Showing results for 
Search instead for 
Did you mean: 

Cisco IOS-XE 17.6.1 for the Catalyst 9800 Wireless Controllers

Cisco Employee

We are pleased to announce the immediate availability of the IOS-XE release 17.6.1 for the Catalyst Wireless Controllers. The new code is now posted on the CCO and can be found at this link:




Supported Access Points


Cisco Catalyst 9100 Series Access Points


  • Cisco Catalyst 9105AX Access Points
  • Cisco Catalyst 9115AX Access Points
  • Cisco Catalyst 9117AX Access Points
  • Cisco Catalyst 9120AX Access Points
  • Cisco Catalyst 9130AX Access Points

Indoor Access Points


  • Cisco Aironet 1800 Series Access Points
  • Cisco Aironet 2800 Series Access Points
  • Cisco Aironet 3800 Series Access Points
  • Cisco Aironet 4800 Series Access Points

Outdoor Access Points


  • Cisco Catalyst 9124 Wi-Fi 6 Access Points 
  • Cisco Aironet 1540 Series Access Points
  • Cisco Aironet 1560 Series Access Points
  • Cisco Industrial Wireless 3700 Series Access Points
  • Cisco Catalyst Industrial Wireless 6300 Heavy Duty Series Access Point
  • Cisco 6300 Series Embedded Services Access Point


Software Compatibility Matrix


Cisco Catalyst 9800 Wireless Controller Software

Cisco Identity Services Engine

Cisco Prime Infrastructure

Cisco AireOS IRCM Interoperability

Cisco DNA Center

Cisco DNA Spaces Connector

Cisco DNA Spaces – On-Premise (CMX)

Bengaluru 17.6.1

ISE 2.4 + latest patch

2.6 + latest patch

2.7+ latest patch

3.0 + latest patch

3.10 MR







DNA Space Connector





The section below provides information about the key new features and enhancements in the 17.6.1 release.


ROW Regulatory Domain


This innovation helps to reduce the number of regulatory domains by modifying the existing pre-provision domain workflow to determine regulatory domains at runtime. Traditionally we supported 18 regulatory domains which have now been reduced to 8 with a bunch of them being included in ROW or the rest of the world. So, there are 7 non-row domains, and the rest are part of ROW. It is being released with the 9124 AP. Once it is on-site it will come up in 2.4 GHz only and will be allowed to join the controller. Once it joins the controller it will either have the country code configured in an AP profile or will be manually set by the user. 


WLAN Wizard and Walk Me Through


With Cisco IOS XE 17.6 Release, a WLAN Wizard is available under the Wireless Setup icon. This wizard eases the process of creating WLANs for Local Mode, FlexConnect Mode, and guest access by guiding the user in a step-by-step workflow. The following WLAN types are supported through this wizard.


Local Mode

  • PSK
  • Dot1x
  • Local Webauth
  • External Webauth
  • Central Web Auth


FlexConnect Mode

  • Local Webauth
  • External Webauth
  • Central Web Auth


Guest CWA

  • Foreign
  • Anchor


The second UI enhancement driving adoption is the Walk me Through Workflow and this is essential to aid the configuration of complex, multi-step, multi-object workflows such as AAA, FlexConnect site, 802.1x authentication, local web auth, QoS, and open Roaming that is more involved than a single-entity creation.


AP Tag Persistency


Currently, for the policy, site, and RF tags to be preserved on APs when moving from one WLC to another, the AP to tag mappings would need to be configured identically on each WLC. Otherwise, the tag configuration would need to be written to each AP individually, using a CLI exec command. Using this method, the AP would keep the configured tags when joining any WLC given that target WLC has the necessary tags configured. However, for deployments with many APs, individually writing the tag configurations to each AP is not practical and adds unnecessary management overhead.

With 17.6, AP tag persistency can be enabled via UI or CLI. Whenever APs join a WLC with tag persistency enabled, the tags mapped to it will be saved to the AP without having to write the tag configurations to each AP individually.


Control Plane Traffic on Service Port


In the 17.6 release the dedicated Service Port Gi0 on the C9800 appliance can be utilized to segregate the control traffic on WLC C9800 platforms so the control traffic flows on the service port and the data traffic on the dedicated data ports. This will be supported on all standalone appliances such as the 9800-40, 9800-80, and 9800-L. The protocols supported are LDAP, SNMP, RADIUS (CoA), Restconf, Netconf, TACACS, gNMI, NTP, SYSLOG, NetFlow, File transfer, SSH/HTTP, and FQDN.


