Cisco Embedded Wireless Controller on Catalyst Access Points, Embedded Wireless Controller on Catalyst 9115AX Access Points, Embedded Wireless Controller on Catalyst 9117AX Access Points, Embedded Wireless Controller on Catalyst 9120AX Access Points, Embedded Wireless Controller on Catalyst 9130AX Access Points Configuration Guide

Cisco Embedded Wireless Controller on Catalyst Access Points
Configuration Guide, IOS XE Bengaluru 17.4.x
First Published: 2020-11-30
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS,
INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH
THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY,
CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of
the UNIX operating system. All rights reserved. Copyright ©1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS.
CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT
LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS
HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network
topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional
and coincidental.
All printed copies and duplicate soft copies of this document are considered uncontrolled. See the current online version for the latest version.
Cisco has more than 200 offices worldwide. Addresses and phone numbers are listed on the Cisco website at www.cisco.com/go/offices.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL:
https://www.cisco.com/c/en/us/about/legal/trademarks.html. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a
partnership relationship between Cisco and any other company. (1721R)
©2020 Cisco Systems, Inc. All rights reserved.
CONTENTS
Preface xxxvii
PREFACE
Document Conventions xxxvii
Related Documentation xxxix
Obtaining Documentation and Submitting a Service Request xxxix
Overview of Cisco Embedded Wireless Controller on Catalyst Access Points 1
CHAPTER 1
Elements of the New Configuration Model 1
Configuration Workflow 2
Initial Setup 3
Resetting Cisco Embedded Wireless Controller on Catalyst Access Points 4
Password Recovery 5
System Configuration 7
PART I
System Configuration 9
CHAPTER 2
Information About New Configuration Model 9
Configuring a Wireless Profile Policy (GUI) 11
Configuring a Wireless Profile Policy (CLI) 12
Configuring a Flex Profile 13
Configuring an AP Profile (GUI) 14
Configuring an AP Profile (CLI) 16
Configuring an RF Profile (GUI) 17
Configuring an RF Profile (CLI) 18
Configuring Policy Tag (GUI) 19
Configuring a Policy Tag (CLI) 19
Configuring Wireless RF Tag (GUI) 20
Configuring Wireless RF Tag (CLI) 21
Attaching a Policy Tag and Site Tag to an AP (GUI) 22
Attaching Policy Tag and Site Tag to an AP (CLI) 22
AP Filter 23
Introduction to AP Filter 23
Set Tag Priority (GUI) 24
Set Tag Priority 24
Create an AP Filter (GUI) 25
Create an AP Filter (CLI) 25
Set Up and Update Filter Priority (GUI) 26
Set Up and Update Filter Priority 26
Verify AP Filter Configuration 26
Configuring Access Point for Location Configuration 27
Information About Location Configuration 27
Prerequisite for Location Configuration 28
Configuring a Location for an Access Point (GUI) 28
Configuring a Location for an Access Point (CLI) 28
Adding an Access Point to the Location (GUI) 29
Adding an Access Point to the Location (CLI) 30
Configuring SNMP in Location Configuration 30
SNMP MIB 30
Verifying Location Configuration 31
Verifying Location Statistics 31
Smart Licensing Using Policy 33
CHAPTER 3
Introduction to Smart Licensing Using Policy 33
Information About Smart Licensing Using Policy 34
Overview 34
Architecture 34
Product Instance 34
CSLU 35
CSSM 35
Controller 36
SSM On-Prem 37
Concepts 37
