What to allow through firewall for AFC on WLC 9800?

stonent01
Level 1

I'm trying to get AFC working on my 9800-40 but it doesn't seem to be able to communicate with the Cisco back end.  What URLs or IPs do we need to allow through the firewall to allow this to work?  I don't think our management vlan has any outside internet access at this time so I'd have to request anything individually.

The controller has been upgraded to 17.12.xxx for a few weeks and the AFC screen just says "No Valid Token". According to the documentation, all hardware implementations of the 9800 should automatically register and only the cloud versions of the 9800 have to be specifically registered.


 

@stonent01 

As per the prerequisites for AFC, yes, you need to give internet access to the WLC. You need to permit HTTPS traffic.

 


 

https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-14/config-guide/b_wl_17_14_cg/m_afc.html

 

Prerequisites

  • Ensure that there is cloud connectivity from the controller to the cloud, with a DNS entry in place. AFC operates through either the management port or data ports.

    The AFC request is sent only when the controller is onboarded with cloud. This is automatic for hardware platforms like 9800-80, 9800-40 and 9800-L. For cloud controller, you have to manually enter a one-time password (OTP). See Onboarding the Cloud Controller.

  • Before sending an AFC request, check whether the AFC service can be requested by using the show wireless afc ap command. If command output shows yes or up status for all the parameters of an AP, then request is sent out.

  • Standard APs must register with the AFC system by providing the following parameters:

    • Geographic coordinates (latitude and longitude)

    • Antenna height above ground level and tolerance as uncertainty height

    • FCC identification number

    • Manufacturer’s unique serial number

jagan.chowdam
Spotlight

TCP Port 443 must be open for the AFC.

Have you verified connectivity using "show cloud-services summary" & "show wireless afc statistics"?

Jagan Chowdam

/**Pls rate useful responses**/

 

I do not have the 6GHz AP online right now.  It's been given to the contractor for installation on our building. 

show cloud-services summary
Cloudm Onboarding Status
------------------------

State : Onboarded
URL : https://dnaservices.cisco.com/api/tethering/v1/enrollment/enroll/byname/C9800

No valid token

Show wireless afc statistics
Total number of 6GHz APs : 0
Number of APs requiring AFC service : 0
Messages sent to AFC : 0
Successful messages received from AFC : 0
Errored AFC messages : 0
AFC messages pending : 0
Minimum response time (ms) : 0
Maximum response time (ms) : 0
Average response time (ms) : 0
Health check query : Idle
Health check status : No valid token
Health check timestamp : 10/08/2024 10:41:41
Number of times health check went down : 0

Health check event history
Timestamp #Times Event State RC Context
---------------------------- -------- ----------------------- ------------------------------ --- -----------------------------
10/08/2024 10:41:41.57430 70158 Scheduled 0 Timer: 30s
10/08/2024 10:41:41.57418 70159 Not sent No token 0



jagan.chowdam
Spotlight

AFC is a cloud-based service that connects with Cisco's AFC Service Provider to manage spectrum sharing and assign channels and power levels for access points operating in the 6GHz band. 

For indoor APs, AFC is OFF by default, whereas for outdoor APs AFC is ON.

You need to enable AFC in RF Profiles. You also require a GPS/GNSS enabled AP for AFC to work. 

Once you take care of these, AFC attachment is automatic as long as Port 443 is opened. 

The prerequisites mentioned in @Flavio Miranda's post are crucial.

 

Jagan Chowdam

Well that's my thing.  I need to know specifically which DNS entries or IPs it needs to access. That's what I'm asking more than anything else.  That's what my firewall group is going to require to allow it through.  I've already done the other prerequisites.
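
For the firewall request discussed above, one starting point is what the controller itself reports. The following is an added example, not code from any poster or from Cisco: it parses the two command outputs pasted in this thread (embedded as constructed sample input, stats abridged), extracts the host and port of the onboarding URL, and lists the token-related conditions. It covers only the endpoint visible in that output, which is not necessarily every destination AFC needs; the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Constructed sample input: the two outputs pasted in the thread (stats abridged).
CLOUD_SUMMARY = """\
State : Onboarded
URL : https://dnaservices.cisco.com/api/tethering/v1/enrollment/enroll/byname/C9800

No valid token
"""
AFC_STATS = """\
Total number of 6GHz APs : 0
Messages sent to AFC : 0
Health check query : Idle
Health check status : No valid token
"""

def parse_fields(text):
    """Turn 'Key : value' lines into a dict; lines without ' : ' are ignored."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+?)\s+:\s+(.*\S)", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def firewall_targets(summary_text):
    """(host, port) pairs for every URL the controller itself reports."""
    targets = set()
    for url in re.findall(r"https?://\S+", summary_text):
        parts = urlsplit(url)
        targets.add((parts.hostname, parts.port or (443 if parts.scheme == "https" else 80)))
    return sorted(targets)

def diagnose(summary_text, stats_text):
    """Collect the conditions visible in the outputs that relate to the AFC token."""
    summary, stats = parse_fields(summary_text), parse_fields(stats_text)
    findings = []
    if summary.get("State") != "Onboarded":
        findings.append("controller is not onboarded to the cloud")
    if "no valid token" in summary_text.lower():
        findings.append("cloud-services reports no valid token")
    if "token" in stats.get("Health check status", "").lower():
        findings.append("AFC health check not sent: no token")
    if stats.get("Total number of 6GHz APs") == "0":
        findings.append("no 6GHz AP is joined (AP count is 0)")
    return findings

if __name__ == "__main__":
    for host, port in firewall_targets(CLOUD_SUMMARY):
        print(f"allow outbound tcp/{port} to {host} (plus DNS resolution for it)")
    for finding in diagnose(CLOUD_SUMMARY, AFC_STATS):
        print("finding:", finding)
```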
