Cisco Embedded Wireless Controller on Catalyst Access Points, Embedded Wireless Controller on Catalyst 9115AX Access Points, Embedded Wireless Controller on Catalyst 9117AX Access Points, Embedded Wireless Controller on Catalyst 9120AX Access Points, Embedded Wireless Controller on Catalyst 9130AX Access Points Configuration Guide

Cisco Embedded Wireless Controller on Catalyst Access Points
Configuration Guide, IOS XE Amsterdam 17.3.x
First Published: 2020-08-03
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS,
INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH
THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY,
CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of
the UNIX operating system. All rights reserved. Copyright ©1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS.
CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT
LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS
HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network
topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional
and coincidental.
All printed copies and duplicate soft copies of this document are considered uncontrolled. See the current online version for the latest version.
Cisco has more than 200 offices worldwide. Addresses and phone numbers are listed on the Cisco website at www.cisco.com/go/offices.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL:
https://www.cisco.com/c/en/us/about/legal/trademarks.html. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a
partnership relationship between Cisco and any other company. (1721R)
©2020 Cisco Systems, Inc. All rights reserved.
CONTENTS
Preface xxxvii
PREFACE
Document Conventions xxxvii
Related Documentation xxxix
Obtaining Documentation and Submitting a Service Request xxxix
Overview of Cisco Embedded Wireless Controller on Catalyst Access Points 1
CHAPTER 1
Elements of the New Configuration Model 1
Configuration Workflow 2
Initial Setup 3
System Configuration 5
PART I
System Configuration 7
CHAPTER 2
Information About New Configuration Model 7
Configuring a Wireless Profile Policy (GUI) 9
Configuring a Wireless Profile Policy (CLI) 10
Configuring a Flex Profile 11
Configuring an AP Profile (GUI) 12
Configuring an AP Profile (CLI) 14
Configuring an RF Profile (GUI) 15
Configuring an RF Profile (CLI) 16
Configuring Policy Tag (GUI) 17
Configuring a Policy Tag (CLI) 17
Configuring Wireless RF Tag (GUI) 18
Configuring Wireless RF Tag (CLI) 19
Attaching a Policy Tag and Site Tag to an AP (GUI) 20
Attaching Policy Tag and Site Tag to an AP (CLI) 20
AP Filter 21
Introduction to AP Filter 21
Set Tag Priority (GUI) 22
Set Tag Priority 22
Create an AP Filter (GUI) 23
Create an AP Filter (CLI) 23
Set Up and Update Filter Priority (GUI) 24
Set Up and Update Filter Priority 24
Verify AP Filter Configuration 24
Configuring Access Point for Location Configuration 25
Information About Location Configuration 25
Prerequisite for Location Configuration 26
Configuring a Location for an Access Point (GUI) 26
Configuring a Location for an Access Point (CLI) 26
Adding an Access Point to the Location (GUI) 27
Adding an Access Point to the Location (CLI) 28
Configuring SNMP in Location Configuration 28
SNMP MIB 28
Verifying Location Configuration 29
Verifying Location Statistics 29
Smart Licensing 31
CHAPTER 3
Information About Cisco Smart Licensing 31
Creating a Smart Account 33
Using Smart Licensing 34
Using Specified License Reservation (SLR) 34
Enabling Specified License Reservation in CSSM 35
Enabling Smart Software Licensing 36
Registering for Smart License (Connected Mode) 37