License Enforcement Types 37
License Duration 38
Authorization Code 38
Policy 39
RUM Report and Report Acknowledgement 40
Trust Code 40
Supported Topologies 40
Connected to CSSM Through CSLU 41
Connected Directly to CSSM 42
CSLU Disconnected from CSSM 43
Connected to CSSM Through a Controller 44
No Connectivity to CSSM and No CSLU 45
Supported Products 46
Interactions with Other Features 47
High Availability 47
Upgrades 48
Downgrades 49
How to Configure Smart Licensing Using Policy: Workflows by Topology 52
Workflow for Topology: Connected to CSSM Through CSLU 52
Workflow for Topology: Connected Directly to CSSM 55
Workflow for Topology: CSLU Disconnected from CSSM 56
Workflow for Topology: Connected to CSSM Through a Controller 59
Workflow for Topology: No Connectivity to CSSM and No CSLU 60
Migrating to Smart Licensing Using Policy 60
Example: Smart Licensing to Smart Licensing Using Policy 61
Example: SLR to Smart Licensing Using Policy 68
Example: Evaluation or Expired to Smart Licensing Using Policy 76
Task Library for Smart Licensing Using Policy 79
Logging into Cisco (CSLU Interface) 79
Configuring a Smart Account and a Virtual Account (CSLU Interface) 79
Adding a Product-Initiated Product Instance in CSLU (CSLU Interface) 80
Ensuring Network Reachability for Product Instance-Initiated Communication 80
Adding a CSLU-Initiated Product Instance in CSLU (CSLU Interface) 82
Collecting Usage Reports: CSLU Initiated (CSLU Interface) 82
Download All For Cisco (CSLU Interface) 83
Upload From Cisco (CSLU Interface) 84
Ensuring Network Reachability for CSLU-Initiated Communication 84
Setting Up a Connection to CSSM 88
Configuring Smart Transport Through an HTTPs Proxy 90
Configuring the Call Home Service for Direct Cloud Access 91
Configuring the Call Home Service for Direct Cloud Access through an HTTPs Proxy Server 94
Removing and Returning an Authorization Code 95
Removing the Product Instance from CSSM 97
Generating a New Token for a Trust Code from CSSM 98
Installing a Trust Code 98
Downloading a Policy File from CSSM 100
Uploading Usage Data to CSSM and Downloading an ACK 100
Installing a File on the Product Instance 101
Setting the Transport Type, URL, and Reporting Interval 102
Configuring an AIR License 104
Sample Resource Utilization Measurement Report 107
Troubleshooting Smart Licensing Using Policy 107
System Message Overview 108
System Messages 109
Additional References for Smart Licensing Using Policy 116
Feature History for Smart Licensing Using Policy 117
Conversion and Migration 119
CHAPTER 4
Conversion and Migration in Embedded Wireless Controller Capable APs 119
Types of Conversion 119
Access Point Conversion 120
Converting a CAPWAP AP to an Embedded Wireless Controller Capable AP 120
Converting an Embedded Wireless Controller Capable AP to a CAPWAP AP 120
Converting a Single AP to CAPWAP or Embedded Wireless Controller Capable AP (CLI) 120
AP Conversion Deployment Scenarios 121
Network Conversion 123
Converting the Network (CLI) 123
Network Conversion Deployment Scenarios 124
SKU Conversion Scenarios 125
Converting AireOS Mobility Express Network to Embedded Wireless Controller Network 126
Best Practices 127
CHAPTER 5
Introduction 127
Lightweight Access Points 129
PART II
Country Codes 131
CHAPTER 6
Information About Country Codes 131
Prerequisites for Configuring Country Codes 131
Configuring Country Codes (GUI) 132
How to Configure Country Codes 132
Configuration Examples for Configuring Country Codes 134
Viewing Channel List for Country Codes 134
AP Priority 135
CHAPTER 7
Failover Priority for Access Points 135
Setting AP Priority (GUI) 135
