Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3049
Views
5
Helpful
10
Replies

Procedure to migrate Mesh access points from WISM2 to Cisco 9800

pnahirny
Level 1
Level 1

‎07-07-2021 07:17 AM

Hi,

I have been trying to migrate IW3702-2E-UXK9 access points configured as Mesh APs (bridge mode) on a WISM2 to a Cisco 9800 WLC HA-Pair with no success.

 

I have successfully migrated 2702/3702 access points configured as local mode.

I have copied the mac-filter list for authorizing Mesh APs from the WISM2 to the Cisco 9800 and followed the Mesh deployment guide at https://www.cisco.com/c/dam/en/us/td/docs/wireless/controller/9800/17-1/deployment-guide/c9800-mesh-rel-17-1.pdf  This document mentions setting "authorize APs to mac address" as enabled under Configuration>AAA>AAA Advanced>AP Policy but I'm concerned that this will mean all APs including local mode APs will have to be configured in the mac-filter list. 

 

The AP Join fails stats on the Cisco 9800 show as "AP auth pending" for the mesh AP I'm trying to move from  the WISM2 by setting the primary controller for the AP as the Cisco 9800, which is the same process I've successfully used for moving local mode APs.

 

Does anybody have a good procedure for migrating mesh APs from Aire-OS to Cisco 9800 IOS-XE?

 

Thanks and much appreciated.

 

Pete

Labels:
0 Helpful
10 Replies 10

balaji.bandi
Hall of Fame
Hall of Fame

‎07-07-2021 08:12 AM

Look at the below thread may help you :

 

https://community.cisco.com/t5/wireless/wlc-config-converter-aireos-ios-xe/td-p/2895495

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

pnahirny
Level 1
Level 1
In response to balaji.bandi

‎07-07-2021 08:29 AM

Thanks for the quick reply but I have used the config conversion tool to migrate the config on the WISM2 to Cisco 9800. The config conversion created the mac filter list and I tried moving the mesh APs from the WISM2 to the Cisco 9800 but fails with auth pending messages so I amended the config by following the Cisco 9800 Mesh config guide but still getting auth pending failure messages
0 Helpful

Arshad Safrulla
VIP Alumni
VIP Alumni
In response to balaji.bandi

‎07-07-2021 02:20 PM

Can you post your AP join profile for these AP's, converter sometimes mess up the AP join profile for Mesh AP;s while converting. Please make sure that all parameters are correctly configured under AP join profile and also under mesh profile please verify that the 2 Auth's are configured and method is set to EAP. 

 

If your AP's are not joined before to the controller please add the below commands to the controller

aaa authentication dot1x default local

aaa authorization cred default local 

 

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/215100-join-mesh-aps-to-catalyst-9800-wireless.html

 

___________________________________________
TAC recommended codes for AireOS WLC's
Best Practices for AireOS WLC's
TAC recommended codes for 9800 WLC's
Best Practices for 9800 WLC's
Cisco Wireless compatibility matrix
___________________________________________
Arshad Safrulla

pnahirny
Level 1
Level 1
In response to Arshad Safrulla

‎07-08-2021 01:32 AM

Thanks for the response. The document you list is the one of a few config guides I've followed. Strangely, I get the same errors the document shows in the troubleshooting section but that section doesn't explain how it was fixed!
The conversion tool didn't produce config for a mesh profile. The only piece of config it provided related to the Mesh APs was the mac filter list so using the config guides I added the following config;
aaa authentication dot1x Mesh_Authc local group RAD_GRP_AUTH_TME-Wirele3
aaa authorization credential-download Mesh_Authz local group RAD_GRP_AUTH_TME-Wirele3
!
wireless profile mesh Mesh_Profile
method authentication Mesh_Authc
method authorization Mesh_Authz
!
ap profile Mesh_APJoin
mesh-profile Mesh_Profile
I don't have the commands so will look in to this.
aaa authentication dot1x default local
aaa authorization cred default local

Thanks,

Pete

0 Helpful

pnahirny
Level 1
Level 1
In response to Arshad Safrulla

‎07-12-2021 09:41 AM

Hi,

I added the commands suggested 

aaa authentication dot1x default local

aaa authorization cred default local

I then moved the RAP from the AireOS WLC to the Cisco 9800 WLC and it successfully joined but the MAPs that were associated with this RAP became stranded. They did not move across with the RAP and lost connectivity to the AireOS WLC so I moved the RAP back to the AireOS WLC and the MAPs rejoined.

Should I have moved the MAPs before the RAP, which would then leave the MAPs stranded until the RAP is moved?

The MAPs are not easily accessible, hence I'm wary of doing something that hasn't been proven in case they become stranded. Much appreciated for any tips from somebody who has done this before and can share the procedure.

 

Thanks,

 

Pete

0 Helpful

pnahirny
Level 1
Level 1

‎07-22-2021 02:08 AM

Update. Procedure that worked for me is;

configure on C9800 

aaa authentication dot1x default local

aaa authorization cred default local

set primary WLC as C9800 and secondary as AireOS on MAP high availabilty setting

set primary WLC as C9800 on RAP high availability setting

Eventually both RAP and MAPs will migrate from the AireOS controller to the C9800

0 Helpful

doyejide1
Level 1
Level 1
In response to pnahirny

‎04-12-2023 01:44 PM

I'm a little confused. I'm migrating from Cisco 8540, 8.10. to Cisco 9800 17.3

Is this the complete procedure?

configure on C9800 

aaa authentication dot1x default local

aaa authorization cred default local

set primary WLC as C9800 and secondary as AireOS on MAP high availabilty setting

set primary WLC as C9800 on RAP high availability setting

Eventually both RAP and MAPs will migrate from the AireOS controller to the C9800

 

Or should I add the following commands as well?

aaa authentication dot1x Mesh_Authc local group RAD_GRP_AUTH_TME-Wirele3
aaa authorization credential-download Mesh_Authz local group RAD_GRP_AUTH_TME-Wirele3
!
wireless profile mesh Mesh_Profile
method authentication Mesh_Authc
method authorization Mesh_Authz
!
ap profile Mesh_APJoin
mesh-profile Mesh_Profile
I don't have the commands so will look in to this.
aaa authentication dot1x default local
aaa authorization cred default local

Thanks

0 Helpful

pnahirny
Level 1
Level 1
In response to doyejide1

‎04-14-2023 06:26 AM

Hi,

The issue I had was that the AireOS to IOS-XE config conversion tool missed the 2 commands listed, though it had included other AAA commands. When I added the additional 2 commands to what had already been configured under AAA I was able to successfully migrate the Mesh APs. The mesh APs have a MAC filter list configured on the WLC which is used to authenticate them hence I needed the extra 2 commands which specify local authentication/authorization when the mesh APs join the WLC.

Regards,

 

Pete

0 Helpful

JohanGonzalez4730
Level 1
Level 1
In response to pnahirny

‎04-26-2023 04:46 PM

Hi pnahirny,

Did the MAPS upgraded their software version?

I have configured filters on my c9800 so AP will get the correct tags automatically. Would that work?

I'm migrating from 2504 running version 8.2.130.0 to C9800 running 17.3.6

 

0 Helpful

pnahirny
Level 1
Level 1
In response to JohanGonzalez4730

‎04-27-2023 03:18 AM

Hi,

 

Yes, the MAPs are upgraded to the IOS-XE version on the C9800 as part of the join process to the WLC. 

Regards,

 

Pete

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card