Showing results for 
Search instead for 
Did you mean: 
Monica Lluis
Community Manager

Ask the Expert: Deploying and Troubleshooting Wireless Networks

Welcome to this Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and any ask questions about how to configure and troubleshoot a wireless network with Cisco expert  Alexander De Menezes.

Ask questions from Monday February 22 to Friday March 4, 2016

Wireless networks have became pervasive in today's world. Cisco offers very strong wireless porfolio that helps business to connect to the Internet anywhere anytime. 

This session will focus on answering question regarding how to deploy a wireless network and also, the common pitfalls and issues that might happen in an installed wireless network. 


Alexander De Menezes  is a Technical Support engineer in the Cisco Technical Assistance Center in Cisco Brussels.  He is expert on any wireless products, including Wireless LAN controllers and Access Points. He also has in-depth knowledge of AAA and IBNS technologies. Alexander joined Cisco in 2007. He holds a Master in Sciences in Advanced Electronic Engineering from the University of Warwick, UK. 

Alexander  might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Getting Started with Wireless Community

Find other

**Ratings Encourage Participation! **
Please be sure to rate the Answers to Questions

I hope you and your love ones are safe and healthy
Monica Lluis
Community Manager Lead

Accepted Solutions

Hi Daniel

Its a great question, but i won't be able to give a detailed response in this short space, so i will share you some very good info on troubleshooting available under Ciscolive site:

There are a lot of  troubleshooting sessions on wireless in CiscoLive, i think the 2 below sessions will give you the info you are looking for:

BRKEWN-3011 - Advanced Troubleshooting of Wireless LANs (2016 Berlin)

BRKEWN-3000 - Advanced - Analyzing and fixing WiFi issues - Cisco WLC tools and packet capture analysis techniques(2015 Milan)

Do let me know if you have any specific troubleshooting scenario which is unclear or if any problems with accessing above content from Cisco live:


View solution in original post

Hi Robinoliv,

Is this for new deployed APs, since i also see AP uptime of 1 day for example for AP02/AP09/AP08.

Short AP uptime would mean AP loosing connectivity to switch port,  so example PoE issue (like Switch PoE budget issue or AP switch port flaps or unstable switch to which AP is plugged).

For Aps which have shorter "association up time" as compared to the "AP up time", that would mean the APs are loosing connectivity to the WLC and rejoining back.

In your case there are APs with both short AP uptime and differing association uptime. 

To troubleshoot this problem:

1)You may want to check on WLC release, for example on we see 7.6 release marked as deferred release, so you can check on release notes and have WLC moved to a latter Cisco suggested release (can be viewed from >software downloads page).

2)If not running on deferred WLC releases and you still see the issue, then 

Check on AP event.log/show logging as it will show some info on problem event corresponding to AP uptime data.

For example from telnet/ssh to specific AP:
ap#debug capwap console cli

ap#show logging

Also you can correlate above problem occurrence timestamps to WLC data,from WLC cli:

show msglog

show traplog

3)Enable core dump on APs:

WLC command :
config ap core-dump enable <TFTP server IP> <filename> compress 

For this we will then need to make sure the AP can reach the TFTP server.So if any crash event on the AP, the core dump will be automatically sent out by AP to TFTP server.

4)If any crash event seen on AP, we can then retrieve all the relevant "event.log/crash/rcore/coredump/show tech-support" from those specific Aps "dir flash:" for the relevant timestamp of AP problem occurrence.

For example from telnet/ssh to specific AP,you can capture:
ap#debug capwap console cli

ap#show tech-support
ap#show logging

ap#dir flash:

Under AP "dir flash" only check for files which have timestamp corresponding to problem occurrence time on APs.Then to transfer any relevant files to TFPT/FTP, for example:

ap#copy flash:crash.txt tftp:

ap#copy flash:r0.rcore tftp:

Or alternatively to transfer these files via WLC method:

(Cisco Controller) >Show ap crash-file 
(Cisco Controller) >show ap core-dump <AP name>
(Cisco Controller) >config ap crash-file get-crash-data <AP name>
(Cisco Controller) >config ap crash-file get-radio-core-dump x <AP name>
(Cisco Controller) >show ap eventlog <AP name>

Should you not see any useful data from the AP "dir flash:" for problem occurrence timestamp,then do let me know, as it may need a Cisco TAC case for detailed troubleshooting.