Setting AP Priority 136
802.11 Parameters for Cisco Access Points 137
CHAPTER 8
2.4-GHz Radio Support 137
Configuring 2.4-GHz Radio Support for the Specified Slot Number 137
5-GHz Radio Support 139
Configuring 5-GHz Radio Support for the Specified Slot Number 139
Information About Dual-Band Radio Support 141
Configuring Default XOR Radio Support 141
Configuring XOR Radio Support for the Specified Slot Number (GUI) 144
Configuring XOR Radio Support for the Specified Slot Number 144
Receiver Only Dual-Band Radio Support 146
Information About Receiver Only Dual-Band Radio Support 146
Configuring Receiver Only Dual-Band Parameters for Access Points 146
Enabling CleanAir with Receiver Only Dual-Band Radio on a Cisco Access Point (GUI) 146
Enabling CleanAir with Receiver Only Dual-Band Radio on a Cisco Access Point 146
Disabling Receiver Only Dual-Band Radio on a Cisco Access Point (GUI) 147
Disabling Receiver Only Dual-Band Radio on a Cisco Access Point 147
Configuring Client Steering (CLI) 147
Verifying Cisco Access Points with Dual-Band Radios 149
802.1x Support 151
CHAPTER 9
Introduction to the 802.1x Authentication 151
EAP-FAST Protocol 151
EAP-TLS/EAP-PEAP Protocol 152
Limitations of the 802.1x Authentication 152
Topology - Overview 152
Configuring 802.1x Authentication Type and LSC AP Authentication Type (GUI) 153
Configuring 802.1x Authentication Type and LSC AP Authentication Type 153
Configuring the 802.1x Username and Password (GUI) 154
Configuring the 802.1x Username and Password (CLI) 155
Enabling 802.1x on the Switch Port 156
Verifying 802.1x on the Switch Port 157
Verifying the Authentication Type 158
Radio Resource Management 159
PART III
Radio Resource Management 161
CHAPTER 10
Information About Radio Resource Management 161
Radio Resource Monitoring 162
Transmit Power Control 162
Overriding the TPC Algorithm with Minimum and Maximum Transmit Power Settings 162
Dynamic Channel Assignment 163
Coverage Hole Detection and Correction 165
Restrictions for Radio Resource Management 165
How to Configure RRM 165
Configuring Neighbor Discovery Type (CLI) 165
Configuring Transmit Power Control 166
Configuring the Tx-Power Control Threshold (CLI) 166
Configuring the Tx-Power Level (CLI) 166
Configuring 802.11 RRM Parameters 167
Configuring Advanced 802.11 Channel Assignment Parameters (CLI) 167
Configuring 802.11 Coverage Hole Detection (CLI) 169
Configuring 802.11 Event Logging (CLI) 170
Configuring 802.11 Statistics Monitoring (CLI) 171
Configuring the 802.11 Performance Profile (CLI) 172
Configuring Advanced 802.11 RRM 173
Enabling Channel Assignment (CLI) 173
Restarting DCA Operation 174
Updating Power Assignment Parameters (CLI) 174
Configuring Rogue Access Point Detection in RF Groups 174
Configuring Rogue Access Point Detection in RF Groups (CLI) 174
Monitoring RRM Parameters and RF Group Status 176
Monitoring RRM Parameters 176
Verifying RF Group Status (CLI) 177
Examples: RF Group Configuration 177
Information About ED-RRM 177
Configuring ED-RRM on the Cisco Wireless LAN Controller (CLI) 178
Coverage Hole Detection 179
CHAPTER 11
Coverage Hole Detection and Correction 179
Configuring Coverage Hole Detection (GUI) 179
Configuring Coverage Hole Detection (CLI) 180
Configuring CHD for RF Tag Profile (GUI) 181
Configuring CHD for RF Tag Profile (CLI) 182
Cisco Flexible Radio Assignment 183
CHAPTER 12
Information About Flexible Radio Assignment 183
Benefits of the FRA Feature 184
Configuring an FRA Radio (CLI) 184
Configuring an FRA Radio (GUI) 186
XOR Radio Support 187
CHAPTER 13
Information About Dual-Band Radio Support 187
Configuring Default XOR Radio Support 188
