : Enabled
Mobility Domain ID for 802.11r                  : 0xac34
Mobility Keepalive Interval                     : 10
Mobility Keepalive Count                        : 3
Mobility Control Message DSCP Value             : 0
Switch Peer Group Members Configured            : 0

Link Status is Control Link Status : Data Link Status
The status of Mobility Controller: 
IP              Public IP            Link Status
------------------------------------------------
10.160.49.1     10.160.49.1          DOWN : DOWN 

Let’s move on to the 5760 (MC) & start configuring it. We will use “BUN-1” for the group name & then create an SPG called “SPG1” and add 3850-2 as a member of that SPG.

5760-1(config)#wireless mobility group ?
  keepalive          Keepalive ping parameters to be configured
  member             Add/Change a Mobility group member to the list
  multicast-address  Configures the Multicast IP Address for a non-local mobility group
  name               Configures the Mobility domain name

5760-1(config)#wireless mobility group name ?
  WORD  Enter ASCII String up to 31 characters, case sensitive

5760-1(config)#wireless mobility group name BUN-1

5760-1(config)#wireless mobility ?
  controller  Configures mobility controller settings
  dscp        Configures the Mobility inter controller DSCP value
  group       Configures the Mobility group parameters
  multicast   Configures the Multicast Mode for mobility messages
  oracle      Configures mobility oracle settings

5760-1(config)#wireless mobility controller ?
  peer-group  Configures mobility peer groups  

5760-1(config)#wireless mobility controller peer-group ?
  WORD  Add or delete a peer group

5760-1(config)#wireless mobility controller peer-group SPG1 ?
  bridge-domain-id  Configure bridge domain Id
  member            Add or delete a peer group member
  multicast         Configures multicast settings of a peer group
  <cr>

5760-1(config)#wireless mobility controller peer-group SPG1 

5760-1(config)#wireless mobility controller peer-group SPG1 member ?
  ip  IP address of a peer group member

5760-1(config)#wireless mobility controller peer-group SPG1 member ip ?
  A.B.C.D  IP address of a peer group member

5760-1(config)#wireless mobility controller peer-group SPG1 member ip 10.161.33.22 ?
  public-ip  Public IP address of a peer group member
  <cr>

5760-1(config)#wireless mobility controller peer-group SPG1 member ip 10.161.33.22

Once you do this, you can see the mobility paths (control & data) are up.

5760-1#show  wireless mobility summary 
Mobility Controller Summary:
Mobility Role                                   : Mobility Controller
Mobility Protocol Port                          : 16666
Mobility Group Name                             : BUN-1
Mobility Oracle                                 : Disabled
Mobility Oracle IP Address                      : 0.0.0.0
DTLS Mode                                       : Enabled
Mobility Domain ID for 802.11r                  : 0xac34
Mobility Keepalive Interval                     : 10
Mobility Keepalive Count                        : 3
Mobility Control Message DSCP Value             : 48
Mobility Domain Member Count                    : 1

Link Status is Control Link Status : Data Link Status
Controllers configured in the Mobility Domain:
IP               Public IP        Group Name       Multicast IP     Link Status
-------------------------------------------------------------------------------
10.160.49.1      -                BUN-1          0.0.0.0          UP   : UP 

Switch Peer Group Name            : SPG1
Switch Peer Group Member Count    : 1
Bridge Domain ID                  : 0
Multicast IP Address              : 0.0.0.0
IP               Public IP             Link Status
--------------------------------------------------
10.161.33.22     10.161.33.22          UP   : UP  

Now if you go to 3850-2 & check the mobility summary, you should see that the paths are UP & that it has learnt its SPG name as well.

3850-2#show wireless mobility summary 
Mobility Agent Summary:
Mobility Role                                   : Mobility Agent
Mobility Protocol Port                          : 16666
Mobility Switch Peer Group Name                 : SPG1
Multicast IP Address                            : 0.0.0.0
DTLS Mode                                       : Enabled
Mobility Domain ID for 802.11r                  : 0xac34
Mobility Keepalive Interval                     : 10
Mobility Keepalive Count                        : 3
Mobility Control Message DSCP Value             : 48
Switch Peer Group Members Configured            : 1

Link Status is Control Link Status : Data Link Status
The status of Mobility Controller: 
IP              Public IP            Link Status
------------------------------------------------
10.160.49.1     10.160.49.1          UP   : UP                      

Switch Peer Group members:
IP              Public IP            Data Link Status
-----------------------------------------------------
10.161.33.22    10.161.33.22         UP

Now let’s try to register the AP. Prior to that, make sure your 5760/3850 is configured for the correct regulatory domain/country code. Keep in mind that you need to disable the radio bands before changing the country code.

5760-1#show wireless country configured 
 Configured Country.............................: US  - United States
 Configured Country Codes 
        US  - United States : 802.11a Indoor,Outdoor/ 802.11b / 802.11g

5760-1(config)#ap dot11 5ghz shutdown
5760-1(config)#ap dot11 24ghz shutdown 
5760-1(config)#ap country AU                                                       
Changing country code could reset channel and RRM grouping configuration. If running in RRM One-Time mode, reassign channels after this command. Check customized APs for valid channel values after this command. 
Are you sure you want to continue? (y/n)[y]: y
5760-1(config)#no ap dot11 5ghz shutdown 
5760-1(config)#no ap dot11 24ghz shutdown 

5760-1# show wireless country configured 
 Configured Country.............................: AU  - Australia
 Configured Country Codes 
        AU  - Australia : 802.11a Indoor,Outdoor/ 802.11b / 802.11g

Make sure you have the same configured on your MA as well.

3850-2#show wireless country configured 
Configured Country.............................: US  - United States
 Configured Country Codes 
        US  - United States : 802.11a Indoor,Outdoor/ 802.11b / 802.11g

3850-2(config)#ap dot11 5ghz shutdown 
3850-2(config)#ap dot11 24ghz shutdown 
3850-2(config)#ap country AU
Changing country code could reset channel and RRM grouping configuration. If running in RRM One-Time mode, reassign channels after this command. Check customized APs for valid channel values after this command. 
Are you sure you want to continue? (y/n)[y]: y
3850-2(config)#no ap dot11 5ghz shutdown 
3850-2(config)#no ap dot11 24ghz shutdown 

3850-2(config)#do show wireless country configured 
 Configured Country.............................: AU  - Australia
 Configured Country Codes 
        AU  - Australia : 802.11a Indoor,Outdoor/ 802.11b / 802.11g

Here is the AP console output of successful registration.

*Mar  1 00:00:28.563: %SSH-5-ENABLED: SSH 2.0 has been enabled
*Mar  1 00:00:29.039: %LINEPROTO-5-UPDOWN: Line protocol on Interface BVI1, changed state to up
*Mar  1 00:00:31.951: %SOAP_FIPS-2-SELF_TEST_HW_SUCCESS: HW crypto FIPS self test passed
*Mar  1 00:00:31.951: DPAA Initialization Complete
*Mar  1 00:00:31.951: %SYS-3-HARIKARI: Process DPAA INIT top-level routine exited
*Mar  1 00:00:32.951: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0, changed state to up%Default route without gateway, if not a point-to-point interface, may impact performance
*Mar  1 00:00:56.927: Logging LWAPP message to 255.255.255.255.
*Mar  1 00:01:01.667: %CDP_PD-4-POWER_OK: Full power - NEGOTIATED inline power source
*Mar  1 00:01:02.755: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Mar  1 00:01:03.047: %DHCP-6-ADDRESS_ASSIGN: Interface BVI1 assigned DHCP address 10.161.33.241, mask 255.255.254.0, hostname L3602-1
*Mar  1 00:01:03.755: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*Mar  1 00:01:03.847: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
*Mar  1 00:01:04.847: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
Translating "CISCO-CAPWAP-CONTROLLER.ltu.edu.au"...domain server (131.172.2.2)
*Mar  1 00:01:12.967: %CAPWAP-3-ERRORLOG: Did not get log server settings from DHCP.
*Mar  1 00:01:12.967: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-CAPWAP-CONTROLLER.ltu.edu.au
*Mar  1 00:01:22.967: %CAPWAP-3-ERRORLOG: Go join a capwap controller 
*Dec 12 22:15:38.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.161.33.22 peer_port: 5246
*Dec 12 22:15:40.223: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 10.161.33.22 peer_port: 5246
*Dec 12 22:15:40.223: %CAPWAP-5-SENDJOIN: sending Join Request to 10.161.33.22
*Dec 12 22:15:40.559: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
*Dec 12 22:15:40.567: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Dec 12 22:15:40.571: %CAPWAP-5-JOINEDCONTROLLER: AP has joined controller 3850-2
*Dec 12 22:15:40.631: ac_first_hop_mac - IP:10.161.33.22 Hop IP:10.161.33.22 IDB:BVI1
*Dec 12 22:15:40.635: Setting AC first hop MAC: 7c95.f380.27e7

If you look at the MA, you should see that L3602-1 is registered to it. If you look at the license, the MA itself does not hold any AP-count license; it always comes from the MC.

3850-2#show ap summary 
Number of APs: 1
Global AP User Name: Not configured
Global AP Dot1x User Name: Not configured
AP Name                           AP Model  Ethernet MAC    Radio MAC       State         
----------------------------------------------------------------------------------------
L3602-1                           3602I     4c00.82df.a4c1  f84f.57e3.1460  Registered  

3850-2#sh license right-to-use summary 
  License Name    Type     Count   Period left
-----------------------------------------------
  ipbase       permanent   N/A      Lifetime
  apcount      base        0        Lifetime
  apcount      adder       0        Lifetime
--------------------------------------------
License Level In Use: ipbase
License Level on Reboot: ipbase
Evaluation AP-Count: Disabled
Total AP Count Licenses: 0
AP Count Licenses In-use: 0
AP Count Licenses Remaining: 0

On my 5760, I can see this AP:

5760-1#show wireless mobility ap-list 
Number of AP entries in the mobility group : 2
Number of AP entries in the sub-domain     : 2

AP name                           AP radio MAC      Controller IP     Learnt from       
--------------------------------------------------------------------------------------
APccef.4872.0fc3                  2c3f.382b.5260    10.160.49.1       Self              
L3602-1                           f84f.57e3.1460    10.161.33.22      Mobility Agent    

Controller IP     AP Count    
----------------------------
10.160.49.1       1           
10.161.33.22      1

Here is a CSC forum post listing useful CA reference materials. Please read those if you are interested in learning more.
https://supportforums.cisco.com/thread/2249117

Related Posts

1. Getting Started with 3850
2. Getting Started with 5760


5760 in CA & CUWN Hybrid Solution


In most practical scenarios, you have to place a 5760 controller in an existing CUWN (Cisco Unified Wireless Network) environment. In this post we will see how to configure a WLAN on the 5760 to support such a CUWN setup.

[Image: 5760-CUWN-1]

As shown in the above diagram, we will use the L3502-2 AP, registered to the 5760-1 controller. In this case CAPWAP will terminate on the 5760 itself, as the AP is connected to a 3750X series switch, which does not have integrated WLC functionality. Make sure your 5760 has the basic configuration in place (refer to Getting Started with 5760 for details).

Here is the AP configuration. Let’s erase its NVRAM so it forgets previously known WLCs (this way it will not try to register to them). Once it boots up, it will get a DHCP IP & try to find a WLC. In this example we will configure the WLC IP statically on the AP.

LAP#debug capwap  console cli
This command is meant only for debugging/troubleshooting 
Any configuration change may result in different
behavior from centralized configuration. 

CAPWAP console CLI allow/disallow debugging is on
LAP#erase /all nvram: 
Erasing the nvram filesystem will remove all files! Continue? [confirm]
[OK]
Erase of nvram: complete
L3502-2#reload
*Dec 16 01:58:14.647: %SYS-7-NV_BLOCK_INIT: Initialized the geometry of nvram
Proceed with reload? [confirm]
Writing out the event log to flash:/event.log .
.
.
*Dec 16 01:58:50.640: %CDP_PD-4-POWER_OK: Full power - NEGOTIATED inline power source
*Dec 16 01:58:51.474: %DHCP-6-ADDRESS_ASSIGN: Interface BVI1 assigned DHCP address 10.161.32.11, mask 255.255.254.0, hostname APccef.4872.0fc3
*Dec 16 01:58:51.735: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Dec 16 01:58:52.735: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*Dec 16 01:58:52.829: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
*Dec 16 01:58:53.830: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
Translating "CISCO-CAPWAP-CONTROLLER.ltu.edu.au"...domain server (x.x.2.2)
*Dec 16 01:59:01.461: %CAPWAP-3-ERRORLOG: Did not get log server settings from DHCP.
*Dec 16 01:59:01.464: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-CAPWAP-CONTROLLER.ltu.edu.au

Once you configure the 5760 as the primary controller for this AP, it will successfully register to it.

APccef.4872.0fc3#capwap ap primary-base 5760-1 10.160 

*Dec 16 02:04:08.490: %CAPWAP-3-ERRORLOG: Selected MWAR '5760-1'(index 0).
*Dec 16 02:04:08.490: %CAPWAP-3-ERRORLOG: Go join a capwap controller 
*Dec 16 02:01:55.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.160.49.1 peer_port: 5246
*Dec 16 02:01:55.223: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 10.160.49.1 peer_port: 5246
*Dec 16 02:01:55.223: %CAPWAP-5-SENDJOIN: sending Join Request to 10.160.49.1
*Dec 16 02:01:55.440: capwap-config-view: Not present
*Dec 16 02:01:55.522: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
*Dec 16 02:01:55.528: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Dec 16 02:01:55.537: %CAPWAP-5-JOINEDCONTROLLER: AP has joined controller 5760-1
*Dec 16 02:01:55.588: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Dec 16 02:01:56.522: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
*Dec 16 02:01:56.553: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to down
*Dec 16 02:01:56.560: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
*Dec 16 02:01:56.588: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
*Dec 16 02:01:57.548: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*Dec 16 02:01:57.579: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
*Dec 16 02:01:57.585: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
*Dec 16 02:01:57.592: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Dec 16 02:01:58.579: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
*Dec 16 02:01:58.586: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
*Dec 16 02:01:58.611: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Dec 16 02:01:59.073: %CDP_PD-4-POWER_OK: Full power - NEGOTIATED inline power source
*Dec 16 02:01:59.611: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
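The join sequence in this console output and in the L3602-1 output earlier (the DNS lookup of CISCO-CAPWAP-CONTROLLER fails, the AP falls back to its primed controller, DTLS comes up on port 5246, then the join completes) can be checked automatically instead of being read off the console. The Python below is an added example, not code from this post or from Cisco: the function names are mine, the first sample is the CAPWAP lines from the L3602-1 output, and the stalled sample is constructed.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample 1: the CAPWAP messages from the L3602-1 console output in this post
# (the other syslog lines carry nothing the parser needs and are left out).
JOIN_LOG_3850 = """\
*Mar  1 00:01:12.967: %CAPWAP-3-ERRORLOG: Did not get log server settings from DHCP.
*Mar  1 00:01:12.967: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-CAPWAP-CONTROLLER.ltu.edu.au
*Mar  1 00:01:22.967: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*Dec 12 22:15:38.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.161.33.22 peer_port: 5246
*Dec 12 22:15:40.223: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 10.161.33.22 peer_port: 5246
*Dec 12 22:15:40.223: %CAPWAP-5-SENDJOIN: sending Join Request to 10.161.33.22
*Dec 12 22:15:40.571: %CAPWAP-5-JOINEDCONTROLLER: AP has joined controller 3850-2
"""

# Sample 2 (constructed): a join that never completed. The AP picked its primed
# controller and sent the DTLS request, but no DTLSREQSUCC / JOINEDCONTROLLER followed.
STALLED_LOG = """\
*Dec 16 02:04:08.490: %CAPWAP-3-ERRORLOG: Selected MWAR '5760-1'(index 0).
*Dec 16 02:04:08.490: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*Dec 16 02:04:08.500: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.160.49.1 peer_port: 5246
"""

CAPWAP_RE = re.compile(r"%CAPWAP-(?P<sev>\d)-(?P<mnemonic>[A-Z]+): (?P<msg>.*)$")
PEER_RE = re.compile(r"peer_ip:\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+peer_port:\s*(?P<port>\d+)")
CAPWAP_CONTROL_PORT = 5246  # the DTLS/CAPWAP control port seen in the log


@dataclass
class JoinReport:
    unresolved_names: List[str] = field(default_factory=list)
    selected_mwar: Optional[str] = None                        # controller picked from the primed list
    dtls_requested: List[str] = field(default_factory=list)    # "ip:port"
    dtls_established: List[str] = field(default_factory=list)  # "ip:port"
    join_sent_to: Optional[str] = None
    joined_controller: Optional[str] = None


def parse_ap_join_log(log: str) -> JoinReport:
    """Walk the console log and collect the CAPWAP discovery / DTLS / join milestones."""
    rep = JoinReport()
    for line in log.splitlines():
        m = CAPWAP_RE.search(line)
        if not m:
            continue
        mnemonic, msg = m.group("mnemonic"), m.group("msg").strip()
        if mnemonic == "ERRORLOG":
            if msg.startswith("Could Not resolve "):
                rep.unresolved_names.append(msg[len("Could Not resolve "):])
            elif msg.startswith("Selected MWAR"):
                mwar = re.search(r"'([^']+)'", msg)
                if mwar:
                    rep.selected_mwar = mwar.group(1)
        elif mnemonic in ("DTLSREQSEND", "DTLSREQSUCC"):
            peer = PEER_RE.search(msg)
            if peer:
                target = rep.dtls_requested if mnemonic == "DTLSREQSEND" else rep.dtls_established
                target.append(f"{peer['ip']}:{peer['port']}")
        elif mnemonic == "SENDJOIN":
            dest = re.search(r"\bto (\S+)", msg)
            if dest:
                rep.join_sent_to = dest.group(1)
        elif mnemonic == "JOINEDCONTROLLER":
            ctl = re.search(r"joined controller (\S+)", msg)
            if ctl:
                rep.joined_controller = ctl.group(1)
    return rep


def check_join(log: str, expected_controller: Optional[str] = None,
               expected_ip: Optional[str] = None) -> List[str]:
    """Return findings; an empty list means the AP joined the intended controller over DTLS."""
    rep = parse_ap_join_log(log)
    findings: List[str] = []
    if rep.joined_controller is None:
        findings.append("no JOINEDCONTROLLER message: the AP never completed the join")
    elif expected_controller and rep.joined_controller != expected_controller:
        findings.append(f"joined {rep.joined_controller}, expected {expected_controller}")
    if rep.join_sent_to:
        # The join request must ride on a DTLS session to the same controller IP
        if f"{rep.join_sent_to}:{CAPWAP_CONTROL_PORT}" not in rep.dtls_established:
            findings.append(f"join request to {rep.join_sent_to} without an established DTLS session")
        if expected_ip and rep.join_sent_to != expected_ip:
            findings.append(f"join request went to {rep.join_sent_to}, expected {expected_ip}")
    for peer in rep.dtls_requested:
        if peer not in rep.dtls_established:
            findings.append(f"DTLS request to {peer} was never acknowledged")
    return findings


if __name__ == "__main__":
    print("3850-2 join:", check_join(JOIN_LOG_3850, "3850-2", "10.161.33.22") or "OK")
    print("stalled join:", check_join(STALLED_LOG, "5760-1", "10.160.49.1"))
```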

Now if you look at the 5760 side, you can see the successful AP registration. We will change the AP name to L3502-2 using the “ap name <old_name> name <new_name>” CLI command.

5760-1#show ap summary 
Number of APs: 1
Global AP User Name: Not configured
Global AP Dot1x User Name: Not configured
AP Name                           AP Model  Ethernet MAC    Radio MAC       State         
----------------------------------------------------------------------------------------
APccef.4872.0fc3                  3502I     ccef.4872.0fc3  2c3f.382b.5260  Registered 

5760-1#ap name APccef.4872.0fc3 name L3502-2
5760-1#show ap summary 
Number of APs: 1
Global AP User Name: Not configured
Global AP Dot1x User Name: Not configured
AP Name                           AP Model  Ethernet MAC    Radio MAC       State         
----------------------------------------------------------------------------------------
L3502-2                           3502I     ccef.4872.0fc3  2c3f.382b.5260  Registered

Let’s create a WLAN called “LTUWireless” with open authentication. (In a later post we will change it to dot1x with AAA override.) Since I am creating it as open, I do not want too many users connecting to it, so I disabled the “broadcast SSID” feature.

5760-1(config)#wlan LTUWireless 21 LTUWireless 
5760-1(config-wlan)#no broadcast-ssid 
5760-1(config-wlan)#client vlan 1420
5760-1(config-wlan)#no security wpa 

Let’s create the dynamic interface for clients on VLAN 1420.

5760-1(config-if)#do sh vlan brief
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
.
.
1410 WLN-STD-6                        active    
1420 WLN-STF-1                        active    
1600 NET-MGT-1                        active 

5760-1(config)#interface vlan 1420
5760-1(config-if)#ip address 10.142.39.253 255.255.248.0
5760-1(config-if)#ip helper-address x.x.x.100 
5760-1(config-if)#ip helper-address x.x.x.200

Now let’s create an AP group called “LTU-CUWN” & put this WLAN into it. Then you need to add the L3502-2 AP to the group we created. (Note that the AP will reboot & register again to the 5760.)

5760-1(config)#ap group LTU-CUWN 
5760-1(config-apgroup)#wlan LTUWireless
5760-1(config-wlan-apgroup)#?
  default       Set a command to its defaults
  exit          Exit sub-mode
  no            Negate a command or set its defaults
  radio-policy  Configures Radio Policy on given AP-Group
  vlan          Configures the WLANs vlan
5760-1(config-wlan-apgroup)#vlan ?   
  WORD  Specify the vlan name or vlan id
5760-1(config-wlan-apgroup)#vlan 1420

5760-1#ap name L3502-2 ap-groupname LTU-CUWN 
Changing the AP's group name will cause the AP to reboot.
Are you sure you want to continue? (y/n)[y]: y

Here is WLAN summary information.

5760-1#show wlan summary 
Number of WLANs: 1
WLAN Profile Name                     SSID                           VLAN Status 
--------------------------------------------------------------------------------
21   LTUWireless                      LTUWireless                    1420 UP

5760-1#show wlan id 21
WLAN Profile Name     : LTUWireless
================================================
Identifier                                     : 21
Network Name (SSID)                            : LTUWireless
Status                                         : Enabled
Broadcast SSID                                 : Disabled
Max Associated Clients per WLAN                : 0
Max Associated Clients per AP per WLAN         : 0
Max Associated Clients per AP Radio per WLAN   : 0
AAA Policy Override                            : Disabled
Network Admission Control
  NAC-State                                    : Disabled
Number of Active Clients                       : 1
Exclusionlist Timeout                          : 60
Session Timeout                                : Infinity
CHD per WLAN                                   : Enabled
Webauth DHCP exclusion                         : Disabled
Interface                                      : 1420
Interface Status                               : Up
Multicast Interface                            : Unconfigured
WLAN IPv4 ACL                                  : 
WLAN IPv6 ACL                                  : unconfigured
DHCP Server                                    : Default
DHCP Address Assignment Required               : Disabled
DHCP Option 82                                 : Disabled
DHCP Option 82 Format                          : ap-mac
DHCP Option 82 Ascii Mode                      : Disabled
DHCP Option 82 Rid Mode                        : Disabled
QoS Service Policy - Input
  Policy Name                                  : unknown
  Policy State                                 : None
QoS Service Policy - Output
  Policy Name                                  : unknown
  Policy State                                 : None
QoS Client Service Policy
  Input  Policy Name                           : unknown
  Output Policy Name                           : unknown
WMM                                            : Allowed
WifiDirect                                     : Disabled
Channel Scan Defer Priority:
  Priority (default)                           : 4
  Priority (default)                           : 5
  Priority (default)                           : 6
Scan Defer Time (msecs)                        : 100
Media Stream Multicast-direct                  : Disabled
CCX - AironetIe Support                        : Enabled
CCX - Gratuitous ProbeResponse (GPR)           : Disabled
CCX - Diagnostics Channel Capability           : Disabled
Dot11-Phone Mode (7920)                        : Invalid
Wired Protocol                                 : None
Peer-to-Peer Blocking Action                   : Disabled
Radio Policy                                   : All
DTIM period for 802.11a radio                  : 1
DTIM period for 802.11b radio                  : 1
Local EAP Authentication                       : Disabled
Mac Filter Authorization list name             : Disabled
Accounting list name                           : Disabled
802.1x authentication list name                : Disabled
Security
    802.11 Authentication                      : Open System
    Static WEP Keys                            : Disabled
    802.1X                                     : Disabled
    Wi-Fi Protected Access (WPA/WPA2)          : Disabled
    FT Support                                 : Disabled
        FT Reassociation Timeout               : 20
        FT Over-The-DS mode                    : Enabled
    PMF Support                                : Disabled
        PMF Association Comeback Timeout       : 1
        PMF SA Query Time                      : 200
    CKIP                                       : Disabled
    IP Security                                : Disabled
    L2TP                                       : Disabled
    Web Based Authentication                   : Disabled
    Conditional Web Redirect                   : Disabled
    Splash-Page Web Redirect                   : Disabled
    Auto Anchor                                : Disabled
    Sticky Anchoring                           : Enabled
    Cranite Passthru                           : Disabled
    Fortress Passthru                          : Disabled
    PPTP                                       : Disabled
    Infrastructure MFP protection              : Enabled
    Client MFP                                 : Optional but inactive (WPA2 not configured)
    Webauth On-mac-filter Failure              : Disabled
    Webauth Authentication List Name           : Disabled
    Webauth Parameter Map                      : Disabled
    Tkip MIC Countermeasure Hold-down Timer    : 60
Call Snooping                                  : Disabled
Passive Client                                 : Disabled
Non Cisco WGB                                  : Disabled
Band Select                                    : Disabled
Load Balancing                                 : Disabled
IP Source Guard                                : Disabled
Assisted-Roaming
    Neighbor List                              : Enabled
    Prediction List                            : Disabled
    Dual Band Support                          : Enabled
AVC Visibility                                : Disabled

Now you can test your client connectivity. As you can see, my AnyConnect client connects to this SSID.

[Image: 5760-CUWN-2]

You can verify the client details on the 5760 CLI as well.

5760-1#sh wireless client summary 
Number of Local Clients : 1
MAC Address    AP Name                          WLAN State              Protocol 
--------------------------------------------------------------------------------
a088.b435.c2f0 L3502-2                          21   UP                 11n(5)  

5760-1#show wireless client mac-address a088.b435.c2f0 detail 
Client MAC Address : a088.b435.c2f0
Client Username: N/A
AP MAC Address : 2c3f.382b.5260
AP Name: L3502-2
AP slot : 1
Client State : Associated
Wireless LAN Id : 21
Wireless LAN Name: LTUWireless
BSSID : 2c3f.382b.526f
Connected For : 536 secs 
Protocol : 802.11n - 5 GHz
Channel : 161
Client IIF-ID : 0x5b3c8000000013
ASIC : 0
IPv4 Address : 10.142.35.243
IPv6 Address : Unknown
Association Id : 1
Authentication Algorithm : Open System
Status Code : 0
Session Timeout : 0
Client CCX version : 4
Client E2E version : 1
Input Policy Name  : unknown
Input Policy State : None
Output Policy Name  : unknown
Output Policy State : None
802.1P Priority Tag : 0
WMM Support : Enabled
U-APSD Support : Disabled
Power Save : OFF
Current Rate : m15
Supported Rates : 6.0,9.0,12.0,18.0,24.0,36.0,48.0,54.0,6.0,9.0,12.0,18.0,24.0,36.0,48.0,54.0
Mobility State : Local
Mobility Move Count : 0
Security Policy Completed : Yes
Policy Manager State : RUN
Policy Manager Rule Created : Yes
NPU Fast Fast Notified : Yes
Last Policy Manager State : DHCP_REQD
Client Entry Create Time : 430790 seconds
Policy Type : N/A
Encryption Cipher : None
Management Frame Protection : No
Protected Management Frame - 802.11w : No
EAP Type : Not Applicable
Interface : WLN-STF-1
VLAN : 1420
Quarantine VLAN : 0
Access VLAN : 1420
WFD capable : No
Manged WFD capable : No
Cross Connection capable : No
Support Concurrent Operation : No
Client Capabilities
  CF Pollable : Not implemented
  CF Poll Request : Not implemented
  Short Preamble : Not implemented
  PBCC : Not implemented
  Channel Agility : Not implemented
  Listen Interval : 90
  Fast BSS Transition : Not implemented
Fast BSS Transition Details :
Client Statistics:
  Number of Bytes Received : 152628
  Number of Bytes Sent : 13707
  Number of Packets Received : 1158
  Number of Packets Sent : 182
  Number of EAP Id Request Msg Timeouts : 0
  Number of EAP Request Msg Timeouts : 0
  Number of EAP Key Msg Timeouts : 0
  Number of Data Retries : 0
  Number of RTS Retries : 0
  Number of Duplicate Received Packets : 1
  Number of Decrypt Failed Packets : 0
  Number of Mic Failured Packets : 0
  Number of Mic Missing Packets : 0
  Number of Policy Errors : 0
  Radio Signal Strength Indicator : -52 dBm
  Signal to Noise Ratio : 41 dB
Assisted-Roaming  Prediction List:
Nearby AP Statistics:
  L3502-2(slot1)
    antenna0: 29 seconds ago -53 dBm
    antenna1: 29 seconds ago -50 dBm
  L3502-2(slot0)
    antenna0: 29 seconds ago -50 dBm
    antenna1: 29 seconds ago -43 dB

In the next post we will see how to configure RADIUS on the 5760 & make the WLAN dot1x.

Related Posts

1. Getting Started with 3850
2. Getting Started with 5760
3. WLAN configs with 3850 – Part 1
4. WLAN configs with 3850 – Part 2
5. 3850(MA) with 5760(MC)
6. 5760 with 802.1x WLAN
7. 5760 AVC Configuration


Configuring RADIUS on 5760


In this post we will see how to configure a RADIUS server & then use it to change the previously created “LTUWireless” WLAN authentication from “Open” to “802.1x”. Since we used the CLI method for a similar config on the 3850, in this case we will use the GUI method & then derive the equivalent CLI config at the end.

We will use the same topology as in the previous post.

[Image: 5760-CUWN-1]

As you remember, these are the 3 basic steps of configuring RADIUS on an IOS device.

1. Define RADIUS server or servers.
2. Define a RADIUS group or groups (listing number of RADIUS server within that).
3. Define a method list that points to one of the group defined.

If you go to the 5760 GUI (Configuration -> Wireless -> Security -> AAA) section you should be able to configure those three things.

[Image: 5760-RADIUS-1]

Here are the server details I have entered.

[Image: 5760-RADIUS-2]

Next we will configure the RADIUS server group. You have to go to the Server Groups -> RADIUS section under AAA. Here are the default settings.

[Image: 5760-RADIUS-3]

Here it is once you have configured the RADIUS server group.

[Image: 5760-RADIUS-4]

Then you can configure a method list to be used with the defined RADIUS server group. In here you have to enable 802.1x sys-auth under the general section. Here is what the default settings look like.

[Image: 5760-RADIUS-5]

Here are the settings once I configured them.

[Image: 5760-RADIUS-6]

Now if you look at the configuration in the CLI & compare it with the prior configuration, you can derive the config differences.

5760-1#sh archive config differences nvram:startup-config system:running-config
!Contextual Config Diffs:
+aaa new-model
+aaa group server radius RAD-GRP
 +server name ISE-DEV
 +deadtime 1
 +mac-delimiter colon
+aaa authentication dot1x LTU-DOT1X group RAD-GRP local
+aaa accounting dot1x LTU-DOT1X start-stop group RAD-GRP
+aaa server radius dynamic-author
 +client 10.129.0.5 server-key Cisco123
 +auth-type any
+aaa session-id common
+dot1x system-auth-control
+radius server ISE-DEV
 +address ipv4 10.129.0.5 auth-port 1812 acct-port 1813
 +key Cisco123
-no aaa new-model
line vty 0 4
 -no login
line vty 5 15
 -no login

As shown below, when we were configuring the 3850 with an 802.1x WLAN we had already configured the ISE Default Device (so you do not need to add the 5760 separately).

[Image: 3850-WLAN-P2-2]

Also we had a simple policy, just a permit access rule for 802.1x wireless connection requests, and we created a user on ISE (user1/Cisco123) for testing. If you need more detail on how we configured that, please see the WLAN configs with 3850 – Part 2 post.

[Image: 5760-RADIUS-7]

Now we change the SSID authentication from Open to dot1x. You can do this via the GUI in the Configure -> Wireless -> WLAN -> Security section. Here are the settings with “Open Authentication”.

[Image: 5760-RADIUS-8]

Now we will change it to dot1x & use the RADIUS server configured. Since I am planning to use this to test a 7925G as well, I have configured it as dot1x+CCKM.

[Image: 5760-RADIUS-9]

Here are the CLI config differences caused by the above WLAN modifications. You can see all the additions with a + sign & all the lines removed from the previously saved configuration with a – sign.

5760-1#sh archive config differences nvram:startup-config system:running-config
wlan LTUWireless 21 LTUWireless
 +accounting-list LTU-DOT1X
 +security wpa akm cckm
 +security dot1x authentication-list LTU-DOT1X
 +session-timeout 1800

wlan LTUWireless 21 LTUWireless
 -no security wpa
 -no security wpa akm dot1x
 -no security wpa wpa2
 -no security wpa wpa2 ciphers aes
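Deriving the equivalent CLI from these diffs (this WLAN diff and the RADIUS diff above) can be scripted, which also makes it easy to catch the RADIUS key and CoA server-key that the diff prints in clear before the output is pasted into a change record. The Python below is an added example, not from this post or from Cisco: the function names are mine and the sample input is the two diffs from this post joined into one.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample: the two "show archive config differences" outputs from this
# post, joined into one input (a real run would only show the current set of changes).
CONFIG_DIFF = """\
!Contextual Config Diffs:
+aaa new-model
+aaa group server radius RAD-GRP
 +server name ISE-DEV
 +deadtime 1
 +mac-delimiter colon
+aaa authentication dot1x LTU-DOT1X group RAD-GRP local
+aaa server radius dynamic-author
 +client 10.129.0.5 server-key Cisco123
 +auth-type any
+radius server ISE-DEV
 +address ipv4 10.129.0.5 auth-port 1812 acct-port 1813
 +key Cisco123
-no aaa new-model
line vty 0 4
 -no login
wlan LTUWireless 21 LTUWireless
 +security wpa akm cckm
 +security dot1x authentication-list LTU-DOT1X

wlan LTUWireless 21 LTUWireless
 -no security wpa
 -no security wpa akm dot1x
"""

# (parent, command): parent is the enclosing top-level line, None for a top-level command
Entry = Tuple[Optional[str], str]

# Keywords whose next token is a shared secret (RADIUS key, CoA server-key, ...)
SECRET_RE = re.compile(r"\b(?P<kw>server-key|key|password|secret)\s+(?P<val>\S+)")


def parse_config_diff(text: str) -> Tuple[List[Entry], List[Entry]]:
    """Split IOS contextual diff output into added and removed commands with their parent."""
    added: List[Entry] = []
    removed: List[Entry] = []
    parent: Optional[str] = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        indented = raw.startswith(" ")       # one leading space marks a sub-mode line
        body = raw.strip()
        op = body[0] if body[0] in "+-" else None
        cmd = body[1:].strip() if op else body
        if not indented:
            parent = cmd                     # a top-level line (changed or not) scopes what follows
            entry: Entry = (None, cmd)
        else:
            entry = (parent, cmd)
        if op == "+":
            added.append(entry)
        elif op == "-":
            removed.append(entry)
    return added, removed


def redact(cmd: str) -> str:
    """Mask the value after key/server-key/password/secret so the line is safe to share."""
    return SECRET_RE.sub(lambda m: f"{m.group('kw')} <redacted>", cmd)


def lines_with_secrets(entries: List[Entry]) -> List[str]:
    """Commands in the diff that carry a shared secret in clear text."""
    return [cmd for _, cmd in entries if SECRET_RE.search(cmd)]


def render_cli(entries: List[Entry], redact_secrets: bool = True) -> str:
    """Rebuild the CLI that reproduces the diff: each parent once, children indented."""
    out: List[str] = []
    last_parent: Optional[str] = None
    for parent, cmd in entries:
        text = redact(cmd) if redact_secrets else cmd
        if parent is None:
            out.append(text)
            last_parent = cmd
        else:
            if parent != last_parent:
                out.append(parent)
                last_parent = parent
            out.append(" " + text)
    return "\n".join(out)


if __name__ == "__main__":
    added, removed = parse_config_diff(CONFIG_DIFF)
    print(render_cli(added))
    print("removed:", [cmd for _, cmd in removed])
    print("secrets present in diff:", len(lines_with_secrets(added)))
```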

Now we can try with the AnyConnect client. As you can see, the client has successfully connected using PEAP authentication.

[Image: 5760-RADIUS-10]

You can view the client details on the WLC as well. You can see the 7925G phone is also associated, using EAP-FAST.

5760-1#show wireless client summary 
Number of Local Clients : 2
MAC Address    AP Name                          WLAN State              Protocol 
--------------------------------------------------------------------------------
2c54.2dea.f4ea L3502-2                          21   UP                 11a      
a088.b435.c2f0 L3502-2                          21   UP                 11n(5)   

5760-1#show wireless client mac-address 2c54.2dea.f4ea detail 
Client MAC Address : 2c54.2dea.f4ea
Client Username : user1
AP MAC Address : 2c3f.382b.5260
AP Name: L3502-2
AP slot : 1
Client State : Associated
Wireless LAN Id : 21
Wireless LAN Name: LTUWireless
BSSID : 2c3f.382b.526f
Connected For : 81 secs 
Protocol : 802.11a
Channel : 161
Client IIF-ID : 0x42e80000000016
ASIC : 1
IPv4 Address : 10.142.39.229
IPv6 Address : Unknown
Association Id : 2
Authentication Algorithm : Open System
Status Code : 0
Client CCX version : 4
Client E2E version : No E2E support
Re-authentication Timeout : 1720 (1801)
Input Policy Name  : unknown
Input Policy State : None
Output Policy Name  : unknown
Output Policy State : None
802.1P Priority Tag : 0
WMM Support : Disabled
Power Save : OFF
Current Rate : 54.0
Supported Rates : 6.0,9.0,12.0,18.0,24.0,36.0,48.0,54.0,6.0,9.0,12.0,18.0,24.0,36.0,48.0,54.0
Mobility State : Local
Mobility Move Count : 0
Security Policy Completed : Yes
Policy Manager State : RUN
Policy Manager Rule Created : Yes
NPU Fast Fast Notified : Yes
Last Policy Manager State : L2AUTHCOMPLETE
Client Entry Create Time : 441535 seconds
Policy Type : WPA2
Authentication Key Management : CCKM
Encryption Cipher : CCMP (AES)
Management Frame Protection : No
Protected Management Frame - 802.11w : No
EAP Type : EAP-FAST
Interface : WLN-STF-1
VLAN : 1420
Quarantine VLAN : 0
Access VLAN : 1420
WFD capable : No
Manged WFD capable : No
Cross Connection capable : No
Support Concurrent Operation : No
Client Capabilities
  CF Pollable : Not implemented
  CF Poll Request : Not implemented
  Short Preamble : Implemented
  PBCC : Not implemented
  Channel Agility : Not implemented
  Listen Interval : 3
  Fast BSS Transition : Not implemented
Fast BSS Transition Details :
Client Statistics:
  Number of Bytes Received : 15213
  Number of Bytes Sent : 16522
  Number of Packets Received : 139
  Number of Packets Sent : 111
  Number of EAP Id Request Msg Timeouts : 0
  Number of EAP Request Msg Timeouts : 0
  Number of EAP Key Msg Timeouts : 0
  Number of Data Retries : 1
  Number of RTS Retries : 0
  Number of Duplicate Received Packets : 3
  Number of Decrypt Failed Packets : 0
  Number of Mic Failured Packets : 0
  Number of Mic Missing Packets : 0
  Number of Policy Errors : 0
  Radio Signal Strength Indicator : -48 dBm
  Signal to Noise Ratio : 43 dB
Assisted-Roaming  Prediction List:
Nearby AP Statistics:
  L3502-2(slot1)
    antenna0: 49 seconds ago -43 dBm
    antenna1: 49 seconds ago -42 dBm
  L3502-2(slot0)
    antenna0: 111 seconds ago -44 dBm
    antenna1: 111 seconds ago -42 dBm

In the next post we will see how to configure AVC on this WLAN & get visibility of the traffic on it.

Related Posts

1. Getting Started with 3850
2. Getting Started with 5760
3. WLAN configs with 3850 – Part 1
4. WLAN configs with 3850 – Part 2
5. 3850(MA) with 5760(MC)
6. 5760 in CA & CUWN
7. 5760 AVC Configuration


Configuring AV(C) on a 5760


In a previous post we saw how to configure Flexible Netflow on a 3850 stack acting as MC/MA. In this post we will see how to configure this feature (also known as Application Visibility) on a 5760.

If you are already familiar with AVC on Aironet WLCs (5508, 2504, WiSM-2, etc.), it has the capability of controlling traffic (re-marking, drop) at the WLC both upstream & downstream. In the current IOS-XE 3.3.0 this control part is not available & only Application Visibility can be implemented. (The control feature is expected in a future release.)

Here are the IOS-XE 3.3.0 supported features. Note that only Gen2 APs (1600, 2600, 3600, 3700) are supported.

• Application Visibility – No Control
• Supported on IOS XE 3.3 platforms: 5760/3850/3650
• Use NBAR2 Protocol pack 5.1
• Seamless roaming
• More than 1000 applications
• Gen2 APs (AP1600, 2600, 3600, and 3700)
• Wireless clients only
• Centralized and Converged Access
• Flexible Netflow v9 Export to PI (PAM) and external collectors (Plixer and ActionPacked)
• Multicast/IPv6 classification is not supported.

Let’s see how to configure this using our standard topology for the CA post, shown below.
(Screenshot: 5760-CUWN-1)
We will configure this using the GUI & then derive the equivalent CLI commands. Here are the default AVC settings under WLAN -> AVC.
(Screenshot: 5760-AVC-1)
You can enable the feature & select the default profiles configured on the 5760.
(Screenshot: 5760-AVC-2)
If you diff the running config against the startup config, you will see the CLI lines added by the above change.

5760-1#sh archive config differences nvram:startup-config system:running-config
+flow monitor wireless-avc-basic
 +record wireless avc basic
wlan LTUWireless 21 LTUWireless
 +ip flow monitor wireless-avc-basic input
 +ip flow monitor wireless-avc-basic output

Now if you go to Monitor -> Controller -> AVC -> WLAN (& select the WLAN configured for AVC) you should be able to see the traffic statistics. But why is it blank?
(Screenshot: 5760-AVC-3)
This is because I am using the 3502 AP model & it is not supported for AVC in this CA deployment. For the same reason the “show avc x” commands return no output, even though the clients are up on the WLAN.

5760-1#sh wireless client summary 
Number of Local Clients : 2
MAC Address    AP Name                          WLAN State              Protocol 
--------------------------------------------------------------------------------
2c54.2dea.f4ea L3502-2                          21   UP                 11a      
a088.b435.c2f0 L3502-2                          21   UP                 11n(5) 

5760-1#show avc ?
  client  avc client
  wlan    wlan

5760-1#show avc wlan ?
  WORD  Enter wlan name

5760-1#show avc wlan LTUWireless ?
  top  top 

5760-1#show avc wlan LTUWireless top ?
  <1-30>  Enter a number

5760-1#show avc wlan LTUWireless top 5 ?
  application  Display top applications

5760-1#show avc wlan LTUWireless top 5 application ?
  aggregate   Display aggregate stats for top n applications
  downstream  Display downstream stats for top n applications
  upstream    Display upstream stats for top n applications

5760-1#show avc wlan LTUWireless top 5 application aggregate  
**** NO OUTPUT ******
5760-1#show avc client 2c54.2dea.f4ea top 5 application aggregate 
***** NO OUTPUT ******

Let’s get the L3602-1 AP registered to this 5760 & assign it to the LTU-CUWN AP group which was created as part of a previous post. Then shut down the L3502-2 AP so that the clients move to the 3602. As you can see, the clients moved to the L3602-1 AP.

5760-1#show ap summary 
Number of APs: 2
Global AP User Name: Not configured
Global AP Dot1x User Name: Not configured
AP Name                           AP Model  Ethernet MAC    Radio MAC       State         
----------------------------------------------------------------------------------------
L3502-2                           3502I     ccef.4872.0fc3  2c3f.382b.5260  Registered    
L3602-1                           3602I     4c00.82df.a4c1  f84f.57e3.1460  Registered    

5760-1#ap name L3602-1 ap-groupname LTU-CUWN 
Changing the AP's group name will cause the AP to reboot.
Are you sure you want to continue? (y/n)[y]: y

5760-1#ap name L3502-2 shutdown

5760-1#show wireless client summary 
Number of Local Clients : 2
MAC Address    AP Name                          WLAN State              Protocol 
--------------------------------------------------------------------------------
2c54.2dea.f4ea L3602-1                          21   UP                 11a      
a088.b435.c2f0 L3602-1                          21   UP                 11n(5)

Now you can see the AVC statistics per WLAN (Monitor -> Controller -> AVC -> WLAN) or per client (Monitor -> Client -> MAC address -> AVC statistics) as shown in the two snapshots below. You can view them as “Aggregate”, “Upstream” or “Downstream”.

WLAN AVC statistics
(Screenshot: 5760-AVC-4)
Client (laptop) AVC statistics
(Screenshot: 5760-AVC-5)
This is real-time data. What if you want to keep it for a period of time, or combine the AVC stats of multiple controllers? That is where Prime Infrastructure comes into play: you need Prime Assurance in order to collect these NetFlow stats with Prime. In my case I do not have Prime Assurance, but I do have a 3rd-party NetFlow collector.

Let’s configure a flow exporter & attach it to the default flow monitor (wireless-avc-basic). If you need to, you can create your own flow record, flow exporter & flow monitor as well (refer to the 3850 Flexible NetFlow post for more detail). Keep in mind that NetFlow v9 export is plain UDP with no authentication or encryption, so source it from a management VLAN that reaches the collector only over a trusted path & have the collector accept flows only from the exporter’s source address.

5760-1(config-flow-record)#flow exporter FLK-1
5760-1(config-flow-exporter)# destination x.x.8.216
5760-1(config-flow-exporter)# source Vlan1600
5760-1(config-flow-exporter)# transport udp 9995
5760-1(config)#flow monitor wireless-avc-basic
5760-1(config-flow-monitor)#exporter ?
  FLK-1  User defined
5760-1(config-flow-monitor)#exporter FLK-1

Now if you look at your NetFlow collector you should be able to see the traffic. Here are some screenshots of my NetFlow collector statistics for this WLAN.
(Screenshots: 5760-AVC-6, 5760-AVC-7, 5760-AVC-8)
You can monitor real-time stats via the 5760 CLI as well.
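To show what the collector actually receives on UDP 9995 once the exporter above is attached, here is an added example (written for this post, not code from the blog or from Cisco) of a minimal NetFlow v9 decoder: it learns a template FlowSet, decodes the data FlowSet that references it, and rolls the flows up by NBAR application ID the way “show avc wlan … top” does. The export packet is constructed inline, the field list in the template is an assumption rather than the real contents of the “wireless avc basic” record, and the application IDs are placeholders, not real NBAR2 assignments.

```python
"""Minimal NetFlow v9 decoder plus a 'top applications' roll-up (added example)."""
import struct
from collections import defaultdict
from ipaddress import IPv4Address

# NetFlow v9 field type IDs (RFC 3954 / Cisco field types) used by the sample template
FIELD_NAMES = {
    1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 7: "L4_SRC_PORT",
    8: "IPV4_SRC_ADDR", 11: "L4_DST_PORT", 12: "IPV4_DST_ADDR",
    95: "APPLICATION_ID",
}


def decode_field(ftype, raw):
    """Turn the raw bytes of one field into a Python value."""
    if ftype in (8, 12):
        return str(IPv4Address(raw))
    if ftype == 95:
        # NBAR application ID: 1-byte engine ID followed by a 3-byte selector
        return (raw[0], int.from_bytes(raw[1:], "big"))
    return int.from_bytes(raw, "big")


def parse_netflow_v9(packet, templates=None):
    """Decode one export packet; 'templates' persists learned templates across packets."""
    templates = {} if templates is None else templates
    (version,) = struct.unpack("!H", packet[:2])
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version={version})")
    flows, offset = [], 20  # 20-byte header: version, count, uptime, unix secs, seq, source ID
    while offset + 4 <= len(packet):
        flowset_id, length = struct.unpack("!HH", packet[offset:offset + 4])
        if length < 4 or offset + length > len(packet):
            raise ValueError("malformed FlowSet length")
        body = packet[offset + 4:offset + length]
        if flowset_id == 0:  # template FlowSet: learn (type, length) lists keyed by template ID
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
                pos += 4
                spec = struct.unpack("!" + "HH" * nfields, body[pos:pos + 4 * nfields])
                pos += 4 * nfields
                templates[tid] = list(zip(spec[0::2], spec[1::2]))
        elif flowset_id > 255 and flowset_id in templates:  # data FlowSet with a known template
            spec = templates[flowset_id]
            rec_len = sum(flen for _, flen in spec)
            pos = 0
            while pos + rec_len <= len(body):  # trailing bytes shorter than a record are padding
                rec = {}
                for ftype, flen in spec:
                    rec[FIELD_NAMES.get(ftype, f"field_{ftype}")] = decode_field(ftype, body[pos:pos + flen])
                    pos += flen
                flows.append(rec)
        # options templates (ID 1) and data for templates not yet seen are skipped
        offset += length
    return flows


def top_applications(flows, n=5):
    """Aggregate packets/bytes per application ID; return top n by bytes with usage %."""
    totals = defaultdict(lambda: [0, 0])
    for f in flows:
        totals[f.get("APPLICATION_ID")][0] += f.get("IN_PKTS", 0)
        totals[f.get("APPLICATION_ID")][1] += f.get("IN_BYTES", 0)
    grand = sum(b for _, b in totals.values()) or 1
    ranked = sorted(totals.items(), key=lambda kv: kv[1][1], reverse=True)[:n]
    return [(app, pkts, byts, round(100 * byts / grand)) for app, (pkts, byts) in ranked]


def build_sample_packet():
    """Constructed export packet (not a capture): one template (ID 256) and three records."""
    spec = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (2, 4), (1, 4), (95, 4)]
    tmpl = struct.pack("!HH", 256, len(spec)) + b"".join(struct.pack("!HH", t, l) for t, l in spec)
    template_set = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl

    def record(src, dst, sport, dport, proto, pkts, byts, engine, selector):
        return (IPv4Address(src).packed + IPv4Address(dst).packed
                + struct.pack("!HHBII", sport, dport, proto, pkts, byts)
                + bytes([engine]) + selector.to_bytes(3, "big"))

    # engine/selector values below are placeholders, not real NBAR2 application IDs
    records = (record("192.0.2.10", "203.0.113.5", 49152, 443, 6, 1135, 209462, 13, 453)
               + record("192.0.2.10", "203.0.113.9", 16384, 16384, 17, 41554, 8310800, 13, 81)
               + record("192.0.2.11", "203.0.113.5", 49153, 80, 6, 1313, 105422, 13, 80))
    records += b"\x00" * ((-len(records)) % 4)  # exporters pad data FlowSets to 4 bytes
    data_set = struct.pack("!HH", 256, 4 + len(records)) + records
    header = struct.pack("!HHIIII", 9, 4, 100000, 1380000000, 1, 0)
    return header + template_set + data_set


if __name__ == "__main__":
    flows = parse_netflow_v9(build_sample_packet())
    for app, pkts, byts, pct in top_applications(flows):
        print(f"app {app[0]}:{app[1]:<6} packets={pkts:<7} bytes={byts:<9} usage={pct}%")
```

In a real collector you would bind a UDP socket to the port configured in the exporter (9995 above) and feed every datagram to parse_netflow_v9 with one templates dict per exporter source address and source ID, because templates arrive in their own packets and data FlowSets received before the template can only be discarded.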

5760-1#show avc wlan LTUWireless top 10 application upstream 
Cumulative Stats:
No.  AppName                           Packet-Count          Byte-Count            AvgPkt-Size  usage%  
------------------------------------------------------------------------------------------------------
1    cisco-phone                       41554                 8310800               200          86      
2    unknown                           6191                  597761                96           6       
3    netbios-ns                        1883                  147738                78           2       
4    dns                               1321                  84277                 63           1       
5    http                              1313                  105422                80           1       
6    ssl                               1135                  209462                184          2       
7    exchange                          615                   150475                244          2       
8    skinny                            508                   31837                 62           0       
9    rtcp                              170                   19480                 114          0       
10   icmp                              108                   24752                 229          0       

Last Interval(90 seconds) Stats:
No.  AppName                           Packet-Count          Byte-Count            AvgPkt-Size  usage%  
------------------------------------------------------------------------------------------------------
1    cisco-phone                       4179                  835800                200          99      
2    unknown                           88                    9164                  104          1       
3    rtcp                              17                    1972                  116          0       
4    skinny                            5                     296                   59           0       

5760-1#show avc wlan LTUWireless top 10 application downstream 
Cumulative Stats:
No.  AppName                           Packet-Count          Byte-Count            AvgPkt-Size  usage%  
------------------------------------------------------------------------------------------------------
1    cisco-phone                       46427                 9285400               200          68      
2    http                              2392                  3242288               1355         23      
3    ssl                               1327                  1077406               811          8       
4    unknown                           602                   205696                341          1       
5    exchange                          584                   50010                 85           0       
6    skinny                            342                   29308                 85           0       
7    dns                               195                   37018                 189          0       
8    ping                              63                    3746                  59           0       
9    twitter                           41                    9206                  224          0       
10   ms-sms                            40                    27476                 686          0       

Last Interval(90 seconds) Stats:
No.  AppName                           Packet-Count          Byte-Count            AvgPkt-Size  usage%  
------------------------------------------------------------------------------------------------------
1    cisco-phone                       4178                  835600                200          100     
2    skinny                            3                     180                   60           0       

5760-1#show avc client 2c54.2dea.f4ea top 10 application aggregate 
Cumulative Stats:
No.  AppName                           Packet-Count          Byte-Count            AvgPkt-Size  usage%  
------------------------------------------------------------------------------------------------------
1    cisco-phone                       47544                 9508800               200          100     
2    skinny                            157                   13104                 83           0       
3    icmp                              107                   24396                 228          0       
4    rtcp                              85                    9860                  116          0       
5    unknown                           19                    1052                  55           0       
6    dhcp                              9                     3448                  383          0       
7    ping                              1                     48                    48           0       

Last Interval(90 seconds) Stats:
No.  AppName                           Packet-Count          Byte-Count            AvgPkt-Size  usage%  
------------------------------------------------------------------------------------------------------
1    cisco-phone                       9000                  1800000               200          100     
2    rtcp                              17                    1972                  116          0       
3    skinny                            13                    772                   59           0

Here is the AVC deployment guide for IOS-XE 3.3 for your reference.

Related Posts

1. Getting Started with 3850
2. Getting Started with 5760
3. 3850(MA) with 5760(MC)
4. 5760 with 802.1x WLAN
5. 5760 in CA & CUWN solution
6. 3850- Flexible Netflow