View solution in original post

Brett Verney

Hi Alexander,

I have trouble understanding when to use a Flex ACL vs a normal WLC ACL, especially when it comes to things like Central Web Auth using ISE.

I have two questions;

1.) What ACLs need to be present on the WLC for ISE to reference when using CWA for guests access.

2.) Where do the Flex ACLs for CWA need to be referenced in a FlexConnect group?

Thanks heaps!


Hi Brett,

I share some links to clarify it in more detail.

Page 8 onwards for info on question 1:

Page 10 onwards for config details on question 2:

Also another link for info on CWA with Flexconnect APs:

There are some bugs to note here which is probably causing confusion.Depending on what is your WLC version and if you upgrade from 7.5/7.6 to 8.x, your earlier working CWA setup with flex connect ACLs may break, these are the bugs to watch out for:

CSCue68065 CWA with Flex APs require a local ACL with same name as Flex ACL
CSCuv04255 8510 wlc not getting portal page while doing cwa
CSCuy01846 ACL blocking some traffic after upgrade
CSCuy18455 Documentation should reflect Airspace ACL behavior change

As mentioned in above document link:

An issue with FlexConnect APs is that you must create a FlexConnect ACL separate from your
normal ACL. This issue is documented in Cisco Bug CSCue68065 and is fixed in Release 7.5.
In WLC 7.5 and later, only a FlexACL is required, and no standard ACL is needed. The WLC
expects that the redirect ACL returned by ISE is a normal ACL. However, to ensure it
works, you need the same ACL applied as the FlexConnect ACL.

There is a note in 8.x release:

and for 8500 WLC platform:

CSCuv04255 8510 wlc not getting portal page while doing cwa

When flexconnect ACL and regular ACL has the same name and the same exact acl

Remove the regular ACL or have the same regular ACL name as the flexconnect group ACL with deny statement

Hope that helps to clarify?


Thanks Alex,

This is some good information!

Much appreciated


Hello Brett,

If Alex was able to help, feel free to rate his answer. This helps all the community members to find quality content faster and encourage experts to continue to provide great answers.

Thanks a lot,

Monica Lluis

Community Manager

I hope you and your love ones are safe and healthy
Monica Lluis
Community Manager Lead

I have a few questions:

-Is there any link that explain how to configure the Authentication and Accounting Server for a 1832i running mobility express as master controller?

-Have your ever tried EAP-TLS on a 1832i or similar using Mobility Express?. I have seen authentication issues on Windows Laptops, access-accept not being displayed in the packet capture so I will follow the troubleshooting procedure you posted above.

-If I have 4 AP's (5 Ghz) on each corner of an auditorium with a separation from 20-30 meters, how did I get TP = 1 on almost all of them if the WLC is using RRM?. My understanding is that even though they displayed a similar PL (power level) = 1 in the WLC, they were actually providing different signal strength depending on the UNII channel on which they were assigned (so no channel interference would happen). For instance, AP 1 & 2 were using UNII-1 channels so they were using 14 dBm and 11 dBm as the WLC TP was 1 and 2 respectively. AP 3 was assigned UNII-3 channel (23 dBm) for WLC TP = 1 and AP 4 was assigned UNII-2 channel (17 dBm) for WLC TP = 1. Please correct me if I am wrong. I am using 2602AP.

-Can we affirm that RRM on 2.4 Ghz is applied only if I have 4 neighbor AP's because we have only 3 channels available so the 4 neighbor AP is the one that actually triggers the WLC RRM mechanism?. I have seen a few notes/posts about this but not a formal confirmation.


Can you help?  Employees have hard time connecting to Wi-Fi. it is authenticated 802.1x I through Radius. have found Trap Log, any of the Rague raios can afffect performance?

