Configure RADIUS Server on WLC

This post covers RADIUS configuration on the WLC. The WLC needs to be configured to forward user credentials to an external RADIUS server; the RADIUS server then validates the credentials and grants access to the wireless clients.

A RADIUS server provides centralized authentication. On the WLC, a RADIUS server handles two functions, Authentication and Accounting, whereas TACACS+ handles all three (Authentication, Accounting and Authorization).

Here is the procedure to configure RADIUS in WLC:

Authentication

Step1: Via GUI

From the WLC GUI, click Security. From the menu on the left, click RADIUS > Authentication. The RADIUS Authentication Servers page appears. To add a new RADIUS server, click New.

RADIUS New

In the RADIUS Authentication Servers > New page, enter the parameters specific to the RADIUS server.

*** Check the Management box if you want the RADIUS server to authenticate users who log in to the WLC. (I don't want to authenticate the WLC users via RADIUS.)

RADIUS Edit

Make sure that the shared secret configured on this page matches the shared secret configured on the RADIUS server; only then can the WLC communicate with the RADIUS server.

Follow the same procedure to add a second, redundant RADIUS server 🙂

Both Radius

Step2: Configure Authentication Via CLI

(WLAN1) >config radius ?
acct           Configures a RADIUS Accounting Server.
aggressive-failover Enables/Disables Aggressive Failover
auth           Configures a RADIUS Authentication Server.
backward       Configures RADIUS Vendor Id backward compatibility
callStationIdCase Configures Call Station Id case in RADIUS messages.
callStationIdType Configures Call Station Id information sent in radius messages
fallback-test  Configures server fallback test.
(WLAN1) >config radius auth ?
add            Configures a RADIUS Authentication Server.
delete         Deletes a RADIUS Server.
disable        Disables a RADIUS Server.
enable         Enables a RADIUS Server.
ipsec          Enables or disables IPSEC support for an authentication server
keywrap        Configures RADIUS keywrap
mac-delimiter  Configures MAC delimiter for caller-station-ID and calling-station-ID
management     Configures a RADIUS Server for management users.
network        Configures a default RADIUS server for network users.
retransmit-timeout Changes the default retransmission timeout for the server
rfc3576        Enables or disables RFC-3576 support for an authentication server

(WLAN1) >config radius callStationIdType ipaddr
(WLAN1) >config radius auth mac-delimiter {colon|hyphen|none|single-hyphen}
(WLAN1) >config radius auth add 1 192.xx.xx.14 1812 ascii cisco -> Secret
(WLAN1) >config radius auth retransmit-timeout 1 2  -> Default 2 sec
(WLAN1) >config radius auth network 1 {enable|disable}
(WLAN1) >config radius auth {enable|disable} 1 -> by default enable

If you are not authenticating management users via RADIUS, then you must disable it for the server:

(WLAN1) >config radius auth management 1 {enable|disable} -> Enable by default

Follow the same procedure to add the 2nd authentication server.

Accounting:

Step1: Via GUI

Configure RADIUS Accounting

Go to Security -> RADIUS -> Accounting

RADIUS Acct

Follow the same steps to add the 2nd accounting server.

Here is a screenshot of both accounting servers on the WLC:

RADIUS Both Acct

Step2: Via CLI

Here is the basic CLI configuration for RADIUS accounting on a WLC.

(WLAN1) >config radius callStationIdType ipaddr
(WLAN1) >config radius acct mac-delimiter {colon|hyphen|none|single-hyphen}
(WLAN1) >config radius acct add 1 192.xx.xx.15 1813 ascii cisco -> secret
(WLAN1) >config radius acct retransmit-timeout 1 5 -> default is 2s
(WLAN1) >config radius acct network 1 {enable|disable}
(WLAN1) >config radius acct {enable|disable} 1 -> by default enable

Do the same for the 2nd accounting server via CLI.

So far we have added both servers for authentication and accounting.

Now it is time to verify.

(WLAN1) >show radius summary
Vendor Id Backward Compatibility................. Disabled
Call Station Id Case............................. lower
Call Station Id Type............................. IP Address
Aggressive Failover.............................. Enabled
Keywrap.......................................... Disabled
Fallback Test:
Test Mode.................................... Off
Probe User Name.............................. cisco-probe
Interval (in seconds)........................ 300
MAC Delimiter for Authentication Messages........ hyphen
MAC Delimiter for Accounting Messages............ hyphen
Authentication Servers
Idx  Type  Server Address    Port    State     Tout  RFC3576  IPSec - AuthMode/Phase1/Group/Lifetime/Auth/Encr
---  ----  ----------------  ------  --------  ----  -------  ------------------------------------------------
1    N     192.xx.xx.14       1812    Enabled   2     Enabled   Disabled - none/unknown/group-0/0 none/none
2    N     192.xx.xx.15       1812    Enabled   2     Enabled   Disabled - none/unknown/group-0/0 none/none
Accounting Servers
--More-- or (q)uit
Idx  Type  Server Address    Port    State     Tout  RFC3576  IPSec - AuthMode/Phase1/Group/Lifetime/Auth/Encr
---  ----  ----------------  ------  --------  ----  -------  ------------------------------------------------
1      N     192.xx.xx.15       1813    Enabled   2     N/A       Disabled - none/unknown/group-0/0 none/none
2      N     192.xx.xx.14       1813    Enabled   2     N/A       Disabled - none/unknown/group-0/0 none/none
(WLA1) >show radius auth statistics
Authentication Servers:
Server Index..................................... 1
Server Address................................... 192.xx.xx.14
Msg Round Trip Time.............................. 47 (msec)
First Requests................................... 27328
Retry Requests................................... 123
Accept Responses................................. 2439
Reject Responses................................. 140
Challenge Responses.............................. 24736
Malformed Msgs................................... 0
Bad Authenticator Msgs........................... 0
Pending Requests................................. 0
Timeout Requests................................. 147
Unknowntype Msgs................................. 0
Other Drops...................................... 1
Server Index..................................... 2
Server Address................................... 192.xx.xx.15
Msg Round Trip Time.............................. 29 (msec)
First Requests................................... 14345
--More-- or (q)uit
Retry Requests................................... 98
Accept Responses................................. 1264
Reject Responses................................. 52
Challenge Responses.............................. 13026
Malformed Msgs................................... 0
Bad Authenticator Msgs........................... 0
Pending Requests................................. 0
Timeout Requests................................. 114
Unknowntype Msgs................................. 0
Other Drops...................................... 0
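The shared secret the post says must match, and the Reject / Bad Authenticator counters in the statistics above, can be seen at packet level with this added Python example (not part of the original post or of any Cisco code): it builds an RFC 2865 PAP Access-Request the way a NAS such as the WLC does, answers it as a RADIUS server would, and runs the exchange once with matching and once with mismatched secrets. The NAS IP 192.0.2.10, the user sandeep/cisco and the packet identifier are constructed values.

```python
# Added example, not from the original post: a minimal RFC 2865 PAP exchange
# showing what the shared secret does on the wire. Constructed values: NAS IP
# 192.0.2.10, user sandeep/cisco (as in the post's netuser example), identifier 7.
import hashlib
import hmac
import secrets
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4

# Constructed user database on the RADIUS server side.
SERVER_USERS = {b"sandeep": b"cisco"}


def _attr(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type, Length (header included), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 s5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password + b"\x00" * ((16 - len(password) % 16) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def recover_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side of the same transform; garbage comes out if the secret differs."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(c ^ m for c, m in zip(block, mask)), block
    return out.rstrip(b"\x00")


def build_access_request(ident: int, user: bytes, password: bytes,
                         nas_ip: str, secret: bytes) -> bytes:
    """What the NAS sends: Code 1, Identifier, Length, 16 random bytes, attributes."""
    request_auth = secrets.token_bytes(16)
    attrs = (_attr(ATTR_USER_NAME, user)
             + _attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
             + _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs


def parse_packet(pkt: bytes):
    """Split a RADIUS packet into (code, identifier, authenticator, {type: value})."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, pos = {}, 20
    while pos < length:
        atype, alen = pkt[pos], pkt[pos + 1]
        attrs[atype] = pkt[pos + 2:pos + alen]
        pos += alen
    return code, ident, pkt[4:20], attrs


def build_response(code: int, ident: int, request_auth: bytes, secret: bytes) -> bytes:
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, ident, 20)  # no attributes in this demo reply
    return header + hashlib.md5(header + request_auth + secret).digest()


def verify_response(resp: bytes, request_auth: bytes, secret: bytes) -> bool:
    """The NAS's check; a failure here is what 'Bad Authenticator Msgs' counts."""
    header, resp_auth, attrs = resp[:4], resp[4:20], resp[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def server_handle(request: bytes, server_secret: bytes) -> bytes:
    """RADIUS server: unhide the password, check the user DB, answer Accept/Reject."""
    code, ident, request_auth, attrs = parse_packet(request)
    assert code == ACCESS_REQUEST
    user = attrs.get(ATTR_USER_NAME, b"")
    pw = recover_password(attrs[ATTR_USER_PASSWORD], server_secret, request_auth)
    verdict = ACCESS_ACCEPT if SERVER_USERS.get(user) == pw else ACCESS_REJECT
    return build_response(verdict, ident, request_auth, server_secret)


def simulate(wlc_secret: bytes, server_secret: bytes):
    """Run one exchange and report (server verdict, authenticator OK on the NAS)."""
    request = build_access_request(7, b"sandeep", b"cisco", "192.0.2.10", wlc_secret)
    request_auth = request[4:20]
    response = server_handle(request, server_secret)
    names = {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}
    return names[response[0]], verify_response(response, request_auth, wlc_secret)


if __name__ == "__main__":
    print("matching secrets:  ", simulate(b"cisco", b"cisco"))
    print("mismatched secrets:", simulate(b"cisco", b"wrong"))
```

With mismatched secrets the server cannot unhide the password, so it rejects the user, and the NAS cannot validate the reply, which is the combination of rising Reject and Bad Authenticator counters to look for in show radius auth statistics.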

Now we will add the WLC as a network device on the RADIUS server (ISE here). Don't forget the shared secret: it must match between the WLC and the RADIUS (ISE) server.

Log in to ISE and go to Administration > Network Resources > Network Devices > Add


That’s it for today 🙂 Enjoyyyyy

Configure Local EAP on WLC

Local EAP is an authentication method that allows users and wireless clients to be authenticated locally on the controller. It is designed for remote offices that want to keep wireless clients connected when the external authentication server goes down. When local EAP is enabled, the controller acts as the authentication server and the local user database, which removes the dependence on an external authentication server. Local EAP retrieves user credentials from the local user database or an LDAP backend database to authenticate users. It supports LEAP, EAP-FAST, EAP-TLS, PEAPv0/MSCHAPv2 and PEAPv1/GTC authentication between the controller and wireless clients.

If any RADIUS servers are configured on the controller, the controller tries to authenticate wireless clients with the RADIUS servers first. Local EAP is attempted only if no RADIUS server is found, either because the RADIUS servers timed out or because none are configured. If four RADIUS servers are configured, the controller attempts to authenticate the client with the first RADIUS server, then the second, and then local EAP. If the client then re-authenticates manually, the controller tries the third RADIUS server, then the fourth, and then local EAP. If we never want the controller to try an external RADIUS server for a WLAN, disable RADIUS authentication on that WLAN with this CLI command:

config wlan radius_server auth disable wlan_id

Note: Local EAP profiles are not supported on the OfficeExtend 600 AP.

EAP Topology


We can create network users on the WLC either via GUI or CLI. Via the CLI we can define two types of users (permanent and guest). If we specify the WLAN ID as "0", the user is allowed on any WLAN. For a guest user you can specify a lifetime (2 hrs in my example).

In my example, though, we will use a separate WLAN for testing: "Test", with WLAN ID 8.

How to create Local network users on WLC:

Via GUI:

Log in to the WLC, go to Security > AAA > Local Net Users and click New on the right side to add a user.

Local user wlc

In my example, I will create two permanent users and one guest user.

Local user edit

Here are all 3 local users on my WLC:

2 Permanent User
1 Guest User

List local user

Via CLI:

Here is the procedure to create a net user via CLI.

(WLAN1) >config netuser ?
add            Creates a local network user.
delete         Delete an existing network user.
description    Sets the description for a network user.
lifetime       Configures the lifetime for a Guest Network User. Valid range is 60 to 31536000 seconds.
maxUserLogin   Configures the maximum number of login sessions allowed for a network user
password       Configures a password for a network user.
wlan-id        Configures a Wireless LAN Id for a network user.
(WLAN1) >config netuser add ?
<username>     Enter name up to 50 alphanumeric characters.
(WLAN1) >config netuser add sandeep ?
<password>     Enter password up to 24 alphanumeric characters.
(WLAN1) >config netuser add sandeep cisco ?
wlan           Enter a Wireless LAN Identifier to associate with or zero for any.
(WLAN1) >config netuser add sandeep cisco wlan ?
<WLAN id>      Enter a Wireless LAN Identifier to associate with or zero for any.
(WLAN1) >config netuser add sandeep cisco wlan 8 ?
userType       Enter the keyword 'userType'.
(WLAN1) >config netuser add sandeep cisco wlan 8 userType permanent ?
description    Enter the keyword 'description'.
(WLAN1) >config netuser add sandeep cisco wlan 8 userType permanent description testlab ?
(WLAN1) >config netuser add sandeep cisco wlan 8 userType permanent description testlab
(WLAN1) >config  netuser add sandeep1 cisco wlan 8 userType permanent description testlab
(WLAN1) >config  netuser add sandeep2 cisco wlan 8 userType guest  lifetime 7200 description testlab

If our WLAN does not have web-auth security configured, the guest user will not be added and the WLC reports:

WLAN does not have Web-Auth security configured. Guest user not added.

Create local EAP settings on WLC:

Step1: Configure the general settings for local EAP (specify the EAP timers).

Via GUI:

Go to Security > Local EAP > General

EAP general

Specify values for the local EAP timers

Via CLI:

These are the commands to configure the EAP timers:

(WLAN1) >config locaL-AUth Active-timeout ?
<1 to 3600>    Enter the timeout period for the Local EAP to remain active, in seconds.
(WLAN1) >config locaL-AUth Active-timeout 300
(WLAN1) >config advanced eap identity-request-timeout?
<seconds>      Enter the number of seconds between 1 and 120
(WLAN1) >config advanced eap identity-request-timeout 30
(WLAN1) >config advanced eap identity-request-retries ?
<retries>      Enter the number of retries between 1 and 20
(WLAN1) >config advanced eap identity-request-retries 2
(WLAN1) >config advanced eap key-index ?
<key-index>    Enter the key index value, 0 or 3.
(WLAN1) >config advanced eap key-index 0
(WLAN1) >config advanced eap request-timeout ?
<seconds>      Enter the number of seconds between 1 and 120
(WLAN1) >config advanced eap request-timeout 30
(WLAN1) >config advanced eap request-retries ?
<retries>      Enter the number of retries between 0 and 20
(WLAN1) >config advanced eap request-retries 2
(WLAN1) >config advanced eap max-login-ignore-identity-response ?
enable         ignore the same username reaching max in the EAP identity response
disable        check the same username reaching max in the EAP identity response
(WLAN1) >config advanced eap max-login-ignore-identity-response enable
(WLAN1) >config advanced eap eapol-key-timeout ?
<milliseconds> Enter the number of milliseconds between 200 and 5000
(WLAN1) >config advanced eap eapol-key-timeout 1000
(WLAN1) >config advanced eap eapol-key-retries ?
<retries>      Enter the number of retries between 0 and 4
(WLAN1) >config advanced eap eapol-key-retries 2

Step2: We have to create a local EAP profile, which specifies the EAP authentication types that are supported for the wireless clients. I have created a profile named "Test-Local-EAP" and enabled EAP-FAST, EAP-TLS and PEAP as the allowed protocols.

Via GUI:

EAP profile

Choose Security > Local EAP > Profiles to open the Local EAP Profiles page; we can create up to 16 local EAP profiles. Click New to open the Local EAP Profiles > New page. In the Profile Name text box, enter a name for the new profile (Test-Local-EAP) and then click Apply.

When the Local EAP Profiles page reappears, click the name of the new profile (Test-Local-EAP). The Local EAP Profiles > Edit page appears. Select the EAP-FAST, EAP-TLS and/or PEAP check boxes to specify the EAP types that can be used for local authentication, then click Apply.

*** If we choose EAP-FAST and want the device certificate on the controller to be used for authentication, select the Local Certificate Required check box. To use EAP-FAST with PACs instead of certificates, leave this check box unselected (the default).

EAP profile edit

EAP-FAST parameters can be changed in the Security -> Local EAP -> EAP-FAST Parameters section, as shown below.

EAP Fast

Step3: Now enable local EAP on a WLAN.

Choose WLANs to open the WLANs page.


Click the ID number of the Test WLAN.


When the WLANs > Edit page appears, choose the Security > AAA Servers tabs to open the WLANs > Edit (Security > AAA Servers) page.  Select the Local EAP Authentication check box to enable local EAP for this WLAN. From the EAP Profile Name drop-down list, choose the EAP profile that you want to use for this WLAN.

*** We must disable RADIUS server authentication for this WLAN, i.e. leave that check box unchecked.

EAPonwlan3

Click Apply to save.

Via CLI:

Create a local EAP profile:

(WLAN1) >config local-auth eap-profile add ?
<profile-name> Enter the profile name, up to 63 alphanumeric characters.
(WLAN1) >config local-auth eap-profile add Test-Local-EAP
Add an EAP method to a local EAP profile by entering this command:
(WLAN1) >config local-auth eap-profile method ?
add            Adds a method to a Local EAP Profile.
delete         Deletes a method from a Local EAP Profile.
fast           Configure EAP-FAST parameters.
(WLAN1) >config local-auth eap-profile method add ?
<EAP-profile-method> Method for an EAP Profile.
(WLAN1) >config local-auth eap-profile method add fast Test-Local-EAP
(WLAN1) >config local-auth eap-profile method add tls Test-Local-EAP
(WLAN1) >config local-auth eap-profile method add peap Test-Local-EAP
Configure EAP-FAST parameters if you created an EAP-FAST profile by entering this command:
(WLAN1) >config local-auth method fast ?
anon-prov      Configures whether anonymous provision is allowed.
authority-id   Set the authority identifier.
pac-ttl        Set Time to Live for the PAC (Protected Access Credentials).
server-key     Set the server key to encrypt/decrypt PACs.
Enable local EAP and attach an EAP profile to a WLAN by entering this command:
(WLAN1) >config wlan local-auth enable Test-Local-EAP ?
<wlanid>       Enables the EAP profile on this WLAN.
(WLAN1) >config wlan local-auth enable Test-Local-EAP 8

Save your changes by entering this command:

(WLAN1) >save config

Let's test EAP-FAST and PEAP (EAP-TLS needs certificates on both the client and the server side, which is not possible for me to install right now; we will do it in a future post).

Let's check the PEAP client association first:

PEAP client asso

Now we will check for EAP-FAST client association:

EAP Fast client asso

If any one found any error in this post then please let me know or just comment here 🙂

Configure Dynamic Interface on WLC

A dynamic interface is simply an interface that maps a WLAN to a wired VLAN or subnet.

Dynamic interfaces are used to control and secure the traffic on the WLAN, just as we use VLANs and subnets on the wired LAN for that purpose.

Maximum number of VLANs supported on Cisco Wireless Controllers

Wireless LAN Controllers       Max. VLANs Supported
-----------------------------  --------------------
Virtual WLC                    512
WLC Module for ISR G2          16
WLC 2500 Series                16
WLC 5500 Series                512
WLC 6500 Series WiSM2          512
WLC Flex 7500 Series           4096
WLC 8500 Series                4096

  • We must use tagged VLANs for dynamic interfaces.

Configuring a dynamic interface is a very easy task, either via GUI or CLI; here is the procedure:

Via GUI

The GUI is the easiest way to configure multiple dynamic interfaces on a Cisco Wireless Controller. Here are the screenshots:

Choose Controller > Interfaces > New to open the Interfaces page.

New Interface

Click Apply; the Interfaces > Edit page will appear. Enter the details:


After entering all the details, click Apply. That's it.

Via CLI

Here are the basic commands to create a dynamic interface via CLI on Cisco wireless LAN Controller:

(WLAN1)  >config interface create testinterface 84
(WLAN1)  >config interface address dynamic-interface testinterface 192.168.84.1 255.255.255.0 192.168.84.254
(WLAN1)  >config interface port testinterface 1
(WLAN1)  >config interface dhcp dynamic-interface testinterface primary 192.168.99.1 secondary 192.168.99.3

In the same way, I created one more dynamic interface, "bde":

(WLAN1)  >config interface create bde 85
(WLAN1)  >config interface address dynamic-interface bde 192.168.85.1 255.255.255.0 192.168.85.254
(WLAN1)  >config interface port bde 1
(WLAN1)  >config interface dhcp dynamic-interface bde primary 192.168.99.1 secondary 192.168.99.3

Both ways are easy and not very time consuming; which method to use is up to you.

For me:

By the GUI method it takes 2-3 minutes. By the CLI method it takes 3-4 minutes (I can't remember all the commands, which is why it takes longer).

Points to remember when creating a dynamic interface:

  • Create the dynamic interface and define its name and VLAN ID.
  • Assign the IP address, subnet mask and gateway.
  • Assign a physical port number.
  • Finally, configure the DHCP servers (primary and/or secondary; at least one is necessary).
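To make these points mechanical, here is an added Python example (not from the post or from Cisco) that validates a set of dynamic interfaces against them and emits the same config interface lines shown above; the interface values are the post's, while the check rules and the hypothetical DynamicInterface and render_plan names are this example's own.

```python
# Added example, not from the original post: generate and sanity-check the WLC
# CLI lines for a batch of dynamic interfaces before pasting them into the
# controller. The checks (tagged VLAN range, IP and gateway in one subnet, no
# duplicate VLANs or names, no overlapping subnets, at least one DHCP server)
# are this example's own rules; the interface values are the post's.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class DynamicInterface:
    name: str
    vlan: int
    ip: str
    mask: str
    gateway: str
    port: int
    dhcp_primary: str
    dhcp_secondary: Optional[str] = None

    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.IPv4Network(f"{self.ip}/{self.mask}", strict=False)

    def validate(self) -> None:
        """Raise ValueError on anything the controller or the network would reject."""
        if not 1 <= self.vlan <= 4094:
            raise ValueError(f"{self.name}: VLAN {self.vlan} outside 1-4094 (tagged VLAN required)")
        net = self.network()
        ip, gw = ipaddress.IPv4Address(self.ip), ipaddress.IPv4Address(self.gateway)
        if ip in (net.network_address, net.broadcast_address):
            raise ValueError(f"{self.name}: {self.ip} is the network or broadcast address")
        if gw not in net:
            raise ValueError(f"{self.name}: gateway {self.gateway} is not in {net}")
        if ip == gw:
            raise ValueError(f"{self.name}: interface IP equals the gateway")
        if not self.dhcp_primary:
            raise ValueError(f"{self.name}: at least one DHCP server is required")
        for server in (self.dhcp_primary, self.dhcp_secondary):
            if server is not None:
                ipaddress.IPv4Address(server)  # raises ValueError on a malformed address

    def commands(self) -> List[str]:
        """The four 'config interface' lines, in the order the post uses them."""
        self.validate()
        dhcp = f"config interface dhcp dynamic-interface {self.name} primary {self.dhcp_primary}"
        if self.dhcp_secondary:
            dhcp += f" secondary {self.dhcp_secondary}"
        return [
            f"config interface create {self.name} {self.vlan}",
            f"config interface address dynamic-interface {self.name} {self.ip} {self.mask} {self.gateway}",
            f"config interface port {self.name} {self.port}",
            dhcp,
        ]


def render_plan(interfaces: List[DynamicInterface]) -> List[str]:
    """Cross-check a whole batch, then emit every CLI line plus the final save."""
    seen_names, seen_vlans, nets = set(), set(), []
    for iface in interfaces:
        if iface.name in seen_names:
            raise ValueError(f"duplicate interface name {iface.name}")
        if iface.vlan in seen_vlans:
            raise ValueError(f"VLAN {iface.vlan} is used by more than one interface")
        net = iface.network()
        for other_name, other in nets:
            if net.overlaps(other):
                raise ValueError(f"{iface.name} subnet {net} overlaps {other_name} subnet {other}")
        seen_names.add(iface.name)
        seen_vlans.add(iface.vlan)
        nets.append((iface.name, net))
    lines: List[str] = []
    for iface in interfaces:
        lines.extend(iface.commands())
    lines.append("save config")
    return lines


# The two interfaces created in the post, sharing the same DHCP servers.
PLAN = [
    DynamicInterface("testinterface", 84, "192.168.84.1", "255.255.255.0",
                     "192.168.84.254", 1, "192.168.99.1", "192.168.99.3"),
    DynamicInterface("bde", 85, "192.168.85.1", "255.255.255.0",
                     "192.168.85.254", 1, "192.168.99.1", "192.168.99.3"),
]

if __name__ == "__main__":
    for line in render_plan(PLAN):
        print(line)
```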

Configure Interface Groups on Cisco WLC

In this post we will learn how to create an interface group and assign multiple interfaces to it.

Interface groups are logical groups of interfaces. An interface can be part of multiple interface groups. First we create an interface group, then we assign dynamic interfaces to it.

When many APs support the same WLAN, all users of that WLAN, on all APs connected to the same controller, are sent to the same dynamic interface, which gives one large broadcast domain. One way to reduce it is to break the WLAN up into multiple segments by associating the WLAN with an interface group rather than a single dynamic interface: create a new interface group, choose the already created dynamic interfaces it should contain, and then map WLANs to the group.

Via GUI:

Choose Controller > Interface Groups and click Add Group on the right side of the page.

Interface Group

* Here I created an interface group named "test-bde".

Click Add.

Interface Group des

Click on the interface group “test-bde”.

Int Grp add Int

Here you can click Add Interface to assign interfaces to the interface group.

Via CLI:

From the command line, these commands create the interface group and add interfaces to it:

(WLAN1)  >config interface group create test-bde
(WLAN1)  >config interface group description test-bde "Just for learning"
(WLAN1)  >config interface group interface add test-bde testinterface
(WLAN1)  >config interface group interface add test-bde bde

Assign Interface Group to a WLAN

After creating the dynamic interfaces and the interface group, we now have to assign them to a WLAN.

First create a WLAN, then map the interface (or interface group) to it.

Here is the procedure:

Via GUI:

Step1: create a WLAN

Log in to the WLC GUI, click WLANs, select Create New and click Go.

Create WLAN

Step2: Enter the details as shown in screenshot

WLAN ssid profile

Step3: Click Apply; the WLANs > Edit 'test-bde' page will appear.

Enable the WLAN, select the interface or interface group, and select Broadcast SSID (if you want to).

WLAN Status

Step4: Click Apply.

Via CLI:

From the command line it is very easy, but it takes practice to remember these commands.

In this example, the interface "bde" is mapped to the WLAN:

(WLAN1)  >config wlan create 7 testbde testbde
(WLAN1)  >config wlan interface 7 bde
(WLAN1)  >config wlan broadcast-ssid enable 7
(WLAN1)  >config wlan enable 7

Or we can map the interface group "test-bde" to the WLAN:

(WLAN1)  >config wlan create 7 testbde testbde
(WLAN1)  >config wlan interface 7 test-bde
(WLAN1)  >config wlan broadcast-ssid enable 7
(WLAN1)  >config wlan enable 7

Configure AP Groups on WLC

In a typical deployment, all users on a WLAN are mapped to a single interface on the controller. AP groups let us specify which SSIDs are advertised by which access points. We can thus distribute the load among several interfaces, or serve a group of users based on specific criteria such as individual departments (for example, only the guest WLAN is broadcast on the APs near the meeting rooms, while the corporate WLAN is broadcast throughout the building, on each and every AP).

We can create access point groups (AP Groups) and assign up to 16 WLANs to each group. Each access point advertises only the enabled WLANs that belong to its access point group. The access point does not advertise disabled WLANs in its access point group or WLANs that belong to another group.

AP Groups Supported on Controller Platforms

Controller Platform                      AP Groups Supported
---------------------------------------  -------------------
Cisco 2500 Series Wireless Controller    50
Cisco 5500 Series Wireless Controller    500
Cisco Virtual Wireless Controller        200
Cisco 7500 Series Wireless Controller    6000
Cisco 8500 Series Wireless Controller    6000
Cisco Wireless Services Module 2         1000

There is already an AP group called "default-group", to which all WLAN IDs 1 to 16 are mapped by default.

All access points that join the WLC are automatically mapped to this group, so any WLAN with ID 1-16 is available on any AP in the default group. If a WLAN ID is greater than 16, we have to create a separate AP group to advertise that WLAN. Likewise, to advertise certain WLANs only on particular APs, we must create an AP group for them.

Note: If we clear the configuration on the controller, all of the access point groups disappear except for the default access point group “default-group,” which is created automatically.

Topology:

AP Group Topology


I have already created the WLANs and the dynamic interfaces for the specific WLANs. I will just create the AP groups and assign the specific APs to these groups.

Ensure that there is a DHCP pool so the APs get their IP addresses dynamically.

Core switch configuration for the access points to get an IP from the DHCP pool:

SWITCH001:
ip dhcp excluded-address 10.25.80.1 10.25.80.50
ip dhcp excluded-address 10.25.80.85 10.25.80.254
!
ip dhcp pool WLAN
   network 10.25.80.0 255.255.255.0
   default-router 10.25.80.254
   option 43 ip 10.25.80.1
   lease 3

With this pool, the access points get their IP addresses in VLAN 80.

Creating AP Groups:

Via GUI:

Step1: Log in to the WLC, go to WLANs > Advanced > AP Groups and click Add Group.

 Add AP Group

Step2: Enter the AP group name.

In my example the groups are APG1, APG2 and APG3.

 AP Groups

Step3: Click APG1 and choose which access points should be in this group.

In the green box we see all access points connected to the WLC.

From the "Add APs" tab we can add specific APs to our group APG1:

In my example, I chose AP009, AP019, AP014, AP002, AP004 and AP003.

Note: In the latest WLC software releases, AP groups can also control RF profiles, so certain APs in the network can have different RF characteristics. 802.11u settings are supported via AP groups as well. The WLC code used in this post is 7.3.112.0.

AP in AP Group

Step4: Now we can add the WLAN/interface mappings to our AP group (red box). Only these WLANs will be advertised by the access points selected above.

WLAN in AP Group

Step5: Repeat the same procedure for groups APG2 and APG3.

Via CLI:

Step 1: Create an access point group:

(WLAN1) >config  wlan  apgroup ?
add            Creates a new AP Group.
delete         Deletes a existing ap group.
description    Configures a description for an AP group.
hotspot        Configures Hotspot config on the AP Group
interface-mapping Adds or deletes a new apgroup/WLAN/interface mapping.
nac-snmp       Configures NAC SNMP functionality on given AP-Group.
profile-mapping Adds or deletes a new apgroup/RF Profile mapping.
wlan-radio-policy Configures WLAN Radio Policy on given AP-Group.
(WLAN1) >config wlan apgroup add ?
<apgroup name> Specify the name of the apgroup to configure.
(WLAN1) >config wlan apgroup add APG1
(WLAN1) >config wlan apgroup add APG2
(WLAN1) >config wlan apgroup add APG3

Step 2: Add a description to an access point group:

(WLAN1) >config wlan apgroup description APG1 ?
<description>  Specify the description for the AP group.
(WLAN1) >config wlan apgroup description APG1 Guest, User
(WLAN1) >config wlan apgroup description APG2 Barcoding, User
(WLAN1) >config wlan apgroup description APG3 Only User

Step3: Assign a WLAN to an access point group:

(WLAN1) >config  wlan  apgroup interface-mapping  ?
add            Adds a new apgroup/WLAN/interface mapping.
delete         Adds a new apgroup/WLAN/interface mapping.
(WLAN1) >config  wlan  apgroup interface-mapping  add ?
<apgroup name> Specify the name of the apgroup to configure.
(WLAN1) >config  wlan  apgroup interface-mapping  add APG1 2 guest
(WLAN1) >config  wlan  apgroup interface-mapping  add APG1 3 user

Step 4: Assign an access point to an access point group:

First check all APs on the WLC:

(WLAN1) >show ap summary
Number of APs.................................... 21
AP Name             Slots  AP Model              Ethernet MAC       Location          Port  Country  Priority
------------------  -----  --------------------  -----------------  ----------------  ----  -------  ------
AP020             2     AIR-CAP2602I-E-K9     4c:00:82:cb:cf:65  1       Hall          1        DE
AP009             2     AIR-CAP2602I-E-K9     4c:00:82:cb:ce:cb  1. OG / House         1        DE       1
AP011             2     AIR-CAP2602I-E-K9     f8:72:ea:d7:32:cd  1. OG / Personal      1        DE       1
AP010             2     AIR-CAP2602I-E-K9     4c:00:82:b3:fb:c6  1. OG / Buchhalt      1        DE       1
.
.
.
.

(There are 21 APs in total.)

(WLAN1) >config ap group-name  ?
<groupname>    Enter the group name of Cisco APs as String
(WLAN1) >config ap group-name APG1 ?
<Cisco AP>     Enter the name of the Cisco AP.
(WLAN1) >config ap group-name APG1 AP009
Changing the AP's group name will cause the AP to reboot.
Are you sure you want to continue? (y/n) y
(WLAN1) >config ap group-name APG1 AP019
Changing the AP's group name will cause the AP to reboot.
Are you sure you want to continue? (y/n) y
(WLAN1) >config ap group-name APG1 AP014
Changing the AP's group name will cause the AP to reboot.
Are you sure you want to continue? (y/n) y
(WLAN1) >config ap group-name APG1 AP002
Changing the AP's group name will cause the AP to reboot.
Are you sure you want to continue? (y/n) y
(WLAN1) >config ap group-name APG1 AP004
Changing the AP's group name will cause the AP to reboot.
Are you sure you want to continue? (y/n) y
(WLAN1) >config ap group-name APG1 AP003
Changing the AP's group name will cause the AP to reboot.
Are you sure you want to continue? (y/n) y
(WLAN1) >show client summary
 
Number of Clients................................ 5
 
MAC Address       AP Name           Status        WLAN/RLAN      Auth Protocol         Port Wired PMIPV6
----------------- ----------------- ------------- -------------- ---- ---------------- ---- ----- ------
 
74:e2:f5:ca:bc:95    AP014          Associated    3              Yes  802.11n(5 GHz)   1    N/A   No
78:e4:00:62:a7:95    AP009          Associated    3              Yes  802.11g          1    N/A   No
94:39:e5:68:69:3f    AP014          Associated    2              No   802.11n(2.4 GHz) 1    N/A   No
a0:f4:50:e8:8d:a0    AP009          Associated    2              No   802.11n(2.4 GHz) 1    N/A   No
e4:8b:7f:d3:a4:d5    AP009          Associated    3              Yes  802.11n(5 GHz)   1    N/A   No

Step 5: Check that the AP is in the right AP group:

(WLAN1) >show ap config general AP009
 
Cisco AP Identifier.............................. 1
Cisco AP Name.................................... AP009
Country code..................................... DE  - Germany
Regulatory Domain allowed by Country............. 802.11bg:-E     802.11a:-E
AP Country code.................................. DE  - Germany
AP Regulatory Domain............................. 802.11bg:-E    802.11a:-E
Switch Port Number .............................. 1
MAC Address...................................... 4c:00:82:cb:ce:cb
IP Address Configuration......................... Static IP assigned
IP Address....................................... 10.25.80.19
IP NetMask....................................... 255.255.255.0
Gateway IP Addr.................................. 10.25.80.254
Domain...........................................
Name Server......................................
NAT External IP Address.......................... None
CAPWAP Path MTU.................................. 1485
Telnet State..................................... Enabled
Ssh State........................................ Disabled
Cisco AP Location................................ 1. OG / Vorstand
Cisco AP Group Name.............................. APG1
Primary Cisco Switch Name........................ WLAN1
 
--More-- or (q)uit
Primary Cisco Switch IP Address.................. 10.25.80.1
Secondary Cisco Switch Name...................... WLAN2
Secondary Cisco Switch IP Address................ 10.25.80.3
Tertiary Cisco Switch Name.......................
Tertiary Cisco Switch IP Address................. Not Configured

Step 6: Save your changes by entering this command:

(WLAN1) >save config

It is important to configure the AP groups in the same way on the primary, secondary and tertiary controllers if we want the same set of WLANs to be advertised and mapped to the required dynamic interfaces.

Understand Access Point IOS Images

All Cisco access points and bridges normally ship with IOS, except the OfficeExtend AP602. Some old APs do not run IOS (for example the Aironet 340 and 1000 series APs).

Cisco AP IOS is normally distributed as a .tar file.

The image name follows this nomenclature, made up of the following components:

platformfeatureset-tar.version.tar

Platform: The access point hardware model or family supported by the image

Example:

ap1g1 – 700 series
ap1g2 – 1600 series
ap1g3 – 1530 series
ap3g2 – 3700/3600/2600 series (3700 supported beginning with 15.2(4)JB)
ap3g1 – 3500/1260 series
ap802 – AP embedded in 819, 812, 886VA-W/887VA-W, C88x and C88x routers
ap801 – AP embedded in 861W, most 88xW, and 1911W routers
c1520 – 1550 and 1520 series mesh APs
c1410 – BR1410
c1310 – BR1310
c1250 – 1250 series APs
c1240 – 1240 series APs
c1200 – 1200 series (1200/1210/1220/1230)
c1140 – 1140 and 1040 series APs
c1130 – 1130 series APs
c1100 – 1100 series APs (i.e. the AP1121)
c520 – 521 AP
c350 – 350 series APs

Featureset: The set of software features supported by the image – one of:

k9w7 – autonomous (or “site survey”) IOS
k9w8 – full lightweight IOS (this is what is bundled in the WLC .aes image, and is factory installed on “mesh” APs)
rcvk9w8 – lightweight recovery image – this is factory installed on lightweight APs, unless a “mesh” image is specified; it lacks radio firmware

Version – the IOS version.

There is a 1:1 mapping between the lightweight IOS software version (such as 12.4(23c)JA) and the CUWN version (such as 7.0.98.0).

See the Cisco Wireless Solution Software Compatibility Matrix.

Example:

c1240k9w7-tar.124-25d.JA1.tar

  • Platform: c1240: 1240 series AP
  • Featureset: k9w7: autonomous IOS
  • Version: 124-25d.JA1: 12.4(25d)JA1

Because AP IOS is distributed as a tar file, the AP cannot execute it directly (if you copied c1240k9w7-tar.124-25d.JA1.tar onto the AP flash and tried to boot it, it would not work). The tar file contains, in addition to the IOS image proper, the radio firmware files, the HTML GUI files (if present) and various other files.

The AP IOS tar file must be unbundled into AP flash using the archive exec command (this happens automatically when a lightweight AP is upgraded after joining a WLC).

After unbundling, the IOS image itself is in a file called flash:/platformfeatureset-mx.version/platformfeatureset-mx.version, for example flash:/c1240k9w7-mx.124-25d.JA1/c1240k9w7-mx.124-25d.JA1. The AP boots this image if the bootloader's BOOT environment variable is set accordingly.
After unbundling, the IOS image itself be in a file called flash:/platformfeatureset-mx.version/platformfeatureset-mx.version for example, flash:/c1240k9w7-mx.124-25d.JA1/c1240k9w7-mx.124-25d.JA1.  The AP is configured to boot this image if the bootloader BOOT environmental variable is set accordingly.