Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
229
Views
1
Helpful
4
Replies

9800 WLC Mesh AP Local MAC Auth Help - Fuzzy on the WLAN Setting.

8uck5nort
Level 1
Level 1

‎07-18-2024 09:15 AM

Background:

I am setting up mesh wireless on a 9800.

I am going to import several mesh APs from a 5520 controller and add some new ones. I am using a converted configuration.

The converted config only has username, macaddress, mac. No WLAN specified.

Converted 5520 Example:

username 1a2b3c4d5e6f mac
 
This worked on a 9800 Example:
username 1a2b3c4d5e6d mac description my-meshtest-ap01
 
I did not specify any WLAN specific configuration. However, when I enter the mac using the 9800 GUI it makes me select a specific WLAN and there is no "any WLAN" option as there was on the 5520.
 
Now having said all that multiple people have entered in macs over the years on our 5520s using a combination of "any WLAN" and "ProductionWLAN(s)" Our mesh setup on the 5520 appears to not care what WLAN is specified and works with all WLAN assigned to the AP group the mesh AP is assigned.
 
So real fuzzy here one what this all means. I like to keep configuration settings to the bare minimum. If I don't need to specify the WLAN the I don't want to. I am also building out ansible playbooks to automate this process and supporting unnecessary code is potentially problematic, but that is a different conversation.
 
So why specify a WLAN at all when using local mac authen/author for mesh APs at all.? What does this setting actually do or was intended to do? Is this more important in a 9800 configuration vs a 5520? 
Labels:
0 Helpful
4 Replies 4

marce1000
VIP
VIP

‎07-18-2024 11:49 AM

 

  - It could be a result of a somewhat stronger security architecture in the sense that the setting on 9800 restricts the particular VLAN(s) that can be bridged in the Mesh network , 

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '
0 Helpful

Rich R
VIP
VIP

‎07-20-2024 02:38 AM

MAC usernames can be used for client device local authentication (where the WLAN would matter) and also for mesh AP local authentication where the WLAN won't matter.

Be careful with using converted config - it should really only be used as a starting point and guideline for your new 9800 config because there are many features either not fully supported by the converter or not supported by the 9800 at all.

For 9800 mesh setup see:
https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/215100-join-mesh-aps-to-catalyst-9800-wireless.html (no WLAN specified)
https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-12/config-guide/b_wl_17_12_cg/m_mesh_ewlc.html
https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/technical-reference/c9800-best-practices.html#OutdoorDeployments

Also take note of https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/technical-reference/c9800-best-practices.html#MigrationfromAireOSWLCtoC9800

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
0 Helpful

8uck5nort
Level 1
Level 1

‎07-22-2024 06:27 AM - edited ‎07-22-2024 06:28 AM

Appreciate the replies. I was using the 9800 mesh documentation that is called out.

I guess I did not make the connection between the mac list being used for multiple purposes.

I am not sure why then the GUI makes you add a WLAN vs the CLI not requiring it.

The more I think about it I guess someone made a call when developing the GUI? I am assuming here on my conclusion. They made the assumption that this is the minimum fields needed to make the mac list usable whether for client auth or for mesh auth. From that angle it makes sense now. Appreciate the help with fleshing out the "Why?".

0 Helpful

Rich R
VIP
VIP
In response to 8uck5nort

‎07-22-2024 09:29 AM - edited ‎07-22-2024 09:32 AM

I am not sure why then the GUI makes you add a WLAN vs the CLI not requiring it.
The WLAN field is not mandatory on the GUI so you can leave it blank.
Agreed that it is a bit confusing - one of many things on the GUI that leave room for improvement.
As a rule I do everything I can on the CLI - quicker, clearer, simpler and more reliable - but that's just me.  I hate waiting for screens to load and watching timers twirling every time I click on something or submit something.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card