Enabling Smart License Reservation 38
Enabling Smart Call Home Reporting 38
Configuring AIR License Level (GUI) 39
Configuring AIR License Level (CLI) 39
Configuring AIR Network Essentials License Level 40
Configuring AIR Network Advantage License Level 40
Verifying Smart Licensing Configurations 41
Smart Licensing Using Policy 43
CHAPTER 4
Introduction to Smart Licensing Using Policy 43
Information About Smart Licensing Using Policy 44
Overview 44
Architecture 44
Product Instance 44
CSLU 45
CSSM 45
Controller 46
SSM On-Prem 47
Concepts 47
License Enforcement Types 47
License Duration 48
Authorization Code 48
Policy 49
RUM Report and Report Acknowledgement 50
Trust Code 50
Supported Topologies 50
Connected to CSSM Through CSLU 51
Connected Directly to CSSM 52
CSLU Disconnected from CSSM 53
Connected to CSSM Through a Controller 54
No Connectivity to CSSM and No CSLU 55
Supported Products 56
Interactions with Other Features 57
High Availability 57
Upgrades 58
Downgrades 59
How to Configure Smart Licensing Using Policy: Workflows by Topology 62
Workflow for Topology: Connected to CSSM Through CSLU 62
Workflow for Topology: Connected Directly to CSSM 65
Workflow for Topology: CSLU Disconnected from CSSM 66
Workflow for Topology: Connected to CSSM Through a Controller 69
Workflow for Topology: No Connectivity to CSSM and No CSLU 70
Migrating to Smart Licensing Using Policy 70
Example: Smart Licensing to Smart Licensing Using Policy 71
Example: SLR to Smart Licensing Using Policy 78
Example: Evaluation or Expired to Smart Licensing Using Policy 86
Task Library for Smart Licensing Using Policy 89
Logging into Cisco (CSLU Interface) 89
Configuring a Smart Account and a Virtual Account (CSLU Interface) 89
Adding a Product-Initiated Product Instance in CSLU (CSLU Interface) 90
Ensuring Network Reachability for Product Instance-Initiated Communication 90
Adding a CSLU-Initiated Product Instance in CSLU (CSLU Interface) 92
Collecting Usage Reports: CSLU Initiated (CSLU Interface) 92
Download All For Cisco (CSLU Interface) 93
Upload From Cisco (CSLU Interface) 94
Ensuring Network Reachability for CSLU-Initiated Communication 94
Setting Up a Connection to CSSM 98
Configuring Smart Transport Through an HTTPs Proxy 100
Configuring the Call Home Service for Direct Cloud Access 101
Configuring the Call Home Service for Direct Cloud Access through an HTTPs Proxy Server 104
Removing and Returning an Authorization Code 105
Removing the Product Instance from CSSM 107
Generating a New Token for a Trust Code from CSSM 108
Installing a Trust Code 108
Downloading a Policy File from CSSM 110
Uploading Usage Data to CSSM and Downloading an ACK 110
Installing a File on the Product Instance 111
Setting the Transport Type, URL, and Reporting Interval 112
Configuring an AIR License 114
Sample Resource Utilization Measurement Report 116
Troubleshooting Smart Licensing Using Policy 116
System Message Overview 116
System Messages 118
Additional References for Smart Licensing Using Policy 125
Feature History for Smart Licensing Using Policy 126
Conversion and Migration 127
CHAPTER 5
Conversion and Migration in Embedded Wireless Controller Capable APs 127
Types of Conversion 127
Access Point Conversion 128
Converting a CAPWAP AP to an Embedded Wireless Controller Capable AP 128
Converting an Embedded Wireless Controller Capable AP to a CAPWAP AP 128
Converting a Single AP to CAPWAP or Embedded Wireless Controller Capable AP (CLI) 128
AP Conversion Deployment Scenarios 129
Network Conversion 131
Converting the Network (CLI) 131
Network Conversion Deployment Scenarios 132