Twinax/AO SFP Support


The following Twinax/AO SFPs are now supported in addition to the existing ones already supported on the 9800-40 and 9800-80


  • SFP-H10GB-CU1M
  • SFP-H10GB-CU1.5M
  • SFP-H10GB-CU2M
  • SFP-H10GB-CU2.5M
  • SFP-H10GB-CU3M
  • SFP-H10GB-CU5M
  • SFP-H10GB-ACU10M


Interface Status of Standby controller through Active using SNMP


In Release 17.3 we introduced monitoring the health of the standby controller in an HA pair using programmatic interfaces (NETCONF/YANG, RESTCONF) and CLIs without going through the active controller. This included monitoring parameters such as CPU, memory, interface status, power supply failure, fan failure, and temperature. With 17.5 we brought in a lot more support to monitor the standby via the active controller and made some enhancements to the capabilities available via the standby directly.

Specifically, new MIBs and traps that were previously not supported such as the Hot standby notification trap and Bulk sync trap, show environment CLI to display sensor information, getting sensor information using programmatic interfaces, and getting the power, fan, and RP sensor information using SNMP SENSOR MIB


With 17.6 we take it a step further and allow monitoring of the interface entries on the standby via the active controller using SNMP, adding to the standby monitoring capabilities as more and more customers are looking for a way to get the health of the standby at all times. The Wireless Management interface, Redundancy Management Interface as well as the Service Port (Device management Interface) can be used with SNMP on the Active Controller.


SSID per radio on Dual 5GHz


As you know - Dual 5 GHz is possible with the XOR Radio on some of the Wave 2 APs and the 9120 11ax access point. You can use manual configuration or FRA auto to move slot 0 from 2.4 GHz to 5GHz making it a dual 5GHz AP. In addition, on the 9130 and 9124, with the tri-radio capability, it is possible to turn the 8x8 5GHz radio into two 4x4 5Hz radios.

This capability has enabled some use-cases that were previously not possible such as, the ability to assign a separate WLAN to each of these 5gHz radios. This is usually done to separate a development network from corporate resources or providing a separate guest network without impacting the enterprise network's capacity. 


aWIPS Signature Enhancement and Syslog Support


In the Cisco IOS XE Amsterdam 17.3.1 Release and earlier releases, 10 signatures were supported. In the 17.5.x release, 15 additional signatures were introduced. With 17.6, we now have support for 2 new alarms which are for the detection of CTS and RTS Virtual Carrier Sense attacks.

A wireless denial of service attacker can take advantage of the privilege granted to the RTS (Request to send) and CTS (Clear to send) frames to reserve the RF medium for transmission. By transmitting back-to-back CTS and RTS frames and basically flooding them, an attacker reserves the wireless medium and forces other wireless devices sharing the RF medium to hold back their transmissions. With 17.6 we detect when an attacker configures a large duration value of >=20ms in RTS/CTS frames and generates an attack of at least 25 frames/second - these are classified as the RTS and CTS Virtual Carrier Sense Attack (with Alarm ID: 10026 and 10027). The duration field in RTS/CTS indicates the duration for which the medium is to be cleared for data frame transmission and RTS/CTS attacks with large duration values can hog the Wi-Fi medium and make the APs and Clients not able to transmit Wi-Fi frames.


With this release, we also support aWIPS alarms to be logged as Syslog events, when such an alarm is detected.  This helps customers who may not have access to Cisco DNA Center and need an alternate way to consume the alarm data. The alarms can be seen in the logging history of the Catalyst 9800 WLC or can be exported as Syslog messages when an external Syslog server is configured.


Randomized &  Changing MAC


Traditionally wireless clients used to associate to the wireless network using the burnt-in address (BIA) or also called real MAC or UAA universally administered address. The use of this burn-in address everywhere raises the question of end-user privacy as the end-users could be tracked with WIFI’s MAC address. To improve the privacy design of the end-user products, Apple, Android, and Windows are now enabling locally administered MAC address (LAA) or local mac as we refer to for WIFI operation. The problem for the network admin becomes tracking these clients and several features that rely on MAC addressees such as mac filtering, web-auth using mac filtering, iPSK, static DHCP binding, WIFI location, user-defined network (UDN) just to name a few.


With phase 1 in release 17.5, we introduced the ability to Identify the random mac usage and provide the visibility for easy detection of issues and troubleshooting on WLC and DNAC and the ability to control the client join and access to Wi-Fi Network using RCM which can be achieved through WLC and ISE integration using the URL portal redirect. We have the ability to deny the clients that are using LAA or Random MAC.


