Configure SSO on a production 9800 WLC

QW_netzwerk
Level 1

We have one single Cisco 9800 WLC in production. We want to add another 9800 WLC to create SSO. I didn't find any proper document outlining the steps to follow.

It would be helpful if someone who has experience configuring WLC SSO in such a scenario could share it, or point to any document that adequately describes it.

1 Accepted Solution

Accepted Solutions

 - @QW_netzwerk  As I said, I strongly recommend setting this up in a 'business downtime period'; before going back
   to production, use the WirelessAnalyzer procedure as explained in my first reply (mandatory!)

   M.

-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
   When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'


9 Replies

marce1000
Hall of Fame

  - This document is more exhaustive: https://www.cisco.com/c/dam/en/us/td/docs/wireless/controller/9800/17-1/deployment-guide/c9800-ha-sso-deployment-guide-rel-17-1.pdf
     In general I am not in favor of it, in case something would happen or something wrong would be done (better before production).
     Anyway, either when staging, working on it and/or when finished, use the CLI command on the (primary available) controller
     show tech wireless and feed the output from that into the Wireless Config Analyzer. Please note: do not use a simple
     show tech as input for this procedure (use the full command as mentioned in green).

     For further troubleshooting if needed:
                  - test wireless redundancy rping  (test connectivity to partner RP port)

show redundancy | i ptime|Location|Current Software state|Switchovers
show chassis
show chassis detail
show chassis ha-status local
show chassis ha-status active
show chassis ha-status standby
show chassis rmi
show redundancy
show redundancy history
show redundancy switchover history
show tech wireless redundancy
show redundancy states
show platform hardware slot R0 ha_port interface stats

show platform hardware slot R0 ha_port sfp idprom  (show details of the SFP in the HA port, if used)

 M.

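One way to turn the `show redundancy | i ptime|Location|Current Software state|Switchovers` check above into a repeatable pre-production test, as an added Python example that is not from the thread or from Cisco. It assumes the filtered output keeps each `Location` line followed by its `Current Software state` line (the order `show redundancy` prints them in) and uses constructed sample output rather than a real capture.

```python
# Constructed samples of the filtered `show redundancy` output the reply above
# suggests. The format is assumed to resemble real IOS-XE output; it was not
# captured from a real controller.
HEALTHY = """\
Switchovers system experienced = 0
               Active Location = slot 1
        Current Software state = ACTIVE
              Standby Location = slot 2
        Current Software state = STANDBY HOT
"""

# Constructed: a pair that is not yet ready, the peer is still syncing.
DEGRADED = """\
Switchovers system experienced = 0
               Active Location = slot 1
        Current Software state = ACTIVE
              Standby Location = slot 2
        Current Software state = STANDBY COLD
"""

def parse_redundancy(text):
    """Map each Location line to the Current Software state that follows it."""
    result = {"switchovers": None, "units": []}
    current = None
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "Switchovers system experienced":
            result["switchovers"] = int(value)
        elif key.endswith("Location"):
            # 'Active Location' / 'Standby Location' start a new unit record
            current = {"role": key.split()[0].lower(), "location": value}
            result["units"].append(current)
        elif key == "Current Software state" and current is not None:
            current["state"] = value
    return result

def sso_ready(parsed):
    """ok only when one unit is ACTIVE and its peer is STANDBY HOT."""
    problems = []
    states = {u["role"]: u.get("state") for u in parsed["units"]}
    if states.get("active") != "ACTIVE":
        problems.append("active unit not ACTIVE: %s" % states.get("active"))
    if states.get("standby") != "STANDBY HOT":
        problems.append("peer not STANDBY HOT: %s" % states.get("standby"))
    return (not problems, problems)
```

Paste the controller's filtered output in place of the constructed samples; a peer reported as anything other than STANDBY HOT, or no peer at all, means the pair is not ready to carry production traffic yet.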

Leo Laohoo
Hall of Fame

What is the exact model of the WLC? 

How many APs will be joined to the WLC now?  How about in the next 2 years?

How many daily wireless clients (peak)?

Is external web authentication configured?

The model we're using is the C9800-L-F-K9.

Together, 22 APs are joined to the running WLC, which is the active one. In the next two years, another 40 APs will join.

The peak of daily wireless clients is 280.

Yes, external web authentication is configured.



@QW_netzwerk wrote:
Yes, external web authentication is configured.

I would not recommend HA SSO because of this.

  > ...I would not recommend HA SSO because of this.

  @Leo Laohoo  Leo, as usual your replies are much appreciated, but can you also explain why?

 M.


@marce1000 wrote:
can you also explain why ?

This is a direct quote from a WNBU, "There is nothing wrong with the hardware (of the 9800), but the software disappoints."

I have 8540 in both HA SSO and N+1.  Our N+1 has never seen a reboot/crash since 2015.

Recently, we tore our 9800-80 apart (from HA SSO) and they are all in N + 1.  

9800-80:  IOS v17.12.3, 3080 APs, <10k daily client count, inter-controller roaming, 12 weeks uptime

All our controllers (8540 & 9800-80) have web authentication enabled.  

The above image is the control-plane memory utilization of one of our 9800-80 (N+1) on 17.12.3.  On 15 May 2024, it had <2900 APs.  On 16 May 2024, the AP count went up to >3000.  This particular controller only has <12k daily wireless clients at its peak.

Read the newly-revised Cisco Catalyst 9800 Series Configuration Best Practices (04 May 2024 revision) because it is stomach-churning -- "Cisco recommends limiting the load to around 80% of the AP and client scale."  80%.  Our controller is about to have a heart attack at 50% AP count.

The possible reason why is the developers' "struggle" coding the WNCD, aka "load balancers":  9800-40 has four (4) WNCD and 9800-80 has eight (8), however, 9800-L only has one (1).  

For anyone with 9800-40, -80 or even the 9800X (aka 9800-H1, 9800-H2), follow these golden rules: 

  • <50% AP count
  • <50% client count
  • No inter-controller roaming (AireOS to IOS-XE &/or IOS-XE to IOS-XE)
  • No Web Authentication
  • NO to HA SSO
  • PSK or OPEN SSID and nothing else