SKU Conversion Scenarios 133
Converting AireOS Mobility Express Network to Embedded Wireless Controller Network 134
Best Practices 135
CHAPTER 6
Introduction 135
Lightweight Access Points 137
PART II
Country Codes 139
CHAPTER 7
Information About Country Codes 139
Prerequisites for Configuring Country Codes 139
Configuring Country Codes (GUI) 140
How to Configure Country Codes 140
Configuration Examples for Configuring Country Codes 142
Viewing Channel List for Country Codes 142
AP Priority 143
CHAPTER 8
Failover Priority for Access Points 143
Setting AP Priority (GUI) 143
Setting AP Priority 144
802.11 Parameters for Cisco Access Points 145
CHAPTER 9
2.4-GHz Radio Support 145
Configuring 2.4-GHz Radio Support for the Specified Slot Number 145
5-GHz Radio Support 147
Configuring 5-GHz Radio Support for the Specified Slot Number 147
Information About Dual-Band Radio Support 149
Configuring Default XOR Radio Support 149
Configuring XOR Radio Support for the Specified Slot Number (GUI) 152
Configuring XOR Radio Support for the Specified Slot Number 152
Receiver Only Dual-Band Radio Support 154
Information About Receiver Only Dual-Band Radio Support 154
Configuring Receiver Only Dual-Band Parameters for Access Points 154
Enabling CleanAir with Receiver Only Dual-Band Radio on a Cisco Access Point (GUI) 154
Enabling CleanAir with Receiver Only Dual-Band Radio on a Cisco Access Point 154
Disabling Receiver Only Dual-Band Radio on a Cisco Access Point (GUI) 155
Disabling Receiver Only Dual-Band Radio on a Cisco Access Point 155
Configuring Client Steering (CLI) 155
Verifying Cisco Access Points with Dual-Band Radios 157
802.1x Support 159
CHAPTER 10
Introduction to the 802.1x Authentication 159
EAP-FAST Protocol 159
EAP-TLS/EAP-PEAP Protocol 160
Limitations of the 802.1x Authentication 160
Topology - Overview 160
Configuring 802.1x Authentication Type and LSC AP Authentication Type (GUI) 161
Configuring 802.1x Authentication Type and LSC AP Authentication Type 161
Configuring the 802.1x Username and Password (GUI) 162
Configuring the 802.1x Username and Password (CLI) 163
Enabling 802.1x on the Switch Port 164
Verifying 802.1x on the Switch Port 165
Verifying the Authentication Type 166
Radio Resource Management 167
PART III
Radio Resource Management 169
CHAPTER 11
Information About Radio Resource Management 169
Radio Resource Monitoring 170
Transmit Power Control 170
Overriding the TPC Algorithm with Minimum and Maximum Transmit Power Settings 170
Dynamic Channel Assignment 171
Coverage Hole Detection and Correction 173
Restrictions for Radio Resource Management 173
How to Configure RRM 173
Configuring Neighbor Discovery Type (CLI) 173
Configuring Transmit Power Control 174
Configuring the Tx-Power Control Threshold (CLI) 174
Configuring the Tx-Power Level (CLI) 174
Configuring 802.11 RRM Parameters 175
Configuring Advanced 802.11 Channel Assignment Parameters (CLI) 175
Configuring 802.11 Coverage Hole Detection (CLI) 177
Configuring 802.11 Event Logging (CLI) 178
Configuring 802.11 Statistics Monitoring (CLI) 179
Configuring the 802.11 Performance Profile (CLI) 180
Configuring Advanced 802.11 RRM 181
Enabling Channel Assignment (CLI) 181
Restarting DCA Operation 182
Updating Power Assignment Parameters (CLI) 182
Configuring Rogue Access Point Detection in RF Groups 182
Configuring Rogue Access Point Detection in RF Groups (CLI) 182
Monitoring RRM Parameters and RF Group Status 184
Monitoring RRM Parameters 184
Verifying RF Group Status (CLI) 185
Examples: RF Group Configuration 185
Information About ED-RRM 185
Configuring ED-RRM on the Cisco Wireless LAN Controller (CLI) 186
