topic Re: What to allow through firewall for AFC on WLC 9800? in Wireless

What to allow through firewall for AFC on WLC 9800?

Stonent — Tue, 08 Oct 2024 14:55:19 GMT

I'm trying to get AFC working on my 9800-40 but it doesn't seem to be able to communicate with the Cisco back end. What URLs or IPs do we need to allow through the firewall to allow this to work? I don't think our management vlan has any outside internet access at this time so I'd have to request anything individually.

The controller has been upgraded to 17.12.xxx for a few weeks and the AFC screen just says "No Valid Token" According to the documentation, all hardware implementations of the 9800 should automatically register and only the cloud versions of the 9800 have to be specifically registered.

Re: What to allow through firewall for AFC on WLC 9800?

Flavio Miranda — Tue, 08 Oct 2024 15:17:42 GMT

@Stonent

As per the prerequisites for AFC, yes, you need to give internet access to the WLC. You need to permit HTTPS traffic

https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-14/config-guide/b_wl_17_14_cg/m_afc.html

Prerequisites

Ensure that there is cloud connectivity from the controller to the cloud, with a DNS entry in place. AFC operates through either the management port or data ports.

The AFC request is sent only when the controller is onboarded with cloud. This is automatic for hardware platforms like 9800-80, 9800-40 and 9800-L. For cloud controller, you have to manually enter a one-time password (OTP). See Onboarding the Cloud Controller.
Before sending an AFC request, check whether the AFC service can be requested by using the show wireless afc ap command. If command output shows yes or up status for all the parameters of an AP, then request is sent out.
Standard APs must register with the AFC system by providing the following parameters:
- Geographic coordinates (latitude and longitude)
- Antenna height above ground level and tolerance as uncertainty height
- FCC identification number
- Manufacturer’s unique serial number

Re: What to allow through firewall for AFC on WLC 9800?

jagan.chowdam — Tue, 08 Oct 2024 15:36:51 GMT

TCP Port 443 must be open for the AFC.

Have you verified connectivity using "show cloud-services summary" & "Show wireless afc statistics" ?

Jagan Chowdam

/**Pls rate useful responses**/

Re: What to allow through firewall for AFC on WLC 9800?

Stonent — Tue, 08 Oct 2024 15:42:48 GMT

I do not have the 6GHz AP online right now. It's been given to the contractor for installation on our building.

show cloud-services summary
Cloudm Onboarding Status
------------------------

State : Onboarded
URL : https://dnaservices.cisco.com/api/tethering/v1/enrollment/enroll/byname/C9800

No valid token

Show wireless afc statistics
Total number of 6GHz APs : 0
Number of APs requiring AFC service : 0
Messages sent to AFC : 0
Successful messages received from AFC : 0
Errored AFC messages : 0
AFC messages pending : 0
Minimum response time (ms) : 0
Maximum response time (ms) : 0
Average response time (ms) : 0
Health check query : Idle
Health check status : No valid token
Health check timestamp : 10/08/2024 10:41:41
Number of times health check went down : 0

Health check event history
Timestamp #Times Event State RC Context
---------------------------- -------- ----------------------- ------------------------------ --- -----------------------------
10/08/2024 10:41:41.57430 70158 Scheduled 0 Timer: 30s
10/08/2024 10:41:41.57418 70159 Not sent No token 0

Re: What to allow through firewall for AFC on WLC 9800?

jagan.chowdam — Tue, 08 Oct 2024 17:45:46 GMT

AFC is a cloud-based service that connects with Cisco's AFC Service Provider to manage spectrum sharing and assign channels and power levels for access points operating in the 6GHz band.

For indoor APs, AFC is OFF by default, where as outdoor APs AFC is ON.

You need to enable AFC in RF Profiles. You also require a GPS/GNSS enabled AP for AFC to work.

Once you take care of these, AFC attachment is automatic as long as Port 443 is opened.

The prerequisites mentioned in @Flavio Miranda post are crucial.

Jagan Chowdam

Re: What to allow through firewall for AFC on WLC 9800?

Stonent — Tue, 08 Oct 2024 19:07:57 GMT

Well that's my thing. I need to know specifically which DNS entries or IPs it needs to access. That's what I'm asking more than anything else. That's what my firewall group is going to require to allow it through. I've already done the other prerequisites.

Re: What to allow through firewall for AFC on WLC 9800?

rmuccifo — Fri, 10 Jan 2025 16:14:44 GMT

You need to allow access to dnaservices.cisco.com port 443 and commercial.ocsp.identrust.com port 80.

Re: What to allow through firewall for AFC on WLC 9800?

eglinsky2012 — Thu, 13 Mar 2025 20:59:02 GMT

We're having an issue with 9800-80 in SSO HA running 17.12.4 and AFC as well. We permitted the addresses and ports @rmuccifo provided above with no luck. AFC Health Statistics > Health check status says "Device not onboarded". That seems to imply we need to go through the onboarding with the OTP, etc. after all. Is that true, or is this indicating a connectivity issue?

Also, the config guide mentions "AFC operates through either the management port or data ports" but does not elaborate on how to configure this. Which is the default, or how can I verify which his being used? I need it to be the Wireless Management Interface (the shared VIP).

Re: What to allow through firewall for AFC on WLC 9800?

rmuccifo — Fri, 14 Mar 2025 09:47:09 GMT

You don't need to do the onboarding with OTP with a 9800-80, that will be done automatically, assuming controller is able to reach dnaservices.cisco.com.

The controller will automatically try to reach the cloud through management or data port, there's no specific configuration required.

You can see which VRF is being used using "show cloud-services detail". It will switch between management VRF and forwarding VRF automatically until it is able to reach the cloud.

If device is not onboarded, or you see "No valid token" under "show cloud-services detail" it means there's some connectivity problem. Also, make sure that proxy is configured if your network requires that for https traffic.

Re: What to allow through firewall for AFC on WLC 9800?

eglinsky2012 — Tue, 18 Mar 2025 15:38:09 GMT

@rmuccifoThank you for that info. After more troubleshooting, our firewall was not allowing the traffic to commercial.ocsp.identrust.com due to the OCSP application (a form of certificate checking) being used. Once we allowed that on the outbound firewall policy, I was able to use ""show cloud-services detail" to verify that the state is now Onboarded.

The documentation should be updated to reflect the correct URLs, ports, and the OCSP application that need to be allowed: https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-12/config-guide/b_wl_17_12_cg/m_afc.html#config-dna-service As well as clarify that physical controllers do not need to be onboarded manually.