Cisco 9115 AP config

heyjunsun · ‎01-08-2024

hello

I am setting up Cisco AP 9115

https://www.youtube.com/watch?v=kW9nJ3MEZX0

I saw the link and got to SSID creation.

I don't know how to set up AAA server-related settings and Radius server-related settings.

I am sending the configuration that I set for reference.

Current configuration : 12500 bytes

!

! Last configuration change at 08:58:24 UTC Mon Oct 16 2023

!

version 16.12

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

! Call-home is enabled by Smart-Licensing.

service call-home

no platform punt-keepalive disable-kernel-core

no platform punt-keepalive settings

platform console serial

!

hostname WLCAC2A.A110.050C

!

boot-start-marker

boot-end-marker

!

no aaa new-model

no fips authorization-key

call-home

! If contact email address in call-home is configured as sch-smart-licensing@cisco.com

! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.

contact-email-addr sch-smart-licensing@cisco.com

profile "CiscoTAC-1"

active

destination transport-method http

no destination transport-method email

!

ip name-server 208.67.222.222 208.67.220.220

login on-success log

!

flow exporter default-flow-exporter

destination local wlc

!

flow monitor default-flow-monitor

exporter default-flow-exporter

record wireless avc basic

!

crypto pki trustpoint TP-self-signed-941827864

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-941827864

revocation-check none

rsakeypair TP-self-signed-941827864

!

crypto pki trustpoint SLA-TrustPoint

enrollment pkcs12

revocation-check crl

!