Coverage Hole Detection 187
CHAPTER 12
Coverage Hole Detection and Correction 187
Configuring Coverage Hole Detection (GUI) 187
Configuring Coverage Hole Detection (CLI) 188
Configuring CHD for RF Tag Profile (GUI) 189
Configuring CHD for RF Tag Profile (CLI) 190
Cisco Flexible Radio Assignment 191
CHAPTER 13
Information About Flexible Radio Assignment 191
Benefits of the FRA Feature 192
Configuring an FRA Radio (CLI) 192
Configuring an FRA Radio (GUI) 194
XOR Radio Support 195
CHAPTER 14
Information About Dual-Band Radio Support 195
Configuring Default XOR Radio Support 196
Configuring XOR Radio Support for the Specified Slot Number (GUI) 198
Configuring XOR Radio Support for the Specified Slot Number 198
Cisco Receiver Start of Packet 201
CHAPTER 15
Information About Receiver Start of Packet Detection Threshold 201
Restrictions for Rx SOP 201
Configuring Rx SOP (CLI) 202
Customizing RF Profile (CLI) 202
Client Limit 205
CHAPTER 16
Information About Client Limit 205
Configuring Client Limit (GUI) 205
Configuring Client Limit (CLI) 205
IP Theft 207
CHAPTER 17
Introduction to IP Theft 207
Configuring IP Theft (GUI) 208
Configuring IP Theft 208
Configuring the IP Theft Exclusion Timer 208
Verifying IP Theft Configuration 209
Unscheduled Automatic Power Save Delivery 211
CHAPTER 18
Information About Unscheduled Automatic Power Save Delivery 211
Viewing Unscheduled Automatic Power Save Delivery (CLI) 211
Enabling USB Port on Access Points 213
CHAPTER 19
USB Port as Power Source for Access Points 213
Configuring an AP Profile (CLI) 214
Configuring USB Settings for an Access Point (CLI) 214
Monitoring USB Configurations for Access Points (CLI) 215
Network Management 217
PART IV
DHCP Option82 219
CHAPTER 20
Information About DHCP Option 82 219
Configuring DHCP Option 82 Global Interface 220
Configuring DHCP Option 82 Globally Through Server Override (CLI) 220
Configuring DHCP Option 82 Globally Through Different SVIs (GUI) 221
Configuring DHCP Option 82 Globally Through Different SVIs (CLI) 221
Configuring DHCP Option 82 Format 222
Configuring DHCP Option82 Through a VLAN Interface 223
Configuring DHCP Option 82 Through Option-Insert Command (CLI) 223
Configuring DHCP Option 82 Through the server-ID-override Command (CLI) 224
Configuring DHCP Option 82 Through a Subscriber-ID (CLI) 225
Configuring DHCP Option 82 Through server-ID-override and subscriber-ID Commands (CLI) 226
Configuring DHCP Option 82 Through Different SVIs (CLI) 227
RADIUS Realm 229
CHAPTER 21
Information About RADIUS Realm 229
Enabling RADIUS Realm 230
Configuring Realm to Match the RADIUS Server for Authentication and Accounting 230
Configuring the AAA Policy for a WLAN 231
Verifying the RADIUS-Realm Configuration 233
Persistent SSID Broadcast 235
CHAPTER 22
Persistent SSID Broadcast 235
Configuring Persistent SSID Broadcast 235
Verifying Persistent SSID Broadcast 236
Network Monitoring 237
CHAPTER 23
Network Monitoring 237
System Management 239
PART V
Network Mobility Services Protocol 241
CHAPTER 24
Information About Network Mobility Services Protocol 241
Enabling NMSP On-Premises Services 242
Modifying the NMSP Notification Interval for Clients, RFID Tags, and Rogues 242
Modifying the NMSP Notification Threshold for Clients, and Tags 243
Configuring NMSP Strong Cipher 243
Verifying NMSP Settings 244
Examples: NMSP Settings Configuration 246
Probe RSSI Location 246
Configuring Probe RSSI 247
Verifying Probe RSSI 248
RFID Tag Support 248
Configuring RFID Tag Support 249
Verifying RFID Tag Support 249
Application Visibility and Control 253
CHAPTER 25
