
Cisco IOS-XE 17.6.1 for the Catalyst 9800 Wireless Controllers

Cisco Employee

We are pleased to announce the immediate availability of the IOS-XE release 17.6.1 for the Catalyst Wireless Controllers. The new code is now posted on the CCO and can be found at this link:




Supported Access Points


Cisco Catalyst 9100 Series Access Points


  • Cisco Catalyst 9105AX Access Points
  • Cisco Catalyst 9115AX Access Points
  • Cisco Catalyst 9117AX Access Points
  • Cisco Catalyst 9120AX Access Points
  • Cisco Catalyst 9130AX Access Points

Indoor Access Points


  • Cisco Aironet 1800 Series Access Points
  • Cisco Aironet 2800 Series Access Points
  • Cisco Aironet 3800 Series Access Points
  • Cisco Aironet 4800 Series Access Points

Outdoor Access Points


  • Cisco Catalyst 9124 Wi-Fi 6 Access Points 
  • Cisco Aironet 1540 Series Access Points
  • Cisco Aironet 1560 Series Access Points
  • Cisco Industrial Wireless 3700 Series Access Points
  • Cisco Catalyst Industrial Wireless 6300 Heavy Duty Series Access Point
  • Cisco 6300 Series Embedded Services Access Point


Software Compatibility Matrix

  • Cisco Catalyst 9800 Wireless Controller Software: Bengaluru 17.6.1
  • Cisco Identity Services Engine: ISE 2.4 + latest patch, 2.6 + latest patch, 2.7 + latest patch, 3.0 + latest patch
  • Cisco Prime Infrastructure: 3.10 MR
  • Cisco AireOS IRCM Interoperability
  • Cisco DNA Center
  • Cisco DNA Spaces Connector: DNA Space Connector
  • Cisco DNA Spaces – On-Premise (CMX)

The section below provides information about the key new features and enhancements in the 17.6.1 release.


ROW Regulatory Domain


This innovation reduces the number of regulatory domains by modifying the existing pre-provision domain workflow to determine the regulatory domain at runtime. Traditionally we supported 18 regulatory domains; these have now been reduced to 8, with many of them folded into ROW (rest of the world). So, there are 7 non-ROW domains, and the rest are part of ROW. It is being released with the 9124 AP. Once the AP is on-site, it will come up in 2.4 GHz only and will be allowed to join the controller. Once it joins the controller, the country code is either configured through an AP profile or set manually by the user.


WLAN Wizard and Walk Me Through


With Cisco IOS XE 17.6 Release, a WLAN Wizard is available under the Wireless Setup icon. This wizard eases the process of creating WLANs for Local Mode, FlexConnect Mode, and guest access by guiding the user in a step-by-step workflow. The following WLAN types are supported through this wizard.


Local Mode

  • PSK
  • Dot1x
  • Local Webauth
  • External Webauth
  • Central Web Auth


FlexConnect Mode

  • Local Webauth
  • External Webauth
  • Central Web Auth


Guest CWA

  • Foreign
  • Anchor


The second UI enhancement driving adoption is the Walk Me Through workflow, which is essential to aid the configuration of complex, multi-step, multi-object workflows such as AAA, FlexConnect site, 802.1X authentication, local web auth, QoS, and OpenRoaming, all of which are more involved than a single-entity creation.


AP Tag Persistency


Currently, for the policy, site, and RF tags to be preserved on APs when moving from one WLC to another, the AP to tag mappings would need to be configured identically on each WLC. Otherwise, the tag configuration would need to be written to each AP individually, using a CLI exec command. Using this method, the AP would keep the configured tags when joining any WLC given that target WLC has the necessary tags configured. However, for deployments with many APs, individually writing the tag configurations to each AP is not practical and adds unnecessary management overhead.

With 17.6, AP tag persistency can be enabled via UI or CLI. Whenever APs join a WLC with tag persistency enabled, the tags mapped to it will be saved to the AP without having to write the tag configurations to each AP individually.


Control Plane Traffic on Service Port


In the 17.6 release the dedicated Service Port Gi0 on the C9800 appliance can be utilized to segregate the control traffic on WLC C9800 platforms so the control traffic flows on the service port and the data traffic on the dedicated data ports. This will be supported on all standalone appliances such as the 9800-40, 9800-80, and 9800-L. The protocols supported are LDAP, SNMP, RADIUS (CoA), Restconf, Netconf, TACACS, gNMI, NTP, SYSLOG, NetFlow, File transfer, SSH/HTTP, and FQDN.


Twinax/AO SFP Support


The following Twinax/AO SFPs are now supported on the 9800-40 and 9800-80, in addition to the ones already supported:


  • SFP-H10GB-CU1M
  • SFP-H10GB-CU1.5M
  • SFP-H10GB-CU2M
  • SFP-H10GB-CU2.5M
  • SFP-H10GB-CU3M
  • SFP-H10GB-CU5M
  • SFP-H10GB-ACU10M


Interface Status of Standby controller through Active using SNMP


In Release 17.3 we introduced monitoring the health of the standby controller in an HA pair using programmatic interfaces (NETCONF/YANG, RESTCONF) and CLIs without going through the active controller. This included monitoring parameters such as CPU, memory, interface status, power supply failure, fan failure, and temperature. With 17.5 we brought in a lot more support to monitor the standby via the active controller and made some enhancements to the capabilities available via the standby directly.

Specifically, this included new MIBs and traps that were previously not supported, such as the Hot Standby notification trap and Bulk Sync trap; the show environment CLI to display sensor information; getting sensor information using programmatic interfaces; and getting the power, fan, and RP sensor information using the SNMP SENSOR MIB.


With 17.6 we take it a step further and allow monitoring of the interface entries on the standby via the active controller using SNMP, adding to the standby monitoring capabilities as more and more customers are looking for a way to get the health of the standby at all times. The Wireless Management interface, Redundancy Management Interface as well as the Service Port (Device management Interface) can be used with SNMP on the Active Controller.


SSID per radio on Dual 5GHz


As you know, Dual 5 GHz is possible with the XOR radio on some of the Wave 2 APs and the 9120 11ax access point. You can use manual configuration or FRA auto to move slot 0 from 2.4 GHz to 5 GHz, making it a dual 5 GHz AP. In addition, on the 9130 and 9124, with the tri-radio capability, it is possible to turn the 8x8 5 GHz radio into two 4x4 5 GHz radios.

This capability has enabled some use cases that were previously not possible, such as the ability to assign a separate WLAN to each of these 5 GHz radios. This is usually done to separate a development network from corporate resources or to provide a separate guest network without impacting the enterprise network's capacity.


aWIPS Signature Enhancement and Syslog Support


In the Cisco IOS XE Amsterdam 17.3.1 Release and earlier releases, 10 signatures were supported. In the 17.5.x release, 15 additional signatures were introduced. With 17.6, we now have support for 2 new alarms which are for the detection of CTS and RTS Virtual Carrier Sense attacks.

A wireless denial of service attacker can take advantage of the privilege granted to the RTS (Request to send) and CTS (Clear to send) frames to reserve the RF medium for transmission. By transmitting back-to-back CTS and RTS frames and basically flooding them, an attacker reserves the wireless medium and forces other wireless devices sharing the RF medium to hold back their transmissions. With 17.6 we detect when an attacker configures a large duration value of >=20ms in RTS/CTS frames and generates an attack of at least 25 frames/second - these are classified as the RTS and CTS Virtual Carrier Sense Attack (with Alarm ID: 10026 and 10027). The duration field in RTS/CTS indicates the duration for which the medium is to be cleared for data frame transmission and RTS/CTS attacks with large duration values can hog the Wi-Fi medium and make the APs and Clients not able to transmit Wi-Fi frames.
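The two thresholds described above (Duration value >= 20 ms, at least 25 frames/second) can be expressed as a sliding-window check. The following is an added example, not Cisco's aWIPS implementation: the one-second window, counting per frame type, the `Frame` record, the constructed sample capture, and the mapping of alarm IDs to RTS and CTS in the order the text lists them are all assumptions.

```python
from collections import deque
from typing import NamedTuple

MIN_DURATION_US = 20_000   # page: Duration value >= 20 ms
MIN_RATE = 25              # page: at least 25 frames/second
WINDOW_MS = 1_000          # one-second sliding window (assumption)
# Alarm IDs from the page, mapped in the order it lists them (assumption).
ALARM_ID = {"RTS": 10026, "CTS": 10027}

class Frame(NamedTuple):
    ts_ms: int        # capture timestamp, milliseconds
    subtype: str      # 802.11 control frame subtype name
    duration_us: int  # Duration field, microseconds

def detect(frames):
    """Return (alarm_id, subtype, ts_ms) once per burst crossing both thresholds."""
    recent = {s: deque() for s in ALARM_ID}   # timestamps of long-duration frames
    active = {s: False for s in ALARM_ID}     # suppress repeats within one burst
    alarms = []
    for f in sorted(frames):                  # orders by ts_ms first
        if f.subtype not in ALARM_ID:
            continue
        win = recent[f.subtype]
        while win and win[0] <= f.ts_ms - WINDOW_MS:
            win.popleft()                     # age out frames older than the window
        if f.duration_us >= MIN_DURATION_US:
            win.append(f.ts_ms)               # only long reservations are counted
        if len(win) < MIN_RATE:
            active[f.subtype] = False         # burst over, re-arm the alarm
        elif not active[f.subtype]:
            active[f.subtype] = True
            alarms.append((ALARM_ID[f.subtype], f.subtype, f.ts_ms))
    return alarms

def sample_capture():
    """Constructed frames: normal RTS, slow long-duration RTS, then two floods."""
    normal = [Frame(i * 25, "RTS", 300) for i in range(40)]
    slow = [Frame(2000 + i * 100, "RTS", 32_000) for i in range(10)]
    cts_flood = [Frame(4000 + i * 10, "CTS", 30_000) for i in range(30)]
    rts_flood = [Frame(6000 + i * 20, "RTS", 20_000) for i in range(25)]
    return normal + slow + cts_flood + rts_flood

if __name__ == "__main__":
    for alarm in detect(sample_capture()):
        print(alarm)
```

High-rate RTS with short durations and long-duration RTS at a low rate both stay below the alarm condition; only frames that meet both thresholds inside the window raise one alarm per burst.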


With this release, we also support aWIPS alarms to be logged as Syslog events, when such an alarm is detected.  This helps customers who may not have access to Cisco DNA Center and need an alternate way to consume the alarm data. The alarms can be seen in the logging history of the Catalyst 9800 WLC or can be exported as Syslog messages when an external Syslog server is configured.


Randomized & Changing MAC


Traditionally, wireless clients associated to the wireless network using the burned-in address (BIA), also called the real MAC or universally administered address (UAA). The use of this burned-in address everywhere raises the question of end-user privacy, as end users could be tracked by their Wi-Fi MAC address. To improve the privacy design of end-user products, Apple, Android, and Windows are now enabling a locally administered MAC address (LAA), or local MAC as we refer to it, for Wi-Fi operation. The problem for the network admin becomes tracking these clients, along with the several features that rely on MAC addresses, such as MAC filtering, web-auth using MAC filtering, iPSK, static DHCP binding, Wi-Fi location, and user-defined network (UDN), just to name a few.


With phase 1 in release 17.5, we introduced the ability to identify random MAC usage and provide visibility for easy detection of issues and troubleshooting on the WLC and DNAC, along with the ability to control client join and access to the Wi-Fi network using RCM, which can be achieved through WLC and ISE integration using the URL portal redirect. We have the ability to deny clients that are using an LAA or random MAC.


With phase 2 in release 17.6, we are introducing something called DUID - device unique identifier. This involves introducing a DUID/GUID in the certificate, which gets presented to ISE during auth and ISE extracts this ID and maintains a mapping of ID to MAC address. This way a client is always identified by its DUID no matter what private MAC it uses to connect.


C-ANT9104 Antenna


The C-ANT9104 antenna is designed specifically to solve challenges encountered in stadiums, large public venues, and high client density environments. The antenna comes complete with a pre-installed Cisco Catalyst C9130AXE series AP and is ready to install, mount, and hang out of the box. There are no field-serviceable upgrade options, and there is no need to access the internal AP.

Proper testing of this antenna requires long-distance coverage (50-200 feet distance to users). The antenna is designed to be mounted on the ceiling, on walls, or at an angle overhead to achieve the desired coverage. Coverage should be ensured using appropriate measurement tools (Ekahau, iBwave) or other tools supporting reliable active measurement. Validating cell isolation and performance characteristics requires similar numbers of users and devices as expected during normal operation. Please test with as much load and distance as possible.

The C-ANT9104 is a dual-band antenna supporting one 2.4 GHz 4x4 radio and dual 5 GHz 4x4 radios in the following configurations:

2.4 GHz

  • Fixed coverage at 75 x 80 degree beamwidth @ 7 dBi gain

5 GHz

  • Narrow – 25 x 25 degree @ 10 dBi Gain
  • Beam Steering - angles of 0, 10 or 20 degree @ 10 dBi gain
  • Wide – 25 x 80 degree @ 7 dBi gain



Release Notes

Link to release notes:

Leo Laohoo
VIP Community Legend

And where is the Catalyst 9136i?

After upgrading some 9120 and 9115 APs in my lab from 17.5 to this version, I've seen some roaming issues.

It was a straight upgrade without any changes on the config.

When I rolled back to 17.5, the roaming issues just disappeared.


Any ideas?