With phase 2 in release 17.6, we are introducing something called DUID - device unique identifier. This involves introducing a DUID/GUID in the certificate, which gets presented to ISE during auth and ISE extracts this ID and maintains a mapping of ID to MAC address. This way a client is always identified by its DUID no matter what private MAC it uses to connect.


C-ANT9104 Antenna


The C-ANT9104 antenna is designed specifically to solve challenges encountered in stadiums/large public venues/high client density environments.  The antenna comes complete with a pre-installed Cisco Catalyst C9130AXE series AP and is ready to install a mount and hang out of the box.  There are no field serviceable upgrade options or need to access the internal AP.

Proper testing of this antenna requires long-distance coverage (50-200 feet distance to users).  The antenna is designed to be mounted on the ceiling as well as from the walls or angles from the overhead to achieve the desired coverage. Coverage should be insured using appropriate measurement tools (Ekahau, iBwave) or other tools supporting reliable active measurement.  Validating cell isolation and performance characteristics requires similar numbers of users and devices as expected during normal operation.  Please test with as much load and distance as is possible.

The C-ANT9104 is a dual-band antenna supporting one 2.4 GHz 4x4 radio and dual 5 GHz 4x4 radios in the following configurations:

2.4 GHz

  • Fixed coverage at 75 x 80 degree beamwidth @ 7 dBi gain

5 GHz

  • Narrow – 25 x 25 degree @ 10 dBi Gain
  • Beam Steering - angles of 0, 10 or 20 degree @ 10 dBi gain
  • Wide – 25 x 80 degree @ 7 dBi gain



Release Notes

Link to release notes:

Leo L
VIP Community Legend

And where is the Catalyst 9136i?

After upgrade some APS 9120 and 9115 in my lab from 17.5 to this version, i've seen some roaming issues.

It was a straight upgrade without any changes on the config.

When I roll-back do 17.5 roaming issues just disappeared.


Any ideas?



yes clients the network settings are wrong and maybe something cant be fix, u may have reset all network connections or del the network card let reinstall and check the enciption lev so all are matching, there are some network setting cant be change it push by wifi access point why must be reset. you can not just simply just jump from one kind  ios to a newer one with out probems

VIP Engager

I disagree @jamesbos96602   !  You can usually upgrade from one release to another without problems.

Occasionally the upgrade can introduce new bugs or new features which cause problems.

That roaming problem could be related to either, which is why new releases should always be tested for suitability in your own environment before deployment.  And it goes without saying that you should always be reading the release notes before deploying a new release.


you know i love the words he used u can most of time but not aways, in fack to fix the certifice probem each piece of hard ware must be upgaded. note cisco wont help with this with out a contrack.

i prove that there is been bugs past from one ios to next. i can to tell you in 3 sec i crash the router just useing a command

so i ask how stable is this, probems with cisco forceing people to windows 10 is another probem. but i will ask the vip why dose cisco take the config of each unit with out permistion and also take user passwords as well. u do understand this now agest the laws, now back to my point swich i had only way could be upgraded is by del everything and rebuild it commands are diffrent in some respeck in fack people i talk to had no clue why the commands was there.

by default the routeing part of cisco router is turn off dosent work in all your doc it dose not tell you that u have code the router to be on, also crypto is not config to control the wism 2 card two independed systems and first has no idea how decode the information was grate idea but to is why cisco turn off the certifice athencation they cant get it to work i wounder why.  let me say something else how long did take you to learn to code a swich ?  for me i learn it in a week

to code the wism was not possable do to the certifice probems once it was removed was simple to code. most IT people will refuse to upgade firmware on any servers,  this you all dont get,. and by way i have gotten system boards from cisco in wich cisco used in there network and guss what firmware was so out date was unreal. how long have u done this ? me sence dos. dos i did things microsoft said was not possable at wich point microsoft set me up with busness name and let me become a partner. you disagree all you want but i seen it. and it is fack no IT will do firmware upgrades school teach you so much but there so much more to it. codeing like callhome wiretap really i meen do give me a break. as if i would not trace what each did. and by way i seen this probem with your hardware it was fix in manner i said not allways the case but dose happen