Information About Application Visibility and Control 253
Prerequisites for Application Visibility and Control 254
Restrictions for Application Visibility and Control 254
AVC Configuration Overview 255
Create a Flow Monitor 255
Create a Flow Exporter 256
Verify the Flow Exporter 256
Configure a WLAN for AVC 257
Configuring a Policy Tag 258
Attaching a Policy Profile to a WLAN Interface (GUI) 258
Attaching a Policy Profile to a WLAN Interface (CLI) 258
Attaching a Policy Profile to an AP 260
Verify the AVC Configuration 260
AVC-Based Selective Reanchoring 261
Restrictions for AVC-Based Selective Reanchoring 261
Configuring the Flow Exporter 261
Configuring the Flow Monitor 262
Configuring the AVC Reanchoring Profile 263
Configuring the Wireless WLAN Profile Policy 263
Verifying AVC Reanchoring 264
Flexible NetFlow Exporter on Embedded Wireless Controller 269
CHAPTER 26
Flexible NetFlow Exporter on Embedded Wireless Controller 269
AVC Configuration Limitations on EWC 269
Create a Flow Exporter 270
Create a Flow Monitor 270
Configuring the Wireless WLAN Profile Policy 271
Verifying Flow Exporter in Embedded Wireless Controller 272
Cisco Connected Mobile Experiences Cloud 273
CHAPTER 27
Configuring Cisco CMX Cloud 273
Verifying Cisco CMX Cloud Configuration 274
EDCA Parameters 277
CHAPTER 28
Enhanced Distributed Channel Access Parameters 277
Configuring EDCA Parameters (GUI) 277
Configuring EDCA Parameters (CLI) 278
802.11 parameters and Band Selection 281
CHAPTER 29
Information About Configuring Band Selection, 802.11 Bands, and Parameters 281
Band Select 281
802.11 Bands 282
802.11n Parameters 282
802.11h Parameters 282
Restrictions for Band Selection, 802.11 Bands, and Parameters 282
How to Configure 802.11 Bands and Parameters 283
Configuring Band Selection (GUI) 283
Configuring Band Selection (CLI) 284
Configuring the 802.11 Bands (GUI) 285
Configuring the 802.11 Bands (CLI) 286
Configuring a Band-Select RF Profile (GUI) 288
Configuring 802.11n Parameters (GUI) 288
Configuring 802.11n Parameters (CLI) 289
Configuring 802.11h Parameters (CLI) 291
Monitoring Configuration Settings for Band Selection, 802.11 Bands, and Parameters 292
Verifying Configuration Settings Using Band Selection and 802.11 Bands Commands 292
Example: Viewing the Configuration Settings for the 5-GHz Band 292
Example: Viewing the Configuration Settings for the 2.4-GHz Band 294
Example: Viewing the status of 802.11h Parameters 296
Example: Verifying the Band-Selection Settings 296
Configuration Examples for Band Selection, 802.11 Bands, and Parameters 296
Examples: Band Selection Configuration 296
Examples: 802.11 Bands Configuration 297
Examples: 802.11n Configuration 297
Examples: 802.11h Configuration 298
Image Download 299
CHAPTER 30
Information About Image Download 299
Updates to the AP Image Predownload Status (GUI) 299
Image Download Scenarios 300
Image Download During AP Join 300
Network Software Upgrade (Pre-Download) 301
Methods Supported for Image Download 301
TFTP Image Download Method 302
SFTP Image Download Method 302
Desktop (HTTP) Image Download Method 302
Prerequisites for Image Download 302
Configuring Image Download Profile 303
Configuring TFTP Image Download (GUI) 303
Configuring TFTP Image Download (CLI) 304
Configuring SFTP Image Download (GUI) 305
Configuring SFTP Image Download (CLI) 305
Configuring Desktop (HTTP) Image Download (GUI) 306
Initiating Pre-Download (CLI) 307
Verifying Image Download 309
Conditional Debug and Radioactive Tracing 311
CHAPTER 31
Introduction to Conditional Debugging 311
Introduction to Radioactive Tracing 311