crypto pki certificate chain TP-self-signed-941827864

certificate self-signed 01

3082032E 30820216 A0030201 02020101 300D0609 2A864886 F70D0101 05050030

30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274

69666963 6174652D 39343138 32373836 34301E17 0D323331 30313630 38333630

305A170D 33303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F

532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3934 31383237

38363430 82012230 0D06092A 864886F7 0D010101 05000382 010F0030 82010A02

82010100 CE9CB82E F8CAA33C 5281ABAA 38E9C70F 9B16CCED 4BA0AA44 AA3654EC

132D8831 C2F7A12F 2C44BEDC 51E3307D 21CE19C3 04C5D383 273E8CCB 3190FF01

B4D4F485 45426F37 5CA13811 76AF4B08 43AB5B6B 3DA51DAB EFE14267 C8333706

FBDAA9FA F6664CC8 4978697A 43D1741D 16E7A8AF 62040DC0 E5AFDEC2 6C0C7466

5334A538 7C06570C 020ACF3B AFC3DE29 07E39308 DFE73E09 D0C86154 5F6023AA

27B18EEC 03C4DAC8 A8881A63 56ECE52B 1B059F9C 7E9B2C46 65254BE0 71BD38D2

79E02D40 BE168E79 2C91018A C8B91759 1C01D4AD C4F00C13 CE722398 A3E10CA3

B78966BE B8166810 3F79BE13 23ED993A 297D7159 9DB9120C 7E449204 F6A9CBF5

9A25C2B1 02030100 01A35330 51300F06 03551D13 0101FF04 05300301 01FF301F

0603551D 23041830 168014C0 27101A37 DE465DB6 4BB8FD6F E04DEC82 7CFA1730

1D060355 1D0E0416 0414C027 101A37DE 465DB64B B8FD6FE0 4DEC827C FA17300D

06092A86 4886F70D 01010505 00038201 0100A142 72313481 BF89A96F 566BCC60

0E8364A0 A9CA623E 83BC78FE 65437448 4174680F 49C288AF F035C1C5 B7C0F3C2

DC943BFA 0CAFE82A 449F46C3 25A5BEE4 4CDF4258 B4200470 6BA6EC6D 86703B29

E2AC5E9A E31609B4 8EB27B89 E4466F52 2322C5D5 BC183D4A 46EAFFF9 25A74842

BE2AD3EF C7C2FAB9 BF3C6018 45ABD8A7 2564D0B5 6A673DF6 8E21E0DB 6D4B174F

D474301E 0638C5DB 5660F1D2 52A2B4DC 84AA66A6 C4319625 C87416AF 729E4E35

FFFB917E 88534EDA 37822561 39648717 3479911A 43B2E4B8 C1B632D6 1375F087

D8177BB5 652F9D37 21DB64D6 4B09D9A6 DC1A552F E8E2277B 08166D00 3249C93E

8A10FA14 D50DA709 13EA30CD B7B2A895 AE63

quit

crypto pki certificate chain SLA-TrustPoint

certificate ca 01

30820321 30820209 A0030201 02020101 300D0609 2A864886 F70D0101 0B050030

32310E30 0C060355 040A1305 43697363 6F312030 1E060355 04031317 43697363

6F204C69 63656E73 696E6720 526F6F74 20434130 1E170D31 33303533 30313934

3834375A 170D3338 30353330 31393438 34375A30 32310E30 0C060355 040A1305

43697363 6F312030 1E060355 04031317 43697363 6F204C69 63656E73 696E6720

526F6F74 20434130 82012230 0D06092A 864886F7 0D010101 05000382 010F0030

82010A02 82010100 A6BCBD96 131E05F7 145EA72C 2CD686E6 17222EA1 F1EFF64D

CBB4C798 212AA147 C655D8D7 9471380D 8711441E 1AAF071A 9CAE6388 8A38E520

1C394D78 462EF239 C659F715 B98C0A59 5BBB5CBD 0CFEBEA3 700A8BF7 D8F256EE

4AA4E80D DB6FD1C9 60B1FD18 FFC69C96 6FA68957 A2617DE7 104FDC5F EA2956AC

7390A3EB 2B5436AD C847A2C5 DAB553EB 69A9A535 58E9F3E3 C0BD23CF 58BD7188

68E69491 20F320E7 948E71D7 AE3BCC84 F10684C7 4BC8E00F 539BA42B 42C68BB7

C7479096 B4CB2D62 EA2F505D C7B062A4 6811D95B E8250FC4 5D5D5FB8 8F27D191

C55F0D76 61F9A4CD 3D992327 A8BB03BD 4E6D7069 7CBADF8B DF5F4368 95135E44

DFC7C6CF 04DD7FD1 02030100 01A34230 40300E06 03551D0F 0101FF04 04030201

06300F06 03551D13 0101FF04 05300301 01FF301D 0603551D 0E041604 1449DC85

4B3D31E5 1B3E6A17 606AF333 3D3B4C73 E8300D06 092A8648 86F70D01 010B0500

03820101 00507F24 D3932A66 86025D9F E838AE5C 6D4DF6B0 49631C78 240DA905

604EDCDE FF4FED2B 77FC460E CD636FDB DD44681E 3A5673AB 9093D3B1 6C9E3D8B

D98987BF E40CBD9E 1AECA0C2 2189BB5C 8FA85686 CD98B646 5575B146 8DFC66A8

467A3DF4 4D565700 6ADF0F0D CF835015 3C04FF7C 21E878AC 11BA9CD2 55A9232C

7CA7B7E6 C1AF74F6 152E99B7 B1FCF9BB E973DE7F 5BDDEB86 C71E3B49 1765308B

5FB0DA06 B92AFE7F 494E8A9E 07B85737 F3A58BE1 1A48A229 C37C1E69 39F08678

80DDCD16 D6BACECA EEBC7CF9 8428787B 35202CDC 60E4616A B623CDBD 230E3AFB

418616A9 4093E049 4D10AB75 27E86F73 932E35B5 8862FDAE 0275156F 719BB2F0

D697DF7F 28

quit

!

memory free low-watermark processor 33020

!

license udi pid C9800-AP sn FGL2712LDY7

device classifier

username xxx privilege 15 password xxx

!

redundancy

mode sso

!

class-map match-any AutoQos-4.0-RT1-Class

match dscp ef

match dscp cs6

class-map match-any AutoQos-4.0-RT2-Class

match dscp cs4

match dscp cs3

match dscp af41

class-map match-any AutoQos-4.0-wlan-Voip-Signal-Class

match protocol skinny

match protocol cisco-jabber-control

match protocol sip

match protocol sip-tls

class-map match-any AutoQos-4.0-wlan-Voip-Data-Class

match dscp ef

class-map match-any AutoQos-4.0-wlan-Multimedia-Conf-Class

match protocol cisco-phone-video

match protocol cisco-jabber-video

match protocol ms-lync-video

match protocol webex-media

class-map match-any AutoQos-4.0-wlan-Bulk-Data-Class

match protocol ftp

match protocol ftp-data

match protocol ftps-data

match protocol cifs

class-map match-any AutoQos-4.0-wlan-Scavanger-Class

match protocol netflix

match protocol youtube

match protocol skype

match protocol bittorrent

class-map match-any AutoQos-4.0-wlan-Transaction-Class

match protocol cisco-jabber-im

match protocol ms-office-web-apps

match protocol salesforce

match protocol sap

!

