cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3048
Views
5
Helpful
10
Replies

Procedure to migrate Mesh access points from WISM2 to Cisco 9800

pnahirny
Level 1
Level 1

Hi,

I have been trying to migrate IW3702-2E-UXK9 access points configured as Mesh APs (bridge mode) on a WISM2 to a Cisco 9800 WLC HA-Pair with no success.

 

I have successfully migrated 2702/3702 access points configured as local mode.

I have copied the mac-filter list for authorizing Mesh APs from the WISM2 to the Cisco 9800 and followed the Mesh deployment guide at https://www.cisco.com/c/dam/en/us/td/docs/wireless/controller/9800/17-1/deployment-guide/c9800-mesh-rel-17-1.pdf  This document mentions setting "authorize APs to mac address" as enabled under Configuration>AAA>AAA Advanced>AP Policy but I'm concerned that this will mean all APs including local mode APs will have to be configured in the mac-filter list. 

 

The AP Join fails stats on the Cisco 9800 show as "AP auth pending" for the mesh AP I'm trying to move from  the WISM2 by setting the primary controller for the AP as the Cisco 9800, which is the same process I've successfully used for moving local mode APs.

 

Does anybody have a good procedure for migrating mesh APs from Aire-OS to Cisco 9800 IOS-XE?

 

Thanks and much appreciated.

 

Pete

10 Replies 10

balaji.bandi
Hall of Fame
Hall of Fame

Look at the below thread may help you :

 

https://community.cisco.com/t5/wireless/wlc-config-converter-aireos-ios-xe/td-p/2895495

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Thanks for the quick reply but I have used the config conversion tool to migrate the config on the WISM2 to Cisco 9800. The config conversion created the mac filter list and I tried moving the mesh APs from the WISM2 to the Cisco 9800 but fails with auth pending messages so I amended the config by following the Cisco 9800 Mesh config guide but still getting auth pending failure messages

Can you post your AP join profile for these AP's, converter sometimes mess up the AP join profile for Mesh AP;s while converting. Please make sure that all parameters are correctly configured under AP join profile and also under mesh profile please verify that the 2 Auth's are configured and method is set to EAP. 

 

If your AP's are not joined before to the controller please add the below commands to the controller

aaa authentication dot1x default local

aaa authorization cred default local 

 

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/215100-join-mesh-aps-to-catalyst-9800-wireless.html

 

Thanks for the response. The document you list is the one of a few config guides I've followed. Strangely, I get the same errors the document shows in the troubleshooting section but that section doesn't explain how it was fixed!
The conversion tool didn't produce config for a mesh profile. The only piece of config it provided related to the Mesh APs was the mac filter list so using the config guides I added the following config;
aaa authentication dot1x Mesh_Authc local group RAD_GRP_AUTH_TME-Wirele3
aaa authorization credential-download Mesh_Authz local group RAD_GRP_AUTH_TME-Wirele3
!
wireless profile mesh Mesh_Profile
method authentication Mesh_Authc
method authorization Mesh_Authz
!
ap profile Mesh_APJoin
mesh-profile Mesh_Profile
I don't have the commands so will look in to this.
aaa authentication dot1x default local
aaa authorization cred default local

Thanks,

Pete

Hi,

I added the commands suggested 

aaa authentication dot1x default local

aaa authorization cred default local

I then moved the RAP from the AireOS WLC to the Cisco 9800 WLC and it successfully joined but the MAPs that were associated with this RAP became stranded. They did not move across with the RAP and lost connectivity to the AireOS WLC so I moved the RAP back to the AireOS WLC and the MAPs rejoined.

Should I have moved the MAPs before the RAP, which would then leave the MAPs stranded until the RAP is moved?

The MAPs are not easily accessible, hence I'm wary of doing something that hasn't been proven in case they become stranded. Much appreciated for any tips from somebody who has done this before and can share the procedure.

 

Thanks,

 

Pete

pnahirny
Level 1
Level 1

Update. Procedure that worked for me is;

configure on C9800 

aaa authentication dot1x default local

aaa authorization cred default local

set primary WLC as C9800 and secondary as AireOS on MAP high availabilty setting

set primary WLC as C9800 on RAP high availability setting

Eventually both RAP and MAPs will migrate from the AireOS controller to the C9800

I'm a little confused. I'm migrating from Cisco 8540, 8.10. to Cisco 9800 17.3

Is this the complete procedure?

configure on C9800 

aaa authentication dot1x default local

aaa authorization cred default local

set primary WLC as C9800 and secondary as AireOS on MAP high availabilty setting

set primary WLC as C9800 on RAP high availability setting

Eventually both RAP and MAPs will migrate from the AireOS controller to the C9800

 

Or should I add the following commands as well?

aaa authentication dot1x Mesh_Authc local group RAD_GRP_AUTH_TME-Wirele3
aaa authorization credential-download Mesh_Authz local group RAD_GRP_AUTH_TME-Wirele3
!
wireless profile mesh Mesh_Profile
method authentication Mesh_Authc
method authorization Mesh_Authz
!
ap profile Mesh_APJoin
mesh-profile Mesh_Profile
I don't have the commands so will look in to this.
aaa authentication dot1x default local
aaa authorization cred default local

Thanks

Hi,

The issue I had was that the AireOS to IOS-XE config conversion tool missed the 2 commands listed, though it had included other AAA commands. When I added the additional 2 commands to what had already been configured under AAA I was able to successfully migrate the Mesh APs. The mesh APs have a MAC filter list configured on the WLC which is used to authenticate them hence I needed the extra 2 commands which specify local authentication/authorization when the mesh APs join the WLC.

Regards,

 

Pete

Hi pnahirny,

Did the MAPS upgraded their software version?

I have configured filters on my c9800 so AP will get the correct tags automatically. Would that work?

I'm migrating from 2504 running version 8.2.130.0 to C9800 running 17.3.6

 

Hi,

 

Yes, the MAPs are upgraded to the IOS-XE version on the C9800 as part of the join process to the WLC. 

Regards,

 

Pete

Review Cisco Networking for a $25 gift card