Conditional Debugging and Radioactive Tracing 312
Location of Tracefiles 312
Configuring Conditional Debugging (GUI) 313
Configuring Conditional Debugging 313
Recommended Workflow for Trace files 314
Copying Tracefiles Off the Box 315
Configuration Examples for Conditional Debugging 316
Verifying Conditional Debugging 316
Example: Verifying Radioactive Tracing Log for SISF 316
Aggressive Client Load Balancing 319
CHAPTER 32
Information About Aggressive Client Load Balancing 319
Enabling Aggressive Client Load Balancing (GUI) 320
Configuring Aggressive Client Load Balancing (GUI) 320
Configuring Aggressive Client Load Balancing (CLI) 321
Accounting Identity List 323
CHAPTER 33
Configuring Accounting Identity List (GUI) 323
Configuring Accounting Identity List (CLI) 323
Configuring Client Accounting (GUI) 324
Configuring Client Accounting (CLI) 324
Volume Metering 327
CHAPTER 34
Configuring Volume Metering 327
Enabling Syslog Messages in Access Points and Controller for Syslog Server 329
CHAPTER 35
Information About Enabling Syslog Messages in Access Points and Embedded Wireless Controller for Syslog Server 329
Configuring Syslog Server for an AP Profile 330
Configuring Syslog Server for the Controller (GUI) 332
Configuring Syslog Server for the Embedded Wireless Controller 333
Verifying Syslog Server Configurations 334
Introduction to Software Maintenance Upgrade 339
CHAPTER 36
Overview of Controller SMUs 340
Managing Controller Hot or Cold SMU Package 341
Creating SMU Files (GUI) 342
Configuration Examples for SMU 343
Rolling AP Upgrade 345
Rolling AP Upgrade Process 345
Verifying AP Upgrade on the Controller 346
AP Device Pack (APDP) and AP Service Pack (APSP) 347
APSP and APDP 347
Managing APSP and APDP 348
Configuring the APSP and APDP Files (GUI) 348
Configuring the TFTP Server Directory 348
Configuring the SFTP Server Directory 349
Positive Workflow - APSP and APDP 351
Rollback and Cancel 352
Verifying APDP on the Embedded Wireless Controller 353
Security 355
PART VI
IPv4 ACLs 357
CHAPTER 37
Information about Network Security with ACLs 357
ACL Overview 357
Access Control Entries 357
ACL Supported Types 358
Supported ACLs 358
ACL Precedence 358
Port ACLs 358
Router ACLs 359
VLAN Maps 360
ACEs and Fragmented and Unfragmented Traffic 360
ACEs and Fragmented and Unfragmented Traffic Examples 361
Standard and Extended IPv4 ACLs 361
IPv4 ACL Switch Unsupported Features 362
Access List Numbers 362
Numbered Standard IPv4 ACLs 363
Numbered Extended IPv4 ACLs 363
Named IPv4 ACLs 364
ACL Logging 364
Hardware and Software Treatment of IP ACLs 365
IPv4 ACL Interface Considerations 365
Restrictions for Configuring IPv4 Access Control Lists 365
How to Configure ACLs 366
Configuring IPv4 ACLs (GUI) 366
Configuring IPv4 ACLs 367
Creating a Numbered Standard ACL (GUI) 367
Creating a Numbered Standard ACL (CLI) 367
Creating a Numbered Extended ACL (GUI) 369
Creating a Numbered Extended ACL (CLI) 369
Creating Named Standard ACLs (GUI) 373
Creating Named Standard ACLs 373
Creating Extended Named ACLs (GUI) 375
Creating Extended Named ACLs 375
Applying an IPv4 ACL to an Interface (GUI) 377
Applying an IPv4 ACL to an Interface (CLI) 377
Monitoring IPv4 ACLs 378
Configuration Examples for ACLs 379
Examples: Including Comments in ACLs 379
IPv4 ACL Configuration Examples 380
ACLs in a Small Networked Office 380
Examples: ACLs in a Small Networked Office 380
Example: Numbered ACLs 381
Examples: Extended ACLs 381
Examples: Named ACLs 382
DNS-Based Access Control Lists 383
CHAPTER 38
Information About DNS-Based Access Control Lists 383
FlexConnect in Embedded Wireless Controller 384