Number of Traps since last reset    4401997   
Number of Traps since log last viewed    8996  

Trap Log

System Time Trap
0 Fri Feb 26 09:02:20 2016 Rogue AP : a8:a7:95:a4:77:2e removed from Base Radio MAC : 88:75:56:ec:81:60 Interface no:0(802.11n(2.4 GHz))
1 Fri Feb 26 09:02:05 2016 Rogue AP : 78:61:7c:06:ec:b2 removed from Base Radio MAC : 54:78:1a:2e:85:30 Interface no:0(802.11n(2.4 GHz))
2 Fri Feb 26 09:01:56 2016 Rogue AP : c4:04:15:a9:61:4a removed from Base Radio MAC : 54:78:1a:2e:88:00 Interface no:0(802.11n(2.4 GHz))
3 Fri Feb 26 09:01:51 2016 Rogue AP : 34:6f:90:9c:f0:c4 removed from Base Radio MAC : 54:78:1a:2e:85:30 Interface no:0(802.11n(2.4 GHz))
4 Fri Feb 26 09:01:51 2016 Rogue AP : 34:6f:90:9c:f0:c4 removed from Base Radio MAC : 88:75:56:ed:1b:40 Interface no:0(802.11n(2.4 GHz))
5 Fri Feb 26 09:01:50 2016 Rogue AP : 74:85:2a:c0:d8:2a removed from Base Radio MAC : 54:78:1a:2e:89:c0 Interface no:0(802.11n(2.4 GHz))
6 Fri Feb 26 09:01:49 2016 Rogue AP : 74:85:2a:f4:98:2a removed from Base Radio MAC : 54:78:1a:2e:89:c0 Interface no:0(802.11n(2.4 GHz))
7 Fri Feb 26 09:01:49 2016 Rogue AP : 00:19:e3:fa:a3:b9 removed from Base Radio MAC : 54:78:1a:2e:89:c0 Interface no:0(802.11n(2.4 GHz))
8 Fri Feb 26 09:01:27 2016 AAA Authentication Failure for UserName:host/AL000051.MHIPWPS.COM User Type: WLAN USER
9 Fri Feb 26 09:01:06 2016 Adhoc Rogue : 02:18:4a:8a:bf:91 detected on Base Radio MAC : 54:78:1a:2e:81:c0 Interface no:0(802.11n(2.4 GHz)) on Channel 6 with RSSI: -67 and SNR: 8
10 Fri Feb 26 09:00:14 2016 Rogue AP : 6c:c2:17:56:56:3c detected on Base Radio MAC : 20:3a:07:e0:51:70 Interface no:0(802.11b/g) on Channel 6 with RSSI: -93 and SNR: 2 and Classification: unclassified


There is an AAA authentication failure in that trap log.

Some suggestions:

1)Check on the AAA/RADIUS server authentication report, for the authentication failure/state for a given client reporting problems.It should give you further details on the problem.Do you see the AAA/RADIUS server sending an "access-accept" to the wireless client auth request?

2)From WLC cli, run a debug client and attempt to replicate the problem state on that client:

show client detail <wireless client MAC>

In what policy manager state is the client stuck in while reporting the problems? 

Also for details of problem state:

debug client <take a specific Client MAC>

(I could help you with the debug client analysis,but not sure if you would want to share your data on public forum for security reasons?)

3)Rogue AP detection is common on 2.4Ghz as it may be from neighbouring or 3rd party wireless devices.You can run a check on the WLC "show run-config" for channel utilisation on 2.4Ghz band.For example if you have only 1 client associated to AP and high channel util like 25-30% and higher,then you need to check further for issues like:

-possible incorrect AP placement/positioning.

-Was wireless site survey done?

-Are lower data rates enabled,as that can cause large cell sizes and APs hearing a lot of neighbours.

You can directly search for channel util from WLC "show run-config" in notepad editor with keyword "Channel Utilization":

AP Name.......................................... APxyz
Channel Utilization.......................... 48 %
Attached Clients............................. 1 clients

This is a useful tool to check on the configuration and stats,You need to use the WLC "show run-config" and upload it to the tool:


Hello Alex,

Can you please take a look here?

I have a question about designing an indoor wlan using only few AP's and splitters+external antennas. Thank you!

Hi Istvan,

I am against that idea, using splitters to increase coverage will be a bad choice and will result in incorrect design,increase the troubleshooting hours/cost and worst of all result in a bad wireless network performance.