Configuring XOR Radio Support for the Specified Slot Number (GUI) 190
Configuring XOR Radio Support for the Specified Slot Number 190
Cisco Receiver Start of Packet 193
CHAPTER 14
Information About Receiver Start of Packet Detection Threshold 193
Restrictions for Rx SOP 193
Configuring Rx SOP (CLI) 194
Customizing RF Profile (CLI) 194
Client Limit 197
CHAPTER 15
Information About Client Limit 197
Configuring Client Limit (GUI) 197
Configuring Client Limit (CLI) 197
IP Theft 199
CHAPTER 16
Introduction to IP Theft 199
Configuring IP Theft (GUI) 200
Configuring IP Theft 200
Configuring the IP Theft Exclusion Timer 200
Verifying IP Theft Configuration 201
Unscheduled Automatic Power Save Delivery 203
CHAPTER 17
Information About Unscheduled Automatic Power Save Delivery 203
Viewing Unscheduled Automatic Power Save Delivery (CLI) 203
Enabling USB Port on Access Points 205
CHAPTER 18
USB Port as Power Source for Access Points 205
Configuring an AP Profile (CLI) 206
Configuring USB Settings for an Access Point (CLI) 206
Monitoring USB Configurations for Access Points (CLI) 207
Network Management 209
PART IV
DHCP Option82 211
CHAPTER 19
Information About DHCP Option 82 211
Configuring DHCP Option 82 Global Interface 212
Configuring DHCP Option 82 Globally Through Server Override (CLI) 212
Configuring DHCP Option 82 Globally Through Different SVIs (GUI) 213
Configuring DHCP Option 82 Globally Through Different SVIs (CLI) 213
Configuring DHCP Option 82 Format 214
Configuring DHCP Option82 Through a VLAN Interface 215
Configuring DHCP Option 82 Through Option-Insert Command (CLI) 215
Configuring DHCP Option 82 Through the server-ID-override Command (CLI) 216
Configuring DHCP Option 82 Through a Subscriber-ID (CLI) 217
Configuring DHCP Option 82 Through server-ID-override and subscriber-ID Commands (CLI) 218
Configuring DHCP Option 82 Through Different SVIs (CLI) 219
RADIUS Realm 221
CHAPTER 20
Information About RADIUS Realm 221
Enabling RADIUS Realm 222
Configuring Realm to Match the RADIUS Server for Authentication and Accounting 222
Configuring the AAA Policy for a WLAN 223
Verifying the RADIUS-Realm Configuration 225
Persistent SSID Broadcast 227
CHAPTER 21
Persistent SSID Broadcast 227
Configuring Persistent SSID Broadcast 227
Verifying Persistent SSID Broadcast 228
Network Monitoring 229
CHAPTER 22
Network Monitoring 229
System Management 231
PART V
Network Mobility Services Protocol 233
CHAPTER 23
Information About Network Mobility Services Protocol 233
Enabling NMSP On-Premises Services 234
Modifying the NMSP Notification Interval for Clients, RFID Tags, and Rogues 234
Modifying the NMSP Notification Threshold for Clients, and Tags 235
Configuring NMSP Strong Cipher 235
Verifying NMSP Settings 236
Examples: NMSP Settings Configuration 238
Probe RSSI Location 238
Configuring Probe RSSI 239
Verifying Probe RSSI 240
RFID Tag Support 240
Configuring RFID Tag Support 241
Verifying RFID Tag Support 241
Application Visibility and Control 245
CHAPTER 24
Information About Application Visibility and Control 245
Prerequisites for Application Visibility and Control 246
Restrictions for Application Visibility and Control 246
AVC Configuration Overview 247
Create a Flow Monitor 247
Create a Flow Exporter 248
Verify the Flow Exporter 248
Configure a WLAN for AVC 249
Configuring a Policy Tag 250
Attaching a Policy Profile to a WLAN Interface (GUI) 250
Attaching a Policy Profile to a WLAN Interface (CLI) 250
Attaching a Policy Profile to an AP 252
Verify the AVC Configuration 252
AVC-Based Selective Reanchoring 253
Restrictions for AVC-Based Selective Reanchoring 253
