WLC CLI Commands with GUI Part1

In this post we will see the CLI commands for the Wireless LAN Controller alongside the WLC GUI.

This is not done by me; I just added a few commands. The rest I copied or downloaded as the Excel file from Rasika's post.

I am sharing this; maybe it will be fruitful for CCIE aspirants or wireless engineers to troubleshoot or use.

So let's have a look 🙂

Controller > General

Controller > Multicast


Controller > Mobility Anchor

Controller > CDP

Controller > Advanced

WLAN > Advanced

Wireless > Access Point > General

Wireless > Access Point > Advanced

Wireless > Radios > 802.11a/n

Wireless > AP Configuration

Continued in Part 2…

CCIE Wireless Written, Can I make IT ???

Today I booked the slot for the CCIE Wireless written exam. I don't know how I will pass this exam, but for the last 3-4 months I have been reading books and technotes… and still I am not confident of passing the exam.

I am going through these books:

CCNA (640-722-IUWNE) Quick Reference by Jerome Henry  (http://www.ciscopress.com/bookstore/product.asp?isbn=1587143089)

CCNP (642-732 CUWSS) Quick Reference, 2nd Edition by Jerome Henry (http://www.ciscopress.com/bookstore/product.asp?isbn=1587143100)

CCNP Wireless (642-737 IAUWS) Quick Reference by Jerome Henry (http://www.ciscopress.com/bookstore/product.asp?isbn=1587143127)

CCNP Wireless (642-747 IUWMS) Quick Reference, 2nd Edition by Jerome Henry (http://www.ciscopress.com/bookstore/product.asp?isbn=1587143097)

CCNP Wireless (642-742 IUWVN) Quick Reference by Jerome Henry (http://www.ciscopress.com/bookstore/product.asp?isbn=1587143119)

CCIE Wireless Exam (350-050) Quick Reference (http://www.ciscopress.com/bookstore/product.asp?isbn=0132168170)

I will add more things that I go through before the exam so that others who are going for the same can get some help.

If anyone still has anything to share about the Wireless written exam strategy, then please share it here or just send a mail so that it can be beneficial for me as well as for others.

I don't know if 28th March will be my half best day or half worst day, but I will not lose hope and will keep reading as much as possible to crack this so-called CCIE Wireless :).

So let's wait till 28th March 🙂 I will update here soon.

Lightweight Access Point joining issues to WLC Part 1

In this post I will try to cover as many as possible of the problems that prevent an AP from joining a WLC.

First of all we should know that there are two types of Access Points (I am only talking about Cisco products):

  1. Autonomous AP or Standalone AP
  2. Lightweight AP

Autonomous AP: This type of AP doesn't need a WLC and can be used in small office / home office scenarios. (I will not go into detail; maybe in a later post we will see how it works and how to configure it.)

Lightweight AP: This type of AP can only be used with Wireless LAN Controllers. These can be used in medium to large deployments.

How do we verify whether an AP is autonomous or lightweight?

Here are the two ways:

  • Connect to the AP using a console cable and log in (if you need to enter credentials, the default username and password are Cisco, and the default enable password is Cisco). As a side note, autonomous code shows the ap> prompt by default and only requires you to enter an enable password. Lightweight code asks for a username and password by default and displays the AP MAC address as the prompt. This can be a first indication, but all of it can be changed through configuration, so treat it as a hint, not a definitive check.
  • On the AP console, type show version. If the AP runs an autonomous code, the version will show the string k9w7. If the AP runs a lightweight code, the version will show k9w8.
  • Want to know more about AP versions? Go here: Understand AP IOS Images

Now we know that only LAPs have to join a WLC; without a WLC, these APs will not work.

Before looking for the reason an AP is not joining, we must first understand what happens behind the scenes.

In order for the WLC to be able to manage the LAP, the LAP should discover the controller and register with the WLC. There are different methods that an LAP uses in order to discover the WLC.

There are four main events:

  1. Discovery Requests
  2. Discovery Response
  3. Join Request
  4. Join Response

Refer to: LAP Registration to WLC

So now we assume that the AP has an IP address, assigned either statically or via DHCP.

Without an IP address the AP will not do anything, so first we need to assign an IP to the AP; only then can it send discovery requests.

Basic things to check:

  1. Did the AP get an IP address via DHCP?
  2. Can you ping the AP from the WLC, or vice versa?
  3. Is this specific VLAN (in which the AP got its IP) blocked by anything on the switch, like STP?
  4. Check the logs on the AP: it must start sending discovery requests for WLCs.

If everything is OK so far, then we can start with some common issues that prevent a LAP from joining the WLC.

Scenario 1: Mismatch in Regulatory Domain

I have seen these errors many times.

To see them, we must enable debug capwap <events/error> enable or debug lwapp <events/error> enable

Sample Error Logs:

802.a or 80211bg Regulatory Domain (-E) does not match with country(AU )
AP RegDomain check for the country AU failed
Regulatory Domain check Completely FAILED The AP will not be allowed to join

These errors clearly show that there is a mismatch in the regulatory domain of the LAP and the WLC. To resolve this issue, add the country for which the AP was built to the list of countries supported on the controller from Wireless > Country. We have to disable all 802.11b/g and 802.11a radios to change the controller country codes list.


In my example, I configured only DE; this country supports the -E regulatory domain on the AP.

The WLC can support multiple regulatory domains, but each regulatory domain must be selected before an LAP from that domain can join. When you purchase APs and WLCs, ensure that they share the same regulatory domain. Only then can the LAPs register with the WLC.

Here you can check the Wireless Compliance Status, specific country with specific Regulatory domain for Access Points.

Scenario 2: Certificate and Time

The AP and the controller need to exchange certificates to create a secure tunnel for communication. These certificates have a creation date and an expiry date. If the time and date on the WLC are wrong, the AP certificate will be refused because it appears to be not valid yet or not valid anymore.

We must run these debug commands to find out the exact error:

debug capwap errors enable and debug pm pki enable

Sample Error logs:

Does not include valid certificate in CERTIFICATE_PAYLOAD from AP MACADDRESS. Unable to free public key.
Current time outside AP cert validity interval: make sure the controller time is set.

To resolve this kind of issue, set the controller time and date to the present value from the GUI (Command > Set Time) or with the config time command from the CLI.


We can also receive this kind of message if the AP certificate is no longer valid or is corrupted. In this case we must return the AP to our supplier and get a new one.

We can check the AP certificate validity by this command: show crypto ca certificates

Scenario 3: Firewall Blocking Necessary Ports

When APs and controllers are in different subnets, make sure that routing and firewall filters allow traffic both ways.

Enable these UDP ports for LWAPP traffic:

UDP ports 12222 and 12223 must be open in both directions.

Enable these UDP ports for CAPWAP traffic:

UDP ports 5246 and 5247 must be open in both directions.

If the AP cannot access the controller on UDP port 5246 (CAPWAP Control), the discovery and join requests never reach the controller. The result is that the AP is not seen on the controller, and the debug capwap event enable command on the controller does not display any message about the AP.

If the controller cannot access the AP UDP port 5246 (CAPWAP Control), the discovery and join requests never reach the AP. The result is that the controller receives discovery requests, answers with discovery responses, but the AP does not get these responses and never moves to the join phase.

Scenario 4: Brand New Access Points

With new Access Points or even with the old AP, we can get some compatibility issues with WLC version.

Example: The 1600 and 3600 APs are new models, and require new controller codes. The 1600 AP requires controller code release or later, and the 3600 AP requires controller code 7.2 or later. The same issue affects 802.11n APs and older controller codes. If the controller code is too old, the AP model is not recognized.

We must run these debug commands to find out the exact error:

debug capwap errors enable

Sample Error Logs

AP Associated. Base Radio MAC: MAC ADDRESS
AP Disassociated. Base Radio MAC: MAC ADDRESS
AP with MAC MAC ADDRESS is unknown.

To resolve this issue, we have to upgrade the controller code or have the AP discover a controller running the appropriate code version.

Check here the Cisco Software Compatibility Matrix

Find out the version on WLC here by GUI: Go to Monitor and check the Controller Summary



Via CLI:

(WLAN1) >show sysinfo
Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version..................................
RTOS Version.....................................
Bootloader Version...............................
Emergency Image Version.......................... N/A
Build Type....................................... DATA + WPS
System Name...................................... WLAN1
System Location.................................. Test Lab
System Contact................................... Sandeep
System ObjectID..................................
IP Address.......................................
System Up Time................................... 3 days 23 hrs 12 mins 31 secs
System Timezone Location......................... (GMT +1:00) Amsterdam, Berlin, Rome, Vienna
Configured Country............................... DE  - Germany
Operating Environment............................ Commercial (0 to 40 C)
Internal Temp Alarm Limits....................... 0 to 65 C
Internal Temperature............................. +42 C
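
The sample debug lines from Scenarios 1, 2 and 4 can be matched mechanically when many APs fail to join at once. The Python below is an added example, not code from the original post or from Cisco: the patterns are built only from the log lines quoted above, and the cause keys and the triage function are hypothetical names.

```python
import re

# Patterns come from the sample debug lines quoted in this post; the cause
# keys and function name are hypothetical, the fixes are the post's own.
RULES = [
    (r"Regulatory Domain \((-\w+)\) does not match with country\s*\(\s*(\w+)\s*\)", "regulatory-domain"),
    (r"AP RegDomain check for the country (\w+) failed", "regulatory-domain"),
    (r"Regulatory Domain check Completely FAILED", "regulatory-domain"),
    (r"Does not include valid certificate in CERTIFICATE_PAYLOAD", "certificate-time"),
    (r"Current time outside AP cert validity interval", "certificate-time"),
    (r"AP with MAC .+ is unknown", "unknown-ap-model"),
]
FIXES = {
    "regulatory-domain": "Scenario 1: add the AP's country under Wireless > Country",
    "certificate-time": "Scenario 2: set controller time (config time), then check the AP certificate",
    "unknown-ap-model": "Scenario 4: compare show sysinfo with the compatibility matrix",
    "no-ap-messages": "Scenario 3: check UDP 5246/5247 (CAPWAP) or 12222/12223 (LWAPP) both ways",
}

# Sample input: the error lines shown in Scenarios 1, 2 and 4, copied as quoted.
SAMPLE = """\
802.a or 80211bg Regulatory Domain (-E) does not match with country(AU )
AP RegDomain check for the country AU failed
Regulatory Domain check Completely FAILED The AP will not be allowed to join
Does not include valid certificate in CERTIFICATE_PAYLOAD from AP MACADDRESS. Unable to free public key.
Current time outside AP cert validity interval: make sure the controller time is set.
AP Associated. Base Radio MAC: MAC ADDRESS
AP Disassociated. Base Radio MAC: MAC ADDRESS
AP with MAC MAC ADDRESS is unknown.
""".splitlines()

def triage(lines):
    """Group debug lines by join-failure cause; empty debug output points to Scenario 3."""
    findings = {}
    for line in lines:
        for pattern, cause in RULES:
            m = re.search(pattern, line)
            if m:
                entry = findings.setdefault(
                    cause, {"fix": FIXES[cause], "evidence": [], "details": set()})
                entry["evidence"].append(line.strip())
                entry["details"].update(m.groups())
                break
    if not findings and not any(line.strip() for line in lines):
        # The controller debug shows nothing about the AP at all.
        findings["no-ap-messages"] = {"fix": FIXES["no-ap-messages"], "evidence": [], "details": set()}
    return findings

if __name__ == "__main__":
    for cause, info in triage(SAMPLE).items():
        print(cause, sorted(info["details"]), "->", info["fix"])
```

Lines that match no pattern, such as the Associated/Disassociated pair, are ignored rather than reported as a cause.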


Part 2 coming soon……. 🙂

Country Code on WLC

Controllers and access points are designed for use in many countries with varying regulatory requirements. The radios within the access points are assigned to a specific regulatory domain at the factory (such as –E for Europe), but the country code enables you to specify a particular country of operation (such as FR for France or DE for Germany). Configuring a country code ensures that each radio’s broadcast frequency bands, interfaces, channels, and transmit power levels are compliant with country-specific regulations.

Generally, we configure one country code per controller, the one matching the physical location of the controller and its access points. However, controller software release 4.1 and later allow us to configure up to 20 country codes per controller. This multiple-country support enables us to manage access points in various countries from a single controller. This does not apply to mesh access points.

*** Note: Mesh APs don't support multiple country codes on the WLC.

*** We cannot change the regulatory domain on an access point. If you bought an AP with the wrong regulatory domain, you must exchange or replace that access point.

*** Here is the Wireless LAN Compliance Status

There are some limitations for multiple country code configuration:

  • When the multiple-country feature is being used, all controllers that are going to join the same RF group must be configured with the same set of countries, configured in the same order.
  • When multiple countries are configured and the RRM auto-RF feature is enabled, the RRM assigns the channels that are derived by performing a union of the allowed channels per the AP country code. The APs are assigned channels by the RRM based on their PID country code. APs are only allowed to use legal frequencies that match their PID country code. Ensure that your AP’s country code is legal in the country that it is deployed.
  • Access points can only operate on the channels for the countries that they are designed for.
  • The country list configured on the RF group leader determines what channels the members would operate on. This list is independent of what countries have been configured on the RF group members.

Procedure to add Country Code on WLC:

Via GUI:

Before configuring or changing the country code on the WLC, we must disable both networks.

Steps to disable the 802.11a and 802.11b/g networks:

Step1: Choose Wireless> 802.11a/n > Network.

Unselect the 802.11a Network Status check box.


Click Apply to commit your changes.

Step2: Choose Wireless > 802.11b/g/n > Network.

Unselect the 802.11b/g Network Status check box.


Click Apply to commit your changes.

Step3: Choose Wireless > Country and select the check box for each country where our access points are installed. If we select more than one check box, a message appears indicating that RRM channels and power levels are limited to common channels and power levels.

Click OK.

Here all my access points are in the Europe domain and I am sitting in Germany, so I choose DE (Germany).


Step4: If we had configured multiple country codes on the WLC, we could choose the country per AP:

Here we chose only one country, so there is no other option for this AP.


Step5: Re-Enable the 802.11a and 802.11b/g networks (As we did in Step1 and Step2)

Step6: Click Save Configuration to save settings.

Via CLI:

Step1: Disable the 802.11a and 802.11b/g networks:

(WLAN1) >config 802.11a disable network
(WLAN1) >config 802.11b disable network

Step2: Configure the country codes for the countries where our access points are installed:

(WLAN1) >config country DE

*** If we choose multiple Country code on WLC then this will appear:

(WLAN1) >config country DE,US,MX
Changing country code could reset channel & RRM grouping configuration.
If running in RRM One-Time mode, reassign channels after this command.
Check customized APs for valid channel values after this command.
Are you sure you want to continue? (y/n) y
Configured Country............................. Multiple Countries:DE,MX,US
KEY: * = Channel is legal in this country and may be configured manually.
A = Channel is the Auto-RF default in this country.
. = Channel is not legal in this country.
C = Channel has been configured for use by Auto-RF.
x = Channel is available to be configured for use by Auto-RF.
(-,-) = (indoor, outdoor) regulatory doamin allowed by this country.
802.11bg     :
Channels     :                   1 1 1 1 1
: 1 2 3 4 5 6 7 8 9 0 1 2 3 4
DE (-E   ,-E   ): A * * * * A * * * * A * * .
MX (-A   ,-NA  ): A * * * * A * * * * A . . .
US (-A   ,-AB  ): A * * * * A * * * * A . . .
Auto-RF         : C x x x x C x x x x C x x .
802.11a      :                         1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
Channels     : 3 3 3 4 4 4 4 4 5 5 6 6 0 0 0 1 1 2 2 2 3 3 4 4 5 5 6 6
: 4 6 8 0 2 4 6 8 2 6 0 4 0 4 8 2 6 0 4 8 2 6 0 9 3 7 1 5
--More-- or (q)uit
DE (-E   ,-E   ): . A . A . A . A A A A A * * * * * * * * * * * . . . . .
MX (-AN  ,-NA  ): . A . A . A . A A A A A * * * * * . . . * * * A A A A *
US (-A   ,-AB  ): . A . A . A . A A A A A * * * * * . . . * * * A A A A *
Auto-RF         : . C . C . C . C C C C C x x x x x x x x x x x C C C C x
4.9GHz 802.11a  :
Channels     :                   1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2
: 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6
DE (-E   ,-E   ): . . . . . . . . . . . . . . . . . . . . . . . . . .
MX (-AN  ,-NA  ): * * * * * * * * * * * * * * * * * * * A * * * * * A
US (-A   ,-AB  ): * * * * * * * * * * * * * * * * * * * A * * * * * A
Auto-RF         : . C . C . C . C C C C C x x x x x x x x x x x C C C C x

Step3: We can choose the country per AP (if we configured multiple country codes on the WLC). In my example I configured only DE, so there is no need to assign it to a specific AP.

Choose Country for AP:

(WLAN1) >config ap country DE AP001

Step4: Re-Enable the 802.11a and 802.11b/g networks

(WLAN1) >config 802.11a enable network
(WLAN1) >config 802.11b enable network

Step5: Save settings:

(WLAN1) >save config

Step6: See the country code configured on WLC:

(WLAN1) >show country
Configured Country............................. DE  - Germany
Configured Country Codes
DE  - Germany................................... 802.11a Indoor,Outdoor / 802.11b / 802.11g
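
With several country codes configured, it helps to read the channel table from Step2 as data and see which channels are legal in every configured country, the "common channels" the GUI message in Step3 refers to. The Python below is an added example, not code from the original post or from Cisco; the function names are hypothetical, and it assumes the digit header rows are right-aligned over the units row, as in the output shown on this page.

```python
import re

# Sample input: the 802.11bg and 802.11a blocks of the "config country DE,US,MX"
# output shown in Step2, copied as they appear on this page.
OUTPUT = """\
802.11bg     :
Channels     :                   1 1 1 1 1
: 1 2 3 4 5 6 7 8 9 0 1 2 3 4
DE (-E   ,-E   ): A * * * * A * * * * A * * .
MX (-A   ,-NA  ): A * * * * A * * * * A . . .
US (-A   ,-AB  ): A * * * * A * * * * A . . .
Auto-RF         : C x x x x C x x x x C x x .
802.11a      :                         1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
Channels     : 3 3 3 4 4 4 4 4 5 5 6 6 0 0 0 1 1 2 2 2 3 3 4 4 5 5 6 6
: 4 6 8 0 2 4 6 8 2 6 0 4 0 4 8 2 6 0 4 8 2 6 0 9 3 7 1 5
--More-- or (q)uit
DE (-E   ,-E   ): . A . A . A . A A A A A * * * * * * * * * * * . . . . .
MX (-AN  ,-NA  ): . A . A . A . A A A A A * * * * * . . . * * * A A A A *
US (-A   ,-AB  ): . A . A . A . A A A A A * * * * * . . . * * * A A A A *
"""

def parse_country_table(text):
    """Return {band: {country: set of channels marked A or *}}."""
    bands, band, rows = {}, None, []
    for line in text.splitlines():
        label, sep, cells = line.partition(":")
        if not sep:
            continue  # pager line such as "--More-- or (q)uit"
        label, cells = label.strip(), cells.split()
        if label.startswith("802.11"):
            band, rows = label, [cells]  # band line holds the hundreds digits
            bands[band] = {}
        elif label in ("Channels", ""):
            rows.append(cells)  # tens digits, then units digits
        elif band and re.fullmatch(r"[A-Z]{2} \(.*\)", label):
            width = len(rows[-1])
            # Digit rows are right-aligned over the units row: pad on the left.
            padded = [[""] * (width - len(r)) + r for r in rows]
            channels = [int("".join(col)) for col in zip(*padded)]
            bands[band][label[:2]] = {c for c, f in zip(channels, cells) if f != "."}
    return bands

def common_channels(bands, band):
    """Channels legal in every configured country for one band."""
    return sorted(set.intersection(*bands[band].values()))

if __name__ == "__main__":
    table = parse_country_table(OUTPUT)
    for band in table:
        print(band, common_channels(table, band))
```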