policy-map AutoQos-4.0-wlan-ET-SSID-Input-AVC-Policy

class AutoQos-4.0-wlan-Voip-Data-Class

set dscp ef

class AutoQos-4.0-wlan-Voip-Signal-Class

set dscp cs3

class AutoQos-4.0-wlan-Multimedia-Conf-Class

set dscp af41

class AutoQos-4.0-wlan-Transaction-Class

set dscp af21

class AutoQos-4.0-wlan-Bulk-Data-Class

set dscp af11

class AutoQos-4.0-wlan-Scavanger-Class

set dscp cs1

class class-default

set dscp default

policy-map AutoQos-4.0-wlan-ET-SSID-Output-Policy

class AutoQos-4.0-RT1-Class

set dscp ef

class AutoQos-4.0-RT2-Class

set dscp af31

class class-default

!

interface GigabitEthernet0

mac-address 0000.5e00.0101

ip dhcp client client-id GigabitEthernet0

ip dhcp client broadcast-flag clear

ip address 172.18.104.231 255.255.255.0

no negotiation auto

!

interface Vlan100

description 100

no ip address

!

ip http server

ip http authentication local

ip http secure-server

ip http secure-trustpoint CISCO_IDEVID_SUDI

ip http client source-interface GigabitEthernet0

ip forward-protocol nd

ip tftp blocksize 8192

ip route 0.0.0.0 0.0.0.0 GigabitEthernet0 250

ip dns server

!

control-plane

!

banner exec ^C

########################################################################################################

# #

# Welcome to the Cisco Catalyst 9800-AP Embedded Wireless Controller command line interface. #

# #

# Please see command reference guide for the complete list of supported commands for this release: #

# https://www.cisco.com/c/en/us/td/docs/wireless/embedded_wireless_controller_configuration_guide.html #

# #

########################################################################################################

^C

!

line con 0

stopbits 1

line vty 0 4

login local

transport input ssh

line vty 5 15

login local

transport input ssh

!

ntp server 0.ciscome.pool.ntp.org

ntp server 1.ciscome.pool.ntp.org

ntp server 2.ciscome.pool.ntp.org

!

wireless aaa policy default-aaa-policy

wireless cts-sxp profile default-sxp-profile

no wireless ipv6 ra wired

wireless management interface GigabitEthernet0

wireless profile airtime-fairness default-atf-policy 0

wireless profile flex default-flex-profile

description "default flex profile"

wireless profile image-download default

description "default image download profile"

wireless profile mesh default-mesh-profile

description "default mesh profile"

wireless profile policy DBLIFE_18104

autoqos mode enterprise-avc

no central association

no central dhcp

no central switching

description "For 18104"

service-policy input AutoQos-4.0-wlan-ET-SSID-Input-AVC-Policy

service-policy output AutoQos-4.0-wlan-ET-SSID-Output-Policy

vlan 100

no shutdown

wireless profile policy default-policy-profile

no central association

no central switching

description "default policy profile"

http-tlv-caching

ipv4 flow monitor default-flow-monitor input

ipv4 flow monitor default-flow-monitor output

wireless tag site default-site-tag

description "default site tag"

no local-site

wireless tag policy DBLIFE_18104

description "For the 18104"

wlan DBLIFE_18104 policy DBLIFE_18104

wireless tag policy default-policy-tag

description "default policy-tag"

wireless tag rf DBLIFE_18104

24ghz-rf-policy Low_Client_Density_rf_24gh

5ghz-rf-policy 80mhz

description "For the 18104"

wireless tag rf default-rf-tag

description "default RF tag"

wireless fabric control-plane default-control-plane

wlan DBLIFE_18104 1 DBLIFE_18104

ccx aironet-iesupport

security wpa psk set-key ascii xxx

security wpa akm psk

no shutdown

ap dot11 24ghz rf-profile Low_Client_Density_rf_24gh

coverage data rssi threshold -90

coverage level 2

coverage voice rssi threshold -90

description "pre configured Low Client Density rfprofile for 2.4gh radio"

high-density rx-sop threshold low

tx-power v1 threshold -65

no shutdown

ap dot11 24ghz rf-profile High_Client_Density_rf_24gh

description "pre configured High Client Density rfprofile for 2.4gh radio"

high-density rx-sop threshold medium

rate RATE_11M disable

rate RATE_12M mandatory

rate RATE_1M disable

rate RATE_2M disable

rate RATE_5_5M disable

rate RATE_6M disable

tx-power min 7

no shutdown

ap dot11 24ghz rf-profile Typical_Client_Density_rf_24gh

description "pre configured Typical Client Density rfprofile for 2.4gh radio"

rate RATE_11M disable

rate RATE_12M mandatory

rate RATE_1M disable

rate RATE_2M disable

rate RATE_5_5M disable

rate RATE_6M disable

no shutdown

ap dot11 5ghz rf-profile 80mhz

channel chan-width 80

no shutdown

ap dot11 5ghz rf-profile Low_Client_Density_rf_5gh

coverage data rssi threshold -90

coverage level 2

coverage voice rssi threshold -90

description "pre configured Low Client Density rfprofile for 5gh radio"