Configuring the Flow Exporter 253
Configuring the Flow Monitor 254
Configuring the AVC Reanchoring Profile 255
Configuring the Wireless WLAN Profile Policy 255
Verifying AVC Reanchoring 256
Flexible NetFlow Exporter on Embedded Wireless Controller 261
CHAPTER 25
Flexible NetFlow Exporter on Embedded Wireless Controller 261
AVC Configuration Limitations on EWC 261
Create a Flow Exporter 262
Create a Flow Monitor 262
Configuring the Wireless WLAN Profile Policy 263
Verifying Flow Exporter in Embedded Wireless Controller 264
Cisco Connected Mobile Experiences Cloud 265
CHAPTER 26
Configuring Cisco CMX Cloud 265
Verifying Cisco CMX Cloud Configuration 266
EDCA Parameters 269
CHAPTER 27
Enhanced Distributed Channel Access Parameters 269
Configuring EDCA Parameters (GUI) 269
Configuring EDCA Parameters (CLI) 270
802.11 parameters and Band Selection 273
CHAPTER 28
Information About Configuring Band Selection, 802.11 Bands, and Parameters 273
Band Select 273
802.11 Bands 274
802.11n Parameters 274
802.11h Parameters 274
Restrictions for Band Selection, 802.11 Bands, and Parameters 274
How to Configure 802.11 Bands and Parameters 275
Configuring Band Selection (GUI) 275
Configuring Band Selection (CLI) 276
Configuring the 802.11 Bands (GUI) 277
Configuring the 802.11 Bands (CLI) 278
Configuring a Band-Select RF Profile (GUI) 280
Configuring 802.11n Parameters (GUI) 280
Configuring 802.11n Parameters (CLI) 281
Configuring 802.11h Parameters (CLI) 283
Monitoring Configuration Settings for Band Selection, 802.11 Bands, and Parameters 284
Verifying Configuration Settings Using Band Selection and 802.11 Bands Commands 284
Example: Viewing the Configuration Settings for the 5-GHz Band 284
Example: Viewing the Configuration Settings for the 2.4-GHz Band 286
Example: Viewing the status of 802.11h Parameters 288
Example: Verifying the Band-Selection Settings 288
Configuration Examples for Band Selection, 802.11 Bands, and Parameters 288
Examples: Band Selection Configuration 288
Examples: 802.11 Bands Configuration 289
Examples: 802.11n Configuration 289
Examples: 802.11h Configuration 290
Image Download 291
CHAPTER 29
Information About Image Download 291
Updates to the AP Image Predownload Status (GUI) 291
Image Download Scenarios 292
Image Download During AP Join 292
Network Software Upgrade (Pre-Download) 293
Methods Supported for Image Download 293
TFTP Image Download Method 294
SFTP Image Download Method 294
Desktop (HTTP) Image Download Method 294
Prerequisites for Image Download 294
Configuring Image Download Profile 295
Configuring TFTP Image Download (GUI) 295
Configuring TFTP Image Download (CLI) 296
Configuring SFTP Image Download (GUI) 297
Configuring SFTP Image Download (CLI) 297
Configuring Desktop (HTTP) Image Download (GUI) 298
Initiating Pre-Download (CLI) 299
Verifying Image Download 301
Conditional Debug and Radioactive Tracing 303
CHAPTER 30
Introduction to Conditional Debugging 303
Introduction to Radioactive Tracing 303
Conditional Debugging and Radioactive Tracing 304
Location of Tracefiles 304
Configuring Conditional Debugging (GUI) 305
Configuring Conditional Debugging 305
Recommended Workflow for Trace files 306
Copying Tracefiles Off the Box 307
Configuration Examples for Conditional Debugging 308
Verifying Conditional Debugging 308
Example: Verifying Radioactive Tracing Log for SISF 308
Aggressive Client Load Balancing 311
CHAPTER 31
Information About Aggressive Client Load Balancing 311
Enabling Aggressive Client Load Balancing (GUI) 312
Configuring Aggressive Client Load Balancing (GUI) 312
Configuring Aggressive Client Load Balancing (CLI) 313
