
In this post we will look at the WLAN Advanced tab configuration via the CLI. Here is the full list of features. I know this will be the longest post on my blog 😯 as I have to cover all of them.

(WLC2) > config wlan ?
aaa-override   Configures user policy override via AAA on a WLAN.
chd            Enable/Disable CHD per WLAN
session-timeout Configures client timeout.
ccx            Configure Cisco Client Extension options.
diag-channel   Configures Diagnostics Channel Capability on a WLAN.
IPv6Support    Configures IPv6 support on a WLAN.
acl            Specify a per-WLAN ACL
peer-blocking  Configure peer-to-peer blocking on a WLAN.
exclusionlist  Configures Exclusion-list timeout.
channel-scan   Configures off channel scanning deferral parameters.
h-reap         Configures H-REAP options for wlan.
dhcp_server    Configures the WLAN's DHCP Server.
static-ip      Configures static IP client tunneling support on a WLAN.
mfp            Configures Management Frame Protection.
dtim           Configures the DTIM Period for a WLAN
nac            Configures NAC on wlan/guest-lan/remote-lan.
load-balance   Allow|Disallow Load Balance on a WLAN.
band-select    Allow|Disallow Band Select on a WLAN.
call-snoop     Configures Call Snooping.
sip-cac        Configure SIP CAC Failure policy.
roamed-voice-client Configure Voice Client Re-Anchor policy

We will create a new WLAN called “Test-19” with WLAN ID 19 and the following basic settings:

– 802.11a only clients
– Gold QoS profile
– WPA2/AES (also needed to support 802.11n data rates)
– Multicast direct feature
– PSK
– UAPSD support

The basic CLI commands you need are as follows.

(WLC2) >config wlan create 19 Test-19 Test-19  
(WLC2) >config wlan radio 19 802.11a-only
(WLC2) >config wlan interface 19 vlan11
(WLC2) >config wlan multicast interface 19 enable vlan11             
(WLC2) >config wlan security wpa wpa2 ciphers aes enable 19
(WLC2) >config wlan qos 19 gold 
(WLC2) >config wlan wmm require 19
(WLC2) >config wlan uapsd compliant-client enable 19
(WLC2) >config wlan security wpa akm psk set-key ascii Cisco123 19

Before going into the Advanced tab configuration, take a backup of the WLC config and verify the above along with any additional configuration related to your WLAN.

config wlan security wpa akm psk enable 19 
config wlan security wpa akm 802.1x disable 19 
config wlan security wpa enable 19 
config wlan wmm require 19 
config wlan exclusionlist 19 60 
config wlan broadcast-ssid enable 19 
config wlan interface 19 vlan11 
config wlan create 19 Test-19 Test-19 
config wlan qos 19 gold 
config wlan radio 19 802.11a-only 
config wlan radio 19 802.11a 
config wlan session-timeout 19 0

Advanced config page of the WLAN looks like this.

[Image: WLAN-ADV-CLI-01]

Now we will look at the configuration of each feature via the CLI. It is a long list, but we will cover them all.

1. AAA Override
This allows the AAA server (ACS) to override client attributes (VLAN, ACL, QoS, etc.) on a per-client basis.

(WLC2) >config wlan aaa-override ?             
disable        Disables policy override.
enable         Enables policy override.

(WLC2) >config wlan aaa-override enable ?             
<WLAN id>      Enter WLAN Identifier between 1 and 512.
foreignAp      Third Party Access Points.

(WLC2) >config wlan aaa-override enable 19

2. Coverage Hole Detection(CHD)
This is enabled by default, and clients can trigger power changes on the AP. Let’s disable it.

(WLC2) >config wlan chd ?              
<WLAN id>      Enter WLAN Identifier between 1 and 512.

(WLC2) >config wlan chd 19 ?               
enable         enable CHD per WLAN
disable        disable CHD per WLAN

(WLC2) >config wlan chd 19 disable 

3. Session Timeout
The session timeout is the maximum time a client session can remain active before reauthorization is required. It is enabled by default and set to 1800s (30 min). You can change this value or disable it. Note that different security methods have different maximum values: when I tried to set 1 day for my WPA2-PSK WLAN it was rejected, so I will set it to 4 hours (14400s).

(WLC2) >config wlan session-timeout ?
<WLAN id>      Enter WLAN Identifier between 1 and 512.
foreignAp      Third Party Access Points.

(WLC2) >config wlan session-timeout 19 ?
<seconds>      The duration of session in seconds (0 = infinity is true only for open system).

(WLC2) >config wlan session-timeout 19 86400 
Invalid parameter specified.
System Type              Timeout Range

Open system              0-65535   (sec)
802.1x                   300-86400 (sec)
static wep               0-65535   (sec)
cranite                  0-65535   (sec)
fortress                 0-65535   (sec)
CKIP                     0-65535   (sec)
open+web auth            0-65535   (sec)
web pass-thru            0-65535   (sec)
wpa-psk                  0-65535   (sec) 
disable                  To disable reauth/session-timeout timers.
                         Reauth is valid for non-psk and non-static cases. Session-timeout
                         is valid for all other cases.

(WLC2) >config wlan session-timeout 19 14400 
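As an added example (not part of the original post), here is a small Python audit script that parses a backup in the same `config wlan ...` format shown earlier and applies the session-timeout ranges from the rejection message above to each WLAN’s Layer 2 security type, plus the client exclusion and peer-blocking settings covered in this post. The sample dump, WLAN 20 and the finding texts are constructed for illustration.

```python
import re

# Session-timeout ranges (seconds) per Layer 2 security type, copied from the WLC's rejection table.
SESSION_TIMEOUT_RANGE = {
    "open": (0, 65535),
    "802.1x": (300, 86400),
    "wpa-psk": (0, 65535),
}

# Recognised 'config wlan' lines. The WLAN id is the first argument for some commands, the last for others.
PATTERNS = [
    ("session_timeout", re.compile(r"^config wlan session-timeout (\d+) (\d+)$")),
    ("exclusionlist", re.compile(r"^config wlan exclusionlist (\d+) (\S+)$")),
    ("psk", re.compile(r"^config wlan security wpa akm psk (enable|disable) (\d+)$")),
    ("dot1x", re.compile(r"^config wlan security wpa akm 802\.1x (enable|disable) (\d+)$")),
    ("peer_blocking", re.compile(r"^config wlan peer-blocking (disable|drop|forward-upstream) (\d+)$")),
]
ID_FIRST = {"session_timeout", "exclusionlist"}


def parse_wlan_config(text):
    # Group the recognised lines by WLAN id -> {key: value}; unknown lines are ignored.
    wlans = {}
    for raw in text.splitlines():
        line = raw.strip()
        for key, rx in PATTERNS:
            m = rx.match(line)
            if m:
                wlan_id, value = (m.group(1), m.group(2)) if key in ID_FIRST else (m.group(2), m.group(1))
                wlans.setdefault(int(wlan_id), {})[key] = value
                break
    return wlans


def security_type(settings):
    # Layer 2 security type the WLC uses to pick the session-timeout range.
    if settings.get("dot1x") == "enable":
        return "802.1x"
    if settings.get("psk") == "enable":
        return "wpa-psk"
    return "open"


def audit_wlan(settings):
    """Return a list of findings for one WLAN (empty list means nothing to report)."""
    findings = []
    sec = security_type(settings)
    lo, hi = SESSION_TIMEOUT_RANGE[sec]
    if "session_timeout" in settings:
        timeout = int(settings["session_timeout"])
        if not lo <= timeout <= hi:
            findings.append(f"session-timeout {timeout}s outside {lo}-{hi}s allowed for {sec}")
        elif timeout == 0 and sec != "open":
            findings.append("session-timeout 0 means infinite only for open system; verify intent")
    if settings.get("exclusionlist") == "disabled":
        findings.append("client exclusion disabled: policy violators are never quarantined")
    if settings.get("peer_blocking") == "disable":
        findings.append("peer-to-peer blocking disabled: clients can talk to each other directly")
    return findings


def audit_config(text):
    return {wid: audit_wlan(s) for wid, s in sorted(parse_wlan_config(text).items())}


# Constructed sample dump in the same format as the backup shown earlier (WLAN 20 is made up).
SAMPLE_CONFIG = """
config wlan security wpa akm psk enable 19
config wlan security wpa akm 802.1x disable 19
config wlan exclusionlist 19 60
config wlan session-timeout 19 14400
config wlan peer-blocking drop 19
config wlan security wpa akm 802.1x enable 20
config wlan session-timeout 20 120
config wlan exclusionlist 20 disabled
config wlan peer-blocking disable 20
"""

if __name__ == "__main__":
    for wid, findings in audit_config(SAMPLE_CONFIG).items():
        print(f"WLAN {wid}: " + ("; ".join(findings) or "OK"))
```

Feed it the output of your own backup (the `config wlan` lines) instead of `SAMPLE_CONFIG` to check every WLAN at once.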

4. Aironet IE (CCX)
The Cisco Client Extensions (CCX) software is licensed to manufacturers and vendors of third-party client devices. The CCX code resident on these clients enables them to communicate wirelessly with Cisco access points and to support Cisco features that other client devices do not, including those features that are related to increased security, enhanced performance, fast roaming, and power management.

This is enabled by default. CCX support is enabled automatically for every WLAN on the controller and cannot be disabled. However, you can configure Aironet information elements (IEs).

If Aironet IE support is enabled, the access point sends an Aironet IE 0x85 (which contains the access point name, load, number of associated clients, and so on) in the beacon and probe responses of this WLAN, and the controller sends Aironet IEs 0x85 and 0x95 (which contain the management IP address of the controller and the IP address of the access point) in the reassociation response if it receives Aironet IE 0x85 in the reassociation request.

(WLC2) >config wlan ccx ?        
AironetIeSupport Configure the support of Aironet IE.

(WLC2) >config wlan ccx aironetIeSupport ?              
enable         Enable the support of Aironet IE.
disable        Disable the support of Aironet IE.

(WLC2) >config wlan ccx aironetIeSupport enable ?               
<WLAN id>      Enter WLAN Identifier between 1 and 512.

(WLC2) >config wlan ccx aironetIeSupport enable 19 ?

(WLC2) >config wlan ccx aironetIeSupport enable 19 
CCX Aironet IE Support already in the requested state.

5. Diagnostic Channel
The diagnostic channel feature enables you to troubleshoot problems in regard to client communication with a WLAN. The client and Access Points can be put through a defined set of tests to identify the cause of communication difficulties that the client experiences and then allow corrective measures to be taken to make the client operational on the network. Since this is only used for troubleshooting and we cannot change any settings of the diagnostic WLAN, we will leave it disabled.

(WLC2) >config wlan diag-channel ?              
disable        Disables Diagnostics Channel Capability on a WLAN.
enable         Enables Diagnostics Channel Capability on a WLAN.

(WLC2) >config wlan diag-channel disable ?              
<WLAN id>      Enter WLAN Identifier between 1 and 512.

(WLC2) >config wlan diag-channel disable 19

6. IPv6 Support
This one is straightforward: it enables IPv6 support on the WLAN.

(WLC2) >config wlan ipv6Support ?               
enable         Enable IPv6 support on a WLAN.
disable        Disable IPv6 support on a WLAN.

(WLC2) >config wlan ipv6Support enable ?              
<WLAN id>      Enter WLAN Identifier between 1 and 512.

(WLC2) >config wlan ipv6Support enable 19

7. ACL override
If you want to override the interface ACL for this specific WLAN, you can configure an ACL and apply it to the WLAN.

(WLC2) >config wlan acl ?             
<WLAN id>      Enter WLAN Identifier between 1 and 512.

(WLC2) >config wlan acl 19 ?               
<ACL Name>     Enter the ACL Name ('none' will clear the ACL)

(WLC2) >config wlan acl 19 none

8. Peer to Peer Blocking
This controls direct client-to-client communication. On a voice WLAN you need to ensure P2P blocking is disabled (otherwise voice conversations between two endpoints will be impacted). For this example we will enable it on this WLAN.

(WLC2) >config wlan peer-blocking ?               
disable        Disable peer-to-peer blocking on a WLAN.
drop           Enable peer-to-peer blocking and set the action to 'Drop'.
forward-upstream Enable peer-to-peer blocking and set the action to 'Forward-Upstream'.

(WLC2) >config wlan peer-blocking drop 19

9. Client Exclusion
This excludes a client for a certain number of seconds after it violates the client exclusion policy settings. By default this is enabled and a client is excluded for 60s if it violates the configured policy. In this example we will extend that time to 300s.

(WLC2) >config wlan exclusionlist ?

<WLAN id>      Enter WLAN Identifier between 1 and 512.
foreignAp      Third Party Access Points.

(WLC2) >config wlan exclusionlist 19 ?               
<seconds>      Exclusion-list timeout (in seconds). zero (0) requires admin override.
disabled       Disables exclusion-listing.
enabled        Enables exclusion-listing.

(WLC2) >config wlan exclusionlist 19 enabled
(WLC2) >config wlan exclusionlist 19 300

10. Maximum allowed clients
This sets the maximum number of clients that can associate to this WLAN. In this example we will set it to 1000.

(WLC2) >config wlan max-associated-clients ?              
<max no. of clients> Maximum no. of client connections to be accepted

(WLC2) >config wlan max-associated-clients 1000 ?              
<WLAN id>      Enter WLAN Identifier between 1 and 512.

(WLC2) >config wlan max-associated-clients 1000 19

11. Static IP tunneling
Normally roaming for static IP wireless clients won’t work unless you enable this feature. If you want static IP wireless users on the WLAN to roam between different controllers, you have to enable it. This feature and IPv6 support cannot co-exist, so I have disabled IPv6 support on this WLAN.

(WLC2) >config wlan static-ip ?               
tunneling      Configures static IP client tunneling support on a WLAN.

(WLC2) >config wlan static-ip tunneling ?               
enable         Enable static IP client tunneling support on a WLAN.
disable        Disable static IP client tuneling support on a WLAN.

(WLC2) >config wlan static-ip tunneling enable ?              
<WLAN id>      Enter WLAN Identifier between 1 and 512.

(WLC2) >config wlan static-ip tunneling enable 19 
Static IP tunneling cannot be configured since IPv6 is enabled for wlan.

(WLC2) >config wlan ipv6Support disable 19
(WLC2) >config wlan static-ip tunneling enable 19

12. Off Channel Scanning
In deployments with certain power-save clients, you sometimes need to defer the Radio Resource Management’s (RRM) normal off-channel scanning to avoid missing critical information from low-volume clients (for example, medical devices that use power-save mode and periodically send telemetry information). This feature improves the way that Quality of Service (QoS) interacts with the RRM scan defer feature.

You can use a client’s Wi-Fi Multimedia (WMM) UP marking to configure the access point to defer off-channel scanning for a configurable period of time if it receives a packet marked UP.

You can assign a QoS policy (bronze, silver, gold, and platinum) to a WLAN to affect how packets are marked on the downlink connection from the access point regardless of how they were received on the uplink from the client. UP=1,2 is the lowest priority, and UP=0,3 is the next higher priority. The marking results of each QoS policy are as follows:

Bronze marks all downlink traffic to UP= 1.
Silver marks all downlink traffic to UP= 0.
Gold marks all downlink traffic to UP=4.
Platinum marks all downlink traffic to UP=6.

By default this feature is enabled for packets with UP 4, 5 and 6 and defers the RRM off-channel scan for 100ms. We will enable it for UP 3 as well and increase the defer time to 200ms for all of them.

(WLC2) >config wlan channel-scan ?              
defer-priority Configures priority markings for packets that can defer off channel scan. 
defer-time     Configures minimum allowable elapsed time since a defer-priority pkt is seen.                

(WLC2) >config wlan channel-scan defer-priority ?              
<priority>     User priority value, 0-7 

(WLC2) >config wlan channel-scan defer-priority 3 ?               
disable        Disable packet at given priority to defer off channel scanning. 
enable         Enable packet at given priority to defer off channel scanning. 

(WLC2) >config wlan channel-scan defer-priority 3 enable ?               
<WLAN id>      Enter WLAN Identifier between 1 and 512.

(WLC2) >config wlan channel-scan defer-priority 3 enable 19

(WLC2) >config wlan channel-scan defer-time ?               
<msecs>        Deferral time in msecs <0-60000> 

(WLC2) >config wlan channel-scan defer-time 200 ?               
<WLAN id>      Enter WLAN Identifier between 1 and 512.

(WLC2) >config wlan channel-scan defer-time 200 19

13. H-REAP
This enables the H-REAP local switching and local authentication features on this WLAN; we will enable both. There are certain limitations, for example you cannot configure this when static IP tunneling is enabled. You should be familiar with these from H-REAP configuration.

(WLC2) >config wlan h-reap ?               
ap-auth        Configures ap authentication (WLAN must be locally switched).              
learn-ipaddr   Configures IP address learning (WLAN must be locally switched).               
local-switching Configures local switching of client data associated to H-REAP.

(WLC2) >config wlan h-reap ap-auth ?              
<WLAN id>      Enter WLAN Identifier between 1 and 512.

(WLC2) >config wlan h-reap ap-auth 19 ?               
enable         Enables ap authentication.               
disable        Disables ap authentication.

(WLC2) >config wlan h-reap local-switching 19 enable
(WLC2) >config wlan h-reap ap-auth 19 enable

14. DHCP
You can override the DHCP server configured on the interface with this setting. For certain types of WLAN (such as guest) you can also make DHCP IP assignment mandatory. Since I configured static IP tunneling support earlier, I will leave this as it is. Also worth noting is that this is only applicable to the default AP group, so if your WLAN ID is greater than 16 you cannot override the interface DHCP server configuration.

(WLC2) >config wlan dhcp_server ?               
<WLAN id>      Enter the WLAN ID.
foreignAp      Third Party Access Points.

(WLC2) >config wlan dhcp_server 19 ?              
<IP addr>      Enter the override DHCP server's IP Address (0.0.0.0 = default interface value).

(WLC2) >config wlan dhcp_server 19 192.168.200.1 ?               
required       Optionally specify whether DHCP address assignment is required.

(WLC2) >config wlan dhcp_server 19 192.168.200.1 required 
Cannot mandate dhcp required when Static IP tunneling is enabled.
DHCP server override is applicable only to the default AP group.

15. Management Frame Protection(MFP)
This provides protection for management frames between the client and the AP. Remember that this is Cisco’s implementation of MFP and not the IEEE standard version (802.11w), so if your client supports proper IEEE 802.11w it may not work with Cisco MFP. It is better to disable this as a best practice in today’s world. By default it is set to optional.

(WLC2) >config wlan mfp ?               
client         Configures Client MFP.

(WLC2) >config wlan mfp client ?              
disable        Disables MFP protection on a WLAN.
enable         Enables MFP protection on a WLAN.

(WLC2) >config wlan mfp client enable ?               
<WLAN id>      Enter a WLAN Identifier between 1 and 512.

(WLC2) >config wlan mfp client enable 19 ?               
required       Clients must negotiate MFP

(WLC2) >config wlan mfp client enable 19 required
(WLC2) >config wlan mfp client disable 19

16. DTIM
In 802.11a/n and 802.11b/g/n networks, lightweight access points broadcast a beacon at regular intervals, which coincides with the Delivery Traffic Indication Map (DTIM). After the access point broadcasts the beacon, it transmits any buffered broadcast and multicast frames based on the value set for the DTIM period. This feature allows power-saving clients to wake up at the appropriate time if they are expecting broadcast or multicast data.

Typically, the DTIM value is set to 1 (to transmit broadcast and multicast frames after every beacon) or 2 (to transmit after every other beacon). For instance, if the beacon period of the 802.11a/n or 802.11b/g/n network is 100 ms and the DTIM value is set to 1, the access point transmits buffered broadcast and multicast frames 10 times per second. If the beacon period is 100 ms and the DTIM value is set to 2, the access point transmits buffered broadcast and multicast frames 5 times per second. Either of these settings is suitable for applications, including Voice Over IP (VoIP), that expect frequent broadcast and multicast frames.

However, the DTIM value can be set as high as 255 (to transmit broadcast and multicast frames after every 255th beacon) if all 802.11a/n or 802.11b/g/n clients have power save enabled. Because the clients have to listen only when the DTIM period is reached, they can be set to listen for broadcasts and multicasts less frequently which results in a longer battery life. For example, if the beacon period is 100 ms and you set the DTIM value to 100, the access point transmits buffered broadcast and multicast frames once every 10 seconds. This rate allows the power-saving clients to sleep longer before they have to wake up and listen for broadcasts and multicasts, which results in a longer battery life.

A beacon period, which is specified in milliseconds on the controller, is converted internally by the software to 802.11 Time Units (TUs), where 1 TU = 1.024 milliseconds. On Cisco’s 802.11n access points, this value is rounded to the nearest multiple of 17 TUs. For example, a configured beacon period of 100 ms results in an actual beacon period of 104 ms.

(WLC2) >config wlan dtim ?               
802.11a        Configure the DTIM Period for 802.11a radio for a WLAN
802.11b        Configure the DTIM Period for 802.11b/g radio for a WLAN

(WLC2) >config wlan dtim 802.11a ?               
<value>        Enter the DTIM period, valid values 1 to 255

(WLC2) >config wlan dtim 802.11a 200 ?               
<WLAN id>      Enter WLAN Identifier between 1 and 512.

(WLC2) >config wlan dtim 802.11a 200 19
(WLC2) >config wlan dtim 802.11b 150 19
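An added worked example (not from the original post) that carries the DTIM arithmetic above through in Python: it converts the configured beacon period to TUs, applies the 17 TU rounding, and computes how often buffered broadcast/multicast is delivered for the DTIM values just configured on this WLAN. The 100 ms beacon period and the rounding rule are taken from the text; the function names are mine.

```python
TU_MS = 1.024   # one 802.11 Time Unit in milliseconds
ROUND_TU = 17   # Cisco 802.11n APs round the beacon period to a multiple of 17 TUs


def actual_beacon_period_ms(configured_ms):
    """Beacon period an 802.11n AP actually uses for a configured period in ms."""
    tus = configured_ms / TU_MS                      # 100 ms -> ~97.66 TU
    rounded_tus = round(tus / ROUND_TU) * ROUND_TU   # nearest multiple of 17 -> 102 TU
    return rounded_tus * TU_MS                       # 102 TU -> ~104.4 ms


def multicast_interval_s(configured_beacon_ms, dtim):
    """Seconds between deliveries of buffered broadcast/multicast frames."""
    return dtim * actual_beacon_period_ms(configured_beacon_ms) / 1000.0


def deliveries_per_second(configured_beacon_ms, dtim):
    """How many times per second buffered broadcast/multicast frames go out."""
    return 1.0 / multicast_interval_s(configured_beacon_ms, dtim)


if __name__ == "__main__":
    # The DTIM values configured on WLAN 19 above, with a 100 ms beacon period.
    for radio, dtim in (("802.11a", 200), ("802.11b/g", 150)):
        print(f"{radio}: DTIM {dtim} -> multicast every "
              f"{multicast_interval_s(100, dtim):.1f} s")
```

The “10 times per second” figure in the text for DTIM 1 uses the nominal 100 ms period; with the rounded 104.4 ms period it works out to about 9.6 per second, and the DTIM 200 chosen here means power-save clients see multicast only every 21 s or so.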

17. NAC
Not sure about this at the time of this writing.

(WLC2) >config wlan nac ?              
snmp           Configures SNMP NAC support(Legacy OOB).
radius         Configures Radius NAC support(Identity Service Engine).

(WLC2) >config wlan nac radius ?               
enable         Enable Radius NAC for this WLAN
disable        Disable Radius NAC for this WLAN

(WLC2) >config wlan nac radius enable ?               
<WLAN id>      Enter WLAN Identifier between 1 and 512.

(WLC2) >config wlan nac radius enable 19 
Request failed - Radius NAC is available only for WLANs that are configured for 802.1X/WPA/WPA2 Layer 2 security.

18. Client Load Balance
This allows client associations to be load balanced between APs. As the warning message indicates when you configure it, this is not good for voice services and you should disable it on voice WLANs.

(WLC2) >config wlan load-balance ?               
allow          Allow|Disallow Load Balance on a WLAN.

(WLC2) >config wlan load-balance allow ?               
enable         Allow Load Balance on a WLAN.
disable        Disallow Load Balance on a WLAN.

(WLC2) >config wlan load-balance allow enable ?               
<WLAN id>      Enter WLAN Identifier between 1 and 512.

(WLC2) >config wlan load-balance allow enable 19 
 WARNING: Allowing load balance on this WLAN may impact time sensitive application like VOICE. Continue? (y/N)y

19. Band Select
Band selection enables client radios that are capable of dual-band (2.4- and 5-GHz) operation to move to a less congested 5-GHz access point. The 2.4-GHz band is often congested. Clients on this band typically experience interference from Bluetooth devices, microwave ovens, and cordless phones as well as co-channel interference from other access points because of the 802.11b/g limit of three nonoverlapping channels. To prevent these sources of interference and improve overall network performance, you can configure band selection on the controller.

Band selection works by regulating probe responses to clients. It makes 5-GHz channels more attractive to clients by delaying probe responses to clients on 2.4-GHz channels.

On a side note, this only takes effect if you configure the radio policy as “all” for the given WLAN. Otherwise it has no effect even though it is configured; the GUI shows it as “unticked” even though the CLI config shows it enabled. Also, for voice clients this could introduce additional delay, and it is recommended to turn it off if you are servicing voice.

(WLC2) >config wlan band-select ?               
allow          Allow|Disallow Band Select on a WLAN.

(WLC2) >config wlan band-select allow ?               
enable         Allow Band Select on a WLAN.
disable        Disallow Band Select on a WLAN.

(WLC2) >config wlan band-select allow enable ?               
<WLAN id>      Enter WLAN Identifier between 1 and 512.

(WLC2) >config wlan band-select allow enable 19 
 WARNING: Allow Band Select on this WLAN may impact time sensitive application like VOICE. Continue? (y/N)y

20. Voice- SIP
This allows you to configure SIP-specific settings for a voice WLAN. You need the Platinum QoS profile in order to support this feature.

(WLC2) >config wlan call-snoop ?               
enable         Enables Call Snooping on the WLAN.
disable        Disables call Snooping on the WLAN.               

(WLC2) >config wlan call-snoop enable ?               
<WLAN id>      Enter WLAN Identifier between 1 and 512.

(WLC2) >config wlan call-snoop enable 19 
Request failed. Please set WLAN QoS to Platinum to enable call-snooping

(WLC2) >config wlan roamed-voice-client ?               
re-anchor      Roamed client Re-Anchor policy

(WLC2) >config wlan roamed-voice-client re-anchor ?               
disable        Disable Roamed Client Re-Anchor policy
enable         Enable Roamed Client Re-Anchor policy

(WLC2) >config wlan roamed-voice-client re-anchor enable ?               
<WLAN id>      Enter WLAN Identifier between 1 and 512.

(WLC2) >config wlan roamed-voice-client re-anchor enable 19 

(WLC2) >config wlan sip-cac ?                  
send-486busy   Configure SIP 486 Busy on CAC Failure.
disassoc-client Configure Client Dis-Assoc on SIP CAC Failure.

(WLC2) >config wlan sip-cac send-486busy ?               
disable        Disable sending SIP 486 Busy on SIP CAC Failure.
enable         Enable sending SIP 486 Busy on SIP CAC Failure.

(WLC2) >config wlan sip-cac send-486busy enable ?               
<WLAN id>      Enter WLAN Identifier between 1 and 512.

(WLC2) >config wlan sip-cac send-486busy enable 19 
Configuration is already in the requested state

(WLC2) >config wlan sip-cac disassoc-client ?               
disable        Disable Client Dis-Assoc on SIP CAC Failure.
enable         Enable Client Dis-Assoc on SIP CAC Failure.

(WLC2) >config wlan sip-cac disassoc-client enable ?              
<WLAN id>      Enter WLAN Identifier between 1 and 512.

(WLC2) >config wlan sip-cac disassoc-client enable 19 
Warning! Enabling this functionality will Dis-Associate the Client in case of SIP CAC Failure

That covers all the advanced features of a WLAN via CLI configuration. So my WLAN configuration looks like this on GUI.

[Image: WLAN-ADV-CLI-02]

In the next post we will look at a few example CLI configurations for different WLANs.