Besides if you plan for voice deployment, then i would stay with the site survey recommendations and the voice deployment guide requirements.

Splitters is sometimes used for only specific short range coverage scenarios,for example with splitters we will loose diversity,signal attenuation at ports/connectors/cables, with different cable lengths from antennas to splitters there is big problems like packet corruptions and nulls from differing signal propagation times.

For example,below is also not going to scale with splitters as antennas covering differing cells will lead to multi-path problems and packet corruption:
To avoid asymmetric RF and signal drop, we also need to have AP and client power match so that the AP can listen to the Phone (otherwise the Phone may hear the AP well, but the AP may not hear the phone with weak signal),  Please refer to page 44 &45 which mentions about DTPC/AP placement/Data Rates and Transmit Power:

Hope that helps?


Thank you Alex!

Hi Abraham,

You are absolutely right, i see mobility express documentation needs to be updated urgently, i haven't seen any detailed documentation on configurations other than the mobility express deployment guide.So i am going to check this internally in TAC and attempt to have some documents for that on

I will get back to you on this with an update during the week.I haven't tried EAP-TLS yet on the mobility express setup.

You are correct about the RRM calculations , there is an old doc on RRM which is planned to be updated during this year.I will check further on timeframe with the BU.


Hi Alexander,

So far we've deployed a wireless network for a multi floor building, user density in the floors is different then we've forced to install more APs in this floors than others.

I have some question about our installation:

1. Should have we used same APs and antennas for best performance? now our APs are 2602 and 2702 both with external and internal anttenas, and all of the antennas  are AIR-ANT2544.

2. Channel utilization on some floors are in 30 to 40 percent. how much channel utilization is reasonable? but air quality reports are OK and I can see 90 percent or higher for that in average?

3.  There are clients near the APs, but they sometimes roam to the far APs, how can i find reason of this roaming? when I check this clients in prime the only reason for them to roam is amount of RSSI, but sometimes client roaming to an AP doesn't lead to a better RSSI.

4. Can the high load on an AP be cause of client roaming? I don't know, because of beacon loss?

5. And is there any recommendation for this kind of building with different user density in floors?

Thanks in advance.

Jackson Braddock

Hello Alex,

What recommendations do you have to troubleshoot a WLAN where the authentication is failing?  Thanks for your help on this.

- Jackson

Hi Jackson,

I assume you refer to a setup using Cisco WLC and not standalone IOS APs.

You will also need to verify if the wireless client supplicant is correctly configured for the EAP authentication method as defined on the RADIUS/AAA server.

For debugging on Cisco WLC via cli:

show client detail <wireless mac of failing client>

debug client <wireless mac of failing client>

To disable all debugs:

debug disable-all

From the debug, we can search for the keyword: Access-Accept

For a successful client authentication attempt ,we will have following line in the debug:
"Processing Access-Accept for mobile"

If an "access-accept" is not seen in the WLC debug or if we have an "access-reject" from RADIUS/AAA server, then the troubleshooting will need to be focussed on the RADIUS/AAA server.
For example, if using a Cisco ISE  as RADIUS server,we can run a tcpdump/sniffer trace or view the user live authentication detail report or run "runtime-aaa" in debug level for details into authentication flow.

As example, from the tcpdump/sniffer trace on RADIUS/AAA server, we can filter sniffer capture on "radius" and verify if we have the "access-accept" frame for the client/user access request frame.

Now if we have the "access-accept" for the client/user , but the client is still not working and not in "RUN" policy manager state on the WLC.
Then based on your WLAN/SSID config, if you have some WLAN/SSID config like below ,the issue may then be in latter 4 way handshake process after 802.1X EAP authentication is completed.

Wi-Fi Protected Access (WPA/WPA2)............. Enabled
WPA (SSN IE)............................... Disabled
WPA2 (RSN IE).............................. Enabled
TKIP Cipher............................. Disabled
AES Cipher.............................. Enabled

Auth Key Management
802.1x.................................. Enabled

For some info on client policy state on the WLC:

Do let me know if you see something unclear in the debug, and I will gladly help.


Content for Community-Ad