Accounting Identity List 315
CHAPTER 32
Configuring Accounting Identity List (GUI) 315
Configuring Accounting Identity List (CLI) 315
Configuring Client Accounting (GUI) 316
Configuring Client Accounting (CLI) 316
Volume Metering 319
CHAPTER 33
Configuring Volume Metering 319
Enabling Syslog Messages in Access Points and Controller for Syslog Server 321
CHAPTER 34
Information About Enabling Syslog Messages in Access Points and Embedded Wireless Controller for Syslog Server 321
Configuring Syslog Server for an AP Profile 322
Configuring Syslog Server for the Controller (GUI) 324
Configuring Syslog Server for the Embedded Wireless Controller 325
Verifying Syslog Server Configurations 326
Introduction to Software Maintenance Upgrade 331
CHAPTER 35
Overview of Controller SMUs 332
Managing Controller Hot or Cold SMU Package 333
Creating SMU Files (GUI) 334
Configuration Examples for SMU 335
Rolling AP Upgrade 337
Rolling AP Upgrade Process 337
Verifying AP Upgrade on the Controller 338
AP Device Pack (APDP) and AP Service Pack (APSP) 339
APSP and APDP 339
Managing APSP and APDP 340
Configuring the APSP and APDP Files (GUI) 340
Configuring the TFTP Server Directory 340
Configuring the SFTP Server Directory 341
Positive Workflow - APSP and APDP 343
Rollback and Cancel 344
Verifying APDP on the Embedded Wireless Controller 345
Security 347
PART VI
IPv4 ACLs 349
CHAPTER 36
Information about Network Security with ACLs 349
ACL Overview 349
Access Control Entries 349
ACL Supported Types 350
Supported ACLs 350
ACL Precedence 350
Port ACLs 350
Router ACLs 351
VLAN Maps 352
ACEs and Fragmented and Unfragmented Traffic 352
ACEs and Fragmented and Unfragmented Traffic Examples 353
Standard and Extended IPv4 ACLs 353
IPv4 ACL Switch Unsupported Features 354
Access List Numbers 354
Numbered Standard IPv4 ACLs 355
Numbered Extended IPv4 ACLs 355
Named IPv4 ACLs 356
ACL Logging 356
Hardware and Software Treatment of IP ACLs 357
IPv4 ACL Interface Considerations 357
Restrictions for Configuring IPv4 Access Control Lists 357
How to Configure ACLs 358
Configuring IPv4 ACLs (GUI) 358
Configuring IPv4 ACLs 359
Creating a Numbered Standard ACL (GUI) 359
Creating a Numbered Standard ACL (CLI) 359
Creating a Numbered Extended ACL (GUI) 361
Creating a Numbered Extended ACL (CLI) 361
Creating Named Standard ACLs (GUI) 365
Creating Named Standard ACLs 365
Creating Extended Named ACLs (GUI) 367
Creating Extended Named ACLs 367
Applying an IPv4 ACL to an Interface (GUI) 369
Applying an IPv4 ACL to an Interface (CLI) 369
Monitoring IPv4 ACLs 370
Configuration Examples for ACLs 371
Examples: Including Comments in ACLs 371
IPv4 ACL Configuration Examples 372
ACLs in a Small Networked Office 372
Examples: ACLs in a Small Networked Office 372
Example: Numbered ACLs 373
Examples: Extended ACLs 373
Examples: Named ACLs 374
DNS-Based Access Control Lists 375
CHAPTER 37
Information About DNS-Based Access Control Lists 375
FlexConnect in Embedded Wireless Controller 376
Roaming 376
Restrictions on DNS-Based Access Control Lists 376
Flex Mode 377
Configuring the URL Filter List (CLI) 377
Configuring the URL Filter List (GUI) 377
Applying Custom Pre-Auth DNS ACL on WLAN 378
Applying Custom Post-Auth DNS ACL on Policy Profile 378
Configuring ISE for Central Web Authentication (GUI) 379
Viewing DNS-Based Access Control Lists 379
Allowed List of Specific URLs 383
CHAPTER 38
Allowed List of Specific URLs 383
Adding URL to Allowed List 383
Verifying URLs on the Allowed List 384
Web-Based Authentication 387
CHAPTER 39
Authentication Overview 387
Device Roles 388
Authentication Process 389
Local Web Authentication Banner 389
