Channel: WLC Management – mrn-cciew

Backup & Restore WLC configs


On a Cisco switch or router running IOS, taking a configuration backup & restoring it is a very easy task. You can simply back up your router/switch configuration to the flash disk with the “copy run flash” CLI command. Below is the CLI command to back up a device config to a file named “backup-2013-01-25” & store it on the flash disk.

#copy running-config flash:backup-2013-01-25

In a situation where you have corrupted configs, or for any other reason you want to restore a backup config, you can do it very easily. Once you console into the device you can erase the startup config with the “erase startup-config” CLI command & then reload the device. Once it boots up with zero config you can simply load the backup config with “copy flash:backup-2013-01-25 running-config” & then save the config.

For my CCIEW lab studies I have to load an initial configuration into a WLC very frequently. On a WLC you have to use the TFTP or FTP method to upload or download a configuration file from or to the WLC. Even though it is not as simple as on IOS devices, the process is not that complex either. But you have to practice it multiple times to remember the CLI commands involved (you can do this via the WLC GUI as well).

Let’s say you have to replace your WLC with a new one (same hardware model) due to some issue. First you need to upload the existing WLC configuration to a TFTP/FTP server running on your laptop. To do this you can simply connect your PC to the WLC’s service port & assign your PC an IP in the same subnet as the WLC’s service port. Below shows the 5508 controller ports; number 2 is the service port where you need to connect your PC.

WLC-Backup1

If the WLC’s service port is not configured, you can simply assign an IP to that port via the console CLI (I preferred the CLI method as it is much faster for me than loading the GUI). You can do this with the following CLI command, assuming your PC has a 192.168.1.x/24 address.

<WLC> config interface address service-port 192.168.1.200 255.255.255.0

Then open up your TFTP or FTP application on your PC. I have used the TFTP method in this example, as shown in the screenshot below.

WLC-Backup2

Now you are ready to upload the WLC config to your TFTP server from the WLC CLI console. The screenshot below shows the CLI commands required.

(WLC1) >transfer upload mode tftp
(WLC1) >transfer upload datatype config
(WLC1) >transfer upload filename wlc-backup-2013-01-25
(WLC1) >transfer upload path .
(WLC1) >transfer upload serverip 192.168.1.3
(WLC1) >transfer upload start

Mode............................................. TFTP  
TFTP Server IP................................... 192.168.1.3
TFTP Path........................................ ./
TFTP Filename.................................... wlc-backup-2013-01-25
Data Type........................................ Config File 
Encryption....................................... Disabled
**************************************************
***  WARNING: Config File Encryption Disabled  ***
**************************************************
Are you sure you want to start? (y/N) y
TFTP Config transfer starting.
########
File transfer operation completed successfully.

The transfer upload datatype can be any of the following, but for a configuration backup you need to select the “config” option. A transfer upload path of “.” means the root folder you selected in your TFTP server application.

(WLC1) >transfer upload datatype ?

ap-crash-data  Upload the ap-crash files.
config         Upload the system's configuration file.
crashfile      Upload the system's crash file.
debug-file     Upload the system's debug log file.
errorlog       Upload the system's error log.
invalid-config Upload the system's invalid-config file.
pac            Upload a PAC (Protected Access Credential).
panic-crash-file Upload the Kernel Panic Information file.
radio-core-dump Upload the ap-radio core dump files.
signature      Upload the system's signature files.
systemtrace    Upload the system's trace file.
traplog        Upload the system's trap log.
watchdog-crash-file Upload the Watchdog Information file.

Now you have to download this config onto your new controller, which has zero config. Through the configuration wizard you can configure the initial parameters required. Remember to configure the service port in the same subnet as your TFTP/FTP PC.

Would you like to terminate autoinstall? [yes]: yes

System Name [Cisco_43:d8:63] (31 characters max): WLC1
Enter Administrative User Name (24 characters max): admin
Enter Administrative Password (3 to 24 characters): ***********
Re-enter Administrative Password                 : ***********
Service Interface IP Address Configuration [static][DHCP]: static
Service Interface IP Address: 192.168.1.200
Service Interface Netmask: 255.255.255.0
Enable Link Aggregation (LAG) [yes][NO]: no
Management Interface IP Address: 10.10.111.10
Management Interface Netmask: 255.255.255.0
Management Interface Default Router: 10.10.111.1
Management Interface VLAN Identifier (0 = untagged): 111
Management Interface Port Num [1 to 2]: 1
Management Interface DHCP Server IP Address: 192.168.200.1
AP Manager Interface IP Address: 10.10.111.11
AP-Manager is on Management subnet, using same values
AP Manager Interface DHCP Server (192.168.200.1): 
Virtual Gateway IP Address: 1.1.1.1
Mobility/RF Group Name: mrn-cciew
Network Name (SSID): MRN-VOIP
Configure DHCP Bridging Mode [yes][NO]: no
Allow Static IP Addresses [YES][no]: no
Configure a RADIUS Server now? [YES][no]: no
Enter Country Code list (enter 'help' for a list of countries) [US]: AU
Enable 802.11b Network [YES][no]: no
Enable 802.11a Network [YES][no]: no
Enable Auto-RF [YES][no]: yes
Configure a NTP server now? [YES][no]: no
Configure the system time now? [YES][no]: no

Configuration correct? If yes, system will save it and reset. [yes][NO]:

Once the controller boots up with the basic config, you can download your original controller backup configuration from the TFTP server. See the screenshot below.

(Cisco Controller) >transfer download mode tftp
(Cisco Controller) >transfer download datatype config
(Cisco Controller) >transfer download filename wlc-backup-2013-01-25
(Cisco Controller) >transfer download path .
(Cisco Controller) >transfer download serverip 192.168.1.3
(Cisco Controller) >transfer download start

Mode............................................. TFTP  
Data Type........................................ Config        
TFTP Server IP................................... 192.168.1.3
TFTP Packet Timeout.............................. 6
TFTP Max Retries................................. 10
TFTP Path........................................ ./
TFTP Filename.................................... backup-2013-01-25
Encrypt/Decrypt Flag............................. Disabled

Warning: Downloading configuration will cause the controller to reset...

This may take some time.
Are you sure you want to start? (y/N) y

TFTP Config transfer starting.
TFTP receive complete... updating configuration.
Warning! No AP will come up unless the time is set.
 Please see documentation for more details.

TFTP receive complete... storing in flash.
System being reset.
Resetting system ...

In the download scenario the following options are available; we selected the “config” option as we are downloading a configuration file onto the WLC. For a controller software upgrade you need to select the “code” keyword.

(WLC1) >transfer download datatype ?

code           Download an executable image to the system.
config         Download Configuration File.
eapcacert      Download a eap ca certificate to the system.
eapdevcert     Download a eap dev certificate to the system.
icon           Download an executable image to the system.
image          Download a web page logo to the system.
login-banner   Download controller login banner. (Only Text file supported: Max 1500 bytes & 18 lines, Non printable characters not supported) 
signature      Download a signature file to the system.
webadmincert   Download a certificate for web administration to the system.
webauthbundle  Download a custom webauth bundle to the system.
webauthcert    Download a web certificate for web portal to the system.

The WLC configuration guide, “Chapter 10 – Managing Controller Software & Configurations”, explains this topic in detail. Please refer to it for more details.



Syslog & Msg Log in WLC


Here are a few syslog messages from a Cisco switch. Each syslog message has common parameters such as Facility, Severity & Mnemonic.

%SYS-5-CONFIG_I: Configured from console by consol
%STACKMGR-4-SWITCH_ADDED: Switch 1 has been ADDED to the stack
%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
%SPANTREE-5-EXTENDED_SYSID: Extended SysId enabled for type vlan

You can send these syslog messages to the console, a buffer, a monitor (VTY session) or a host, depending on your requirement. The most common is sending to a remote host (a syslog server). For troubleshooting you can configure a device to send them to the console, to the monitor (if you log in remotely) or to the buffer. The following example shows a syslog configuration done on a Cisco IOS device.

logging 192.168.100.10
logging facility local5
logging buffered 100000 notification
logging trap notifications
logging source-interface Loopback0

There are 8 severity levels for syslog messages. Once you configure a severity level, all syslog messages at that level & below (by numerical value) are sent to the syslog server.

0 – Emergency
1 – Alert
2 – Critical
3 – Error
4 – Warning
5 – Notification
6 – Informational
7 – Debugging
I remember this using “Every Airplane comes with Critical Errors & Warning Notification Information Display”.
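An added detection-side example, not code from the post: a Python parser for the “%FACILITY-SEVERITY-MNEMONIC: text” message format shown above that applies the same rule as “logging trap <level>”, keeping only messages whose severity number is at or below the configured level. The function names are mine; the first four sample lines are the switch messages quoted above and the last three are constructed.

```python
"""Parse Cisco '%FACILITY-SEVERITY-MNEMONIC: text' syslog lines and apply the
filter that 'logging trap <level>' implies: a message is forwarded only when its
severity number is less than or equal to the configured level."""
import re

# Severity names as the post lists them, plus the plural keywords IOS accepts.
SEVERITY_BY_NAME = {
    "emergency": 0, "emergencies": 0, "alert": 1, "alerts": 1, "critical": 2,
    "error": 3, "errors": 3, "warning": 4, "warnings": 4,
    "notification": 5, "notifications": 5, "informational": 6, "debugging": 7,
}

# Facility and mnemonic are upper-case words (digits and underscores allowed).
SYSLOG_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)"
)


def severity_number(level):
    """Accept either a number 0-7 or a level keyword such as 'Error' or 'notifications'."""
    if isinstance(level, int):
        if not 0 <= level <= 7:
            raise ValueError(f"severity {level} outside 0-7")
        return level
    try:
        return SEVERITY_BY_NAME[level.strip().lower()]
    except KeyError:
        raise ValueError(f"unknown severity keyword {level!r}") from None


def parse(line):
    """Split one syslog line into facility, severity (int), mnemonic and text; None if no match."""
    m = SYSLOG_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["severity"] = int(fields["severity"])
    return fields


def forwarded(lines, trap_level):
    """Messages that a 'logging trap <trap_level>' setting would send to the syslog host."""
    limit = severity_number(trap_level)
    return [p for p in map(parse, lines) if p is not None and p["severity"] <= limit]


# First four lines: the switch messages quoted in the post. Last three: constructed.
SAMPLE_LOG = [
    "%SYS-5-CONFIG_I: Configured from console by consol",
    "%STACKMGR-4-SWITCH_ADDED: Switch 1 has been ADDED to the stack",
    "%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down",
    "%SPANTREE-5-EXTENDED_SYSID: Extended SysId enabled for type vlan",
    "%LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to down",
    "%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.7]",
    "%SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.100.10 started",
]

if __name__ == "__main__":
    # Same level as the post's 'logging trap notifications' example.
    for msg in forwarded(SAMPLE_LOG, "notifications"):
        print(f"{msg['severity']} {msg['facility']}-{msg['mnemonic']}: {msg['text']}")
```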

To configure syslog on a Cisco WLC you go to the “Management > Logs > Config” section. The syslog level shown in the drop-down box is not in severity order, so you have to know the severity number for each classification; e.g. if you are asked to configure severity level 3 & above, you have to select “Error” here. The syslog facility can be used to differentiate syslog messages coming from certain devices; e.g. you can configure all routers’ syslog to one facility & all switches’ syslog to another facility.

Syslog-01

You can also configure message logs to be stored locally on the controller in the same section, where you can configure the buffer & console log levels. You can configure those via the CLI as well. The following shows the options available for configuration.

(WLC1) >config logging ?        

buffered       Set buffered logging parameters.
console        Set console logging parameters.
debug          Set debug message logging parameters.
exception      Limit size of exception flush output.
fileinfo       Set source file information logging parameters.
syslog         Configure parameters for outgoing syslog mesages.
traceinfo      Set traceback information logging parameters.

By using the WLC CLI you can configure advanced options for syslog. Below shows the advanced config options available for a particular frequency band (in this case 802.11a, or 5 GHz).

(WLC1) >show advanced 802.11a logging 
RF Event and Performance Logging
  Channel Update Logging......................... Off
  Coverage Profile Logging....................... Off
  Foreign Profile Logging........................ Off
  Load Profile Logging........................... Off
  Noise Profile Logging.......................... Off
  Performance Profile Logging.................... Off
  TxPower Update Logging......................... Off

You can configure any of these with the “config advanced <802.11a|802.11b> logging < > <on|off>” command. As you can see above, all are off by default.

(WLC1) >config advanced 802.11a logging ?        
channel        802.11a channel change logging mode.
coverage       802.11a coverage profile logging mode.
foreign        802.11a foreign interference profile logging mode.
load           802.11a load profile logging mode.
noise          802.11a noise profile logging mode.
performance    802.11a performance profile logging mode.
txpower        802.11a transmit power change logging mode.

(WLC1) >config advanced 802.11a logging channel ?              
on             Turns on 802.11a channel logging
off            Turns off 802.11a channel logging

Access Point related syslog messages can be configured only via the CLI. You can configure syslog from all APs (global) or from a specific AP (specific) by using the “config ap syslog host” command.

(WLC1) >config ap syslog host ?
global         Configures the global system logging host for all Cisco AP
specific       Configures the system logging host for a specific Cisco AP.
!
(WLC1) >config ap syslog host specific HQ-AP1 192.168.100.10

You can go through the “Cisco Wireless LAN Controller Command Reference, Release 7.0” for all commands available in the 7.0 release, which is tested in the CCIEW 2.0 lab exam.


WLC Login Banner


Here is the way you set up a login banner for the WLC. First of all you have to create your banner in Notepad and save it as a .txt file. Then you have to download this onto the WLC using a TFTP server. You can use WCS (as it has a TFTP server running on it) or you can use a different TFTP server as well. I have created a txt file called “WLC-banner.txt” for this.

Then go to the “Commands > Download File” section, select File Type “Login Banner” & transfer mode “TFTP”. Fill in the rest of the details as required & then initiate the download.

WLC-Banner

You can do the same via the CLI as well. Here are the config commands to download this banner onto the WLC via the CLI.

(WLC1) >transfer download datatype login-banner
(WLC1) >transfer download mode tftp 
(WLC1) >transfer download filename WLC-banner.txt
(WLC1) >transfer download serverip 192.168.1.9
(WLC1) >transfer download path .
(WLC1) >transfer download start 

Mode............................................. TFTP  
Data Type........................................ Login Banner
TFTP Server IP................................... 192.168.1.9
TFTP Packet Timeout.............................. 6
TFTP Max Retries................................. 10
TFTP Path........................................ ./
TFTP Filename.................................... WLC-banner.txt

This may take some time.
Are you sure you want to start? (y/N) y
TFTP Login Banner transfer starting.
TFTP receive complete... checking login banner.
Successfully installed new login banner file.

Once the download process is complete you can verify it by logging out & back in to the controller (either CLI or GUI). Here is my login screen afterwards.

WLC-Banner-02

Here is what you will see once you log in via the CLI:

***** Hey Rasika !!! You have less than 90 days left... 
Study hard to become a CCIE Wireless *****
(WLC1) 
User: admin
Password:***********
(WLC1) >

You can clear the login banner via “Commands > Login Banner > Clear” as shown below.

WLC-Banner-03

In the CLI, you can use the “clear login-banner” command to do this.
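An added example, not part of the original post: a Python check that validates the banner text file against the limits the WLC quotes for the login-banner datatype earlier on this page (text only, max 1500 bytes, max 18 lines, no non-printable characters) before the file is handed to the TFTP server. The function names are mine, and treating a tab as non-printable is an assumption.

```python
"""Check a WLC login banner file against the limits the WLC's
'transfer download datatype login-banner' help quotes: text only,
max 1500 bytes, max 18 lines, no non-printable characters."""
import string

MAX_BYTES = 1500
MAX_LINES = 18
# Printable ASCII without whitespace controls. Assumption: a tab counts as
# non-printable; CR LF (what Notepad writes) and LF are accepted as line endings.
PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")


def check_banner(data: bytes) -> list:
    """Return the list of problems found; an empty list means the file is within limits."""
    problems = []
    if len(data) > MAX_BYTES:
        problems.append(f"{len(data)} bytes exceeds the {MAX_BYTES}-byte limit")
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError as exc:
        problems.append(f"non-ASCII byte 0x{data[exc.start]:02x} at offset {exc.start}")
        return problems
    body = text.replace("\r\n", "\n")
    if body.endswith("\n"):
        body = body[:-1]          # a trailing newline does not start a new line
    lines = body.split("\n")
    if len(lines) > MAX_LINES:
        problems.append(f"{len(lines)} lines exceeds the {MAX_LINES}-line limit")
    for number, line in enumerate(lines, 1):
        # A lone CR stays inside the line here and is reported as non-printable.
        bad = sorted({c for c in line if c not in PRINTABLE})
        if bad:
            problems.append(f"line {number}: non-printable character(s) {bad!r}")
    return problems


def check_banner_file(path: str) -> list:
    """Same check, reading the file as bytes so the size is counted as TFTP sends it."""
    with open(path, "rb") as fh:
        return check_banner(fh.read())


# The banner text from the post, as Notepad on Windows would save it (CR LF endings).
SAMPLE_BANNER = (b"***** Hey Rasika !!! You have less than 90 days left... \r\n"
                 b"Study hard to become a CCIE Wireless *****\r\n")

if __name__ == "__main__":
    print(check_banner(SAMPLE_BANNER) or "banner OK")
```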


Configuring SNMP on WLC


You can configure SNMP on a Cisco WLC via the CLI or GUI. In the GUI you have to go to the “Management > SNMP” section. The screenshot below shows the General tab under the SNMP section, where you can enable/disable SNMP & configure syscontact/syslocation information.

WLC-SNMP-01

You can do this via the CLI using the commands below.

config
snmp version v2c enable
snmp syslocation HeadQuarters-WLC1
snmp syscontact 0394444444

Then if you go to the “Communities” section under SNMP you can configure the SNMP community values you require. Access mode can be either “read-only” or “read-write”. You have to set the status to “Enable”. Since you can add only a single IP range, it should cover all your SNMP servers (if you have multiple); keep in mind the WCS IP should be part of this range. Therefore, if your SNMP servers & WCS server are in two discrete subnets (like 192.168.x.x & 10.x.x.x), it is very difficult to combine these into a single range & you have to use the default address & mask of 0.0.0.0 0.0.0.0.

WLC-SNMP-02

Here are the commands to define this via the CLI. I have created two SNMP communities called “mrn-ro” & “mrn-rw” with read-only & read-write capability respectively.

snmp community create mrn-ro
snmp community mode enable mrn-ro
snmp community ipaddr 192.168.100.0 255.255.255.0 mrn-ro
snmp community accessmode ro mrn-ro

!
snmp community create mrn-rw
snmp community mode enable mrn-rw
snmp community ipaddr 192.168.100.0 255.255.255.0 mrn-rw
snmp community accessmode rw mrn-rw
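An added example, not from the post: a Python helper that derives the single “snmp community ipaddr” network and mask that admits every SNMP manager you list, and flags the case described above, where managers on discrete subnets force 0.0.0.0 0.0.0.0 and the community string is then accepted from any source address. The function names and the 10.10.111.10 manager address are my assumptions.

```python
"""Work out the single 'snmp community ipaddr <network> <mask>' range a WLC
community must carry so that every SNMP manager (NMS hosts and the WCS server)
is admitted, and flag when that range degenerates to 0.0.0.0 0.0.0.0, which
accepts the community string from any source address."""
import ipaddress


def covering_network(managers):
    """Smallest IPv4 network containing every manager address or subnet given."""
    nets = [ipaddress.ip_network(m, strict=False) for m in managers]  # bare hosts become /32
    if not nets:
        raise ValueError("at least one manager address is required")
    if any(n.version != 4 for n in nets):
        raise ValueError("this helper handles IPv4 managers only")
    net = nets[0]
    while not all(n.subnet_of(net) for n in nets):
        net = net.supernet()      # widen by one prefix bit until everything fits
    return net


def community_ipaddr_line(name, managers):
    """WLC CLI line for the community, plus True when the range is wide open (/0)."""
    net = covering_network(managers)
    line = f"snmp community ipaddr {net.network_address} {net.netmask} {name}"
    return line, net.prefixlen == 0


def admits(managers, source):
    """Would a community scoped to the covering range accept a query from `source`?"""
    return ipaddress.ip_address(source) in covering_network(managers)


if __name__ == "__main__":
    # Managers on one subnet, like the post's 192.168.100.0/24 example.
    same_subnet = ["192.168.100.3", "192.168.100.10"]
    # Constructed: WCS on one subnet and an NMS on another, the case the post warns about.
    split_subnets = ["192.168.100.3", "10.10.111.10"]
    for managers in (same_subnet, split_subnets):
        line, wide_open = community_ipaddr_line("mrn-ro", managers)
        print(line, "  <-- community accepted from any source" if wide_open else "")
```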

You can also configure an SNMP trap receiver to which the WLC sends its SNMP trap messages. Here “Community Name” means the SNMP trap receiver name & does not have the same significance as an SNMP community value.

WLC-SNMP-02-1

Here are the CLI commands to achieve that.

snmp trapreceiver create WCS 192.168.100.3
snmp trapreceiver mode enable WCS

You can control which SNMP traps you want to send to this trap receiver via the Trap Control section under SNMP. Below is a screenshot of a few of the control options available.

WLC-SNMP-02-2

To configure SNMPv3 using the GUI you go to the “SNMP v3 Users” section under SNMP. You have to give a user profile name (similar to the community value in SNMP v2) & access mode. You also need to specify the authentication protocol & password, and the privacy protocol & password, to complete this.

WLC-SNMP-02-3

Using the CLI you can configure this with the “config snmp v3user create” command.

config snmp v3user create mrncciew-snmpv3 rw hmacsha aescfb128 rasikanayanajith rasikanayanajith

You can use the “config snmp v3user delete” command to delete an existing SNMPv3 user on the WLC. Below is the CLI command to delete the “default” user that comes with the WLC factory-default config.

config snmp v3user delete default

*** The SNMPv3 documentation says to reboot the controller so that the SNMPv3 user you added takes effect. So it is good practice to reboot the controller once you create an SNMPv3 user ***

Once you have configured SNMP on your wireless controllers you can add them to WCS using “Configure > Controllers > Add Controllers”. Below shows adding a WLC to my WCS using the SNMPv3 user created on the WLC.

WLC-SNMP-03

Once the WLC is successfully added to WCS you will see a screen similar to the one below.

WLC-SNMP-04

As an additional side note, here are the CLI commands required to configure SNMP on an ACS server. It is identical to how we configure SNMP on a normal IOS router/switch.
acs01/admin(config)# snmp-server host 192.168.100.10 version 2c mrn-ro
acs01/admin(config)# snmp-server community mrn-ro

Update as of 20th May 2013.
Once I raised the question in the Cisco support forum regarding the requirement of a reload after configuring SNMPv3, they confirmed it was a documentation error & no reboot is required for any 7.x version of WLC code after configuring SNMPv3 (refer to CSCua09707 or the Cisco Support forum post below).

Does WLC require reboot after configuring SNMPv3 ?


Downgrading WLC software


Normally, downgrading WLC software is not recommended, especially from one major version to another, as the feature set may not be compatible & the downgrade process may not go smoothly.

But in certain cases you have to downgrade the software code of your WLC. In my case I got 4402 with 7.0.230.0 code & I had to downgrade it to 7.0.116.0 for my lab studies.

(4402-a) >show sysinfo
Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 7.0.230.0
RTOS Version..................................... 7.0.230.0
Bootloader Version............................... 7.0.230.0
Emergency Image Version.......................... 7.0.230.0
Build Type....................................... DATA + WPS
System Name...................................... 4402-a
System Location.................................. 
System Contact................................... 
System ObjectID.................................. 1.3.6.1.4.1.14179.1.1.4.3
IP Address....................................... 10.10.20.100

Once you download the correct software image from cisco.com you can start the process of downloading the image to the WLC (if you are working with a WLC in production, it is always advised to take a configuration backup prior to this). Once downloaded it will automatically extract the files & downgrade the image. Once everything is finished it will prompt you to reload the WLC.

(4402-a) >transfer download mode tftp
(4402-a) >transfer download datatype code
(4402-a) >transfer download serverip 192.168.20.107
(4402-a) >transfer download path .
(4402-a) >transfer download filename AIR-WLC4400-K9-7-0-116-0.aes
(4402-a) >transfer download start 

Mode............................................. TFTP  
Data Type........................................ Code          
TFTP Server IP................................... 192.168.20.107
TFTP Packet Timeout.............................. 6
TFTP Max Retries................................. 10
TFTP Path........................................ ./
TFTP Filename.................................... AIR-WLC4400-K9-7-0-116-0.aes

This may take some time.
Are you sure you want to start? (y/N) y

TFTP Code transfer starting.
TFTP receive complete... extracting components.
Executing backup script.
Writing new RTOS to flash disk.
Writing new Code to flash disk.
Writing new APIB to flash disk.
Executing install_apib script.
Executing fini script.
TFTP File transfer is successful.
  Reboot the controller for update to complete.
  Optionally, pre-download the image to APs before rebooting to reduce network downtime.

(4402-a) >reset system 
The system has unsaved changes.
Would you like to save them now? (y/N) y
Configuration Saved!
System will now restart!

Once reloaded you can verify the software version by “show sysinfo” CLI command.

(4402-a) >show sysinfo
Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 7.0.116.0
RTOS Version..................................... 7.0.116.0
Bootloader Version............................... 7.0.230.0
Emergency Image Version.......................... 7.0.230.0
Build Type....................................... DATA + WPS
System Name...................................... 4402-a
System Location.................................. 
System Contact................................... 
System ObjectID.................................. 1.3.6.1.4.1.14179.1.1.4.3
IP Address....................................... 10.10.20.100

As you can see, the bootloader version is still 7.0.230.0. So it is advisable to downgrade the bootloader version as well. You can download the bootloader file “AIR-WLC4400-K9-7-0-116-0-ER.aes” & download it to the WLC in the same manner.

(4402-a) >transfer download mode tftp 
(4402-a) >transfer download datatype co
(4402-a) >transfer download datatype code
(4402-a) >transfer download path .
(4402-a) >transfer download filename AIR-WLC4400-K9-7-0-116-0-ER.aes
(4402-a) >transfer download serverip 192.168.20.107
(4402-a) >transfer download start 

Mode............................................. TFTP  
Data Type........................................ Code          
TFTP Server IP................................... 192.168.20.107
TFTP Packet Timeout.............................. 6
TFTP Max Retries................................. 10
TFTP Path........................................ ./
TFTP Filename.................................... AIR-WLC4400-K9-7-0-116-0-ER.aes

This may take some time.
Are you sure you want to start? (y/N) y
TFTP Code transfer starting.
TFTP receive complete... extracting components.
Writing new bootloader to flash.
Writing new Emergency Bootloader to flash disk.
Writing new Emergency Bootloader RTOS to flash disk.
TFTP File transfer is successful.
  Reboot the controller for update to complete.
  Optionally, pre-download the image to APs before rebooting to reduce network downtime.

(4402-a) >reset system

Once reloaded you can verify both bootloader & boot image are in the required version.

(4402-a) >show sysinfo
Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 7.0.116.0
RTOS Version..................................... 7.0.116.0
Bootloader Version............................... 7.0.116.0
Emergency Image Version.......................... 7.0.116.0
Build Type....................................... DATA + WPS
System Name...................................... 4402-a
System Location.................................. 
System Contact................................... 
System ObjectID.................................. 1.3.6.1.4.1.14179.1.1.4.3
IP Address....................................... 10.10.20.100

The “show boot” command verifies the primary & backup images available. In this case it looks odd that the latest image is shown as the backup (it is normal, as we downgraded the code).

(4402-a) >show boot 
Primary Boot Image............................... Code 7.0.116.0 (default) (active)
Backup Boot Image................................ Code 7.0.230.0

Now WLC is ready for my lab set up.


WLC Admin Access via TACACS


In this post we will see how to control access to the WLC for different types of users using TACACS+ (ACS 5.2).

I will create 3 different user types (Admin, User, Guest), where the “Admin” user has full access to the WLC (modify, add, delete, etc.), the “User” has modify access to the “WLAN” & “WIRELESS” sections of the WLC with a read-only view of all other areas, and Guest users only have access to the “Monitor” section of the WLC.

First make sure your WLC is configured with ACS for AAA (Authentication/Accounting/Authorization). Here is the screenshot of the WLC configured with ACS for Authentication. You have to do this for Accounting & Authorization as well.

WLC-Access-TACACS-01

Then change the priority order for management users (in Security -> Priority Order -> Management User). Ensure that TACACS+ is checked first & then LOCAL.

WLC-Access-TACACS-02

In ACS you first have to add your WLC (in the Network Resources -> Network Devices & AAA Clients section, as shown below). You can create a Location group & a Device Type group if you require more granular conditions later on. I have created an “HQ” location group & a “WLC” device type group for this, and used the same shared secret key as configured on the WLC.

WLC-Access-TACACS-00

Then we will create Identity Groups for those 3 different types of users.

WLC-Access-TACACS-03

Then create 3 different users, one in each of the 3 separate groups created.

WLC-Access-TACACS-04

Then go to Policy Elements to define 3 different policies for this. Here is how you create them (Policy Elements -> Authorization & Permissions -> Device Administration -> Shell Profile). Once you give a Name & Description under the General tab, you have to go to Custom Attributes to specify the roles.

For the Admin user “role1” should be “ALL” (unfortunately these are case sensitive & ensure there are no spaces, etc.). I tried with Role1 & it did not work. Therefore ALL, WLAN, MONITOR, SECURITY should be entered exactly as they are.

WLC-Access-TACACS-05

Remember to click the Add button before hitting the Submit button.

WLC-Access-TACACS-06

Here is the setting for the Non-Admin user (access to the WLAN & WIRELESS sections of the WLC).

WLC-Access-TACACS-07

Here is the Guest user policy, only permitting the “MONITOR” section of the WLC.

WLC-Access-TACACS-08

In the same section (Device Administration -> Command Set) you have to create a command set. But here we allow all TACACS commands, since the shell profile we created already limits the user scope.

WLC-Access-TACACS-09

Now you can define a rule set for each type of user request. For the WLCAdmin rule, you can match TACACS requests coming from the “WLC” device group where users belong to “Admin-Group”. Once this condition matches it will select the “WLCAdmin” shell profile you created in the earlier step.

WLC-Access-TACACS-10

Here are the rules for WLCUser.

WLC-Access-TACACS-12

Here is the rule created for WLCGuest.

WLC-Access-TACACS-11

Once you do this your rule set should appear like this. You can change the order by hitting the Up or Down arrow buttons as shown (to ensure more specific rules come first).

WLC-Access-TACACS-13

Now it is time to test. First with the WLCGuest user called “mrnguest”. If you try to modify any settings & apply, you will get an error message like this.

WLC-Access-TACACS-14

But if you log in as the WLCUser called “mrnuser” you can modify any settings under the WLAN & WIRELESS tabs of the WLC. But if you try to modify any setting other than in these two you will get a similar error message.

WLC-Access-TACACS-15

For the WLCAdmin user called “mrnadmin” you will see he can do anything, with no error messages.

If you go to ACS you can verify the successful logins of these 3 different users.
WLC-Access-TACACS-16

Related Posts

1. Configuring Local EAP on WLC
2. Configuring EAP-TLC on WLC
3. Configuring EAP-TLS on ACS
4. Configuring RADIUS on WLC
5. Configuring TACACS on WLC
6. WLC Admin Access via RADIUS


WLC Access via RADIUS (ISE)


In this post we will see how to control access to a WLC using a RADIUS server. I have used Cisco ISE (Identity Services Engine) as the RADIUS server in this post.

I have created 3 user groups (WLC-RW, WLC-RO & WLC-LobbyAdmin) and 3 users (wlcrw, wlcro & user1). Each user is assigned to the respective user group as shown below.

WLC-Access-ISE-01
WLC-Access-ISE-02

Below shows the 3 users with their respective groups.

WLC-Access-ISE-03

Now you can create 3 different “Authorization Profiles” under the “Policy -> Policy Elements -> Results” section with different RADIUS attribute values. For full administrative access you have to set the “Service-Type” RADIUS attribute to “Administrative”. For the Read-Only user this setting should be “NAS-Prompt”, whereas for the Lobby Ambassador it should be “Callback Administrative”.

WLC-Access-ISE-03.5

Below shows the created “WLC-Admin-RW” profile with the “Service-Type” RADIUS attribute set to “Administrative”.

WLC-Access-ISE-04

Here is the Authorization profile created for the Read-Only user.

WLC-Access-ISE-05

Here is the Authorization profile created for the Lobby Ambassador user.

WLC-Access-ISE-06

Let’s add a 5508 controller to ISE as a managed network device. I have created a “WLC” Device Type group to better control similar types of devices.

WLC-Access-ISE-07

You have to use the same “Shared Secret” when configuring the RADIUS server on the WLC as well.

WLC-Access-ISE-08

Here are the WLC RADIUS server configuration settings. You have to remember to tick the “Management User” option here.

WLC-Access-ISE-09

Then I have created a simple “Authentication Policy” to use “Internal Users”. Since the default policy also points to “Internal Users”, this step may be optional.

WLC-Access-ISE-10

Finally you need to create an “Authorization Policy” for each type of use case, selecting the different “Authorization Profiles” you created.

WLC-Access-ISE-11

Now it is ready to test. If you access the WLC via the “https://wlc-mgt-ip” URL & enter the user1 (WLC Lobby Admin user) credentials when prompted, you will see something like this.

WLC-Access-ISE-12

If you use the “wlcro” Read-Only user credentials you will see an output like the one below. It is very similar to the full WLC access view, but if you try to make changes using this credential it should prompt that the user does not have sufficient privileges.

WLC-Access-ISE-13

Here is the output when I try to disable an SSID using this login.

WLC-Access-ISE-14

If you use the “wlcrw” credentials you will have full administrative access to the WLC.

Remember that this is applicable to any AireOS WLC (5508, 2504, WiSM2, etc.) & not applicable to the next-gen IOS-based WLCs (5760, 3850, 3650). For those IOS-based controllers you can restrict device CLI access (privilege level 15 for full access, privilege level 1 for minimum access) via RADIUS. I do not see a way of controlling WLC access (https://device-mgt-ip/wireless) via RADIUS.

PS: Thanks to Gaith Alrawi (CCIE#23006 Sec, Wireless) for helping me on this topic.

Related Posts

1. WLC access via TACACS
2. WLC access via RADIUS (ACS 5.2)


WLC Access via RADIUS (ACS 5.x)


In this post we will see how to control WLC access via RADIUS, with ACS 5.2 used as the RADIUS server.

First you need to add the WLC to your ACS as an AAA device. Ensure the shared secret is configured for the RADIUS option and, if you have created a Device Type group or Location group, select those as well.

I have created two user groups in ACS (Users and Identity Stores -> Identity Groups section, as shown below).

Then create the two users and assign them to the groups created above. You can do this via the “Users & Identity Stores -> Internal Identity Stores -> Users” section as shown below.

Since RADIUS only supports authentication/accounting, you have to use Network Access Authorization Profiles to do this. (In TACACS you have a separate Device Admin section to control this.)

So we will create a policy element called “WLCUser” in the Policy Elements -> Authorization & Permissions -> Network Access -> Authorization Profiles section as shown below. The RADIUS attribute to select is “Service-Type” (ID=6).

Then the attribute value needs to be selected. Since this is the Read-Only user, the attribute value should be “NAS Prompt”. For the full admin user this value should be “Administrative”, and for the Lobby Ambassador it should be “Callback Administrative”.

It is important to hit the “Add^” button to ensure the selected values are properly configured. If you hit the Submit button without this step, the settings will not be saved.

Once you hit the “Add” button you can click the Submit button as shown below.

You have to follow similar steps for the WLCAdmin profile created for Admin users. As described earlier, the attribute value should be “Administrative”. Here is the attribute value setting for the WLCAdmin profile.
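To see what the WLC actually receives for these three profiles, here is an added example (not the post’s or Cisco’s code) that encodes the RADIUS Service-Type attribute (type 6) for each role and decodes it back to the WLC management role from a constructed Access-Accept attribute list. The numeric values are the RFC 2865 ones; the usernames are the ones used in this post.

```python
"""Added example (not from the post or from Cisco): encode and decode the RADIUS
Service-Type attribute (type 6) and map its value to the AireOS management role
the post assigns to it. Attribute format and values follow RFC 2865."""
import struct

ATTR_USER_NAME = 1     # RFC 2865 User-Name
ATTR_SERVICE_TYPE = 6  # RFC 2865 Service-Type

# RFC 2865 Service-Type values for the three roles the post configures in ACS/ISE.
SERVICE_TYPE_VALUE = {
    "Administrative": 6,
    "NAS Prompt": 7,
    "Callback Administrative": 11,
}

# The WLC management role each value grants, as described in the post.
WLC_ROLE_BY_VALUE = {
    6: "read-write",         # full admin ("wlcrw")
    7: "read-only",          # "wlcro"
    11: "lobby-ambassador",  # "user1"
}


def encode_avp(attr_type, value):
    """Build one RADIUS attribute: Type (1 byte), Length (1 byte, incl. header), Value."""
    if not 0 < len(value) <= 253:
        raise ValueError("RADIUS attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def encode_service_type(role_name):
    """Service-Type AVP for one of the post's three profiles (4-byte big-endian integer)."""
    return encode_avp(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_VALUE[role_name]))


def parse_avps(attrs):
    """Walk the attribute list that follows the 20-byte RADIUS header.
    Raises ValueError on a truncated or malformed list rather than guessing."""
    avps, i = [], 0
    while i < len(attrs):
        if i + 2 > len(attrs):
            raise ValueError("truncated attribute header at offset %d" % i)
        attr_type, length = attrs[i], attrs[i + 1]
        if length < 2 or i + length > len(attrs):
            raise ValueError("bad attribute length %d at offset %d" % (length, i))
        avps.append((attr_type, attrs[i + 2:i + length]))
        i += length
    return avps


def wlc_role_from_accept(attrs):
    """Return the role the WLC would grant for these Access-Accept attributes, or None
    when Service-Type is absent, malformed, or not one of the three management values."""
    for attr_type, value in parse_avps(attrs):
        if attr_type == ATTR_SERVICE_TYPE:
            if len(value) != 4:
                return None
            return WLC_ROLE_BY_VALUE.get(struct.unpack("!I", value)[0])
    return None


def build_sample_accept(username, role_name):
    """Constructed Access-Accept attribute list: User-Name + Service-Type (no header)."""
    return encode_avp(ATTR_USER_NAME, username.encode()) + encode_service_type(role_name)


if __name__ == "__main__":
    for user, role in (("wlcrw", "Administrative"), ("wlcro", "NAS Prompt"),
                       ("user1", "Callback Administrative")):
        attrs = build_sample_accept(user, role)
        print(user, attrs.hex(), "->", wlc_role_from_accept(attrs))
```

The same decoder can be pointed at the attribute bytes of a captured Access-Accept to confirm which role the AAA server is really handing out.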

Then in the Access Policies section you have to create a rule for Admin users and one for Non-Admin users as shown below. I have selected Device Type and Identity Group as the conditions.

You can select the previously defined rule and, by clicking the “Duplicate” button, easily recreate a rule and modify it to suit the Non-Admin user.

Once you have created the rules you should have something similar to this.

That finishes the ACS configuration. You have to add ACS as a RADIUS server on your WLC and select the correct priority order for the Management User of the WLC. The screen below shows how to do this. You have to go to the “Security -> AAA -> RADIUS -> Authentication” section to do this.

You have to select the priority order “Local” and then “RADIUS” to ensure that you do not lock yourself out in case of a wrong RADIUS configuration. With RADIUS first in the order, you cannot fall back to local unless the RADIUS server is unreachable.

Now you can check WLC access for those two different users. With a “Non Admin-Group” user you should be able to view any WLC config settings, but should not be able to modify any configuration. With an “Admin-Group” user credential you would have full administrative access to the WLC.

Related Posts

1. WLC Access via TACACS
2. WLC Access via RADIUS (ISE1.2)



WLC Syslog Analysis


How do you proactively (prior to user complaints) identify wireless-related issues in your environment? Almost every one of us uses a WNMS (Wireless Network Management System) to monitor the wireless environment (WLC/AP) and notify us if there is something abnormal. These NMSs use protocols like SNMP, Syslog and NetFlow to collect information from the WLCs/APs.

In this post we will see how we can use Splunk to analyze the syslog messages generated by WLCs/APs and give us meaningful reports to identify an underlying problem quicker.

You can get a free Splunk Enterprise 60-day trial (limited to 500MB per day) from here. I have installed Splunk (Windows version) in my home lab to monitor the syslog coming from the devices below.

Once you have installed it you can set up syslog as one of the Data Inputs. I have set it up with standard UDP 514 and a custom UDP 50001 (for the devices where I can customize the syslog port).

Once you set up your Splunk server to receive syslog messages you have to configure your WLC/AP devices to send syslog messages to your Splunk server. Here is how you configure it on a 3850 (or any Cisco IOS/IOS-XE device). You can use a custom UDP port for syslog on those devices.

logging buffered 100000 informational
logging facility local3
logging source-interface Vlan20
logging host 192.168.200.2 transport udp port 50001

If you really want to see syslog coming from your APs as well, you can set that up too. Here is how you set it for APs managed by this 3850. Note that for AP syslog you cannot customize the UDP port number; it defaults to UDP 514.

3850-1(config)#ap syslog level information  
3850-1(config)#ap syslog facility local7   
3850-1(config)#ap syslog host 192.168.200.2

Here is how you can configure syslog on an AireOS WLC. In my case I have configured it on my 4402.

(4402-3) >config logging syslog host 192.168.200.2
System logs will be sent to 192.168.200.2 from now on
(4402-3) >config logging syslog facility local3
(4402-3) >config logging syslog level informational

Here is how you configure syslog for APs managed by an AireOS WLC.

(4402-3) >config ap logging syslog facility local7 all
(4402-3) >config ap logging syslog level informational all
(4402-3) >config ap syslog host global 192.168.200.2
Setting the AP Global Syslog host will overwrite all AP Specific Syslog host configurations!
Are you sure you would like to set the AP Global Syslog host? (y/n) y
AP Global Syslog host has been set.

Now if you go and check your Splunk server you should be able to see all those syslog messages coming in. You can extract certain fields of these messages to use later for your analysis. I have created a field called “syslog_msg” to extract the mnemonic of the syslog message (e.g. %SOAP_FIPS-2-SELF_TEST_RAD_SUCCESS:). You can go to “Settings -> Fields -> Field Extractions -> Add a new one” and use the regular expression below.

(?i)^[^%]*%(?P<syslog_msg>[^:]+)

Now you can analyze these syslog messages by mnemonic. I have simply used host=* for all types of devices. But if you have properly named your devices, you can filter based on WLC (e.g. host=*WC* if the name contains WC) or based on AP.

host=* syslog_msg="*" |timechart span=5m count(syslog_msg) by syslog_msg

Here is the visualization of that stat.

Not all these syslog messages carry the same weight; some messages are more important than others. So it is important to be able to analyze them based on their severity level. You can create another field extraction for that. I have created a field called “msg_severity” to extract the syslog severity.

(?i)[#%].*?\-(?P<msg_severity>\d+)\-\w+

You can use the search string below if you want to see the syslog messages based on their severity.

host=* msg_severity="*" |timechart span=5m count(msg_severity) by msg_severity

Here is the visual representation for each 5 min interval in the last 60 min. Now you can easily see any critical syslog messages at a glance.

If you want to map these severity levels to names (like 7-Debug, 6-Informational, 0-Emergency) you can do that as well. I have created a “msg_severity_text” calculated field under “Settings -> Fields -> Calculated Fields -> New” with the expression below.

 case(msg_severity == 0, "Emergency", msg_severity == 1, "Alert", msg_severity == 2, "Critical", msg_severity == 3, "Error", msg_severity == 4, "Warning", msg_severity == 5, "Notice", msg_severity == 6, "Informational", msg_severity == 7, "Debug")

Now the graph looks like this if you use “msg_severity_text” instead of “msg_severity”.

Now if you see some higher severity messages (Emergency-0, Alert-1, Critical-2) you can quickly identify what they are and work on them proactively with the respective vendors. Here is how you can get a particular severity (I have chosen Error-3 as I do not see higher severity messages in my lab setup) using the following search criteria.

host=* syslog_msg="*" msg_severity=3 |timechart span=15m count(syslog_msg) by syslog_msg

Here is the graphical view.

Here are some examples of practical scenarios where I used this method to quickly identify issues in my wireless network.

Example 1: We upgraded our Anchor WLC to 8.0.100.0 on Friday the 12th; as you can see below our baseline has changed and an influx of Emergency-level messages has been appearing since then.

Once you drill down into that syslog message category, you can see the particular WLC and what type of messages they are. (WIP with TAC, and it looks like it is CSCup66509 :) )

Example 2: During a Converged Access deployment, we enabled (on 20th Aug) “ARP Inspection” for the wireless user VLANs on a given 3850 switch (as per Cisco’s recommended best practice). Since that time the switch generated lots of “DHCP_SNOOPING_DENY” messages, and within 2 weeks it resulted in memory exhaustion and excessive 802.1X failures. So we removed this feature on the 5th. As you can see below, this is a much clearer representation of what is going on in your network.

Now here is a gotcha to remember if you are using a Cisco WLC with the latest software (7.4.x onwards). Due to some buggy behavior (CSCul11353), Cisco has changed the starting string to # instead of %.

So your field extraction for the “syslog_msg” field should consider both # and %, as shown below.

(?i) .*?: [#%](?P<syslog_msg>\w+\-\d+\-\w+)(?=:)
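The extractions above, replayed in Python as an added example (not code from the post): it runs the original ‘%’-only syslog_msg regex beside the widened ‘[#%]’ one, plus the msg_severity extraction and the msg_severity_text mapping, over constructed sample lines, so the effect of the 7.4.x ‘#’ change is visible without a Splunk instance. Hostnames, timestamps and message bodies in the samples are made up.

```python
"""Added example (not from the post): replay the post's Splunk field extractions in
Python over constructed syslog lines, to show why the syslog_msg regex had to be
widened from '%' to '[#%]' for WLC 7.4.x+ code and how severities roll up."""
import re
from collections import Counter

# The post's Splunk extraction regexes, compiled unchanged (Splunk applies them
# with search semantics, so re.search is used below).
OLD_SYSLOG_MSG_RE = re.compile(r"(?i)^[^%]*%(?P<syslog_msg>[^:]+)")                  # '%' only
NEW_SYSLOG_MSG_RE = re.compile(r"(?i) .*?: [#%](?P<syslog_msg>\w+\-\d+\-\w+)(?=:)")  # '%' or '#'
SEVERITY_RE = re.compile(r"(?i)[#%].*?\-(?P<msg_severity>\d+)\-\w+")

# Same mapping as the post's case() calculated field (msg_severity_text).
SEVERITY_TEXT = {0: "Emergency", 1: "Alert", 2: "Critical", 3: "Error",
                 4: "Warning", 5: "Notice", 6: "Informational", 7: "Debug"}

# Constructed sample lines: hostnames, timestamps and message bodies are made up;
# the layouts mimic AireOS ('%'), AireOS 7.4.x+ ('#') and IOS-XE ('%') messages.
SAMPLE_LINES = [
    "4402-3: *apfReceiveTask: Sep 18 10:22:31.111: %APF-6-USER_NAME_CREATED: apf_ms.c:1234 Username entry created for mobile",
    "WC-ANCHOR1: *spamApTask0: Sep 18 10:22:32.500: #LWAPP-3-VALIDATE_ERR: spam_lrad.c:2468 Validation of payload failed",
    "WC-ANCHOR1: *emWeb: Sep 18 10:22:33.000: #SSHPM-0-NO_CERTS: sshpmMain.c:100 No certificates found",
    "3850-1: 000123: *Sep 18 10:22:34.020: %DHCP_SNOOPING-5-DHCP_SNOOPING_DENY: 1 DHCP Binding mismatch on Gi1/0/5",
    "3850-1: 000124: *Sep 18 10:22:35.333: %DHCP_SNOOPING-5-DHCP_SNOOPING_DENY: 1 DHCP Binding mismatch on Gi1/0/7",
    "WC-ANCHOR1: *emWeb: Sep 18 10:22:36.000: Login attempt for user wlcro",  # no mnemonic at all
]


def extract_fields(line, msg_re=NEW_SYSLOG_MSG_RE):
    """Return (syslog_msg, msg_severity) for one line; either is None when not found."""
    m = msg_re.search(line)
    s = SEVERITY_RE.search(line)
    return (m.group("syslog_msg") if m else None,
            int(s.group("msg_severity")) if s else None)


def count_by_mnemonic(lines, msg_re=NEW_SYSLOG_MSG_RE):
    """One bucket of '... | timechart count(syslog_msg) by syslog_msg'."""
    counts = Counter()
    for line in lines:
        msg, _ = extract_fields(line, msg_re)
        if msg is not None:
            counts[msg] += 1
    return dict(counts)


def count_by_severity_text(lines):
    """One bucket of '... | timechart count(msg_severity_text) by msg_severity_text'."""
    counts = Counter()
    for line in lines:
        _, sev = extract_fields(line)
        if sev is not None:
            counts[SEVERITY_TEXT.get(sev, "Unknown")] += 1
    return dict(counts)


def high_severity(lines, worst_allowed=2):
    """Lines at Emergency/Alert/Critical (0-2): the ones the post says to chase first."""
    kept = []
    for line in lines:
        _, sev = extract_fields(line)
        if sev is not None and sev <= worst_allowed:
            kept.append(line)
    return kept


if __name__ == "__main__":
    # The '%'-only regex silently drops the two '#'-prefixed WLC lines.
    print("old ('%' only):", count_by_mnemonic(SAMPLE_LINES, OLD_SYSLOG_MSG_RE))
    print("new ('[#%]'):  ", count_by_mnemonic(SAMPLE_LINES))
    print("by severity:   ", count_by_severity_text(SAMPLE_LINES))
    for line in high_severity(SAMPLE_LINES):
        print("chase first:   ", line)
```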

Once you do that you can extract those messages from WLCs running the latest code. Here is an example.

Then recently I noticed the options below in the WLC 8.0 CLI and got excited that Cisco had enabled sending syslog compliant with RFC 5424 in WLC 8.0 code. When I tried to configure it, it failed. So I reached out to TAC on this (CSCuq84698) and found out (unfortunately :sad: ) it is a config setting Cisco forgot to remove from this code. If you would like to have this feature you can make a new feature request through your Cisco AM/SE. I think you should do that as well if you see value in it. (Once it is in accordance with the standard you may not need these sorts of tweaks to get what you want; there may be a standard syslog dashboard from Splunk itself.)

(WLC) >config logging ?                     
buffered       Set buffered logging parameters.
cache          Set logging cache parameter
console        Set console logging parameters.
debug          Set debug message logging parameters.
exception      Limit size of exception flush output.
fileinfo       Set source file information logging parameters.
rfc-5424       Configure logging massage of RFC 5424.
stats-interval Configure stats interval.
syslog         Configure parameters for outgoing syslog mesages.
traceinfo      Set traceback information logging parameters.
upload-interval Configure upload interval for sending messages to remote server.
upload-threshold Configure real-time messages threshold.

(WLC) >config logging rfc-5424 enable 
Failed to enable RFC8424.

Again, kudos to my colleague Gareth for helping me with the regular expressions used in this post.

Related Posts

1. Syslog & Msg Log in WLC
2. Syslog Msg Suppression


How to go there – PI 2.2


Cisco has released Prime Infrastructure 2.2 today, a version long awaited by many of us. ISE 1.3, IOS-XE 3.7 and AireOS 8.0 are supported in this PI 2.2 version. Here are the release notes for this version; you need to go through them for greater detail.

So what is the upgrade procedure for PI 2.2? You would think you could upgrade your existing version to this like any other upgrade. You are wrong in this case :shock: . Here is what the PI 2.2 Quick Start Guide says about it.

“This version of Prime Infrastructure does not offer an in-place upgrade. To upgrade to the latest version, you must instead install this version of Prime Infrastructure as a virtual appliance on a fresh server, or order it pre-installed on a fresh hardware appliance. You can then migrate your data from your old Prime Infrastructure installation to the new one, using an application backup from the previous installation.

If you are currently using one of the following versions of Prime Infrastructure, you can back up your existing data and then restore that data to a different server running Prime Infrastructure 2.2:

  • Cisco Prime Infrastructure 2.1.2 (with the UBF patch)
  • Cisco Prime Infrastructure 2.1.1 (with the UBF patch)
  • Cisco Prime Infrastructure 2.1.0.0.87
  • Cisco Prime Infrastructure 1.4.2
  • Cisco Prime Infrastructure 1.4.1
  • Cisco Prime Infrastructure 1.4.0.45

If you are using a version earlier than 1.4.0.45 or 2.1.0.0.87, you will need to upgrade your server to version 2.1.0.0.87 (or version 1.4.0.45) before taking the backup.”

So in this post we will see what is involved in going to PI 2.2 from a previous release. In my case, I am running PI 2.1.0.0.87, from which I can directly take a backup and restore it onto a PI 2.2 server.

First of all you need to build your PI 2.2 server using the .ova files available on the CCO page (Downloads Home -> Products -> Cloud and Systems Management -> Routing and Switching Management -> Network Management Solutions -> Prime Infrastructure -> Prime Infrastructure 2.2 -> Prime Infrastructure Software-2.2).

Since I am using a VM, I have used PI-VA-2.2.0.0.158.ova to build the VM. Depending on the scale of your network, you need to size the VM accordingly. Below are the minimum server requirements and the supported scale for each type of installation.

Once you have built the PI 2.2 VM, you need to take an application backup of the existing PI and restore it onto the new one.

I have used the remote-backup option, where I can back up the existing config onto a remote FTP server. You can configure a remote FTP repository as shown below. I have given it the name “ftpserver” and specified its IP address and username/password.

prime2/admin(config)# repository ftpserver
prime2/admin(config-Repository)# url ftp://x.x.y.214
prime2/admin(config-Repository)# user <username> password plain <ftp_password>
prime2/admin(config-Repository)# exit

You can verify the remote FTP server using the command below; it should list all the files available on that FTP server.

prime2/admin# show repository ftpserver
 10_14_7_247_140918_0230.cfg
.

Then you can back up your Prime application configuration onto that FTP server as shown below. Note that depending on the database size, the time taken for the backup may vary. In my case it took around 50 min to complete this backup process.

prime2/admin# backup PI-Backup ?
 repository  Repository to store backup in
prime2/admin# backup PI-Backup repository ?
 <WORD>  Repository name (Max Size - 80)
prime2/admin# backup PI-Backup repository ftpserver ?
 application  Application-only backup, excludes OS system data
 <cr>         Carriage return.
prime2/admin# backup PI-Backup repository ftpserver application ?
 <WORD>  Application name to be backed up (Max Size - 255)

prime2/admin# backup PI-Backup repository ftpserver application NCS
 
% Creating backup with timestamped filename: PI-Backup-141218-1452.tar.gpg
 Backup Started at : 12/18/14 14:52:29
 Stage 1 of 7: Database backup ...
 Database size: 96G
 -- completed at  12/18/14 15:13:42
 Stage 2 of 7: Database copy ...
 -- completed at  12/18/14 15:13:42
 Stage 3 of 7: Backing up support files ...
 -- completed at  12/18/14 15:14:57
 Stage 4 of 7: Compressing Backup ...
 -- completed at  12/18/14 15:15:26
 Stage 5 of 7: Building backup file ...
 -- completed at  12/18/14 15:31:29
 Stage 6 of 7: Encrypting backup file ...
 -- completed at  12/18/14 15:37:42
 Stage 7 of 7: Transferring backup file ...
 -- completed at 12/18/14 15:40:29
 Total Backup duration is: 0h:48m:0s

Note that I shut down the old VM and used the same hostname and IP for the new VM. Once the new VM is built, you can define a remote FTP repository specifying the same FTP server where the config was backed up.

prime2/admin(config)# repository ftpserver
prime2/admin(config-Repository)# url ftp://x.x.y.214
prime2/admin(config-Repository)# user <username> password plain <ftp_password>
prime2/admin(config-Repository)# exit

prime2/admin# show repository ftpserver
10_14_7_247_140918_0230.cfg

Then you can restore the backed-up configuration as shown below. Note that some important notes are displayed that you have to pay attention to. You have to be patient; it will take around 1.5 hours (again depending on your PI database size).

prime2/admin# restore PI-Backup-141218-1452.tar.gpg repository ftpserver application NCS

* NOTE *
 If the system console is disconnected or got cleared on session timeout
 run 'show restore log' to see the output of the last restore session.

Restore will restart the application services. Continue? (yes/no) [yes] ? yes

DO NOT press ^C while the restoration is in progress
Aborting restore with a ^C may leave the system in a unrecoverable state

Initiating restore.  Please wait...
 Restore Started at 12/18/14 16:22:42
 Stage 1 of 9: Transferring backup file ...
 -- completed at 12/18/14 16:24:48
 Stage 2 of 9: Decrypting backup file ...
 -- completed at  12/18/14 16:32:13
 Stage 3 of 9: Unpacking backup file ...
 -- completed at  12/18/14 16:32:15
 Stopping strongSwan IPsec...
 Stage 4 of 9: Decompressing backup ...
 -- completed at  12/18/14 16:42:23
 Stage 5 of 9: Restoring Support Files ...
 -- completed at  12/18/14 16:42:27
 Stage 6 of 9: Restoring Database Files ...
 -- completed at  12/18/14 16:42:45
 Stage 7 of 9: Recovering Database ...
 -- completed at  12/18/14 17:04:49
 Stage 8 of 9: Updating Database Schema ...
 Stage 1 of 5: Pre Migration Schema Upgrade ...
 -- completed at: 2014-12-18 17:24:06.287, Time Taken : 0 hr, 15 min, 21 sec
 Stage 2 of 5: Schema Upgrade ...
 : This could take long time based on the existing data size.
 -- completed at: 2014-12-18 17:34:56.075, Time Taken : 0 hr, 10 min, 49 sec
 Stage 3 of 5: Post Migration Schema Upgrade ...
 -- completed at: 2014-12-18 17:44:13.068, Time Taken : 0 hr, 9 min, 16 sec
 Stage 4 of 5: Enabling DB Constraints ...
 -- completed at: 2014-12-18 17:44:39.7, Time Taken : 0 hr, 0 min, 22 sec
 Stage 5 of 5: Finishing Up ...
 -- completed at: 2014-12-18 17:44:52.668, Time Taken : 0 hr, 0 min, 12 sec
 -- completed at  12/18/14 17:45:18
 Stage 9 of 9: Re-enabling Database Settings ...
 -- completed at  12/18/14 17:45:18
 Total Restore duration is: 01h:22m:36s
 INFO: Restore completed successfully.
 
Starting PI Server... This may take some time
 Passwd reset alread in progress
Starting Prime Infrastructure...
This may take a while (10 minutes or more) ...
 Prime Infrastructure started successfully.
Starting strongSwan 5.0.1 IPsec [starter]...

prime2/admin# show application status NCS
Health Monitor Server is running.
Matlab Server Instance 1 is running
Ftp Server is running
Database server is running
Matlab Server is running
Tftp Server is running
NMS Server is running.
Matlab Server Instance 2 is running
Plug and Play Gateway is running.
SAM Daemon is running ...
DA Daemon is running ...

If everything went well you should be able to log onto your PI 2.2 and enjoy the features of the new version :smile: .

Here is the PI 2.x roadmap information sent by Phillip.

Prime Infrastructure – Update – October 2014


Are You Ready for AireOS 8.1 ?


Cisco has published the initial release (8.1.102.0) of AireOS 8.1 code. In this post we will look at what it brings and the points you need to consider before jumping into this code. Here are the release notes for the 8.1.102.0 code.

The main purpose of this code release is to support two new controller platforms (CT5520 and CT8540). These two platforms have largely increased scalability compared to their predecessors, the CT5508 and CT8510 platforms (e.g. 500 APs, 7K clients and 8 Gbps throughput on the 5508 versus 1500 APs, 20K clients and 20 Gbps on the 5520).

This does not mean the 5508 and 8510 go EoL, but if you are purchasing AireOS controllers, these two new platforms are the ones you should be buying from now on.

The other important fact about this new software version is that Cisco has stopped supporting 3 indoor AP models, namely the 1130, 1240 and 1250 series. This new code also stops supporting the 1520 series outdoor AP models. You may already know that if you saw the post below a few months back.

https://supportforums.cisco.com/blog/12385701/cisco-access-point-models-not-supported-81-code

This will be the most critical factor when deciding whether to move to this new code if you already have a deployed wireless network. If you have those AP models, start replacing them prior to moving to 8.1.

If you are not in that situation, then you have to keep a WLC with an older software version (7.4, 7.6 or 8.0) to support those AP models in future (until you replace them).

Also the 1040, 1140 and 1260 series APs will be able to register with an 8.1 code WLC, but those AP models will not support any new features added in 8.1. Here is the list of AP models supported in this new code. Refer to the compatibility matrix document for more details.

Lightweight APs: 1040, 1140, 1260, 1600, 1700, 2600, 2700, 3500e, 3500i, 3500p, 3600e, 3600i, 3600p, 3702e, 3702i, 3702p, 600 OEAP, 700, 700W, AP801, and AP802

Outdoor Mesh APs: 1532E, 1532I, 1552E, 1552H, 1552I, 1552C, 1552EU, 1552CU, 1552S, and 1570

Another important point to note is if you have deployed a 5508 as Mobility Controller in a Converged Access deployment (3850/3650 as MA, 5508/WiSM2 as MC). In 8.1 code this MC functionality is not supported on AireOS WLCs. So if you have a dedicated MC on AireOS, you have to plan to migrate it to an IOS-XE MC (such as the 5760).

The “new mobility” feature is still supported in AireOS, and you can configure mobility between AireOS and an IOS-XE MC (5760). So roaming will work between these two systems. Below is an extract from the release notes.

“Seamless roaming with Inter-Release Controller Mobility (IRCM) between Cisco 8510 WLC, Cisco 8540 WLC, and Cisco 5520 WLC with Cisco 5760 WLC—Enables seamless mobility and wireless services across high scale WLCs running Cisco AireOS and Cisco IOS using new mobility for features such as Layer 2 and Layer 3 roaming and guest access or termination.”

Here are some of the key features introduced in 8.1.

Enhanced HD experience:
– Dynamic Bandwidth Selection (DBS)—Automatic and intelligent configuration of 5-GHz channel bandwidth (20, 40, 80 MHz) for good channel width. This can be achieved by the learning of both client mix and the presence of neighboring APs and wireless networks.
– Flexible Dynamic Frequency Selection (DFS)—Automatic adjustment of channel selection and channel width for 5 GHz spectral regions requiring radar detection and avoidance.
– Enhanced Interference Mitigation—Event-driven RRM (ED-RRM) is additionally triggered by Wi-Fi interference (faster channel change than the typical dynamic channel assignment cycle in RRM).
– Optimized Roaming Extensions —802.11v Basic Service Set (BSS) Transition Management (the infrastructure provides explicit advice to clients for reassociation and roaming).

 Cisco WLAN Express and Best Practices on Wireless Controllers —Simplifies the initial (day 0) setup for Cisco WLCs with over-the-air setup and best practices defaults that enable RF parameter optimization and network profiles

AVC for FlexConnect Local Switch AP-This release extends the AVC functionality from Cisco WLC to the AP. The AVC on FlexConnect AP provides application visibility and control for locally switched client traffic. The AVC on FlexConnect uses Protocol Pack 8.0 and NBAR engine version 16

Guest Anchor Priority —Assigns a fixed priority to each anchor WLC or HA pair. The highest priority Cisco WLC is designated as the primary anchor. This feature also allows load distribution in round-robin fashion if the priorities are of the same assigned value.

Multi-country domain support on WLC for bridge AP—Enables multiple country codes to be configured on a single Cisco WLC with bridge mode APs connected.

Like any other code, it has a large number of open/resolved bugs listed. You have to deploy it and see how stable this new code is.

Reference
Cisco Wireless Release 8.1 Bulletin
Cisco WLAN Configuration Guide – Release 8.1
Cisco 5520 WLC Deployment Guide
Cisco 8540 WLC Deployment Guide

Related Posts

1. What’s new in WLC 8.0


CIMC Upgrade – 8540/5520 WLC


If you are familiar with Cisco UCS servers, you may already be familiar with the CIMC upgrade procedure. If not, this post may help you upgrade the CIMC of your Cisco 8540/5520 WLCs.

What is CIMC?
The Cisco Integrated Management Controller (CIMC) is the management service for the C-Series servers. CIMC runs within the server.

CIMC is a separate management module that is built into the motherboard. CIMC has its own ARM-based processor which runs the CIMC software. It is shipped with a running version of the firmware. Users can update CIMC firmware through the Firmware Update Management page. You need not worry about installing the initial CIMC firmware.

Why do you require a CIMC upgrade?
If you read these security advisories on CIMC, you will understand why it is required to upgrade the CIMC of those C-series servers.

Specific to the WLC, there are a few critical bugs fixed in later versions of CIMC. So it is a good idea to keep your WLC’s CIMC upgraded.

CSCvo33873
Symptom:
After a wireless LAN controller reloads, no access points are able to join.
SSH and HTTPS connections to the controller fail.
If you access the WLC via the console, and issue the command "show certificate all" - no certificates are seen.

Conditions:
5520 or 8540 WLC that has just reloaded.
The WLC was manufactured after 9-Sep-2015 (when a manufacturing change that was supposed to have fixed this problem was implemented.)

The WLC has 8.2MR2, 8.3 or above installed (which contains the CSCuy67885 fix, that was supposed to have fixed the problem.)

The WLC does NOT however have CIMC HUU 3.0.4d (or above) installed.

Workaround:
Connect CIMC. Enable CIMC connectivity on the controller, using "imm" commands. Browse to the CIMC interface. Find the FlexFlash, and manually enable HyperVisor in the "Enable/Disable Virtual Disk(s)" action. See:
http://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/troubleshooting/trb-guide-wlc-5520-8540.html#pgfId-1309804

Then perform a full HUU install of CIMC 3.0.4d (or whatever the latest supported CIMC is, for the 5520/8540.)

Cisco 8540 and 5520 series controllers are based on Cisco UCS C-series servers. Specifically, the Cisco 8540 is C240 M4 and the Cisco 5520 controller is C220 M4 hardware. It is recommended to use the UCS Host Upgrade Utility (HUU) for this work. You can download that firmware from the Cisco download page. Since this post is based on a standalone 8540 (not SSO) controller, I downloaded ucs-c240m4-huu-4.0.2h.iso, which is the latest. (For the 5520, you require the ucs-c220m4-huu-4.0.2h.iso image.)

You should have your WLC CIMC port connected to the network with an IP address configured on that interface. CIMC is the first port (see below; note it is a 5520 WLC in this photo) of the 4 ports available.

You can use the “imm summary” CLI command to verify the CIMC interface IP address configuration.

(8540-WLC) >imm summary

This will take some time... 
Please be patient!
User ID.......................................... admin
DHCP............................................. Enabled
IP Address....................................... x.x.32.100
Subnet Mask...................................... 255.255.254.0
Gateway.......................................... x.x.33.250

If it is not configured, you can configure it statically or let it get an IP via DHCP.

(8540-WLC) >imm ?
address IMM Static IP configuration
dhcp Enable | Disable | Fallback DHCP.
restart Saves settings and Restarts IMM Module.
summary Displays IMM Parameters.
username Configures Login Username for IMM.

(8540-WLC) >imm address x.x.32.100 255.255.254.0 x.x.33.250
(8540-WLC) >imm username admin password <cimc_password>

You can access the CIMC interface IP using https.

You can click “Launch KVM Console” to open it. Make sure your security settings allow it if you are using Mac OS.

You simply have to follow the instructions and keep continuing until you get the KVM console page.

You can go to “Virtual Media -> Activate Virtual Devices” as shown below.

Once you activate Virtual Devices, you can map the ISO image to CD/DVD.

Note: the image below shows c220M4 (when I captured the screenshot I incorrectly selected that image 🙂 ); you should select the c240m4 ISO image for the 8540.

Then you can go to the “Power” options and click “Reset System” or “Power Cycle System”.

Once the server is booting up, you should hit F6 to change the boot options. We need the server to boot from the KVM-mapped DVD.

This will allow you to select booting from the KVM-mapped DVD image.

You will see it boot with the HUU image and prompt you to agree (be patient, it will take time).

It will take 15-20 min to copy all required files and then it prompts you with the update options. You should go with Update All unless you specifically want to upgrade one component.

Each component will be upgraded, and it will take 30-45 min to finish this component upgrade process.

Once the upgrade has finished, you can exit from that window and power cycle.

It will take 15-20 min for the server to boot properly after the CIMC upgrade. So overall you will have a little more than 1 hr of outage while this work completes. Make sure you have the necessary outage window arranged if you do this upgrade on production 8540/5520 WLCs.

You can also use the “show imm chassis <>” command to verify the upgraded BIOS information.

(8540-WLC) >show imm chassis ?

bios Fetch Chassis BIOS information
current Fetch Chassis Current information
fan Fetch Chassis FAN information
fan-profile Fetch Chassis FAN power profile
mac Fetch Chassis MAC information
memory Fetch Chassis Memory information
power-supply Fetch Chassis Power Supply information
sol-info Fetch Serial Over Lan information
temperature Fetch Chassis Temperature information

(8540-WLC) >show imm chassis bios 
BIOS Information
Vendor: Cisco Systems, Inc.
Version: C240M4.4.0.2d.0.0627191030
Release Date: 06/27/2019

I have to do this upgrade on an 8540 HA pair and a 5520 HA pair soon. I will post the process once I do that task.

References
1. 8540/5520 Console access via CIMC
2. 8540/5520 Troubleshooting Guide
3. Firmware Upgrade on UCS servers through Host Upgrade Utility (HUU)

RELATED POSTS

  1. CIMC Upgrade on WLC-HA pair

CIMC Upgrade – WLC in HA


In this post we will look at CIMC upgrade process of WLC HA pair. If you have not deployed WLC in HA -SSO (High Availability with Stateful Switch Over) it is high time to think about it. If you have standalone WLC deployment , then you require to get longer outage window (1 hr+ ) to perform this sort of maintenance work. Refer my previous post if you are upgrading CIMC of a standalone WLC.

I have upgraded pair of 8540 & 5520 recently, here is some of my learnings worth to note. At the time of this writing, HUU v4.0(2h) is the latest firmware version. It is important you to  read UCS-C series release notes  before doing this work.

Good news is that you can do CIMC upgrade of WLC-SSO pair without having an outage.

I had my 8540 CIMC versions 2.0(6d) & 2.0(8d). Sometime you will see CPU missing alerts and overall status “faulty” with old versions of CIMC. I had this behavior with my 8540s. When I logged a case, first response from TAC was to reseat 2nd CPU 🙂 , I had to check with few of my friends how many CPU they can see in their 8540s.


As I did not hear that any of them had 2 CPUs in their 8540, I kept asking TAC questions. Then they gave me bug ID CSCux20012 (note there are 477 support cases 🙂 ) as the explanation & suggested a later version of CIMC would fix it.

First of all, make sure you have the WLC’s CIMC port connected to the network & that you can access that IP address via HTTPS. If you haven’t configured it at all, the default admin/password combination should work in general. If that does not work for you & you haven’t set it up earlier, try “cisco1234“. You will know why when you read the field notice below.

FN64093 UCS-C series default password incorrect for units shipped 17 Nov 2015 – 6 Jan 2016


It is always recommended to configure a CIMC IP address that lets you easily remember which WLC you are connected to.

(WLC1) >show interface summary

Interface Name Port Vlan Id IP Address Type Ap Mgr Guest
-------------------------------- ---- -------- --------------- ------- ------ ----- 
management LAG 1000 x.x.x.200 Static Yes No 
redundancy-management LAG 1000 x.x.x.201 Static No No
(WLC1) >imm summary

User ID.......................................... admin
DHCP............................................. Disabled
IP Address....................................... y.y.y.201
Subnet Mask...................................... 255.255.254.0
Gateway.......................................... y.y.y.250

I configured my CIMC IP address y.y.y.201 on WLC1, which is one unit in the HA pair. That way I know .201 is that single WLC (irrespective of whether I connect via the “redundancy-management” interface or the CIMC interface). The other unit got .202 in the respective subnets for redundancy management & CIMC.

Once you have your CIMC accessible, one of the most useful features to enable is “SOL – Serial Over LAN”. This way you can get your WLC’s console access remotely. Unless you like to be in your DC & physically connect to the console port (2nd port of 4), this is the best way to do it. Once you enable this feature, your physical serial port will be disabled (as COM0 is mapped to the physical port). I tried to use COM1 for SOL, but that did not work for me.

In older versions of CIMC, you can go to “Server -> Remote Presence -> Serial over LAN -> enable“. Remember to use COM0 & 9600 bps; if you get it working with COM1, let me know. Note that by default it uses port number 2400, and if you SSH to your CIMC IP address using port 2400, you will get WLC console access.


In later versions of CIMC, you can go to “Compute -> Remote Management -> Serial over LAN“. I modified the SSH port number to 8540.


You can refer to the “Console access to 8540/5520 via CIMC” Cisco document for more details.

Prior to the upgrade, you can start a ping to 5 different IP addresses (WLC management, redundancy management of WLC1 & WLC2, CIMC address of WLC1 & WLC2). Once you boot the standby WLC with HUU (please refer to the previous post for detailed instructions), you will see that the WLC redundancy management IP address becomes unreachable on your ping monitors. Once you boot from the KVM-mapped DVD, it will take around 15 min to copy firmware files/tools and discover the components of your C-series server.


Once you click “Update All” and confirm you would like to proceed, it will start upgrading the CIMC, BIOS, LOM & RAID firmware. I would say it takes around 30 min for the component upgrades to complete.


Once the upgrade finishes, you can click “Exit” & confirm. Then your server will reboot a couple of times (if you monitor your ping to the CIMC IP address, you will notice it goes down a couple of times).


Roughly 20-25 min later, you will see your WLC redundancy management become reachable. If you have SOL configured, you will see activity on your WLC console while you wait patiently.


Once you check the redundancy status using “show redundancy summary” & ensure everything is normal, you can fail over traffic to this unit (“redundancy force-switchover” CLI command on the active unit) & follow the same procedure on the next unit. In this way, you can perform this CIMC upgrade on a WLC HA pair without much trouble.

(WLC1) >show redundancy summary 
Redundancy Mode = SSO ENABLED 
Local State = ACTIVE 
Peer State = STANDBY HOT 
Unit = Secondary (Inherited AP License Count = 3000)
Unit ID = 70:E4:22:x:x:x
Redundancy State = SSO
Mobility MAC = 5C:83:8F:x:x:x
Redundancy Port = UP
BulkSync Status = Complete
Average Redundancy Peer Reachability Latency = 117 Micro Seconds
Average Management Gateway Reachability Latency = 2153 Micro Seconds

Hope this post is useful if you are performing this task on your WLC HA pair.

References
1. WLC – High Availability (SSO) Deployment Guide


9800-TACACS


In this post, we will look at the AAA config for 9800 device administration. Even though most of this config is common across many Cisco IOS devices, we use a 9800 WLC as the example here.

Here are some background details about the TACACS+ (Terminal Access Controller Access-Control System Plus) protocol. TACACS+ was originally defined as an IETF draft in 1997 & then updated in RFC 8907 in 2020, & it provides AAA (Authentication, Authorization & Accounting) functionality. It is mainly used for device administration.

A TACACS+ packet has a 12-byte header, and its “type” field defines 3 types of TACACS+ packets.

TAC_PLUS_AUTHEN (0x00) – Authentication
TAC_PLUS_AUTHOR (0x02) – Authorization
TAC_PLUS_ACCT (0x03) – Accounting

The sequence number starts at 1 from the client and increments by 1, so the TACACS+ server uses even sequence numbers starting with 2. The “Session ID” uniquely identifies a session (authentication, authorization, or accounting) and must be derived using a strong random number generation method.

The body of the TACACS+ packets may be obfuscated using a shared secret that is configured on the client & the TACACS+ server. Once you capture TACACS+ traffic, you can easily see the cleartext view by configuring the shared secret in Wireshark under the TACACS+ protocol preferences.
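As an added example (not code from the post, nor the 9800's or ISE's implementation), the following Python builds a TACACS+ authorization request like the one the capture shows later, obfuscates it with the post's shared secret using the RFC 8907 MD5 pseudo-pad, and parses it back; the session ID, user, port and address are constructed values.

```python
"""TACACS+ (RFC 8907) header parsing and body (de)obfuscation.
Added example, not code from the post; the shared secret is the one the
post configures, all other values are constructed, not from a capture."""
import hashlib
import struct

HEADER_LEN = 12
TAC_PLUS_AUTHOR = 0x02            # authorization packet type
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # body is sent in cleartext when set
SHARED_SECRET = b"Vipassana123"   # key from the post's "tacacs server" block


def parse_header(pkt):
    """Split the fixed 12-byte header: version, type, seq_no, flags,
    32-bit session_id and 32-bit body length (header excluded)."""
    if len(pkt) < HEADER_LEN:
        raise ValueError("packet shorter than the TACACS+ header")
    version, ptype, seq_no, flags, session_id, length = struct.unpack(
        "!BBBBII", pkt[:HEADER_LEN])
    return {"version": version, "type": ptype, "seq_no": seq_no,
            "flags": flags, "session_id": session_id, "length": length,
            # client packets carry odd sequence numbers, server replies even
            "from_client": seq_no % 2 == 1}


def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5 chain from RFC 8907 section 4.5: MD5(session_id|key|version|seq_no)
    first, then the same input with the previous digest appended."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def xor_body(pkt, key):
    """Obfuscation and de-obfuscation are the same XOR with the pseudo-pad;
    this is the step Wireshark performs once the shared secret is entered."""
    hdr = parse_header(pkt)
    body = pkt[HEADER_LEN:HEADER_LEN + hdr["length"]]
    if len(body) != hdr["length"]:
        raise ValueError("body length does not match the header length field")
    if hdr["flags"] & TAC_PLUS_UNENCRYPTED_FLAG:
        return body
    pad = pseudo_pad(hdr["session_id"], key, hdr["version"], hdr["seq_no"], len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(ptype, seq_no, session_id, body, key, version=0xC0):
    """Prepend a header (major version 0xC, minor 0, no flags) and obfuscate."""
    header = struct.pack("!BBBBII", version, ptype, seq_no, 0, session_id, len(body))
    return header + xor_body(header + body, key)


def build_author_request(user, port, rem_addr, priv_lvl, args):
    """Authorization REQUEST body (RFC 8907 section 6.1): authen_method
    TACACS+ (0x06), current priv_lvl, authen_type ASCII (0x01), service
    LOGIN (0x01), then the length octets and the variable-length fields."""
    fields = [user.encode(), port.encode(), rem_addr.encode()]
    arg_bytes = [a.encode() for a in args]
    body = bytes([0x06, priv_lvl, 0x01, 0x01, *map(len, fields), len(arg_bytes)])
    body += bytes(len(a) for a in arg_bytes)
    return body + b"".join(fields) + b"".join(arg_bytes)


def parse_author_request(body):
    """Inverse of build_author_request: the fields the TACACS+ server
    evaluates (user, port, remote address, current privilege level, args)."""
    priv_lvl = body[1]
    user_len, port_len, addr_len, arg_cnt = body[4:8]
    arg_lens = body[8:8 + arg_cnt]
    pos = 8 + arg_cnt

    def take(n):
        nonlocal pos
        chunk = body[pos:pos + n].decode()
        pos += n
        return chunk
    user, port, rem_addr = take(user_len), take(port_len), take(addr_len)
    return {"user": user, "port": port, "rem_addr": rem_addr,
            "priv_lvl": priv_lvl, "args": [take(n) for n in arg_lens]}
```

The MD5 pseudo-pad is keyed obfuscation, not encryption: anyone holding the shared secret (or a capture plus a guessable secret) recovers the body, which is why RFC 8907 expects TACACS+ to run on an isolated management network.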

Let’s look at the basic AAA commands you require on a 9800 (or any IOS device). First, you have to enable AAA services using the “aaa new-model” command. Once you add that command, you will see it removes any local logins configured under the VTY lines.

aaa new-model
+aaa session-id common
line vty 0 4
 -login local
line vty 5 15
 -login local

Then you can define a TACACS+ server with its IP address & shared secret.

tacacs server ISE-TAC
 address ipv4 192.168.100.12
 key Vipassana123

Then you can create a TACACS+ group and add the previously defined server to it.

C9800-2(config)#aaa group server ?
  ldap     Ldap server-group definition
  radius   Radius server-group definition
  tacacs+  Tacacs+ server-group definition

aaa group server tacacs+ TAC-GRP
 server name ISE-TAC

Then you can define an authentication list (TAC-AUTH) to use the TAC-GRP you created and, in case the AAA server is not reachable, fall back to “local” authentication. If you want to use it for SSH, then you can apply it under line VTY.

aaa authentication login TAC-AUTH group TAC-GRP local
!
line vty 0 15
 login authentication TAC-AUTH

You can define an authorization method list (TAC-AUTHOR) to use TAC-GRP and then “local” in case the AAA server is not reachable. EXEC authorization is a special form of command authorization where it verifies user privileges immediately after login authentication.

aaa authorization exec TAC-AUTHOR group TAC-GRP local if-authenticated 
!
line vty 0 15
 authorization exec TAC-AUTHOR

If you want TACACS+ to be used for each CLI command authorization, you can use your authorization method list to do that. Keep in mind that this requires the AAA server to evaluate each CLI command you enter on the device.

aaa authorization config-commands
aaa authorization commands 1 TAC-AUTHOR local if-authenticated 
aaa authorization commands 15 TAC-AUTHOR local if-authenticated
!
line vty 0 15
 authorization commands 1 TAC-AUTHOR
 authorization commands 15 TAC-AUTHOR

You can define an accounting method list to use the defined TAC-GRP. In this case we use the “default” method list as we do not want different accounting based on connection type.

aaa accounting exec default start-stop group TAC-GRP
aaa accounting commands 1 default start-stop group TAC-GRP
aaa accounting commands 15 default start-stop group TAC-GRP

For GUI access to use AAA, you can configure it under HTTP authentication.

ip http authentication aaa login-authentication TAC-AUTH
ip http authentication aaa exec-authorization TAC-AUTHOR

Here is the summary of the CLI config described above (for simplicity).

aaa new-model
!
tacacs server ISE-TAC
 address ipv4 192.168.100.12
 key Vipassana123
!
aaa group server tacacs+ TAC-GRP
 server name ISE-TAC
!
aaa authentication login TAC-AUTH group TAC-GRP local
!
aaa authorization exec TAC-AUTHOR group TAC-GRP local if-authenticated
!
aaa accounting exec default start-stop group TAC-GRP
aaa accounting commands 1 default start-stop group TAC-GRP
aaa accounting commands 15 default start-stop group TAC-GRP
!
line vty 0 15
 login authentication TAC-AUTH
 authorization exec TAC-AUTHOR
!
ip http authentication aaa login-authentication TAC-AUTH
ip http authentication aaa exec-authorization TAC-AUTHOR
!
***** If you need Command Authorization ****
aaa authorization config-commands
aaa authorization commands 1 TAC-AUTHOR local if-authenticated 
aaa authorization commands 15 TAC-AUTHOR local if-authenticated
!
line vty 0 15
 authorization commands 1 TAC-AUTHOR
 authorization commands 15 TAC-AUTHOR

If you want console sessions also to be authenticated & authorized against the AAA server, then you can apply those under line console 0 as well. You also need to add the “aaa authorization console” command in global config.

aaa authorization console
!
line con 0
 login authentication TAC-AUTH
 authorization exec TAC-AUTHOR

In case you want to use a local username for console authentication, you can do something similar to below. You should have a local user defined with the required privileges (priv 15 users go directly to the exec prompt, whereas other priv users have to enter the enable password).

username mrn-local privilege 15 secret xxxx 
!
aaa authentication login CON-AUTH local
aaa authorization console
aaa authorization exec CON-AUTHOR local
!
line con 0
 login authentication CON-AUTH
 authorization exec CON-AUTHOR

I have used Cisco ISE as the TACACS+ server and you can refer to this detailed guide (worth keeping a copy of that document) on how you should design ISE for TACACS+ and configure the policy on ISE. The diagram below (taken from the above document) shows the Authentication, Authorization & Accounting packet flow that you should expect.

I have configured “cpi” as an admin user with privilege 15 and “mrn-staff” as a general user, locally defined on ISE, which will get privilege level 5 shell access. Let’s test our configuration while capturing packets on the 9800 to see what’s happening with AAA. Below shows the TACACS+ authorization policy with the configured TACACS+ profile.

Here is the 9800 packet capture setting (9800 GUI -> Troubleshooting > Packet Capture) that you can use to filter TACACS+ communication when accessing the 9800 WLC via SSH. The given ACL has been defined on the 9800 to filter that traffic when taking the PCAP.

With that setting, I have captured TACACS+ traffic while the “cpi” & “mrn-staff” users were trying to access the 9800 via SSH. Here is the PCAP file (tacacs-9800.pcap) for your reference. You can enter the shared secret key (Vipassana123) that I have used in order to see the details of the TACACS+ frame body.

Without decryption, you will see an “encrypted request” for frame number 253.

Once decrypted you will see the details below: the “mrn-staff” user on 192.168.129.102 trying to access TTY line 2. Privilege Level 1 indicates the user’s current privilege level.

The Authentication Start (seq#1), Authentication Reply (seq#2 or #4) and Authentication Continue (seq#3) frame bodies include the following info (refer to RFC 8907 for details).

Here are those frame details in the Wireshark capture. You can filter all related packets using the Session ID (right-click and “Apply As Filter”, or drag & drop it to the display-filter area). As you can see, Auth seq 1 & 3 are sent by the client and seq 2 & 4 by the ISE server. In sequence 2, the server asks for a password for authentication (in seq 3 the client sends it) & in sequence 4 it confirms authentication has passed.

Then you will see two Authorization (Request/Reply) frames. In the request message, you can see “privilege level 1”, which was the user’s current privilege. In the reply message the user has been given “priv-lvl=5” shell access. Status “PASS_ADD” in the reply message indicates the request has been authorized.

Accounting messages follow authorization. You will see those accounting messages regularly (Note: I have kept the WLC GUI open using “rasika” as the username and you can see certain accounting messages related to that session as well).

Here is the 2nd authentication, for the “cpi” user, where you can see the “authorization” reply (frame#681) with privilege level 15 shell access.

You can see the “cpi” user issue “configure terminal” successfully as well (refer to frame #789 & #791).

Here are a few things I have come across when it comes to 9800 AAA. There can be many more 🙂 ; if you know particular things to be aware of, please provide that info as a comment.

1. Managing 9800 with DNAC
In order for DNAC to properly manage the 9800 with appropriate NETCONF, we had to add the following two lines (CSCvy00489) to the aaa config. It is described in this deployment guide as well. If you are using the AAA group as the default method, you may need to modify your 9800 configs.

aaa authentication login default local 
aaa authorization exec default local

2. 9800 AAA fallback (refer to the 9800 best practice guide)
If you have multiple AAA servers, then it is important to configure the dead-criteria and the deadtime timers on the 9800 (CSCtl06706). With these commands the Catalyst 9800 marks a non-responsive server as “dead” and moves to the backup server. To configure these timers, use the following CLI commands:

radius-server dead-criteria time 5 tries 3
radius-server deadtime 5

If you want to test AAA fallback in a controlled manner, you can apply an ACL to block traffic to a particular AAA server (& permit all other traffic). On the 9800 WLC you can apply an ACL like the one below on the management SVI interface. In our configuration, you can then see whether “local” authentication/authorization is being used when the ISE server is not reachable.

ip access-list extended BLOCK-ISE
 10 deny   ip host 192.168.100.12 any
 20 permit ip any any
!
interface Vlan100
 ip address 192.168.100.20 255.255.255.0
 ip access-group BLOCK-ISE in

Here is a really good post about TACACS+ on IOS devices by Daniel Dib:

AAA Deep Dive on Cisco Devices.

Cisco – WLC Config Analyzer


As listed in my previous post, Cisco has developed many tools to assist us in Cisco WiFi deployments. Here is the list for a quick recap.

  1. WCAE – Wireless Config Analyzer Express ( AireOS & IOS-XE WLC config analysis)
  2. WLCCA –Wireless Config Analyzer (AireOS WLC config analysis tool)
  3. WLC Config Converter (Config conversion between AireOS/IOS-XE)
  4. Wireless Debug Analyzer (Parses client debug / traces)
  5. WLAN Poller (Bulk data collection from APs)
  6. WiFi Hawk (Analyze OTA captures)
  7. 9800 Guest Shell Scripts (Automate complex data collection)
  8. 9800 Telemetry Pipeline – Github (Real-time telemetry visualization from 9800)
  9. 9800 Traces to ELK – Github (Automate trace collection from 9800)

WCAE – Wireless Config Analyzer Express is one of the great tools to analyze your WLC configurations against Cisco best practices (watch this CLUS2022 session from Javier Contreras to understand the power of this tool). This tool supports both AireOS & IOS-XE WLC platforms (as opposed to WLCCA, which only supports AireOS WLCs). WCAE comes in two different flavours & the desktop version gives additional reports & analysis.

  1. Cloud version (https://cway.cisco.com/wireless-config-analyzer)
  2. Mini Desktop-Win 10 or MacOS (https://github.com/CiscoDevNet/wcae)

With the configuration model changes in the IOS-XE platform used by the Cisco 9800, many of us are not familiar with all the configuration best practices required. Therefore, if you are working on a 9800 deployment, this is your best tool to analyze your configuration & find issues (WLC Config Converter is another tool if you need AireOS to IOS-XE CLI mapping). Here is a quick summary of what WCAE can do for you.

  • Application to analyze and validate your wireless network, including all controller types and any AP model
  • Based on learnings over years of case experience from TAC and Wireless Escalation teams
  • New implementation of the WLC Config Analyzer: a re-write of the application, with clean-up and improved checks
  • Objectives:
    • Save time processing WLC configurations, finding hundreds of different possible configuration errors
    • In-depth RF analysis
    • Audit config against best practices rule sets
  • It is fully offline from the controller; it does not store any data or send any data back
  • It is not a TAC supported product; it is basically provided “as is”

You require “show tech wireless” output from your 9800 WLCs or “show run-config” output from AireOS WLCs. Please note that “show tech” output does not work with the application. It is very common to get “show tech” output instead of “show tech wireless” when you have to ask a customer to provide it to you. It is best to set “terminal len 0” prior to collecting the output from your 9800, and you can set “term len 24” back once you have it. On AireOS WLCs, use “config paging disable” instead.

### 9800 WLCs ###
C9800-1#terminal len 0
C9800-1#show tech wireless
.
.
### After collecting output you can set the previous term len ###
C9800-1#terminal len 24

### AireOS WLCs ###
(H3504) >config paging disable
(H3504) >show run-config
.
.
### After collecting output you can enable paging ###
(H3504) >config paging enable

Here I have used the mini desktop version & you should be familiar with how the GUI wrapper looks if you read my previous post on “WiFi Hawk“. Once you run “wcae.exe” in administrator mode, you will see the familiar GUI wrapper.

If you are trying to find configuration issues (WLC or AP specific), “Controller Check Results” & “APs check Results” are what you need to look at first.

Here is a sample of the “WLC check results” output, where it gives “Error”, “Warning” or “Info” level severity and the category of the mismatch it identifies. It also suggests the recommended action to fix the given issue. Here is an example.

Then you will notice the “Client Audit” section on the main content page. It analyzes the configuration against best practices for different major client types (Apple iOS, Cisco 8821, Drager medical devices, Spectralink, Vocera). You should check those reports if you have an environment where one of these devices is important to you. For example, for Apple clients here is the ruleset that it checks against (a link is available in the xls spreadsheet for you to easily find it).

Global Validations

  • EDCA is Fastlane
  • 5GHz band is enabled
  • 5GHz radios are present
  • High Throughput (11n, 11ax, 11ac) is enabled
  • No more than 10% of clients are on low SNR

WLAN/Policy profile combinations

  • Policy and WLAN profiles are both enabled
  • Radio policy is 5GHz only
  • 11v Transition Service is enabled
  • 11v Directed Multicast is enabled
  • 11v BSS Max Idle is enabled
  • 1k Neighbor List is enabled
  • Fast Roaming (either Adaptive or FT enabled)
  • if FT is in use, either respective FT-PSK or FT-dot1x are enabled
  • if FT is in use, Over DS is disabled
  • AutoQoS is set to fastlane
  • WMM must be either optional or mandatory
  • if 9130/9124 APs are present, and using 17.4 or higher, Fastlane+ requirements are met: PMF is enabled, feature is enabled

RF Profiles

This is only validated for 5GHz band

  • All MCS rates are enabled
  • 6 and 9 mbps are disabled
  • 12 is mandatory
  • 24 is set as supported
  • Channel width is 20 or 40
  • if Channel width is “best”, max width is set to 40

If you want to get all the details about APs, the “APs configuration” report is the one you should look for. There are a lot of RF related reports available under that section. Here is a sample “AP configuration”. Please note not all the columns are displayed here.

If you are managing or deploying a Cisco WLC, this is a tool that saves a lot of your time and gets your configuration close to the Cisco best practices guides. Below are the best practices documents for 9800 & AireOS for your reference.

  1. Cisco 9800 Configuration Best Practices
  2. Cisco AireOS WLC best practices

9800 – Wave 1 AP support


If you are using Cisco 9800, you know that Cisco stopped supporting Wave 1 (17xx/27xx/37xx) APs beyond 17.3.x codes. Here is a slide from a recent Cisco Live 2023 presentation (BRKEWN-2338) that listed 9800 IOS-XE recommendations.

However, Cisco recently announced Wave 1 AP support in the IOS-XE 17.9.3 code (in fact I heard about it for the first time in the above Cisco Live presentation). This will help customers who have Wave 1 APs to adopt 9800 migration faster and also move forward with their 9800 WLC firmware without being stuck in 17.3.x code.

Here is the release note of 9800 17.9.3, which highlights the support of Wave 1 APs. Feature-wise you still get 17.3.x parity with those Wave 1 APs even on 17.9.3.

One reason for such a decision is that the last day of software maintenance for the 17.3.x code is listed as 31st March 2023. A lot of customers who had Wave 1 APs were stuck in 17.3.x code as they could not upgrade their AP fleet in time (budget constraints, supply chain issues during the pandemic, etc). Now that the last day of 17.3.x maintenance releases approaches, they have to go to different codes to get proper bug fixes and security patches on the 9800 code they run.

I have tested my lab 3702 getting registered & clients connecting. In your case, you have to test it in your environment and upgrade your 9800 to 17.9.3 (if you are on 17.3.x and have Wave 1 APs on your 9800). That will provide a code that gets maintenance fixes for your 9800 firmware at least for the next couple of years.

When you choose a firmware version to upgrade to, always go with an extended maintenance release code train. Both 17.3.x & 17.6.x EoL have been announced, so planning an upgrade to 17.9.x is something you should consider. As of March 2023, we have its third maintenance release (17.9.3). Typically I would start using a major code train in production environments once its 3rd or 4th maintenance release is available.

Here are some CLI commands (from the WLC & AP end) that you can use to verify.

C9800-2#sh ap name AP1-3702 config general | in Ver|Model
Software Version                                : 17.9.3.50
Boot Version                                    : 15.2.4.0
Mini IOS Version                                : 7.6.1.118
AP Model                                        : AIR-CAP3702I-Z-K9
IOS Version                                     : 15.3(3)JPN2


AP1-3702#sh capwap client rcb 
AdminState                  :  ADMIN_ENABLED 
Primary SwVer               :  17.9.3.50 
Backup  SwVer               :  0.0.0.0 
NumFilledSlots              :  2 
Name                        :  AP1-3702 
Location                    :  default location 
MwarName                    :  C9800-2 
MwarApMgrIp                 :  192.168.100.20
MwarHwVer                   :  0.0.0.0 
ApMode                      :  Local 
ApSubMode                   :  Not Configured 
OperationState              :  UP 
CAPWAP Path MTU             :  1421 
Link-Encryption (AP)        :  Disabled
Link-Encryption (MWAR)      :  Enabled
Prefer-mode                 :  IPv4
LinkAuditing                :  disabled
AP Rogue Detection Mode     :  Enabled
AP Tcp MSS Adjust           :  Enabled
AP Tcp MSS size             :  1250

Hope this is good news for most of you.

Intertooth – CLI Access via Bluetooth


I received this Bluetooth console adapter from Intertooth for testing purposes. A huge thank you to Bojan for sending it over—your support is greatly appreciated. The adapter is incredibly easy to set up and use, eliminating the usual hassle of dealing with USB-to-serial cables and searching for the right drivers.

Intertooth supports both RS232 and USB consoles. As shown in the images below, you can use either a Cat6 Ethernet cable or the provided USB-mini cable (depending on the device’s console port) to access the device’s console. The device has a battery life of around 15 hours of operation, and in certain cases you can let the device charge while using the USB-mini cable option. Here are the unique features of the product.

You can refer to the following documents to get the full details about the product.

  1. User manual
  2. Supported Device

You can simply add ‘intertooth’ as a Bluetooth device to your computer (Mac or Windows). Below is a screenshot of the prompt that appears when adding the intertooth device to my Windows laptop. By default it will not ask for a PIN; in my case it does, since I have set a PIN (you will see how to configure it a bit later).

Once paired with your intertooth, it is normal for it to appear as “Not connected”.

Then you can go to your favorite terminal application, where you should be able to select your intertooth as a console port.

It should directly prompt you for your device console credentials (if configured). You can access the ‘intertooth’ device configuration menu by simply typing $$$$$.

You can do a few simple configurations like hostname, LED color, brightness and a PIN for security when pairing it to a computer.

You can set up a Bluetooth PIN for your device, which is required when you pair it with your computer.

Configurations will be automatically saved when you type the exit command.

Additionally, you can configure the baud rate of the console connection. This is quite useful because the latest Cisco APs (starting with version 17.12.x) have changed it to 115200 bps to improve the AP booting time. Here is an example of accessing a Cisco switch with the standard 9600 bps baud rate.

Here is when I need to access an AP console running on 17.12.x or later.

There are a few view commands available to verify configs, battery life and version details.

Here is the BLE console in action. I ran the “show tech support” command a few times while connected to a Cisco device via intertooth.

Since I am back to consulting work (balancing it with my teaching), this is a very useful tool to carry around these days to get device console access. If you haven’t heard of ‘intertooth’, it is probably a good time to check it out.