LIKE make one point this is why IT dont do upgrades to there servers. risk can be handle by firewalls independed from swichs

if swich works there is no IT person will ever upgrade ios. i do i understand the risk in fack upgrading a cisco swich i had dump the config file and rebuild it risk in doing. yes some times it works as it should and times u wish u never even started it

cisco dose not like upgrade ios for same reason, what will happen is the unknow something might just break, expanle i got 6500 with 720 sup card wism2 card would not athenacate with wifi at all but bigger probem is card would not talk to the swich, so they upgraded bouth cards down side is 1550 wifi wont bond to the controler at all. cisco insteld if takeing uneded services out of upgarde left them in they dont need dhcp they dont need much of what install so upgrade is to big for install

but they could get them to work if they take out these servies.  i got wism2 working but now i must replace all the ap's

you say most time works most time is not good enouf u all can make hack proof system yeat u wont, or maybe u just cant do it , all IT people in usa say i wrong but i bet anything on fack that they dont do firmware updates i will and done so on over 1000s of systems and lost 4 out them unknow reason cause update to fail and broken the board so we went to servers with dual bios if one breaks u boot to other and fix one broken it dose happen it will happen you cant say software with out bugs it is full of bugs how do we deal with them are key but cisco rather not work with people who know how fix these probems that there right and there loss

Leo L
VIP Community Legend

@jamesbos96602 wrote:

i can to tell you in 3 sec i crash the router just useing a command

Only 1?  I can crash an IOS-XE router with the "reload" command or, perhaps, a plain "sh run | " (CSCvo06817).  Heck, I can even sabotage a 9800-80 by running a piece of Cisco-released firmware which will cause all the optic ports to go into error-disable, thereby rendering a very expensive WLC into an equally expensive door jam.  

Bugs are everywhere.  Aruba, Juniper, Extreme, everyone's got one, however, Cisco is unique because of the market price of all Cisco-branded kit.  Even though Cisco relies so much on IoL (IOS over LINUX), any piece of code from Cisco is no longer tested.  Even  publicly-available documentation, configuration guides, hardware installation guides, release notes, bug ID, etc. are no longer being peer-reviewed and contains mistakes that would make a grade school English Grammar teacher faint with a brain aneurism. 

Have you heard of MOSFET?  No, I am not just talking about the component but CSCvd46008 &/or CSCvj76259.  This is a pair of Bug IDs that keep me up at night.  

Every individual who downloads a of software automatically enters into a not-so-exclusive club called "open beta testers".  Every customer must beta-test the code.  It is not an optional exercise.  It is mandatory or face the consequences.  Read all the Release Notes, Configuration Guides, Hardware Installation Guides, Q&A, Ordering Guides with the same focus, zeal and "enthusiasm" like an IRS agent going through your Grand Cayman Island accounting ledger.  

And do not even get me started about the "games" some (not all) TAC desks play -- Y'know, the ones where TAC asks for "outputs" or questions for the sole purpose of putting the TAC case into "CU Waiting" for as long as they can.  

Everybody knows that all Cisco-branded hardware are the most expensive in the market.  With Cisco, we used to say, "you get what you paid for".  But for an English-speaking, American-based HQ, multi-billion dollar, multi-national corporation that is no longer able to produce good/quality, publicly-available documentation, yeah, I find it disturbing (to say the least).  

Back in the "good ole days":  Click the "Feedback" button to a document which needs correction &/or clarification and someone would respond in 3 hours; Organizing an RMA takes an hour before I get the confirmation email instead of the several days spent with ping-pong emails with TAC.   


so why not make hack proof system self healing we know how,   and i did not want make more it was but yea lot more one. but these probems if they work with people be fix but because cisco so closed to any one and next impossable get support with out a contack, and why should i need contrack to fix there probems why am i not getting paid. yes i make system hack proof but note my spelling i have add i never write the code,  i learn how program cisco 720 sup card in weeks but get spelling right in code was big probem of mine, we all no matter how long u been doing this can only go so far, and that ok, why we must work togather not apart.. and i agree on something else swichs more so high end should all be run in kind vr where they protecked from the internet , but to leo to ask you a quistion is there way stop remote commands from going throw a swich any remote commnads some way trap them or redirect them so remote commands cant be used on a network ? i am good in finding what breaks software dam good but to figger out what takes to stop remote commands is above what i understand  i got cisco 6500 sup card is 7200 10 gig  with newest ios. i was thinking a mib file was writen right could surch out the code and then trap the code in a loop,  see i got a probem my system reporting to now i block over 500 ip address and all msn but i cant stop it and i dont have clue why msn is on port 4500 port 500 even throw there block on firewall some how they getting aroud it

Leo L
VIP Community Legend
@jamesbos96602  wrote:

so why not make hack proof system self healing we know how

Not exclusive to Cisco, but, the term "hack-proof" is fallacy.  

And I cannot answer all of your questions because I am having troubles understanding your language.  

Recognize Your Peers
Content for Community-Ad