Customized Local Web Authentication 392
Guidelines 392
Redirection URL for Successful Login Guidelines 393
How to Configure Local Web Authentication 393
Configuring Default Local Web Authentication 393
Configuring AAA Authentication (GUI) 394
Configuring AAA Authentication (CLI) 394
Configuring the HTTP/HTTPS Server (GUI) 395
Configuring the HTTP Server (CLI) 396
Creating a Parameter Map (GUI) 397
Configuring the Maximum Web Authentication Request Retries 397
Configuring a Local Banner in Web Authentication Page (GUI) 398
Configuring a Local Banner in Web Authentication Page (CLI) 398
Information About Management over Wireless 398
Configuring Management over Wireless (GUI) 399
Configuring Management over Wireless (CLI) 399
Configuration Examples for Local Web Authentication 400
Example: Obtaining Web Authentication Certificate 400
Example: Displaying a Web Authentication Certificate 401
Example: Choosing the Default Web Authentication Login Page 402
Example: Choosing a Customized Web Authentication Login Page from an IPv4 External Web Server 402
Example: Choosing a Customized Web Authentication Login Page from an IPv6 External Web Server 403
Example: Assigning Login, Login Failure, and Logout Pages per WLAN 403
Example: Configuring Preauthentication ACL 403
Example: Configuring Webpassthrough 404
Central Web Authentication 405
CHAPTER 40
Information About Central Web Authentication 405
Prerequisites for Central Web Authentication 405
How to Configure ISE 405
Creating an Authorization Profile 406
Creating an Authentication Rule 406
Creating an Authorization Rule 406
How to Configure Central Web Authentication on a Network Device 407
Configuring WLAN (GUI) 408
Configuring WLAN (CLI) 409
Configuring Policy Profile (CLI) 410
Configuring a Policy Profile (GUI) 411
Creating Redirect ACL 412
Configuring AAA for Central Web Authentication 413
Configuring Redirect ACL in Flex Profile (GUI) 413
Configuring Redirect ACL in Flex Profile (CLI) 414
Authentication for Sleeping Clients 415
Information About Authenticating Sleeping Clients 415
Restrictions on Authenticating Sleeping Clients 415
Configuring Authentication for Sleeping Clients (GUI) 416
Configuring Authentication for Sleeping Clients (CLI) 416
ISE Simplification and Enhancements 419
CHAPTER 41
Utilities for Configuring Security 419
Configuring Multiple Radius Servers 420
Verifying AAA and Radius Server Configurations 421
Configuring Captive Portal Bypassing for Local and Central Web Authentication 421
Information About Captive Bypassing 421
Configuring Captive Bypassing for WLAN in LWA and CWA (GUI) 422
Configuring Captive Bypassing for WLAN in LWA and CWA (CLI) 423
Sending DHCP Options 55 and 77 to ISE 424
Information about DHCP Option 55 and 77 424
Configuration to Send DHCP Options 55 and 77 to ISE (GUI) 424
Configuration to Send DHCP Options 55 and 77 to ISE (CLI) 424
Configuring EAP Request Timeout (GUI) 425
Configuring EAP Request Timeout 426
Configuring EAP Request Timeout in Wireless Security (CLI) 426
Captive Portal 427
Captive Portal Configuration 427
Configuring Captive Portal (GUI) 427
Configuring Captive Portal 428
Captive Portal Configuration - Example 430
Authentication and Authorization Between Multiple RADIUS Servers 433
CHAPTER 42
Information About Authentication and Authorization Between Multiple RADIUS Servers 433
Configuring 802.1X Security for WLAN with Split Authentication and Authorization Servers 434
Configuring Explicit Authentication and Authorization Server List (GUI) 434
Configuring Explicit Authentication Server List (GUI) 435
Configuring Explicit Authentication Server List (CLI) 435