Roaming 384
Restrictions on DNS-Based Access Control Lists 384
Flex Mode 385
Configuring the URL Filter List (CLI) 385
Configuring the URL Filter List (GUI) 385
Applying Custom Pre-Auth DNS ACL on WLAN 386
Applying Custom Post-Auth DNS ACL on Policy Profile 386
Configuring ISE for Central Web Authentication (GUI) 387
Viewing DNS-Based Access Control Lists 387
Allowed List of Specific URLs 391
CHAPTER 39
Allowed List of Specific URLs 391
Adding URL to Allowed List 391
Verifying URLs on the Allowed List 392
Web-Based Authentication 395
CHAPTER 40
Authentication Overview 395
Device Roles 396
Authentication Process 397
Local Web Authentication Banner 397
Customized Local Web Authentication 400
Guidelines 400
Redirection URL for Successful Login Guidelines 401
How to Configure Local Web Authentication 401
Configuring Default Local Web Authentication 401
Configuring AAA Authentication (GUI) 402
Configuring AAA Authentication (CLI) 402
Configuring the HTTP/HTTPS Server (GUI) 403
Configuring the HTTP Server (CLI) 404
Creating a Parameter Map (GUI) 405
Configuring the Maximum Web Authentication Request Retries 405
Configuring a Local Banner in Web Authentication Page (GUI) 406
Configuring a Local Banner in Web Authentication Page (CLI) 406
Information About Management over Wireless 406
Configuring Management over Wireless (GUI) 407
Configuring Management over Wireless (CLI) 407
Configuration Examples for Local Web Authentication 408
Example: Obtaining Web Authentication Certificate 408
Example: Displaying a Web Authentication Certificate 409
Example: Choosing the Default Web Authentication Login Page 410
Example: Choosing a Customized Web Authentication Login Page from an IPv4 External Web Server 410
Example: Choosing a Customized Web Authentication Login Page from an IPv6 External Web Server 411
Example: Assigning Login, Login Failure, and Logout Pages per WLAN 411
Example: Configuring Preauthentication ACL 411
Example: Configuring Webpassthrough 412
Central Web Authentication 413
CHAPTER 41
Information About Central Web Authentication 413
Prerequisites for Central Web Authentication 413
How to Configure ISE 413
Creating an Authorization Profile 414
Creating an Authentication Rule 414
Creating an Authorization Rule 414
How to Configure Central Web Authentication on a Network Device 415
Configuring WLAN (GUI) 416
Configuring WLAN (CLI) 417
Configuring Policy Profile (CLI) 418
Configuring a Policy Profile (GUI) 419
Creating Redirect ACL 420
Configuring AAA for Central Web Authentication 421
Configuring Redirect ACL in Flex Profile (GUI) 421
Configuring Redirect ACL in Flex Profile (CLI) 422
Authentication for Sleeping Clients 423
Information About Authenticating Sleeping Clients 423
Restrictions on Authenticating Sleeping Clients 423
Configuring Authentication for Sleeping Clients (GUI) 424
Configuring Authentication for Sleeping Clients (CLI) 424
ISE Simplification and Enhancements 427
CHAPTER 42
Utilities for Configuring Security 427
Configuring Multiple Radius Servers 428
Verifying AAA and Radius Server Configurations 429
Configuring Captive Portal Bypassing for Local and Central Web Authentication 429
Information About Captive Bypassing 429
Configuring Captive Bypassing for WLAN in LWA and CWA (GUI) 430
Configuring Captive Bypassing for WLAN in LWA and CWA (CLI) 431
Sending DHCP Options 55 and 77 to ISE 432
Information about DHCP Option 55 and 77 432
Configuration to Send DHCP Options 55 and 77 to ISE (GUI) 432
Configuration to Send DHCP Options 55 and 77 to ISE (CLI) 432
Configuring EAP Request Timeout (GUI) 433
Configuring EAP Request Timeout 434