Part1: WLC CLI Commands with GUI Part1
Here is the 2nd part: This does not completely cover all the commands, but soon (after my CCIE Written paper) I will prepare all commands with the WLC GUI.
In this post we will see the CLI commands for the Wireless LAN Controller alongside the WLC GUI.
This is not done by me; I just added a few commands. The rest I copied or downloaded as an Excel file from Rasika's post.
I am sharing this; maybe it will be fruitful for CCIE aspirants or wireless engineers to troubleshoot or use.
So let's have a look 🙂
Wireless > Access Point > General
Wireless > Access Point > Advanced
Continue part 2………
Today I booked the slot for the CCIE Wireless written exam. I don't know how I will pass this exam, but for the last 3-4 months I have been reading books and technotes…but still I am not confident I will pass the exam.
I am going through these books:
CCNA (640-722-IUWNE) Quick Reference by Jerome Henry (http://www.ciscopress.com/bookstore/product.asp?isbn=1587143089)
CCNP (642-732 CUWSS) Quick Reference, 2nd Edition by Jerome Henry (http://www.ciscopress.com/bookstore/product.asp?isbn=1587143100)
CCNP Wireless (642-737 IAUWS) Quick Reference by Jerome Henry (http://www.ciscopress.com/bookstore/product.asp?isbn=1587143127)
CCNP Wireless (642-747 IUWMS) Quick Reference, 2nd Edition by Jerome Henry (http://www.ciscopress.com/bookstore/product.asp?isbn=1587143097)
CCNP Wireless (642-742 IUWVN) Quick Reference by Jerome Henry (http://www.ciscopress.com/bookstore/product.asp?isbn=1587143119)
CCIE Wireless Exam (350-050) Quick Reference (http://www.ciscopress.com/bookstore/product.asp?isbn=0132168170)
I will add more things that I go through before the exam so that others who are on the same path can get some help.
If anyone still has anything to share about the Wireless written exam strategy, then please share it here or just send a mail so that it can be beneficial for me as well as for others.
I don’t know if 28th March will be my half best day or half worst day, but I will not lose hope and will continuously try to read as much as possible to crack this so-called CCIE Wireless :).
So let's wait till 28th March 🙂 I will update here soon.
In this post I will try to cover as many as possible of the problems that prevent an AP from joining a WLC.
First of all we should know that there are two types of Access Points (I am only talking about Cisco products):
Autonomous AP: This type of AP doesn’t need a WLC to connect, and it can be used in small office / home office scenarios. (I will not go into detail; maybe in a later post we will see how it works and how to configure it.)
Lightweight AP: This type of AP can only be used with Wireless LAN Controllers. These can be used in medium to large deployments.
How to verify if it’s an autonomous AP or Lightweight?
Here are the two ways:
Now we know that only LAPs have to join a WLC; without a WLC these kinds of AP will not work.
Before starting to find out why an AP is not joining, we must first understand what happens behind the scenes.
In order for the WLC to be able to manage the LAP, the LAP should discover the controller and register with the WLC. There are different methods that an LAP uses in order to discover the WLC.
There are four main events that occur:
Refer to: LAP Registration to WLC
So now we assume that the AP got an IP address, either statically or via DHCP.
Without an IP address the AP will not do anything, so first we need to assign an IP address to the AP; only then can it send a discovery request.
Basic things to check:
If everything is OK so far, we can start with some common issues due to which a LAP does not join the WLC.
I have seen these errors many times:
We must enable debug capwap <events/error> enable or debug lwapp <events/error> enable
Sample Error Logs:
802.a or 80211bg Regulatory Domain (-E) does not match with country(AU )
AP RegDomain check for the country AU failed
Regulatory Domain check Completely FAILED The AP will not be allowed to join
These errors clearly show that there is a mismatch in the regulatory domain of the LAP and the WLC. To resolve this issue, add the country for which the AP was built to the list of countries supported on the controller from Wireless > Country. We have to disable all 802.11b/g and 802.11a radios to change the controller country codes list.
In my example, I only configured DE; this country supports the -E regulatory domain on the AP:
The WLC can support multiple regulatory domains, but each regulatory domain must be selected before an LAP can join from that domain. When you purchase APs and WLCs, ensure that they share the same regulatory domain. Only then can the LAPs register with the WLC.
Here you can check the Wireless Compliance Status, specific country with specific Regulatory domain for Access Points.
The AP and the controller need to exchange certificates to create a secure tunnel for communication. These certificates have a creation date and an expiry date. If the time and date on the WLC are wrong, the AP certificate will be refused because it appears to be not valid yet or not valid anymore.
We must run these debug commands to find out the exact error:
debug capwap errors enable and debug pm pki enable
Sample Error logs:
Does not include valid certificate in CERTIFICATE_PAYLOAD from AP MACADDRESS. Unable to free public key.
Current time outside AP cert validity interval: make sure the controller time is set.
To resolve this kind of issue, set the controller time and date to the present value from the GUI (Commands > Set Time) or with the config time command from the CLI.
We can also receive this kind of message if the AP certificate is not valid anymore or is corrupted. In this case we must return the AP to our supplier and get a new one.
We can check the AP certificate validity by this command: show crypto ca certificates
When APs and controllers are in different subnets, make sure that routing and firewall filters allow traffic both ways.
Enable these UDP ports for LWAPP traffic:
UDP ports 12222 and 12223 must be open in both directions.
Enable these UDP ports for CAPWAP traffic:
UDP ports 5246 and 5247 must be open in both directions.
If the AP cannot access the controller on UDP port 5246 (CAPWAP Control), the discovery and join requests never reach the controller. The result is that the AP is not seen on the controller, and the debug capwap event enable command on the controller does not display any message about the AP.
If the controller cannot access the AP UDP port 5246 (CAPWAP Control), the discovery and join requests never reach the AP. The result is that the controller receives discovery requests, answers with discovery responses, but the AP does not get these responses and never moves to the join phase.
With new access points, or even with old APs, we can run into compatibility issues with the WLC version.
Example: The 1600 and 3600 APs are new models, and require new controller codes. The 1600 AP requires controller code release 7.4.100.0 or later, and the 3600 AP requires controller code 7.2 or later. The same issue affects 802.11n APs and older controller codes. If the controller code is too old, the AP model is not recognized.
We must run these debug commands to find out the exact error:
debug capwap errors enable
Sample Error Logs
AP Associated. Base Radio MAC: MAC ADDRESS
AP Disassociated. Base Radio MAC: MAC ADDRESS
AP with MAC MAC ADDRESS is unknown.
To resolve this issue, we have to upgrade the controller code or have the AP discover a controller running the appropriate code version.
Check here the Cisco Software Compatibility Matrix
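The three join failures above each leave a recognizable message in the debug output, so saved debug text can be sorted by cause. This is an added example, not part of the original post; the rule names and functions are hypothetical, and the sample lines are constructed from the messages quoted above with a placeholder MAC address.

```python
import re
from collections import Counter

# (cause, pattern taken from the debug messages quoted in this post, fix given in this post)
RULES = [
    ("regulatory-domain",
     re.compile(r"Regulatory Domain \((?P<domain>-\w+)\) does not match with "
                r"country\s*\((?P<country>\w+)\s*\)"),
     "Add the AP's country under Wireless > Country (disable the radios first)."),
    ("certificate-or-time",
     re.compile(r"valid certificate in CERTIFICATE_PAYLOAD|outside AP cert validity interval"),
     "Set the controller time and date, then check the AP certificate validity."),
    ("unknown-ap-model",
     re.compile(r"AP with MAC (?P<mac>\S+) is unknown"),
     "Upgrade the controller code or use a controller running a supported release."),
]

# Constructed sample: the messages quoted in this post, with a placeholder MAC address.
SAMPLE = """\
802.a or 80211bg Regulatory Domain (-E) does not match with country(AU )
AP RegDomain check for the country AU failed
Regulatory Domain check Completely FAILED The AP will not be allowed to join
Does not include valid certificate in CERTIFICATE_PAYLOAD from AP 00:11:22:33:44:55.
Current time outside AP cert validity interval: make sure the controller time is set.
AP with MAC 00:11:22:33:44:55 is unknown.
""".splitlines()

def triage(lines):
    """Return one finding per line that matches a known join-failure message."""
    findings = []
    for number, line in enumerate(lines, 1):
        for cause, pattern, fix in RULES:
            match = pattern.search(line)
            if match:
                findings.append({"line": number, "cause": cause,
                                 "detail": match.groupdict(), "fix": fix})
                break
    return findings

def summarize(findings):
    """Count findings per cause so repeated join attempts collapse to one row."""
    return dict(Counter(finding["cause"] for finding in findings))

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(f"line {finding['line']}: {finding['cause']} {finding['detail']}")
        print(f"  fix: {finding['fix']}")
    print(summarize(triage(SAMPLE)))
```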
Find out the version on WLC here by GUI: Go to Monitor and check the Controller Summary
Via CLI:
(WLAN1) >show sysinfo
Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 7.0.240.0
RTOS Version..................................... 7.0.240.0
Bootloader Version............................... 4.0.191.0
Emergency Image Version.......................... N/A
Build Type....................................... DATA + WPS
System Name...................................... WLAN1
System Location.................................. Test Lab
System Contact................................... Sandeep
System ObjectID.................................. 1.3.6.1.4.1.9.1.828
IP Address....................................... 10.99.80.1
System Up Time................................... 3 days 23 hrs 12 mins 31 secs
System Timezone Location......................... (GMT +1:00) Amsterdam, Berlin, Rome, Vienna
Configured Country............................... DE - Germany
Operating Environment............................ Commercial (0 to 40 C)
Internal Temp Alarm Limits....................... 0 to 65 C
Internal Temperature............................. +42 C
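To check the running release against the minimum releases mentioned above before plugging in a new AP, the show sysinfo text can be parsed and compared. This is an added example, not from the original post; the function names are hypothetical, the sample is an excerpt of the output above, and only the two minimum releases stated in this post are included.

```python
import re

# Minimum controller releases stated in this post, keyed by AP series.
MIN_RELEASE = {"1600": "7.4.100.0", "3600": "7.2"}

# Excerpt of the 'show sysinfo' output shown in this post.
SYSINFO = """\
(WLAN1) >show sysinfo
Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 7.0.240.0
RTOS Version..................................... 7.0.240.0
Configured Country............................... DE - Germany
"""

def parse_sysinfo(text):
    """Turn 'Key........ value' lines into a dict; other lines are ignored."""
    info = {}
    for line in text.splitlines():
        match = re.match(r"(.+?)\.{2,}\s*(.*)$", line.strip())
        if match:
            info[match.group(1).strip()] = match.group(2).strip()
    return info

def release_tuple(version, width=4):
    """'7.2' -> (7, 2, 0, 0) so short and long release strings compare correctly."""
    parts = [int(part) for part in version.split(".")]
    return tuple(parts + [0] * (width - len(parts)))

def controller_supports(sysinfo_text, ap_series):
    """Return (supported, running_release, required_release) for one AP series."""
    running = parse_sysinfo(sysinfo_text)["Product Version"]
    required = MIN_RELEASE[ap_series]
    return release_tuple(running) >= release_tuple(required), running, required

if __name__ == "__main__":
    for series in MIN_RELEASE:
        ok, running, required = controller_supports(SYSINFO, series)
        print(f"AP {series}: controller {running}, needs {required} or later ->",
              "ok" if ok else "upgrade controller first")
```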
Part 2 coming soon……. 🙂
Here is the way to create a login banner on the WLC by GUI or CLI. Normally it's supported from software release 6.0 or later. The login banner is the text that appears on the page before user authentication when we access the controller GUI or CLI using Telnet, SSH, or a console port connection.
*** We save the login banner as a text (*.txt) file. The text file cannot be larger than 1500 bytes and cannot have more than 18 lines of text.
*** We can only have one login banner on the WLC. If we download a 2nd login banner to the WLC, it overwrites the 1st one.
Here is the example of my banner:
Hey Sandeep, Please study hard and read as much cisco technote to crack CCIE wireless.
Only few days Left!
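The size and line limits above can be checked before the file is placed on the TFTP/FTP server. This is an added example, not part of the original post; the function name is hypothetical, and treating "printable" as ASCII letters, digits, punctuation, space and tab is an assumption.

```python
import string

MAX_BYTES = 1500  # size limit stated in this post
MAX_LINES = 18    # line limit stated in this post
# Assumption: "printable" means ASCII letters, digits, punctuation, space and tab.
ALLOWED = set((string.ascii_letters + string.digits + string.punctuation + " \t").encode())

def check_banner(data: bytes) -> list:
    """Return a list of problems; an empty list means the file fits the limits."""
    problems = []
    if len(data) > MAX_BYTES:
        problems.append(f"size: {len(data)} bytes, limit is {MAX_BYTES}")
    lines = data.splitlines()  # accepts LF and CRLF line endings
    if len(lines) > MAX_LINES:
        problems.append(f"lines: {len(lines)}, limit is {MAX_LINES}")
    for number, line in enumerate(lines, 1):
        bad = sorted({byte for byte in line if byte not in ALLOWED})
        if bad:
            shown = " ".join(f"0x{byte:02x}" for byte in bad)
            problems.append(f"line {number}: unsupported byte(s) {shown}")
    return problems

# Banner text from this post, then three constructed failure cases.
GOOD = (b"Hey Sandeep, Please study hard and read as much cisco technote "
        b"to crack CCIE wireless.\r\nOnly few days Left!\r\n")
TOO_LONG = b"A" * 1501
TOO_MANY_LINES = b"notice\n" * 19
SMART_QUOTE = "Don\u2019t log in without authorization\n".encode("utf-8")

if __name__ == "__main__":
    for name, blob in [("good", GOOD), ("too long", TOO_LONG),
                       ("too many lines", TOO_MANY_LINES), ("smart quote", SMART_QUOTE)]:
        print(name, "->", check_banner(blob) or "OK")
```

A curly apostrophe pasted from a word processor is the usual way a non-ASCII byte ends up in a banner file, which is why the last sample is included.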
First we will use the GUI and CLI method to download login Banner on WLC.
Via GUI:
Step1: We must have a TFTP/FTP server running.(Note down the IP address of the server).
Step2: Put the login banner text file in TFTP/FTP server default directory.
Step3: Login to WLC.
Step4: Go to Commands > Download file
Step5: Enter these details:
File Type: Login Banner
Transfer Mode: TFTP / FTP
IP Address of Server (TFTP/FTP): 10.xx.xx.7
Maximum Retries: 10 (Default is 10)
Timeout (Seconds): 6 (Default is 6)
File Path: (we can enter the file path here from TFTP/FTP directory or leave empty)
File Name: Loginbanner.txt
***If we use FTP then we must enter username and password.
Service Port Number: Enter the port number on the FTP server through which the download occurs. The default value is 21.
Here is the screenshot:
Step6: Click Download
We must reboot the WLC with the Save and Reboot button.
Here is the output:
Via CLI:
Here is the command line way to configure login banner on WLC.
Log into the controller via CLI.
Specify the transfer mode
transfer download mode {tftp | ftp}
Download the controller login banner by entering this command:
transfer download datatype login-banner
Specify the IP address of the TFTP or FTP server
transfer download serverip server-ip-address
Specify the directory path of the file on the server:
transfer download path server-path-to-file
Specify the name of the file to be downloaded:
transfer download filename filename.txt
If we are using a TFTP server, enter these commands:
transfer download tftpMaxRetries retries
transfer download tftpPktTimeout timeout
If we are using an FTP server, enter these commands:
transfer download username username
transfer download password password
transfer download port port
To start this download:
transfer download start
Here is the live action from WLC:
(WLAN1) >transfer download mode ?
tftp Enter mode: tftp.
ftp Enter mode: ftp.
(WLAN1) >transfer download mode ftp
(WLAN1) >transfer download datatype ?
code Download an executable image to the system.
config Download Configuration File.
eapcacert Download a eap ca certificate to the system.
eapdevcert Download a eap dev certificate to the system.
icon Download an executable image to the system.
image Download a web page logo to the system.
login-banner Download controller login banner. (Only Text file supported: Max 1500 bytes & 18 lines, Non printable characters not supported)
signature Download a signature file to the system.
webadmincert Download a certificate for web administration to the system.
webauthbundle Download a custom webauth bundle to the system.
webauthcert Download a web certificate for web portal to the system.
(WLAN1) >transfer download datatype login-banner
(WLAN1) >transfer download serverip 10.xx.xx.7
(WLAN1) >transfer download filename Loginbanner.txt
(WLAN1) >transfer download tftpMaxRetries 10
(WLAN1) >transfer download tftpPktTimeout 6
(WLAN1) >transfer download username anonymous
(WLAN1) >transfer download password anonymous
(WLAN1) >transfer download port 21
(WLAN1) >transfer download start
Mode............................................. FTP
Data Type........................................ Login Banner
FTP Server IP.................................... 10.xx.xx.7
FTP Server Port.................................. 21
FTP Path.........................................
FTP Filename..................................... Loginbanner.txt
FTP Username..................................... anonymous
FTP Password..................................... *********
This may take some time.
Are you sure you want to start? (y/N) y
FTP Login Banner transfer starting.
FTP receive complete... checking login banner.
Successfully installed new login banner file.
(WLAN1) >
To clear this login banner we have two ways GUI and CLI.
Via GUI:
Go to Commands > Login banner
Then click Clear and, when prompted, click OK.
Via CLI:
To clear the login banner via CLI just use this command:
(WLAN1) >clear login-banner
That’s it for today. Wait for next post.
Controllers and access points are designed for use in many countries with varying regulatory requirements. The radios within the access points are assigned to a specific regulatory domain at the factory (such as –E for Europe), but the country code enables you to specify a particular country of operation (such as FR for France or DE for Germany). Configuring a country code ensures that each radio’s broadcast frequency bands, interfaces, channels, and transmit power levels are compliant with country-specific regulations.
Generally, we configure one country code per controller, the one matching the physical location of the controller and its access points. However, controller software release 4.1 or later allows us to configure up to 20 country codes per controller. This multiple-country support enables us to manage access points in various countries from a single controller. This does not apply to mesh access points.
*** Note: Mesh APs don’t support multiple country codes on the WLC.
*** We cannot change the regulatory domain on an access point. If by chance you bought an AP with the wrong regulatory domain, you must exchange or replace that access point.
*** Here is the Wireless LAN Compliance Status
There are some Limitations for Multiple Country code configuration:
Procedure to add Country Code on WLC:
Via GUI:
Before configuring or changing the country code on the WLC, we must disable both networks.
Steps to disable the 802.11a and 802.11b/g networks:
Step1: Choose Wireless> 802.11a/n > Network.
Unselect the 802.11a Network Status check box.
Click Apply to commit your changes.
Step2: Choose Wireless > 802.11b/g/n > Network.
Unselect the 802.11b/g Network Status check box.
Click Apply to commit your changes.
Step3: Choose Wireless > Country, Select the check box for country where our access points are installed. If we selected more than one check box, a message appears indicating that RRM channels and power levels are limited to common channels and power levels.
Click ok
Here all my access points are in the Europe domain and I am sitting in Germany, so I choose DE (Germany).
Step4: If we had configured multiple country codes on the WLC, we could choose the country per AP:
Here we chose only one Country so there is no other option for this AP.
Step5: Re-Enable the 802.11a and 802.11b/g networks (As we did in Step1 and Step2)
Step6: Click Save Configuration to save settings.
Via CLI:
Step1: Disable the 802.11a and 802.11b/g networks:
(WLAN1) >config 802.11a disable network
(WLAN1) >config 802.11b disable network
Step2: Configure the country codes for the countries where our access points are installed:
(WLAN1) >config country DE
*** If we choose multiple country codes on the WLC then this will appear:
(WLAN1) >config country DE,US,MX
Changing country code could reset channel & RRM grouping configuration.
If running in RRM One-Time mode, reassign channels after this command.
Check customized APs for valid channel values after this command.
Are you sure you want to continue? (y/n) y
Configured Country............................. Multiple Countries:DE,MX,US
KEY: * = Channel is legal in this country and may be configured manually.
A = Channel is the Auto-RF default in this country.
. = Channel is not legal in this country.
C = Channel has been configured for use by Auto-RF.
x = Channel is available to be configured for use by Auto-RF.
(-,-) = (indoor, outdoor) regulatory doamin allowed by this country.
-----------------:+-+-+-+-+-+-+-+-+-+-+-+-+-+-
802.11bg :
Channels : 1 1 1 1 1
: 1 2 3 4 5 6 7 8 9 0 1 2 3 4
-----------------:+-+-+-+-+-+-+-+-+-+-+-+-+-+-
DE (-E ,-E ): A * * * * A * * * * A * * .
MX (-A ,-NA ): A * * * * A * * * * A . . .
US (-A ,-AB ): A * * * * A * * * * A . . .
Auto-RF : C x x x x C x x x x C x x .
-----------------:+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
802.11a : 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
Channels : 3 3 3 4 4 4 4 4 5 5 6 6 0 0 0 1 1 2 2 2 3 3 4 4 5 5 6 6
: 4 6 8 0 2 4 6 8 2 6 0 4 0 4 8 2 6 0 4 8 2 6 0 9 3 7 1 5
-----------------:+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
--More-- or (q)uit
DE (-E ,-E ): . A . A . A . A A A A A * * * * * * * * * * * . . . . .
MX (-AN ,-NA ): . A . A . A . A A A A A * * * * * . . . * * * A A A A *
US (-A ,-AB ): . A . A . A . A A A A A * * * * * . . . * * * A A A A *
Auto-RF : . C . C . C . C C C C C x x x x x x x x x x x C C C C x
-----------------:+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
4.9GHz 802.11a :
Channels : 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2
: 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6
-----------------:+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
DE (-E ,-E ): . . . . . . . . . . . . . . . . . . . . . . . . . .
MX (-AN ,-NA ): * * * * * * * * * * * * * * * * * * * A * * * * * A
US (-A ,-AB ): * * * * * * * * * * * * * * * * * * * A * * * * * A
Auto-RF : . C . C . C . C C C C C x x x x x x x x x x x C C C C x
-----------------:+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
Step3: We can choose the country per AP (if we configured multiple country codes on the WLC). In my example I configured only DE, so there is no need to assign a country to a specific AP.
Choose Country for AP:
(WLAN1) >config ap country DE AP001
Step4: Re-Enable the 802.11a and 802.11b/g networks
(WLAN1) >config 802.11a enable network
(WLAN1) >config 802.11b enable network
Step5: Save settings:
(WLAN1) >save config
Step6: See the country code configured on WLC:
(WLAN1) >show country
Configured Country............................. DE - Germany
Configured Country Codes
DE - Germany................................... 802.11a Indoor,Outdoor / 802.11b / 802.11g