high-density rx-sop threshold low

tx-power v1 threshold -60

no shutdown

ap dot11 5ghz rf-profile High_Client_Density_rf_5gh

description "pre configured High Client Density rfprofile for 5gh radio"

high-density rx-sop threshold medium

rate RATE_6M disable

rate RATE_9M disable

tx-power min 7

tx-power v1 threshold -65

no shutdown

ap dot11 5ghz rf-profile Typical_Client_Density_rf_5gh

description "pre configured Typical Density rfprofile for 5gh radio"

no shutdown

ap tag-source-priority 2 source filter

ap tag-source-priority 3 source ap

ap profile DBLIFE_18104

description "For the 18104"

hyperlocation ble-beacon 0

hyperlocation ble-beacon 1

hyperlocation ble-beacon 2

hyperlocation ble-beacon 3

hyperlocation ble-beacon 4

ntp ip 172.20.15.235

ap profile default-ap-profile

description "default ap profile"

ap ac2a.a110.050c

policy-tag DBLIFE_18104

rf-tag DBLIFE_18104

end

Faizal AB · ‎01-08-2024

Hi Heyjunsun,

Refer the following link to set up through the mobile phone. After that, you can attached to your network.

https://www.youtube.com/watch?v=PEJzT8CqkP8

heyjunsun · ‎01-08-2024

hello Faizal AB

thank you for your reply.

I don't want to set it up through my phone. I want to set it up through a console cable or Webui.

JPavonM · ‎01-08-2024

There are lot of guides from Cisco for 0-day configuration of eWC:
https://www.youtube.com/watch?v=oS68E25wc4A
https://www.youtube.com/watch?v=HvCJTGAO5_c
https://www.cisco.com/c/en/us/products/collateral/wireless/embedded-wireless-controller-catalyst-access-points/white-paper-c11-743398.html#Gettingstarted
https://www.cisco.com/c/en/us/support/docs/wireless/embedded-wireless-controller-on-catalyst-access-points/215303-embedded-wireless-controller-conversion.html#toc-hId--417775502

And through the App:
https://www.youtube.com/watch?v=m5-gC324Uog

heyjunsun · ‎01-09-2024

hello JPavonM

thank you for your reply

The third URL you sent me says

Software release numbers

Cisco EWC on Catalyst Access Points is supported beginning with Release 16.12.2s.

but i used version C9800-AP-universalk9.16.12.04a

Do I need an upgrade to use EWC?

JPavonM · ‎01-09-2024

No you don't have to, but it is recommended to upgrade to latest TAC recommended release, and seeing that 17.6 is coming to EoL soon, I would recommend you to upgrade to 17.9.5 at the end of January.

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/214749-tac-recommended-ios-xe-builds-for-wirele.html

Take into account the upgrade path for the new code (https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-9/release-notes/rn-17-9-9800.html#Cisco_Concept.dita_59a2987f-2633-4630-8c7b-a8e8aecdeaf7)

heyjunsun · ‎01-09-2024

Hello JPavonM

thank you for your reply

Can't I set it up in question format when booting up like 1832AP?

example

Enter the time zone location index (type 'help' to see a list of time zones): 26

Configure Management Interface IP Address [STATIC][DHCP]: STATIC

I have a terminal configuration, but it's hard to set it to WEBUI

and Is there a way to check the app type? CAPWAP? WLC?

Rich R · ‎01-30-2024

It's a completely different operating system.
1832 ME runs AireOS
9115 EWC runs IOS-XE.
You can do the basic config from CLI on console. When you login it prompts you:
###########################################################################################
# Welcome to the Cisco Catalyst 9800-AP Embedded Wireless Controller command line interface. #
# Please see command reference guide for the complete list of supported commands for this release: #
# https://www.cisco.com/c/en/us/td/docs/wireless/embedded_wireless_controller_configuration_guide.html #
###########################################################################################

Once you have IP access to the EWC you can use the GUI to complete the config.

You really need to upgrade to latest IOS as per TAC recommended link below. Newer IOS has wizards to walk you through all basic config tasks.

Note that you should have DHCP to provide 2 IP addresses for EWC (controller part) and AP (client serving part) of the AP otherwise you'll need to configure static IP on EWC then connect to the AP shell and configure static IP there too. Much easier to just use DHCP initially and then you can configure static for EWC if you want to or reserve IPs on your DHCP server if you don't want them to change.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390