This section lists the show commands to display information about your WLAN configuration settings.
To display detailed information for a client on a Cisco lightweight access point, use the show client detail command.
show client detail mac_address
None
Release | Modification |
---|---|
8.3 | This command was introduced. |
The show client ap command may list the status of automatically disabled clients. Use the show exclusionlist command to display clients on the exclusion list (blacklisted).
The following example shows how to display the client detailed information:
(Cisco Controller) >show client detail 00:0c:41:07:33:a6
Policy Manager State..............................POSTURE_REQD
Policy Manager Rule Created.......................Yes
Client MAC Address............................... 00:16:36:40:ac:58
Client Username.................................. N/A
Client State..................................... Associated
Client NAC OOB State............................. QUARANTINE
Guest LAN Id..................................... 1
IP Address....................................... Unknown
Session Timeout.................................. 0
QoS Level........................................ Platinum
802.1P Priority Tag.............................. disabled
KTS CAC Capability............................... Yes
WMM Support...................................... Enabled
Power Save....................................... ON
Diff Serv Code Point (DSPC)...................... disabled
Mobility State................................... Local
Internal Mobility State.......................... apfMsMmInitial
Security Policy Completed........................ No
Policy Manager State............................. WEBAUTH_REQD
Policy Manager Rule Created...................... Yes
NPU Fast Fast Notified........................... Yes
Last Policy Manager State........................ WEBAUTH_REQD
Client Entry Create Time......................... 460 seconds
Interface........................................ wired-guest
FlexConnect Authentication....................... Local
FlexConnect Data Switching....................... Local
VLAN............................................. 236
Quarantine VLAN.................................. 0
Client Statistics:
      Number of Bytes Received................... 66806
      Number of Data Bytes Received................... 160783
      Number of Realtime Bytes Received............... 160783
      Number of Data Bytes Sent....................... 23436
      Number of Realtime Bytes Sent................... 23436
      Number of Data Packets Received................. 592
      Number of Realtime Packets Received............. 592
      Number of Data Packets Sent..................... 131
      Number of Realtime Packets Sent................. 131
      Number of Interim-Update Sent.............. 0
      Number of EAP Id Request Msg Timeouts...... 0
      Number of EAP Request Msg Timeouts......... 0
      Number of EAP Key Msg Timeouts............. 0
      Number of Data Retries..................... 0
      Number of RTS Retries...................... 0
      Number of Duplicate Received Packets....... 3
      Number of Decrypt Failed Packets........... 0
      Number of Mic Failured Packets............. 0
      Number of Mic Missing Packets.............. 0
      Number of RA Packets Dropped............... 6
      Number of Policy Errors.................... 0
      Radio Signal Strength Indicator............ -50 dBm
      Signal to Noise Ratio...................... 43 dB
...
To display client location calibration summary information, use the show client location-calibration summary command.
show client location-calibration summary
None
Release | Modification |
---|---|
8.3 | This command was introduced. |
The following example shows how to display the location calibration summary information:
(Cisco Controller) >show client location-calibration summary
MAC Address       Interval
-----------       ----------
10:10:10:10:10:10 60
21:21:21:21:21:21 45
To display the number of probing clients, use the show client probing command.
show client probing
None
Release | Modification |
---|---|
8.3 | This command was introduced. |
The following example shows how to display the number of probing clients:
(Cisco Controller) >show client probing
Number of Probing Clients........................ 0
To display the roaming history of a specified client, use the show client roam-history command.
show client roam-history mac_address
None
Release | Modification |
---|---|
8.3 | This command was introduced. |
The following is a sample output of the show client roam-history command:
(Cisco Controller) > show client roam-history 00:14:6c:0a:57:77
To display a summary of clients associated with a Cisco lightweight access point, use the show client summary command.
show client summary [ ssid / ip / username / devicetype]
None
Release | Modification |
---|---|
8.3 | This command was introduced. |
Use the show client ap command to list the status of automatically disabled clients. Use the show exclusionlist command to display clients on the exclusion list (blacklisted).
The following example shows how to display a summary of the active clients:
(Cisco Controller) > show client summary
Number of Clients................................ 24
Number of PMIPV6 Clients......................... 200
MAC Address       AP Name           Status        WLAN/GLAN/RLAN Auth Protocol         Port Wired PMIPV6
----------------- ----------------- ------------- -------------- ---- ---------------- ---- ----- ------
00:00:15:01:00:01 NMSP-TalwarSIM1-2 Associated    1              Yes  802.11a          13   No    Yes
00:00:15:01:00:02 NMSP-TalwarSIM1-2 Associated    1              Yes  802.11a          13   No    No
00:00:15:01:00:03 NMSP-TalwarSIM1-2 Associated    1              Yes  802.11a          13   No    Yes
00:00:15:01:00:04 NMSP-TalwarSIM1-2 Associated    1              Yes  802.11a          13   No    No
The following example shows how to display all clients that are WindowsXP-Workstation device type:
(Cisco Controller) >show client summary WindowsXP-Workstation
Number of Clients in WLAN........................ 0
MAC Address AP Name Status Auth Protocol Port Wired Mobility Role
----------------- -------- ------------- ---------------- ---------- --------------
Number of Clients with requested device type..... 0
To display the summary of clients associated with a WLAN, use the show client wlan command.
show client wlan wlan_id [ devicetype device]
wlan_id | Wireless LAN identifier from 1 to 512. |
devicetype | (Optional) Displays all clients with the specified device type. |
device | Device type. For example, Samsung-Device or WindowsXP-Workstation. |
None
Release | Modification |
---|---|
8.3 | This command was introduced. |
The following are sample outputs of the show client wlan command:
(Cisco Controller) > show client wlan 1
Number of Clients in WLAN........................ 0
(Cisco Controller) > show client devicetype WindowsXP-Workstation
Number of Clients in WLAN........................ 0
MAC Address AP Name Status Auth Protocol Port Wired Mobility Role
----------------- -------- ------------- ---------------- ---------- --------------
Number of Clients with requested device type..... 0
To display the configuration of a specific wired guest LAN, use the show guest-lan command.
show guest-lan guest_lan_id
None
Release | Modification |
---|---|
8.3 | This command was introduced. |
To display all wired guest LANs configured on the controller, use the show guest-lan summary command.
The following is a sample output of the show guest-lan guest_lan_id command:
(Cisco Controller) >show guest-lan 2
Guest LAN Identifier........................... 1
Profile Name................................... guestlan
Network Name (SSID)............................ guestlan
Status......................................... Enabled
AAA Policy Override............................ Disabled
Number of Active Clients....................... 1
Exclusionlist Timeout.......................... 60 seconds
Session Timeout................................ Infinity
Interface...................................... wired
Ingress Interface.............................. wired-guest
WLAN ACL....................................... unconfigured
DHCP Server.................................... 10.20.236.90
DHCP Address Assignment Required............... Disabled
Quality of Service............................. Silver (best effort)
Security
    Web Based Authentication................... Enabled
    ACL........................................ Unconfigured
    Web-Passthrough............................ Disabled
    Conditional Web Redirect................... Disabled
    Auto Anchor................................ Disabled
Mobility Anchor List
GLAN ID     IP Address        Status
To display icon parameters, use the show icons file-info command.
show icons file-info
None
Release | Modification |
---|---|
8.3 | This command was introduced. |
The following is sample output from the show icons file-info command:
Cisco Controller > show icons file-info
ICON File Info:
No.  Filename                Type   Lang Width Height
---- ----------------------- ------ ---- ----- ------
1    dhk_icon.png            png    eng  200   300
2    myIconCopy2.png         png    eng  222   333
3    myIconCopy1.png         png    eng  555   444
To display the network configuration settings, use the show network summary command.
show network summary
Release | Modification |
---|---|
8.3 | This command was introduced. |
The following example displays the output of the show network summary command:
(Cisco Controller) >show network summary
RF-Network Name............................. johnny
Web Mode.................................... Enable
Secure Web Mode............................. Enable
Secure Web Mode Cipher-Option High.......... Disable
Secure Web Mode Cipher-Option SSLv2......... Disable
Secure Web Mode RC4 Cipher Preference....... Disable
OCSP........................................ Disabled
OCSP responder URL..........................
Secure Shell (ssh).......................... Enable
Telnet...................................... Enable
Ethernet Multicast Forwarding............... Enable
Ethernet Broadcast Forwarding............... Enable
IPv4 AP Multicast/Broadcast Mode............ Multicast Address : 239.9.9.9
IPv6 AP Multicast/Broadcast Mode............ Multicast Address : ff1e::6:9
IGMP snooping............................... Enabled
IGMP timeout................................ 60 seconds
IGMP Query Interval......................... 20 seconds
MLD snooping................................ Enabled
MLD timeout................................. 60 seconds
MLD query interval.......................... 20 seconds
User Idle Timeout........................... 300 seconds
ARP Idle Timeout............................ 300 seconds
Cisco AP Default Master..................... Disable
AP Join Priority............................ Disable
Mgmt Via Wireless Interface................. Enable
Mgmt Via Dynamic Interface.................. Enable
Bridge MAC filter Config.................... Enable
Bridge Security Mode........................ EAP
Mesh Full Sector DFS........................ Enable
AP Fallback ................................ Enable
Web Auth CMCC Support ...................... Disabled
Web Auth Redirect Ports .................... 80
Web Auth Proxy Redirect ................... Disable
Web Auth Captive-Bypass .................. Disable
Web Auth Secure Web ....................... Enable
Fast SSID Change ........................... Disabled
AP Discovery - NAT IP Only ................. Enabled
IP/MAC Addr Binding Check .................. Enabled
Link Local Bridging Status ................. Disabled
CCX-lite status ............................ Disable
oeap-600 dual-rlan-ports ................... Disable
oeap-600 local-network ..................... Enable
oeap-600 Split Tunneling (Printers)......... Disable
WebPortal Online Client .................... 0
WebPortal NTF_LOGOUT Client ................ 0
mDNS snooping............................... Disabled
mDNS Query Interval......................... 15 minutes
Web Color Theme............................. Default
L3 Prefer Mode.............................. IPv4
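An added example, not part of the Cisco documentation: a Python script that parses the dotted key/value lines of show network summary and compares the management-plane fields with a hardening baseline. The baseline, the function names and the one-field-per-line sample (lines from the output above with line breaks restored) are assumptions of this example.

```python
import re

# One field per line: "Key....... Value". Some keys carry a space before the
# dot leader ("AP Fallback .... Enable") and some values are empty.
FIELD_RE = re.compile(r"^\s*(?P<key>.+?)\s*\.{3,}\s*(?P<value>.*?)\s*$")

# Assumed baseline for this example (not a Cisco recommendation):
# field name -> (expected enabled state, reason shown in the finding).
BASELINE = {
    "Telnet": (False, "cleartext management protocol"),
    "Web Mode": (False, "HTTP management without TLS"),
    "Secure Web Mode": (True, "HTTPS management"),
    "Secure Shell (ssh)": (True, "encrypted CLI access"),
    "Secure Web Mode Cipher-Option High": (True, "restricts HTTPS to strong ciphers"),
    "Secure Web Mode Cipher-Option SSLv2": (False, "SSL 2.0 is prohibited (RFC 6176)"),
    "Secure Web Mode RC4 Cipher Preference": (False, "RC4 is prohibited in TLS (RFC 7465)"),
    "Mgmt Via Wireless Interface": (False, "management reachable from WLAN clients"),
}

# Constructed sample: selected lines of the page's example output.
SAMPLE = """\
(Cisco Controller) >show network summary
RF-Network Name............................. johnny
Web Mode.................................... Enable
Secure Web Mode............................. Enable
Secure Web Mode Cipher-Option High.......... Disable
Secure Web Mode Cipher-Option SSLv2......... Disable
Secure Web Mode RC4 Cipher Preference....... Disable
OCSP responder URL..........................
Secure Shell (ssh).......................... Enable
Telnet...................................... Enable
IPv4 AP Multicast/Broadcast Mode............ Multicast Address : 239.9.9.9
Mgmt Via Wireless Interface................. Enable
AP Fallback ................................ Enable
"""


def parse_summary(text):
    """Return {field name: value} for every dotted key/value line."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:  # the prompt line and blank lines have no dot leader
            fields[m.group("key")] = m.group("value")
    return fields


def as_bool(value):
    """The output mixes 'Enable'/'Enabled' and 'Disable'/'Disabled'."""
    v = value.strip().lower()
    if v.startswith("enable"):
        return True
    if v.startswith("disable"):
        return False
    return None


def audit(text, baseline=BASELINE):
    """Return (field, observed, reason) for each deviation from the baseline."""
    fields = parse_summary(text)
    findings = []
    for name, (expected, reason) in baseline.items():
        if name not in fields:
            # Releases differ in which fields they print; report, do not guess.
            findings.append((name, "missing", reason))
            continue
        state = as_bool(fields[name])
        if state is None:
            findings.append((name, "unparsed: " + fields[name], reason))
        elif state != expected:
            findings.append((name, fields[name], reason))
    return findings


if __name__ == "__main__":
    for name, seen, reason in audit(SAMPLE):
        print(f"[!] {name}: {seen} ({reason})")
```

Fields absent from a capture are reported as missing rather than assumed compliant, so a truncated paste does not pass silently.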
To display information about the pairwise master key (PMK) cache, use the show pmk-cache command.
show pmk-cache { all | MAC}
None
Release | Modification |
---|---|
8.3 | This command was introduced. |
The following example shows how to display information about a single entry in the PMK cache:
(Cisco Controller) >show pmk-cache xx:xx:xx:xx:xx:xx
The following example shows how to display information about all entries in the PMK cache:
(Cisco Controller) >show pmk-cache all
PMK Cache
                    Entry
Station             Lifetime   VLAN Override          IP Override
-----------------   --------   --------------------   ---------------
To display a summary of RF profiles in the controller, use the show rf-profile summary command.
show rf-profile summary
None
Release | Modification |
---|---|
8.3 | This command was introduced. |
The following is the output of the show rf-profile summary command:
(Cisco Controller) >show rf-profile summary
Number of RF Profiles............................ 2
Out Of Box State................................. Disabled
RF Profile Name           Band    Description               Applied
------------------------- ------- ------------------------- -------
T1a                       5 GHz   <none>                    No
T1b                       2.4 GHz <none>                    No
To display the RF profile details in the Cisco wireless LAN controller, use the show rf-profile details command.
show rf-profile details rf-profile-name
rf-profile-name |
None
Release | Modification |
---|---|
8.3 | This command was introduced. |
The following is the output of the show rf-profile details command:
(Cisco Controller) >show rf-profile details T1a
Description...................................... <none>
Radio policy..................................... 5 GHz
Transmit Power Threshold v1...................... -70 dBm
Transmit Power Threshold v2...................... -67 dBm
Min Transmit Power............................... -10 dBm
Max Transmit Power............................... 30 dBm
Rx Sop Threshold................................. Medium
802.11a Operational Rates
    802.11a 6M Rate.............................. Mandatory
    802.11a 9M Rate.............................. Supported
    802.11a 12M Rate............................. Mandatory
    802.11a 18M Rate............................. Supported
    802.11a 24M Rate............................. Mandatory
    802.11a 36M Rate............................. Supported
    802.11a 48M Rate............................. Supported
    802.11a 54M Rate............................. Supported
Max Clients...................................... 200
Client Trap Threshold............................ 50
Multicast Data Rate.............................. 0
Rx Sop Threshold................................. 0 dBm
Cca Threshold.................................... 0 dBm
Slot Admin State:................................ Enabled
Band Select Probe Response....................... Disabled
Band Select Cycle Count.......................... 2 cycles
Band Select Cycle Threshold...................... 200 milliseconds
Band Select Expire Suppression................... 20 seconds
Band Select Expire Dual Band..................... 60 seconds
Band Select Client Rssi.......................... -80 dBm
Load Balancing Denial............................ 3 count
Load Balancing Window............................ 5 clients
Coverage Data.................................... -80 dBm
Coverage Voice................................... -80 dBm
Coverage Exception............................... 3 clients
Coverage Level................................... 25 %
To display a summary of the icons present in the flash memory of the system, use the show icons summary command.
show icons summary
None
Release | Modification |
---|---|
8.3 | This command was introduced. |
The following is sample output from the show icons summary command:
Cisco Controller > show icons summary
Icon files (downloaded) in Flash memory
No. Filename                Size
--- ----------------------- -----
1.  dhk_icon.png            120694
2.  myIconCopy1.png         120694
3.  myIconCopy2.png         120694
To display configuration information for a specified wireless LAN or a foreign access point, or to display wireless LAN summary information, use the show wlan command.
show wlan { apgroups | summary | wlan_id | foreignAp | lobby-admin-access}
wlan_id | Displays the configuration of a WLAN. The Wireless LAN identifier range is from 1 to 512. |
foreignAp | Displays the configuration for support of foreign access points. |
None
For 802.1X client security type, which creates the PMK cache, the maximum session timeout that can be set is 86400 seconds when the session timeout is disabled. For other client security such as open, WebAuth, and PSK for which the PMK cache is not created, the session timeout value is shown as infinite when session timeout is disabled.
Release | Modification |
---|---|
8.3 | This command was introduced. |
The following example shows how to display a summary of wireless LANs for wlan_id 1:
(Cisco Controller) >show wlan 1
WLAN Identifier.................................. 1
Profile Name..................................... aicha
Network Name (SSID).............................. aicha
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Disabled
Network Admission Control
   RADIUS Profiling Status ...................... Disabled
    DHCP ......................................... Disabled
    HTTP ......................................... Disabled
   Client Profiling Status ...................... Disabled
    DHCP ......................................... Disabled
    HTTP ......................................... Disabled
   Radius-NAC State.............................. Enabled
   SNMP-NAC State................................ Enabled
   Quarantine VLAN................................ 0
Maximum number of Associated Clients............. 0
Maximum number of Clients per AP Radio........... 200
Number of Active Clients......................... 0
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. 1800 seconds
User Idle Timeout................................ 300 seconds
User Idle Threshold.............................. 0 Bytes
NAS-identifier................................... Talwar1
CHD per WLAN..................................... Enabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ management
Multicast Interface.............................. Not Configured
WLAN IPv4 ACL.................................... unconfigured
WLAN IPv6 ACL.................................... unconfigured
mDNS Status...................................... Disabled
mDNS Profile Name................................ unconfigured
DHCP Server...................................... Default
DHCP Address Assignment Required................. Disabled
Static IP client tunneling....................... Enabled
PMIPv6 Mobility Type............................. none
Quality of Service............................... Silver (best effort)
Per-SSID Rate Limits............................. Upstream Downstream
Average Data Rate................................ 0 0
Average Realtime Data Rate....................... 0 0
Burst Data Rate.................................. 0 0
Burst Realtime Data Rate......................... 0 0
Per-Client Rate Limits........................... Upstream Downstream
Average Data Rate................................ 0 0
Average Realtime Data Rate....................... 0 0
Burst Data Rate.................................. 0 0
Burst Realtime Data Rate......................... 0 0
Scan Defer Priority.............................. 4,5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Allowed
WMM UAPSD Compliant Client Support............... Disabled
Media Stream Multicast-direct.................... Disabled
CCX - AironetIe Support.......................... Enabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... None
Passive Client Feature........................... Disabled
IPv6 Support..................................... Disabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... All
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Radius Servers
   Authentication................................ Global Servers
   Accounting.................................... Global Servers
      Interim Update............................. Disabled
   Dynamic Interface............................. Disabled
Local EAP Authentication......................... Enabled (Profile 'Controller_Local_EAP')
Radius NAI-Realm................................. Enabled
Security
   802.11 Authentication:........................ Open System
   FT Support.................................... Disabled
   Static WEP Keys............................... Disabled
   802.1X........................................ Disabled
   Wi-Fi Protected Access (WPA/WPA2)............. Enabled
      WPA (SSN IE)............................... Enabled
         TKIP Cipher............................. Disabled
         AES Cipher.............................. Enabled
      WPA2 (RSN IE).............................. Enabled
         TKIP Cipher............................. Disabled
         AES Cipher.............................. Enabled
      Auth Key Management
         802.1x.................................. Enabled
         PSK..................................... Disabled
         CCKM.................................... Enabled
         FT(802.11r)............................. Disabled
         FT-PSK(802.11r)......................... Disabled
         PMF-1X(802.11w)......................... Enabled
         PMF-PSK(802.11w)........................ Disabled
FT Reassociation Timeout......................... 20
FT Over-The-Air mode............................. Enabled
FT Over-The-Ds mode.............................. Enabled
      GTK Randomization.......................... Disabled
      SKC Cache Support.......................... Disabled
      CCKM TSF Tolerance......................... 1000
   Wi-Fi Direct policy configured................ Disabled
   EAP-Passthrough............................... Disabled
   CKIP ......................................... Disabled
   IP Security................................... Disabled
   IP Security Passthru.......................... Disabled
   Web Based Authentication...................... Disabled
   Web-Passthrough............................... Disabled
   Conditional Web Redirect...................... Disabled
   Splash-Page Web Redirect...................... Disabled
   Auto Anchor................................... Disabled
   FlexConnect Local Switching................... Enabled
   flexconnect Central Dhcp Flag................. Disabled
   flexconnect nat-pat Flag...................... Disabled
   flexconnect Dns Override Flag................. Disabled
   FlexConnect Vlan based Central Switching ..... Disabled
   FlexConnect Local Authentication.............. Disabled
   FlexConnect Learn IP Address.................. Enabled
   Client MFP.................................... Optional
   PMF........................................... Disabled
   PMF Association Comeback Time................. 1
   PMF SA Query RetryTimeout..................... 200
   Tkip MIC Countermeasure Hold-down Timer....... 60
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
SIP CAC Fail Send-486-Busy Policy................ Enabled
SIP CAC Fail Send Dis-Association Policy......... Disabled
KTS based CAC Policy............................. Disabled
Band Select...................................... Disabled
Load Balancing................................... Disabled
Mobility Anchor List
WLAN ID IP Address      Status
------- --------------- ------
802.11u........................................ Enabled
Network Access type............................ Chargeable Public Network
Internet service............................... Enabled
Network Authentication type.................... Not Applicable
HESSID......................................... 00:00:00:00:00:00
IP Address Type Configuration
  IPv4 Address type............................ Available
  IPv6 Address type............................ Not Known
Roaming Consortium List
Index OUI List       In Beacon
----- -------------- ---------
1     313131         Yes
2     DDBBCC         No
3     DDDDDD         Yes
Realm configuration summary
  Realm index.................................. 1
  Realm name................................... jobin
    EAP index.................................. 1
    EAP method................................. Unsupported
Index Inner Authentication           Authentication Method
----- --------------------           ---------------------
1     Credential Type                SIM
2     Tunneled Eap Credential Type   SIM
3     Credential Type                SIM
4     Credential Type                USIM
5     Credential Type                Hardware Token
6     Credential Type                SoftToken
Domain name configuration summary
Index Domain name
-------------------
1     rom3
2     ram
3     rom1
Hotspot 2.0.................................... Enabled
Operator name configuration summary
Index Language Operator name
----- -------- -------------
1     ros      Robin
Port config summary
Index IP protocol Port number Status
----- ----------- ----------- -------
1     1           0           Closed
2     1           0           Closed
3     1           0           Closed
4     1           0           Closed
5     1           0           Closed
6     1           0           Closed
7     1           0           Closed
WAN Metrics Info
  Link status.................................. Up
  Symmetric Link............................... No
  Downlink speed............................... 4 kbps
  Uplink speed................................. 4 kbps
MSAP Services.................................. Disabled
Local Policy
----------------
Priority Policy Name
-------- ---------------
1        Teacher_access_policy
The following example shows how to display a summary of all WLANs:
(Cisco Controller) >show wlan summary
Number of WLANs.................................. 1
WLAN ID WLAN Profile Name / SSID              Status   Interface Name       PMIPv6 Mobility
------- ------------------------------------- -------- -------------------- ---------------
1       apsso / apsso                         Disabled management           none
The following example shows how to display the configuration for support of foreign access points:
(Cisco Controller) >show wlan foreignap
Foreign AP support is not enabled.
The following example shows how to display the AP groups:
(Cisco Controller) >show wlan apgroups
Total Number of AP Groups........................ 1
Site Name........................................ APuser
Site Description................................. <none>
Venue Name....................................... Not configured
Venue Group Code..................................Unspecified
Venue Type Code...................................Unspecified
Language Code.................................... Not configured
AP Operating Class............................... 83,84,112,113,115,116,117,118,123
RF Profile
----------
2.4 GHz band..................................... <none>
5 GHz band....................................... <none>
WLAN ID Interface   Network Admission Control  Radio Policy
------- ----------- -------------------------- ------------
14      int_4       Disabled                   All
AP Name            Slots AP Model            Ethernet MAC      Location         Port Country Priority
------------------ ----- ------------------- ----------------- ---------------- ---- ------- --------
Ibiza              2     AIR-CAP2602I-A-K9   44:2b:03:9a:8a:73 default location 1    US      1
Larch              2     AIR-CAP3502E-A-K9   f8:66:f2:ab:23:95 default location 1    US      1
Zest               2     AIR-CAP3502I-A-K9   00:22:90:91:6d:b6 ren              1    US      1
Number of Clients................................ 1
MAC Address       AP Name       Status        Device Type
----------------- ------------- ------------- -----------------
24:77:03:89:9b:f8 ap2           Associated    Android
This section lists the config commands to configure WLANs.
To enable or disable the Dynamic Transmit Power Control (DTPC) setting for an 802.11 network, use the config 802.11 dtpc command.
config 802.11{ a | b} dtpc { enable | disable}
Release | Modification |
---|---|
8.3 | This command was introduced. |
The following example shows how to disable DTPC for an 802.11a network:
(Cisco Controller) > config 802.11a dtpc disable
To disconnect a client, use the config client deauthenticate command.
config client deauthenticate { MAC | IPv4/v6_address | user_name}
IPv4/v6_address | IPv4 or IPv6 address. |
user_name | Client user name. |
Release | Modification |
---|---|
8.3 | This command was introduced. |
The following example shows how to deauthenticate a client using its MAC address:
(Cisco Controller) >config client deauthenticate 11:11:11:11:11:11
To delete a client profile, use the config client profiling command.
config client profiling delete { mac_address}
Release | Modification |
---|---|
8.3 | This command was introduced. |
The following example shows how to delete a client profile:
(Cisco Controller) >config client profiling delete 37:15:86:2a:Bc:cf
Note | Executing the above command changes the Device Type to "Unknown". The client is not deleted; only its profiling information is removed, and the client remains associated. The CLI does not display a confirmation message because of an architectural limitation of the Cisco WLC. |
To delete an icon or icons from flash, use the config icons delete command in the WLAN configuration mode.
config icons delete { filename | all }
filename | Name of the icon to be deleted. |
all | Deletes all the icon files from the system. |
None
WLAN configuration
Release | Modification |
---|---|
8.3 | This command was introduced. |
The following example shows how to delete an icon from flash:
Cisco Controller > config icons delete image-1
To configure an icon parameter, use the config icons file-info command in WLAN configuration mode.
config icons file-info filename file-type lang-code width height
filename | Icon filename. It can be up to 32 characters long. |
file-type | Icon filename type or extension. It can be up to 32 characters long. |
lang-code | Language code of the icon. Enter 2 or 3 letters from ISO-639, for example: eng for English. |
width | Icon width. The range is from 1 to 65535. |
height | Icon height. The range is from 1 to 65535. |
None
WLAN configuration
Release | Modification |
---|---|
8.3 | This command was introduced. |
This example shows how to configure icon parameters:
Cisco Controller > config icons file-info ima png eng 300 200
To configure the RF profile band selection parameters, use the config rf-profile band-select command.
config rf-profile band-select { client-rssi rssi | cycle-count cycles | cycle-threshold value | expire { dual-band value | suppression value} | probe-response { enable | disable}} profile_name
client-rssi |
Configures the client Received Signal Strength Indicator (RSSI) threshold for the RF profile. |
rssi |
Minimum RSSI for a client to respond to a probe. The range is from -20 to -90 dBm. |
cycle-count |
Configures the probe cycle count for the RF profile. The cycle count sets the number of suppression cycles for a new client. |
cycles |
Value of the cycle count. The range is from 1 to 10. |
cycle-threshold |
Configures the time threshold for a new scanning RF Profile band select cycle period. This setting determines the time threshold during which new probe requests from a client come in a new scanning cycle. |
value |
Value of the cycle threshold for the RF profile. The range is from 1 to 1000 milliseconds. |
expire |
Configures the expiration time of clients for band select. |
dual-band |
Configures the expiration time for pruning previously known dual-band clients. After this time elapses, clients become new and are subject to probe response suppression. |
value |
Value for a dual band. The range is from 10 to 300 seconds. |
suppression |
Configures the expiration time for pruning previously known 802.11b/g clients. After this time elapses, clients become new and are subject to probe response suppression. |
value |
Value for suppression. The range is from 10 to 200 seconds. |
probe-response |
Configures the probe response for an RF profile. |
enable |
Enables probe response suppression on clients operating in the 2.4-GHz band for an RF profile. |
disable |
Disables probe response suppression on clients operating in the 2.4-GHz band for an RF profile. |
profile name |
Name of the RF profile. The profile name can be up to 32 case-sensitive, alphanumeric characters. |
The default value for client RSSI is –80 dBm.
The default cycle count is 2.
The default cycle threshold is 200 milliseconds.
The default value for dual-band expiration is 60 seconds.
The default value for suppression expiration is 20 seconds.
Release | Modification |
---|---|
8.3 | This command was introduced. |
When you enable band select on a WLAN, the access point suppresses client probes on 2.4-GHz and moves the dual-band clients to the 5-GHz spectrum. The band-selection algorithm directs dual-band clients only from the 2.4-GHz radio to the 5-GHz radio of the same access point, and it only runs on an access point when both the 2.4-GHz and 5-GHz radios are up and running.
The following example shows how to configure the client RSSI:
(Cisco Controller) >config rf-profile band-select client-rssi -70
To configure the RF profile DCA settings, use the config rf-profile channel command.
config rf-profile channel { add chan profile name | delete chan profile name | foreign { enable | disable} profile name | chan-width { 20 | 40 | 80} profile name}
add |
Adds channel to the RF profile DCA channel list. |
delete |
Removes channel from the RF profile DCA channel list. |
foreign |
Configures the RF profile DCA foreign AP contribution. |
chan-width |
Configures the RF profile DCA channel width. |
chan |
Specifies channel number. |
profile name |
Specifies the name of the RF profile. The profile name can be up to 32 case-sensitive, alphanumeric characters. |
enable |
Enables foreign AP interference. |
disable |
Disables foreign AP interference. |
{20 | 40 | 80} |
Specifies RF Profile DCA channel width. |
None
Release | Modification |
---|---|
8.3 | This command was introduced. |
The following example shows how to add a channel to the RF profile DCA channel list:
(Cisco Controller) >config rf-profile channel add 40 admin1
The following example shows how to configure the RF profile DCA channel width:
(Cisco Controller) >config rf-profile channel chan-width 40 admin1
To configure the threshold value of the number of clients that associate with an access point, after which an SNMP trap is sent to the controller, use the config rf-profile client-trap-threshold command.
config rf-profile client-trap-threshold threshold profile_name
threshold |
Threshold value of the number of clients that associate with an access point, after which an SNMP trap is sent to the controller. The range is from 0 to 200. Traps are disabled if the threshold value is configured as zero. |
profile_name |
Name of the RF profile. The profile name can be up to 32 case-sensitive, alphanumeric characters. |
None
Release | Modification |
---|---|
8.3 | This command was introduced. |
The following example shows how to configure the threshold value of the number of clients that associate with an access point:
(Cisco Controller) >config rf-profile client-trap-threshold 150
To create an RF profile, use the config rf-profile create command.
config rf-profile create { 802.11a | 802.11b/g} profile-name
Release | Modification |
---|---|
8.3 | This command was introduced. |
The following example shows how to create a new RF profile:
(Cisco Controller) >config rf-profile create 802.11a RFtestgroup1
To configure the RF profile client-aware FRA feature, use the config rf-profile fra client-aware command.
config rf-profile fra client-aware { client-reset percent rf-profile-name | client-select percent rf-profile-name | disable rf-profile-name | enable rf-profile-name}
client-reset |
Configures the RF profile AP utilization threshold for radio to switch back to Monitor mode. |
percent |
Utilization percentage value ranges from 0 to 100. The default is 5%. |
rf-profile-name |
Name of the RF Profile. |
client-select |
Configures the RF profile utilization threshold for radio to switch to 5GHz. |
percent |
Utilization percentage value ranges from 0 to 100. The default is 50%. |
disable |
Disables the RF profile client-aware FRA feature. |
enable |
Enables the RF profile client-aware FRA feature. |
The default percent value for client-select and client-reset is 50% and 5% respectively.
Release | Modification |
---|---|
8.5 | This command was introduced. |
The following example shows how to configure the RF profile utilization threshold for redundant dual-band radios to switch back from 5GHz client-serving role to Monitor mode:
(Cisco Controller) >config rf-profile fra client-aware client-reset 15 profile1
The following example shows how to configure the RF profile utilization threshold for redundant dual-band radios to switch from Monitor mode to 5GHz client-serving role:
(Cisco Controller) >config rf-profile fra client-aware client-select 20 profile1
The following example shows how to disable the RF profile client-aware FRA feature:
(Cisco Controller) >config rf-profile fra client-aware disable profile1
The following example shows how to enable the RF profile client-aware FRA feature:
(Cisco Controller) >config rf-profile fra client-aware enable profile1
To configure the data rate on an RF profile, use the config rf-profile data-rates command.
config rf-profile data-rates { 802.11a | 802.11b } { disabled | mandatory | supported} data-rate profile-name
Default data rates for RF profiles are derived from the controller system defaults, that is, the global data rate configurations. For example, if the RF profile's radio policy is mapped to 802.11a, then the global 802.11a data rates are copied into the RF profile at the time of creation.
The data rates set with this command are negotiated between the client and the Cisco wireless LAN controller. If the data rate is set to mandatory, the client must support it in order to use the network. If a data rate is set as supported by the Cisco wireless LAN controller, any associated client that also supports that rate may communicate with the Cisco lightweight access point using that rate. It is not required that a client is able to use all the rates marked supported in order to associate.
Release | Modification |
---|---|
8.3 | This command was introduced. |
The following example shows how to set the 802.11b transmission of an RF profile at a mandatory rate at 12 Mbps:
(Cisco Controller) >config rf-profile data-rates 802.11b mandatory 12 RFGroup1
To delete an RF profile, use the config rf-profile delete command.
config rf-profile delete profile-name
Release | Modification |
---|---|
8.3 | This command was introduced. |
The following example shows how to delete an RF profile:
(Cisco Controller) >config rf-profile delete RFGroup1
To add a description to an RF profile, use the config rf-profile description command.
config rf-profile description description profile-name
Release | Modification |
---|---|
8.3 | This command was introduced. |
The following example shows how to add a description to an RF profile:
(Cisco Controller) >config rf-profile description This is a demo description RFGroup1
To configure load balancing on an RF profile, use the config rf-profile load-balancing command.
config rf-profile load-balancing { window clients | denial value} profile_name
window |
Configures the client window for load balancing of an RF profile. |
clients |
Client window size that limits the number of client associations with an access point. The range is from 0 to 20. The default value is 5. The window size is part of the algorithm that determines whether an access point is too heavily loaded to accept more client associations: load-balancing window + client associations on AP with lightest load = load-balancing threshold. Access points with more client associations than this threshold are considered busy, and clients can associate only to access points with client counts lower than the threshold. This window also helps to disassociate sticky clients. |
denial |
Configures the client denial count for load balancing of an RF profile. |
value |
Maximum number of association denials during load balancing. The range is from 1 to 10. The default value is 3. When a client tries to associate on a wireless network, it sends an association request to the access point. If the access point is overloaded and load balancing is enabled on the controller, the access point sends a denial to the association request. If there are no other access points in the range of the client, the client tries to associate with the same access point again. After the maximum denial count is reached, the client is able to associate. The association attempts that a client makes on an access point before it associates with any AP are called a sequence of association. |
profile_name |
Name of the RF profile. The profile name can be up to 32 case-sensitive, alphanumeric characters. |
None
Release | Modification |
---|---|
8.3 | This command was introduced. |
The following example shows how to configure the client window size for an RF profile:
(Cisco Controller) >config rf-profile load-balancing window 15
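The window and denial parameters described above combine into one admission decision per association request. The following Python model is an added illustration, not Cisco code; the AP names, client counts, MAC addresses and the per-client denial bookkeeping are constructed assumptions.

```python
"""Model of the RF-profile load-balancing decision (added example, not Cisco code)."""
from dataclasses import dataclass, field

WINDOW_RANGE = range(0, 21)   # documented range for "window clients"
DENIAL_RANGE = range(1, 11)   # documented range for "denial value"


@dataclass
class LoadBalancer:
    window: int = 5           # documented default window size
    max_denials: int = 3      # documented default denial count
    ap_clients: dict = field(default_factory=dict)  # AP name -> associated clients
    denials: dict = field(default_factory=dict)     # client MAC -> denials so far

    def __post_init__(self):
        if self.window not in WINDOW_RANGE:
            raise ValueError("window must be in the range 0 to 20")
        if self.max_denials not in DENIAL_RANGE:
            raise ValueError("denial count must be in the range 1 to 10")

    def threshold(self):
        # load-balancing window + client associations on AP with lightest load
        return self.window + min(self.ap_clients.values())

    def is_busy(self, ap):
        # An AP with MORE associations than the threshold is busy. An AP that
        # sits exactly on the threshold is treated as not busy in this model.
        return self.ap_clients[ap] > self.threshold()

    def request(self, client, ap):
        """Process one association request and return 'deny' or 'accept'."""
        seen = self.denials.get(client, 0)
        if self.is_busy(ap) and seen < self.max_denials:
            # Busy AP and the client still has denials left in its sequence.
            self.denials[client] = seen + 1
            return "deny"
        # Either the AP is not busy, or the maximum denial count was reached:
        # the client is allowed to associate and its sequence is reset.
        self.denials.pop(client, None)
        self.ap_clients[ap] += 1
        return "accept"


def demo():
    """Constructed scenario: three APs, one client that only hears AP1."""
    lb = LoadBalancer(window=5, max_denials=3,
                      ap_clients={"AP1": 12, "AP2": 3, "AP3": 8})
    sticky = "aa:bb:cc:00:00:01"  # constructed MAC address
    return {
        "threshold": lb.threshold(),
        "busy": sorted(ap for ap in lb.ap_clients if lb.is_busy(ap)),
        "sticky_client": [lb.request(sticky, "AP1") for _ in range(4)],
        "ap1_after": lb.ap_clients["AP1"],
    }


if __name__ == "__main__":
    print(demo())
```

The fourth request succeeds even though AP1 is still busy, so the denial count only bounds how long a client is steered away; it does not cap the number of clients on the access point.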
To configure the maximum number of client connections per access point of an RF profile, use the config rf-profile max-clients command.
config rf-profile max-clients clients
clients |
Maximum number of client connections per access point of an RF profile. The range is from 1 to 200. |
None
Release | Modification |
---|---|
8.3 | This command was introduced. |
You can use this command to configure the maximum number of clients on access points that are in client dense areas, or serving high bandwidth video or mission critical voice applications.
The following example shows how to set the maximum number of clients at 50:
(Cisco Controller) >config rf-profile max-clients 50
To configure the minimum RF profile multicast data rate, use the config rf-profile multicast data-rate command.
config rf-profile multicast data-rate value profile_name
value |
Minimum RF profile multicast data rate. The options are 6, 9, 12, 18, 24, 36, 48, 54. Enter 0 to specify that access points will dynamically adjust the data rate. |
profile_name |
Name of the RF profile. The profile name can be up to 32 case-sensitive, alphanumeric characters. |
The minimum RF profile multicast data rate is 0.
Release | Modification |
---|---|
8.3 | This command was introduced. |
The following example shows how to set the multicast data rate for an RF profile:
(Cisco Controller) >config rf-profile multicast data-rate 24
To create an out-of-box AP group consisting of newly installed access points, use the config rf-profile out-of-box command.
config rf-profile out-of-box { enable | disable}
None
Release | Modification |
---|---|
8.3 | This command was introduced. |
When an out-of-box AP associates with the controller for the first time, it will be redirected to a special AP group and the RF profiles applicable to this AP Group will control the radio admin state configuration of the AP. You can move APs to the default group or a custom group upon network convergence.
The following example shows how to enable the creation of an out-of-box AP group:
(Cisco Controller) >config rf-profile out-of-box enable
To configure high, medium or low Rx SOP threshold values for each 802.11 band, use the config rf-profile rx-sop threshold command.
config rf-profile rx-sop threshold {high | medium | low | auto} profile_name
high |
Configures the high Rx SOP threshold value for an RF profile. |
medium |
Configures the medium Rx SOP threshold value for an RF profile. |
low |
Configures the low Rx SOP threshold value for an RF profile. |
auto |
Configures an auto Rx SOP threshold value for an RF profile. When you choose auto, the access point determines the best Rx SOP threshold value. |
profile_name |
RF profile on which the Rx SOP threshold value will be configured. |
The default Rx SOP threshold option is auto.
Release | Modification |
---|---|
8.3 | This command was introduced. |
The following example shows how to configure the high Rx SOP threshold value on an RF profile:
(Cisco Controller) >config rf-profile rx-sop threshold high T1a
To configure the RF profile trap threshold, use the config rf-profile trap-threshold command.
config rf-profile trap-threshold { clients clients profile name | interference percent profile name | noise dBm profile name | utilization percent profile name}
clients |
Configures the RF profile trap threshold for clients. |
clients |
The number of clients on an access point's radio for the trap is between 1 and 200. The default is 12 clients. |
profile name |
Specifies the name of the RF profile. The profile name can be up to 32 case-sensitive, alphanumeric characters. |
interference |
Configures the RF profile trap threshold for interference. |
percent |
The percentage of interference threshold for the trap is from 0 to 100 %. The default is 10 %. |
noise |
Configures the RF profile trap threshold for noise. |
dBm |
The level of noise threshold for the trap is from -127 to 0 dBm. The default is -17 dBm. |
utilization |
Configures the RF profile trap threshold for utilization. |
percent |
The percentage of bandwidth being used by an access point threshold for the trap is from 0 to 100 %. The default is 80 %. |
None
Release | Modification |
---|---|
8.3 | This command was introduced. |
The following example shows how to configure the RF profile trap threshold for clients:
(Cisco Controller) >config rf-profile trap-threshold clients 50 admin1
To configure Transmit Power Control version 1 (TPCv1) to an RF profile, use the config rf-profile tx-power-control-thresh-v1 command.
config rf-profile tx-power-control-thresh-v1 tpc-threshold profile_name
Release | Modification |
---|---|
8.3 | This command was introduced. |
The following example shows how to configure TPCv1 on an RF profile:
(Cisco Controller) >config rf-profile tx-power-control-thresh-v1 RFGroup1
To configure Transmit Power Control version 2 (TPCv2) to an RF profile, use the config rf-profile tx-power-control-thresh-v2 command.
config rf-profile tx-power-control-thresh-v2 tpc-threshold profile-name
Release | Modification |
---|---|
8.3 | This command was introduced. |
The following example shows how to configure TPCv2 on an RF profile:
(Cisco Controller) >config rf-profile tx-power-control-thresh-v2 RFGroup1
To configure maximum auto-rf to an RF profile, use the config rf-profile tx-power-max command.
config rf-profile tx-power-max profile-name
Release | Modification |
---|---|
8.3 | This command was introduced. |
The following example shows how to configure tx-power-max on an RF profile:
(Cisco Controller) >config rf-profile tx-power-max RFGroup1
To configure minimum auto-rf to an RF profile, use the config rf-profile tx-power-min command.
config rf-profile tx-power-min tx-power-min profile-name
Release | Modification |
---|---|
8.3 | This command was introduced. |
The following example shows how to configure tx-power-min on an RF profile:
(Cisco Controller) >config rf-profile tx-power-min RFGroup1
To add a watchlist entry for a wireless LAN, use the config watchlist add command.
config watchlist add { mac MAC | username username}
Release | Modification |
---|---|
8.3 | This command was introduced. |
The following example shows how to add a watchlist entry for the MAC address a5:6b:ac:10:01:6b:
(Cisco Controller) >config watchlist add mac a5:6b:ac:10:01:6b
To delete a watchlist entry for a wireless LAN, use the config watchlist delete command.
config watchlist delete { mac MAC | username username}
mac MAC |
Specifies the MAC address of the wireless LAN to delete from the list. |
Release | Modification |
---|---|
8.3 | This command was introduced. |
The following example shows how to delete a watchlist entry for the MAC address a5:6b:ac:10:01:6b:
(Cisco Controller) >config watchlist delete mac a5:6b:ac:10:01:6b
To disable the client watchlist, use the config watchlist disable command.
config watchlist disable
None
Release | Modification |
---|---|
8.3 | This command was introduced. |
The following example shows how to disable the client watchlist:
(Cisco Controller) >config watchlist disable
To enable a watchlist entry for a wireless LAN, use the config watchlist enable command.
config watchlist enable
None
Release | Modification |
---|---|
8.3 | This command was introduced. |
The following example shows how to enable a watchlist entry:
(Cisco Controller) >config watchlist enable
To create, delete, enable, or disable a wireless LAN, use the config wlan command.
config wlan { enable | disable | create | delete} wlan_id [ name | foreignAp name ssid | all]
name |
(Optional) WLAN profile name up to 32 alphanumeric characters. |
Release | Modification |
---|---|
8.3 | This command was introduced. |
When you create a new WLAN using the config wlan create command, it is created in disabled mode. Leave it disabled until you have finished configuring it.
If you do not specify an SSID, the profile name parameter is used for both the profile name and the SSID.
If the management and AP-manager interfaces are mapped to the same port and are members of the same VLAN, you must disable the WLAN before making a port-mapping change to either interface. If the management and AP-manager interfaces are assigned to different VLANs, you do not need to disable the WLAN.
An error message appears if you try to delete a WLAN that is assigned to an access point group. If you proceed, the WLAN is removed from the access point group and from the access point’s radio.
The following example shows how to enable wireless LAN identifier 16:
(Cisco Controller) >config wlan enable 16
To configure support for phones, use the config wlan 7920-support command.
config wlan 7920-support { client-cac-limit | ap-cac-limit} { enable | disable} wlan_id
Release | Modification |
---|---|
8.3 | This command was introduced. |
You cannot enable both WMM mode and client-controlled CAC mode on the same WLAN.
The following example shows how to enable the phone support that requires client-controlled CAC with wireless LAN ID 8:
(Cisco Controller) >config wlan 7920-support ap-cac-limit enable 8
To configure 802.11e support on a wireless LAN, use the config wlan 802.11e command.
config wlan 802.11e { allow | disable | require} wlan_id
Release | Modification |
---|---|
8.3 | This command was introduced. |
802.11e provides quality of service (QoS) support for LAN applications, which are critical for delay sensitive applications such as Voice over Wireless IP (VoWIP).
802.11e enhances the 802.11 Media Access Control layer (MAC layer) with a coordinated time division multiple access (TDMA) construct, and adds error-correcting mechanisms for delay sensitive applications such as voice and video. The 802.11e specification provides seamless interoperability and is especially well suited for use in networks that include a multimedia capability.
The following example shows how to allow 802.11e on the wireless LAN with LAN ID 1:
(Cisco Controller) >config wlan 802.11e allow 1
To configure a user policy override via AAA on a wireless LAN, use the config wlan aaa-override command.
config wlan aaa-override { enable | disable} { wlan_id | foreignAp}
Release | Modification |
---|---|
8.3 | This command was introduced. |
When AAA override is enabled and a client has conflicting AAA and Cisco wireless LAN controller wireless LAN authentication parameters, client authentication is performed by the AAA server. As part of this authentication, the operating system will move clients from the default Cisco wireless LAN VLAN to a VLAN returned by the AAA server and predefined in the controller interface configuration (only when configured for MAC filtering, 802.1X, and/or WPA operation). In all cases, the operating system will also use QoS, DSCP, 802.1p priority tag values, and ACLs provided by the AAA server, as long as they are predefined in the controller interface configuration. (This VLAN switching by AAA override is also referred to as Identity Networking.)
If the corporate wireless LAN uses a management interface assigned to VLAN 2, and if AAA override returns a redirect to VLAN 100, the operating system redirects all client transmissions to VLAN 100, regardless of the physical port to which VLAN 100 is assigned.
When AAA override is disabled, all client authentication defaults to the controller authentication parameter settings, and authentication is performed by the AAA server if the controller wireless LAN does not contain any client-specific authentication parameters.
The following example shows how to configure user policy override via AAA on WLAN ID 1:
(Cisco Controller) >config wlan aaa-override enable 1
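The resolution rules described above decide which VLAN, QoS level and ACL a client ends up with, so they are worth checking whenever RADIUS policy and controller configuration are maintained separately. The following Python model is an added illustration, not controller code; the class names, security labels, QoS and ACL names are constructed, and keeping the WLAN default when an AAA value is not predefined on the controller is an assumption of the model.

```python
"""Model of AAA-override policy resolution (added example, not controller code)."""
from dataclasses import dataclass, replace
from typing import Optional

# Security types for which the page says AAA-returned VLANs are applied.
VLAN_OVERRIDE_SECURITY = frozenset({"mac-filtering", "802.1x", "wpa"})


@dataclass(frozen=True)
class Policy:
    vlan: int
    qos: str
    acl: Optional[str] = None


@dataclass(frozen=True)
class Controller:
    vlans: frozenset          # VLANs predefined in the interface configuration
    qos_profiles: frozenset   # QoS levels predefined on the controller
    acls: frozenset           # ACL names predefined on the controller


def resolve_policy(wlan, security, override_enabled, aaa, ctl):
    """Return (effective Policy, list of notes about AAA values not applied)."""
    notes = []
    if not override_enabled:
        # Override disabled: the controller's WLAN settings are used as-is.
        if aaa:
            notes.append("aaa-override disabled: AAA attributes ignored")
        return wlan, notes

    effective = wlan
    if "vlan" in aaa:
        if not set(security) & VLAN_OVERRIDE_SECURITY:
            notes.append("vlan %d ignored: WLAN is not using MAC filtering, "
                         "802.1X or WPA" % aaa["vlan"])
        elif aaa["vlan"] not in ctl.vlans:
            # Assumption of this model: fall back to the WLAN default VLAN.
            notes.append("vlan %d not predefined on controller: "
                         "kept WLAN default" % aaa["vlan"])
        else:
            effective = replace(effective, vlan=aaa["vlan"])

    # QoS and ACL are used in all cases, as long as they are predefined.
    for attr, defined in (("qos", ctl.qos_profiles), ("acl", ctl.acls)):
        if attr in aaa:
            if aaa[attr] in defined:
                effective = replace(effective, **{attr: aaa[attr]})
            else:
                notes.append("%s %r not predefined on controller: "
                             "kept WLAN default" % (attr, aaa[attr]))
    return effective, notes


def demo():
    """Constructed data based on the VLAN 2 / VLAN 100 case in the text."""
    ctl = Controller(vlans=frozenset({2, 100}),
                     qos_profiles=frozenset({"silver", "platinum"}),
                     acls=frozenset({"guest-acl"}))
    wlan = Policy(vlan=2, qos="silver")
    return [
        resolve_policy(wlan, {"802.1x"}, True, {"vlan": 100, "qos": "platinum"}, ctl),
        resolve_policy(wlan, {"802.1x"}, True, {"vlan": 300, "acl": "guest-acl"}, ctl),
        resolve_policy(wlan, {"802.1x"}, False, {"vlan": 100}, ctl),
    ]


if __name__ == "__main__":
    for policy, notes in demo():
        print(policy, notes)
```

A non-empty notes list marks a client whose effective policy differs from what the AAA server returned, which is the mismatch to look for when auditing segmentation.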
To configure assisted roaming on a WLAN, use the config wlan assisted-roaming command.
config wlan assisted-roaming { neighbor-list | dual-list | prediction} { enable | disable} wlan_id
neighbor-list |
Configures an 802.11k neighbor list for a WLAN. |
dual-list |
Configures a dual band 802.11k neighbor list for a WLAN. The default is the band that the client is currently associated with. |
prediction |
Configures an assisted roaming optimization prediction for a WLAN. |
enable |
Enables the configuration on the WLAN. |
disable |
Disables the configuration on the WLAN. |
wlan_id |
Wireless LAN identifier between 1 and 512 (inclusive). |
The 802.11k neighbor list is enabled for all WLANs.
By default, dual band list is enabled if the neighbor list feature is enabled for the WLAN.
Release | Modification |
---|---|
8.3 | This command was introduced. |
When you enable the assisted roaming prediction list, a warning appears and load balancing is disabled for the WLAN, if load balancing is already enabled on the WLAN.
The following example shows how to enable an 802.11k neighbor list for a WLAN:
(Cisco Controller) >config wlan assisted-roaming neighbor-list enable 1
To configure band selection on a WLAN, use the config wlan band-select allow command.
config wlan band-select allow { enable | disable} wlan_id
enable |
Enables band selection on a WLAN. |
disable |
Disables band selection on a WLAN. |
wlan_id |
Wireless LAN identifier between 1 and 512. |
None
Release | Modification |
---|---|
8.3 | This command was introduced. |
When you enable band select on a WLAN, the access point suppresses client probes on 2.4-GHz and moves the dual-band clients to the 5-GHz spectrum. The band-selection algorithm directs dual-band clients only from the 2.4-GHz radio to the 5-GHz radio of the same access point, and it only runs on an access point when both the 2.4-GHz and 5-GHz radios are up and running.
The following example shows how to enable band selection on a WLAN:
(Cisco Controller) >config wlan band-select allow enable 6
To configure a Service Set Identifier (SSID) broadcast on a wireless LAN, use the config wlan broadcast-ssid command.
config wlan broadcast-ssid { enable | disable} wlan_id
Release | Modification |
---|---|
8.3 | This command was introduced. |
The following example shows how to configure an SSID broadcast on wireless LAN ID 1:
(Cisco Controller) >config wlan broadcast-ssid enable 1
To enable or disable Coverage Hole Detection (CHD) for a wireless LAN, use the config wlan chd command.
config wlan chd wlan_id { enable | disable}
Release | Modification |
---|---|
8.3 | This command was introduced. |
The following example shows how to enable CHD for WLAN 3:
(Cisco Controller) >config wlan chd 3 enable
To enable or disable Aironet information elements (IEs) for a WLAN, use the config wlan ccx aironet-ie command.
config wlan ccx aironet-ie { enable | disable}
Release | Modification |
---|---|
8.3 | This command was introduced. |
The following example shows how to enable Aironet information elements for a WLAN:
(Cisco Controller) >config wlan ccx aironet-ie enable
To configure the controller to defer priority markings for packets that can defer off channel scanning, use the config wlan channel-scan defer-priority command.
config wlan channel-scan defer-priority priority [ enable | disable] wlan_id
enable |
(Optional) Enables packet at given priority to defer off channel scanning. |
disable |
(Optional) Disables packet at given priority to defer off channel scanning. |
Release | Modification |
---|---|
8.3 | This command was introduced. |
The priority value should be set to 6 on the client and on the WLAN.
The following example shows how to enable the controller to defer priority markings that can defer off channel scanning with user priority value 6 and WLAN id 30:
(Cisco Controller) >config wlan channel-scan defer-priority 6 enable 30
To assign the channel scan defer time in milliseconds, use the config wlan channel-scan defer-time command.
config wlan channel-scan defer-time msecs wlan_id
Release | Modification |
---|---|
8.3 | This command was introduced. |
The time value in milliseconds should match the requirements of the equipment on your WLAN.
The following example shows how to assign the scan defer time to 40 milliseconds for WLAN with ID 50:
(Cisco Controller) >config wlan channel-scan defer-time 40 50
To configure the web authentication page for a WLAN, use the config wlan custom-web command.
config wlan custom-web { { ext-webauth-url ext-webauth-url wlan_id } | { global { enable | disable}} | { ms-open { enable | disable | url}} | { login-page page-name } | { loginfailure-page { page-name | none}} | { logout-page { page-name | none}} | { sleep-client { enable | disable} wlan_id timeout duration} | { webauth-type { internal | customized | external} wlan_id}}
ext-webauth-url |
Configures an external web authentication URL. |
ext-webauth-url |
External web authentication URL. |
wlan_id |
WLAN identifier. Default range is from 1 to 512. |
global |
Configures the global status for a WLAN. |
enable |
Enables the global status for a WLAN. |
disable |
Disables the global status for a WLAN. |
ms-open |
Configures the ms-open feature on the WLAN. |
enable |
Enables the ms-open feature on the WLAN. |
disable |
Disables the ms-open feature on the WLAN. |
url |
Configures ms-open URL. |
login-page |
Configures the name of the login page for an external web authentication URL. |
page-name |
Login page name for an external web authentication URL. |
loginfailure-page |
Configures the name of the login failure page for an external web authentication URL. |
none |
Does not configure a login failure page for an external web authentication URL. |
logout-page |
Configures the name of the logout page for an external web authentication URL. |
sleep-client |
Configures the sleep client feature on the WLAN. |
timeout |
Configures the sleep client timeout on the WLAN. |
duration |
Maximum amount of time after the idle timeout, in hours, before a sleeping client is forced to reauthenticate. The range is from 1 to 720. The default is 12. When the sleep client feature is enabled, the clients need not provide the login credentials when they move from one Cisco WLC to another (if the Cisco WLCs are in the same mobility group) between the sleep and wake-up times. |
webauth-type |
Configures the type of web authentication for the WLAN. |
internal |
Displays the default login page. |
customized |
Displays a customized login page. |
external |
Displays a login page on an external web server. |
None
Release | Modification |
---|---|
8.3 | This command was introduced. |
The following example shows how to configure the web authentication type in the WLAN:
(Cisco Controller) >config wlan custom-web webauth-type external
To configure a Delivery Traffic Indicator Message (DTIM) for an 802.11 radio network, use the config wlan dtim command.
config wlan dtim { 802.11a | 802.11b} dtim wlan_id
Release | Modification |
---|---|
8.3 | This command was introduced. |
The following example shows how to configure DTIM for 802.11a radio network with DTIM value 128 and WLAN ID 1:
(Cisco Controller) >config wlan dtim 802.11a 128 1
To configure the wireless LAN exclusion list, use the config wlan exclusionlist command.
config wlan exclusionlist { wlan_id [ enabled | disabled | time] | foreignAp [ enabled | disabled | time]}
Release | Modification |
---|---|
8.3 | This command was introduced. |
The following example shows how to enable the exclusion list for WLAN ID 1:
(Cisco Controller) >config wlan exclusionlist 1 enabled
To configure client reassociation and security key caching on the Cisco WLC, use the config wlan flexconnect central-assoc command.
config wlan flexconnect central-assoc wlan-id { enable | disable}
wlan-id |
ID of the WLAN |
enable |
Enables client reassociation and security key caching on the Cisco WLC |
disable |
Disables client reassociation and security key caching on the Cisco WLC |
Client reassociation and security key caching on the Cisco WLC is in disabled state.
Release | Modification |
---|---|
8.3 | This command was introduced. |
A use case for this configuration is a large-scale deployment with fast roaming.
Configuration of central association with local authentication is not supported for the WLAN. After the PMIPv6 tunnel is set up, all data traffic from the PMIPv6 clients is forwarded from the Cisco AP to the local mobility anchor (LMA) in the Generic Routing Encapsulation (GRE) tunnel. If the connectivity between the Cisco AP and the Cisco WLC is lost, the data traffic for the existing PMIPv6 clients continues to flow until the connectivity between the Cisco AP and the client is lost. When the AP is in stand-alone mode, no new client associations are accepted on the PMIPv6 enabled WLAN.
The following example shows how to enable client reassociation and security key caching on the Cisco WLC for a WLAN whose ID is 2:
(Cisco Controller) >config wlan flexconnect central-assoc 2 enable
To enable or disable client IP address learning for the Cisco WLAN controller, use the config wlan flexconnect learn-ipaddr command.
config wlan flexconnect learn-ipaddr wlan_id { enable | disable}
Disabled when the config wlan flexconnect local-switching command is disabled. Enabled when the config wlan flexconnect local-switching command is enabled.
Release | Modification |
---|---|
8.3 | This command was introduced. |
If the client is configured with Layer 2 encryption, the controller cannot learn the client IP address, and the controller will periodically drop the client. Disable this option to keep the client connection without waiting to learn the client IP address.
Note | This command is valid only for IPv4. |
Note | The ability to disable IP address learning is not supported with FlexConnect central switching. |
The following example shows how to disable client IP address learning for WLAN 6:
(Cisco Controller) >config wlan flexconnect learn-ipaddr 6 disable
To configure local switching, central DHCP, NAT-PAT, or the override DNS option on a FlexConnect WLAN, use the config wlan flexconnect local-switching command.
config wlan flexconnect local-switching wlan_id { enable | disable} { { central-dhcp { enable | disable} nat-pat { enable | disable} } | { override option dns { enable | disable} } }
Release | Modification |
---|---|
8.3 | This command was introduced. |
When you enable the config wlan flexconnect local-switching command, the config wlan flexconnect learn-ipaddr command is enabled by default.
Note | This command is valid only for IPv4. |
Note | The ability to disable IP address learning is not supported with FlexConnect central switching. |
The following example shows how to enable WLAN 6 for local switching and enable central DHCP and NAT-PAT:
(Cisco Controller) >config wlan flexconnect local-switching 6 enable central-dhcp enable nat-pat enable
The following example shows how to enable the override DNS option on WLAN 6:
(Cisco Controller) >config wlan flexconnect local-switching 6 override option dns enable
To configure a wireless LAN interface or an interface group, use the config wlan interface command.
config wlan interface { wlan_id | foreignAp} { interface-name | interface-group-name}
Release | Modification |
---|---|
8.3 | This command was introduced. |
The following example shows how to configure an interface named VLAN901:
(Cisco Controller) >config wlan interface 16 VLAN901
To configure the Key Telephone System-based CAC policy for a WLAN, use the config wlan kts-cac command.
config wlan kts-cac { enable | disable} wlan_id
Release | Modification |
---|---|
8.3 | This command was introduced. |
To enable the KTS-based CAC policy for a WLAN, ensure that you do the following:
The following example shows how to enable the KTS-based CAC policy for a WLAN with the ID 4:
(Cisco Controller) >config wlan kts-cac enable 4
To override the global load balance configuration and enable or disable load balancing on a particular WLAN, use the config wlan load-balance command.
config wlan load-balance allow { enable | disable} wlan_id
Release | Modification |
---|---|
8.3 | This command was introduced. |
The following example shows how to enable load balancing on a wireless LAN with WLAN ID 3:
(Cisco Controller) >config wlan load-balance allow enable 3
To configure the maximum number of client connections on a wireless LAN, guest LAN, or remote LAN, use the config wlan max-associated-clients command.
config wlan max-associated-clients max_clients wlan_id
Release | Modification |
---|---|
8.3 | This command was introduced. |
The following example shows how to specify the maximum number of client connections on WLAN ID 2:
(Cisco Controller) >config wlan max-associated-clients 25 2
To configure the maximum number of WLAN clients per access point, use the config wlan max-radio-clients command.
config wlan max-radio-clients max_radio_clients wlan_id
max_radio_clients |
Maximum number of client connections to be accepted per access point radio. The valid range is from 1 to 200. |
Release | Modification |
---|---|
8.3 | This command was introduced. |
The following example shows how to specify the maximum number of client connections per access point radio on WLAN ID 2:
(Cisco Controller) >config wlan max-radio-clients 25 2
To configure multicast-direct for a wireless LAN media stream, use the config wlan media-stream command.
config wlan media-stream multicast-direct { wlan_id | all} { enable | disable}
multicast-direct |
Configures multicast-direct for a wireless LAN media stream. |
Release | Modification |
---|---|
8.3 | This command was introduced. |
Media stream multicast-direct requires load based Call Admission Control (CAC) to run. WLAN quality of service (QoS) needs to be set to either gold or platinum.
The following example shows how to enable the global multicast-direct media stream with WLAN ID 2:
(Cisco Controller) >config wlan media-stream multicast-direct 2 enable
To enable Multi-User, Multiple-Input, Multiple-Output (MU-MIMO) on a WLAN, enter the config wlan mu-mimo command.
config wlan mu-mimo { enable | disable} wlan-id
enable wlan-id |
Enables MU-MIMO on the WLAN that is specified |
disable wlan-id |
Disables MU-MIMO on the WLAN that is specified |
Release | Modification |
---|---|
8.3 | This command was introduced. |
To configure a default realm for a PMIPv6 WLAN, use the config wlan pmipv6 default-realm command.
config wlan pmipv6 default-realm { default-realm-name | none } wlan_id
default-realm-name | Default realm name for the WLAN. |
none |
Clears the realm name for the WLAN. |
wlan_id |
Wireless LAN identifier between 1 and 512. |
None.
Release | Modification |
---|---|
8.3 | This command was introduced. |
The following example shows how to configure a default realm name on a PMIPv6 WLAN:
(Cisco Controller) >config wlan pmipv6 default-realm XYZ 6
To edit a profile associated to a WLAN, use the config wlan profile command.
config wlan profile wlan_id profile-name
profile-name |
Name of the WLAN profile. |
Release | Modification |
---|---|
8.3 | This command was introduced. |
The following example shows how to edit a profile associated to a WLAN:
(Cisco Controller) > config wlan disable 1
(Cisco Controller) > config wlan profile 1 new_sample
(Cisco Controller) > show wlan summary
Number of WLANs.................................. 1
WLAN ID  WLAN Profile Name / SSID   Status    Interface Name   PMIPv6 Mobility
-------  -------------------------  --------  ---------------  ---------------
1        new_sample / new_samp      Disabled  management       none
To configure client profiling on a WLAN, use the config wlan profiling command.
config wlan profiling { local | radius} { all | dhcp | http} { enable | disable} wlan_id
local |
Configures client profiling in Local mode for a WLAN. |
radius |
Configures client profiling in RADIUS mode on a WLAN. |
all |
Configures DHCP and HTTP client profiling in a WLAN. |
dhcp |
Configures DHCP client profiling alone in a WLAN. |
http |
Configures HTTP client profiling in a WLAN. |
enable |
Enables the specific type of client profiling in a WLAN. When you enable HTTP profiling, the Cisco WLC collects the HTTP attributes of clients for profiling. When you enable DHCP profiling, the Cisco WLC collects the DHCP attributes of clients for profiling. |
disable |
Disables the specific type of client profiling in a WLAN. |
wlan_id |
Wireless LAN identifier from 1 to 512. |
Ensure that you have disabled the WLAN before configuring client profiling on the WLAN.
Client profiling is disabled.
Release | Modification |
---|---|
8.3 | This command was introduced. |
Only clients connected to port 80 for HTTP can be profiled. IPv6 only clients are not profiled.
If a session timeout is configured for a WLAN, clients must send the HTTP traffic before the configured timeout to get profiled.
The following example shows how to enable both DHCP and HTTP profiling on a WLAN:
(Cisco Controller) >config wlan profiling radius all enable 6
HTTP Profiling successfully enabled.
DHCP Profiling successfully enabled.
To change the quality of service (QoS) for a wireless LAN, use the config wlan qos command.
config wlan qos wlan_id { bronze | silver | gold | platinum}
config wlan qos foreignAp { bronze | silver | gold | platinum}
foreignAp |
Specifies third-party access points. |
Release | Modification |
---|---|
8.3 | This command was introduced. |
The following example shows how to set the highest level of service on wireless LAN 1:
(Cisco Controller) >config wlan qos 1 gold
To set the Cisco radio policy on a wireless LAN, use the config wlan radio command.
config wlan radio wlan_id { all | 802.11a | 802.11bg | 802.11g | 802.11ag}
802.11bg |
Configures the wireless LAN on only 802.11b/g (only 802.11b if 802.11g is disabled). |
Release | Modification |
---|---|
8.3 | This command was introduced. |
The following example shows how to configure the wireless LAN on all radio bands:
(Cisco Controller) >config wlan radio 1 all
To configure RADIUS accounting servers of a WLAN, use the config wlan radius_server acct command.
config wlan radius_server acct {{ enable | disable} wlan_id | add wlan_id server_id | delete wlan_id { all | server_id} | framed-ipv6 { address | both | prefix } wlan_id}
address |
Configures an accounting framed IPv6 attribute to an IPv6 address. |
both |
Configures the accounting framed IPv6 attribute to an IPv6 address and prefix. |
prefix |
Configures the accounting framed IPv6 attribute to an IPv6 prefix. |
Release | Modification |
---|---|
8.3 | This command was introduced. |
The following example shows how to enable RADIUS accounting for the WLAN 2:
(Cisco Controller) >config wlan radius_server acct enable 2
The following example shows how to add a link to a configured RADIUS accounting server:
(Cisco Controller) > config wlan radius_server acct add 2 5
To configure the interim update of a RADIUS accounting server of a WLAN, use the config wlan radius_server acct interim-update command.
config wlan radius_server acct interim-update { enable | disable | interval } wlan_id
Interim update of a RADIUS accounting server is set at 600 seconds.
Release | Modification |
---|---|
8.3 | This command was introduced. |
The following example shows how to specify an interim update of 200 seconds to a RADIUS accounting server of WLAN 2:
(Cisco Controller) >config wlan radius_server acct interim-update 200 2
To configure RADIUS authentication servers of a WLAN, use the config wlan radius_server auth command.
config wlan radius_server auth { enable wlan_id | disable wlan_id} { add wlan_id server_id | delete wlan_id { all | server_id}}
Release | Modification |
---|---|
8.3 | This command was introduced. |
The following example shows how to add a link to a configured RADIUS authentication server with WLAN ID 1 and Server ID 1:
(Cisco Controller) >config wlan radius_server auth add 1 1
To change the state of 802.1X security on the wireless LAN Cisco radios, use the config wlan security 802.1X command.
config wlan security 802.1X { enable { wlan_id | foreignAp} | disable { wlan_id | foreignAp} | encryption { wlan_id | foreignAp} { 0 | 40 | 104} | on-macfilter-failure { enable | disable}}
Release | Modification |
---|---|
8.3 | This command was introduced. |
To change the encryption level of 802.1X security on the wireless LAN Cisco radios, use the following key sizes:
The following example shows how to configure 802.1X security on WLAN ID 16.
(Cisco Controller) >config wlan security 802.1X enable 16
To configure Cisco Key Integrity Protocol (CKIP) security options for the wireless LAN, use the config wlan security ckip command.
config wlan security ckip { enable | disable} wlan_id [ akm psk set-key { hex | ascii} { 40 | 104} key key_index wlan_id | mmh-mic { enable | disable} wlan_id | kp { enable | disable} wlan_id]
akm psk set-key |
(Optional) Configures encryption key management for the CKIP wireless LAN. |
40 |
Sets the static encryption key length to 40 bits for the CKIP WLAN. 40-bit keys must contain 5 ASCII text characters or 10 hexadecimal characters. |
104 |
Sets the static encryption key length to 104 bits for the CKIP WLAN. 104-bit keys must contain 13 ASCII text characters or 26 hexadecimal characters. |
mmh-mic |
(Optional) Configures multi-modular hash message integrity check (MMH MIC) validation for the CKIP wireless LAN. |
kp |
(Optional) Configures key-permutation for the CKIP wireless LAN. |
Release | Modification |
---|---|
8.3 | This command was introduced. |
The following example shows how to configure a CKIP WLAN encryption key of 104 bits (26 hexadecimal characters) for PSK key index 2 on WLAN 03:
(Cisco Controller) >config wlan security ckip akm psk set-key hex 104 key 2 03
To enable or disable conditional web redirect, use the config wlan security cond-web-redir command.
config wlan security cond-web-redir { enable | disable} wlan_id
Release | Modification |
---|---|
8.3 | This command was introduced. |
The following example shows how to enable the conditional web redirect on WLAN ID 2:
(Cisco Controller) >config wlan security cond-web-redir enable 2
To configure 802.1X frame pass-through to the external authenticator, use the config wlan security eap-passthru command.
config wlan security eap-passthru { enable | disable} wlan_id
enable |
Enables 802.1X frames pass through to external authenticator. |
disable |
Disables 802.1X frames pass through to external authenticator. |
Release | Modification |
---|---|
8.3 | This command was introduced. |
The following example shows how to enable the 802.1X frames pass through to external authenticator on WLAN ID 2:
(Cisco Controller) >config wlan security eap-passthru enable 2
To configure 802.11r Fast Transition Roaming parameters, use the config wlan security ft command.
config wlan security ft { enable | disable | reassociation-timeout timeout-in-seconds} wlan_id
enable |
|
timeout-in-seconds |
Reassociation timeout value, in seconds. The valid range is 1 to 100 seconds. |
Release | Modification |
---|---|
8.3 | This command was introduced. |
The following example shows how to enable 802.11r Fast Transition Roaming support on WLAN 2:
(Cisco Controller) >config wlan security ft enable 2
The following example shows how to set a reassociation timeout value of 20 seconds for 802.11r Fast Transition Roaming support on WLAN 2:
(Cisco Controller) >config wlan security ft reassociation-timeout 20 2
To configure 802.11r fast transition parameters over a distributed system, use the config wlan security ft over-the-ds command.
config wlan security ft over-the-ds { enable | disable} wlan_id
enable |
Enables 802.11r fast transition roaming support over a distributed system. |
disable |
Disables 802.11r fast transition roaming support over a distributed system. |
Release | Modification |
---|---|
8.3 | This command was introduced. |
Ensure that you have disabled the WLAN before you proceed.
Ensure that 802.11r fast transition is enabled on the WLAN.
The following example shows how to enable 802.11r fast transition roaming support over a distributed system on WLAN ID 2:
(Cisco Controller) >config wlan security ft over-the-ds enable 2
To modify the IPsec pass-through used on the wireless LAN, use the config wlan security passthru command.
config wlan security passthru { enable | disable} { wlan_id | foreignAp} [ ip_address]
ip_address |
(Optional) IP address of the IPsec gateway (router) that is terminating the VPN tunnel. |
Release | Modification |
---|---|
8.3 | This command was introduced. |
The following example shows how to modify IPsec pass-through used on the wireless LAN:
(Cisco Controller) >config wlan security passthru enable 3 192.12.1.1
To enable or disable splash page web redirect, use the config wlan security splash-page-web-redir command.
config wlan security splash-page-web-redir { enable | disable} wlan_id
Release | Modification |
---|---|
8.3 | This command was introduced. |
The following example shows how to enable splash page web redirect:
(Cisco Controller) >config wlan security splash-page-web-redir enable 2
To configure static Wired Equivalent Privacy (WEP) key 802.11 authentication on a wireless LAN, use the config wlan security static-wep-key authentication command.
config wlan security static-wep-key authentication { shared-key | open} wlan_id
Release | Modification |
---|---|
8.3 | This command was introduced. |
The following example shows how to enable the static WEP shared key authentication for WLAN ID 1:
(Cisco Controller) >config wlan security static-wep-key authentication shared-key 1
To disable the use of static Wired Equivalent Privacy (WEP) keys, use the config wlan security static-wep-key disable command.
config wlan security static-wep-key disable wlan_id
Release | Modification |
---|---|
8.3 | This command was introduced. |
The following example shows how to disable the static WEP keys for WLAN ID 1:
(Cisco Controller) >config wlan security static-wep-key disable 1
To enable the use of static Wired Equivalent Privacy (WEP) keys, use the config wlan security static-wep-key enable command.
config wlan security static-wep-key enable wlan_id
Release | Modification |
---|---|
8.3 | This command was introduced. |
The following example shows how to enable the use of static WEP keys for WLAN ID 1:
(Cisco Controller) >config wlan security static-wep-key enable 1
To configure the static Wired Equivalent Privacy (WEP) keys and indexes, use the config wlan security static-wep-key encryption command.
config wlan security static-wep-key encryption wlan_id { 40 | 104} { hex | ascii} key key-index
Release | Modification |
---|---|
8.3 | This command was introduced. |
One unique WEP key index can be applied to each wireless LAN. Because there are only four WEP key indexes, only four wireless LANs can be configured for static WEP Layer 2 encryption.
The following example shows how to configure a static WEP key for WLAN ID 1 that uses the 40-bit hexadecimal key 0201702001 and key index 2:
(Cisco Controller) >config wlan security static-wep-key encryption 1 40 hex 0201702001 2
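The key-length and key-index constraints above can be checked before a command script is pushed to a controller. The following linter is an added example, not Cisco code: it applies the 5/10 and 13/26 character lengths this reference gives for 40-bit and 104-bit keys and the one-index-per-WLAN rule. The 1 to 4 numbering of the key indexes and the sample command lines are assumptions constructed for the example.

```python
import re

# Characters a key must contain for each documented key size and format.
KEY_CHARS = {("40", "ascii"): 5, ("40", "hex"): 10,
             ("104", "ascii"): 13, ("104", "hex"): 26}
WLAN_IDS = range(1, 513)    # WLAN identifier range used throughout this reference
KEY_INDEXES = range(1, 5)   # assumption: the four WEP key indexes are numbered 1 to 4

PROMPT = re.compile(r"^\s*\(Cisco Controller\)\s*>\s*")
COMMAND = re.compile(
    r"^config\s+wlan\s+security\s+static-wep-key\s+encryption\s+(.*)$")


def lint_static_wep(lines):
    """Return (line_number, message) findings for static WEP key commands.

    Messages never echo the key itself, so the report can be shared safely.
    """
    findings = []
    index_owner = {}                       # key index -> WLAN ID that claimed it first
    for number, raw in enumerate(lines, 1):
        match = COMMAND.match(PROMPT.sub("", raw).strip())
        if not match:
            continue                       # some other command; not our concern
        args = match.group(1).split()
        if len(args) != 5:
            findings.append(
                (number, "expected: wlan_id {40|104} {hex|ascii} key key-index"))
            continue
        wlan, bits, fmt, key, index = args
        if not (wlan.isdigit() and int(wlan) in WLAN_IDS):
            findings.append((number, f"WLAN ID {wlan!r} is outside 1-512"))
            continue
        expected = KEY_CHARS.get((bits, fmt))
        if expected is None:
            findings.append((number, f"unsupported key size/format: {bits} {fmt}"))
            continue
        if len(key) != expected:
            findings.append(
                (number, f"{bits}-bit {fmt} key needs {expected} characters, "
                         f"got {len(key)}"))
        elif fmt == "hex" and not re.fullmatch(r"[0-9A-Fa-f]+", key):
            findings.append((number, "hex key contains non-hexadecimal characters"))
        if not (index.isdigit() and int(index) in KEY_INDEXES):
            findings.append((number, f"key index {index!r} is outside 1-4"))
            continue
        # One unique key index per WLAN: the first WLAN to use an index owns it.
        owner = index_owner.setdefault(int(index), int(wlan))
        if owner != int(wlan):
            findings.append(
                (number, f"key index {index} is already used by WLAN {owner}"))
    return findings


# Constructed sample script; the first line is the example from this reference.
SAMPLE = [
    "(Cisco Controller) >config wlan security static-wep-key encryption 1 40 hex 0201702001 2",
    "(Cisco Controller) >config wlan security static-wep-key encryption 3 104 hex 0201702001 1",
    "(Cisco Controller) >config wlan security static-wep-key encryption 4 40 ascii abcde 2",
    "(Cisco Controller) >config wlan security static-wep-key encryption 5 40 hex 02017020zz 3",
    "(Cisco Controller) >config wlan security wpa wpa2 enable 1",
]

if __name__ == "__main__":
    for number, message in lint_static_wep(SAMPLE):
        print(f"line {number}: {message}")
```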
To configure the Temporal Key Integrity Protocol (TKIP) Message Integrity Check (MIC) countermeasure hold-down timer, use the config wlan security tkip command.
config wlan security tkip hold-down time wlan_id
hold-down |
Configures the TKIP MIC countermeasure hold-down timer. |
time |
TKIP MIC countermeasure hold-down time in seconds. The range is from 0 to 60 seconds. |
wlan_id |
Wireless LAN identifier from 1 to 512. |
The default TKIP countermeasure is set to 60 seconds.
Release | Modification |
---|---|
8.3 | This command was introduced. |
TKIP countermeasure mode can occur if the access point receives 2 MIC errors within a 60-second period. When this situation occurs, the access point deauthenticates all TKIP clients that are associated to that 802.11 radio and holds off any clients for the countermeasure holdoff time.
The following example shows how to configure the TKIP MIC countermeasure hold-down timer:
(Cisco Controller) >config wlan security tkip
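The countermeasure behavior described above can be modeled to see what the hold-down timer changes for clients. This simulation is an added example, not Cisco code: the TkipRadio class, the event list, and the MAC addresses are constructed for illustration, and it replays the same events with a hold-down of 60 seconds and of 0 seconds.

```python
from dataclasses import dataclass, field
from typing import Optional

MIC_WINDOW = 60   # seconds: a second MIC error inside this window triggers countermeasures


@dataclass
class TkipRadio:
    """Model of one 802.11 radio serving TKIP clients (hypothetical helper)."""
    hold_down: int = 60                       # documented default; valid range 0 to 60
    clients: set = field(default_factory=set)
    blocked_until: float = 0.0
    last_mic_error: Optional[float] = None
    log: list = field(default_factory=list)

    def __post_init__(self):
        if not 0 <= self.hold_down <= 60:
            raise ValueError("hold-down time must be from 0 to 60 seconds")

    def associate(self, now, mac):
        """A TKIP client tries to associate; refused while the hold-down runs."""
        if now < self.blocked_until:
            self.log.append((now, "rejected", mac))
            return False
        self.clients.add(mac)
        self.log.append((now, "associated", mac))
        return True

    def mic_error(self, now):
        """Record a MIC error and return the clients deauthenticated, if any."""
        previous, self.last_mic_error = self.last_mic_error, now
        if previous is None or now - previous > MIC_WINDOW:
            self.log.append((now, "mic-error", None))
            return []
        # Second error inside the window: drop every TKIP client on this radio.
        dropped = sorted(self.clients)
        self.clients.clear()
        self.blocked_until = now + self.hold_down
        self.last_mic_error = None            # start counting afresh after a trigger
        self.log.append((now, "countermeasures", dropped))
        return dropped


# Constructed timeline: (time in seconds, event, client MAC or None).
EVENTS = [
    (0, "assoc", "00:00:5e:00:53:01"),
    (1, "assoc", "00:00:5e:00:53:02"),
    (100, "mic", None),
    (130, "mic", None),                       # 30 s after the first error: triggers
    (150, "assoc", "00:00:5e:00:53:01"),      # inside a 60 s hold-down
    (200, "assoc", "00:00:5e:00:53:02"),      # after the hold-down has expired
    (300, "mic", None),
    (400, "mic", None),                       # 100 s apart: no trigger
]


def replay(events, hold_down):
    """Feed the timeline to a radio configured with the given hold-down time."""
    radio = TkipRadio(hold_down=hold_down)
    for now, kind, mac in events:
        if kind == "assoc":
            radio.associate(now, mac)
        else:
            radio.mic_error(now)
    return radio


def count(radio, kind):
    """Number of log entries of one kind."""
    return sum(1 for _, entry_kind, _ in radio.log if entry_kind == kind)


if __name__ == "__main__":
    for seconds in (60, 0):
        radio = replay(EVENTS, seconds)
        print(f"hold-down {seconds:>2}: rejected={count(radio, 'rejected')} "
              f"clients={sorted(radio.clients)}")
```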
To change the status of web authentication used on a wireless LAN, use the config wlan security web-auth command.
config wlan security web-auth {{ acl | enable | disable} { wlan_id | foreignAp} [ acl_name | none]} | { on-macfilter-failure wlan_id} | { server-precedence wlan_id | local | ldap | radius} | { flexacl wlan_id [ ipv4_acl_name | none]} | { ipv6 acl wlan_id [ ipv6_acl_name | none]} | { mac-auth-server { ip_address wlan_id }} | { timeout { value_in_seconds wlan_id }} | { web-portal-server { ip_address wlan_id }}
server-precedence |
Configures the authentication server precedence order for Web-Auth users. |
flexacl |
Configures Flexconnect Access Control List. |
ipv4_acl_name |
(Optional) IPv4 ACL name. You can enter up to 32 alphanumeric characters. |
ipv6_acl_name |
(Optional) IPv6 ACL name. You can enter up to 32 alphanumeric characters. |
ipv6 |
Configures IPv6 related parameters. |
mac-auth-server |
Configures MAC authentication server for the WLAN. |
timeout |
Configures Web authentication Timeout. |
value_in_seconds |
Timeout value in seconds; valid range is between 300 and 14400 seconds. |
web-portal-server |
Configures CMCC web portal server for the WLAN. |
Release | Modification |
---|---|
8.3 | This command was introduced. |
The following example shows how to configure the security policy for WLAN ID 1 and an ACL named ACL03:
(Cisco Controller) >config wlan security web-auth acl 1 ACL03
To add an access control list (ACL) to the wireless LAN definition, use the config wlan security web-passthrough acl command.
config wlan security web-passthrough acl { wlan_id | foreignAp} { acl_name | none}
Release | Modification |
---|---|
8.3 | This command was introduced. |
The following example shows how to add an ACL to the wireless LAN definition:
(Cisco Controller) >config wlan security web-passthrough acl 1 ACL03
To disable a web captive portal with no authentication required on a wireless LAN, use the config wlan security web-passthrough disable command.
config wlan security web-passthrough disable { wlan_id | foreignAp}
Release | Modification |
---|---|
8.3 | This command was introduced. |
The following example shows how to disable a web captive portal with no authentication required on wireless LAN ID 1:
(Cisco Controller) >config wlan security web-passthrough disable 1
To configure a web captive portal using an e-mail address, use the config wlan security web-passthrough email-input command.
config wlan security web-passthrough email-input { enable | disable} { wlan_id | foreignAp}
Release | Modification |
---|---|
8.3 | This command was introduced. |
The following example shows how to configure a web captive portal using an e-mail address:
(Cisco Controller) >config wlan security web-passthrough email-input enable 1
To enable a web captive portal with no authentication required on the wireless LAN, use the config wlan security web-passthrough enable command.
config wlan security web-passthrough enable { wlan_id | foreignAp}
Release | Modification |
---|---|
8.3 | This command was introduced. |
The following example shows how to enable a web captive portal with no authentication required on wireless LAN ID 1:
(Cisco Controller) >config wlan security web-passthrough enable 1
To configure authentication key-management (AKM) using 802.1X, use the config wlan security wpa akm 802.1x command.
config wlan security wpa akm 802.1x { enable | disable} wlan_id
Release | Modification |
---|---|
8.3 | This command was introduced. |
The following example shows how to configure authentication using 802.1X.
(Cisco Controller) >config wlan security wpa akm 802.1x enable 1
To configure authentication key-management using Cisco Centralized Key Management (CCKM), use the config wlan security wpa akm cckm command.
config wlan security wpa akm cckm { enable wlan_id | disable wlan_id | timestamp-tolerance }
timestamp-tolerance |
CCKM IE time-stamp tolerance. The range is between 1000 to 5000 milliseconds; the default is 1000 milliseconds. |
Release | Modification |
---|---|
8.3 | This command was introduced. |
The following example shows how to configure authentication key-management using CCKM.
(Cisco Controller) >config wlan security wpa akm cckm 1500
To configure authentication key-management using 802.11r fast transition 802.1X, use the config wlan security wpa akm ft command.
config wlan security wpa akm ft [ over-the-air | over-the-ds | psk | [ reassociation-timeout seconds]] { enable | disable} wlan_id
over-the-air |
(Optional) Configures 802.11r fast transition roaming over-the-air support. |
over-the-ds |
(Optional) Configures 802.11r fast transition roaming DS support. |
reassociation-timeout |
(Optional) Configures the reassociation deadline interval. The valid range is between 1 to 100 seconds. The default value is 20 seconds. |
Release | Modification |
---|---|
8.3 | This command was introduced. |
The following example shows how to configure authentication key-management using 802.11r fast transition:
(Cisco Controller) >config wlan security wpa akm ft reassociation-timeout 25 1
To configure the Wi-Fi protected access (WPA) preshared key mode, use the config wlan security wpa akm psk command.
config wlan security wpa akm psk { enable | disable | set-key key-format key} wlan_id
Release | Modification |
---|---|
8.3 | This command was introduced. |
The following example shows how to configure the WPA preshared key mode:
(Cisco Controller) >config wlan security wpa akm psk disable 1
To disable WPA1, use the config wlan security wpa disable command.
config wlan security wpa disable wlan_id
Release | Modification |
---|---|
8.3 | This command was introduced. |
The following example shows how to disable WPA:
(Cisco Controller) >config wlan security wpa disable 1
To enable WPA1, use the config wlan security wpa enable command.
config wlan security wpa enable wlan_id
Release | Modification |
---|---|
8.3 | This command was introduced. |
The following example shows how to configure the WPA on WLAN ID 1:
(Cisco Controller) >config wlan security wpa enable 1
To configure the ciphers for Wi-Fi Protected Access (WPA1) or Wi-Fi Protected Access 2 (WPA2), use the config wlan security wpa ciphers command.
config wlan security wpa { wpa1 | wpa2} ciphers { aes | tkip} { enable | disable} wlan_id
Release | Modification |
---|---|
8.3 | This command was introduced. |
If you are not specifying the WPA versions, it implies the following:
If the ciphers enabled are AES+TKIP, you are configuring WPA/TKIP, WPA2/AES, or WPA/TKIP.
If the cipher enabled is TKIP, you are configuring WPA/TKIP or WPA2/TKIP.
You cannot configure TKIP as a standalone encryption method. TKIP can be used only with the AES encryption method.
The following example shows how to enable AES encryption for WPA1 on WLAN ID 1:
(Cisco Controller) >config wlan security wpa wpa1 ciphers aes enable 1
To enable the randomization of group temporal keys (GTK) between access points and clients on a WLAN, use the config wlan security wpa gtk-random command.
config wlan security wpa gtk-random { enable | disable} wlan_id
enable |
Enables the randomization of GTK keys between the access point and clients. |
disable |
Disables the randomization of GTK keys between the access point and clients. |
wlan_id |
WLAN identifier between 1 and 512. |
None
Release | Modification |
---|---|
8.3 | This command was introduced. |
When you enable this command, the clients in the Basic Service Set (BSS) get a unique GTK key. The clients do not receive multicast or broadcast traffic.
The following example shows how to enable the GTK randomization for each client associated on a WLAN:
(Cisco Controller) >config wlan security wpa gtk-random enable 3
To disable OSU Server-Only Authenticated L2 Encryption Network (OSEN) on a WLAN, use the config wlan security wpa osen disable command in WLAN configuration mode.
config wlan security wpa osen disable wlan-id
wlan-id |
WLAN identification number. Enter a value between 1 and 512. |
OSEN is enabled.
WLAN configuration
Release | Modification |
---|---|
8.3 | This command was introduced. |
This example shows how to disable OSEN on a WLAN:
Cisco Controller > config wlan security wpa osen disable 12
To enable OSU Server-Only Authenticated L2 Encryption Network (OSEN) on a WLAN, use the config wlan security wpa osen enable command in WLAN configuration mode.
config wlan security wpa osen enable wlan-id
wlan-id |
WLAN identification number. Enter a value between 1 and 512. |
OSEN is not enabled.
WLAN configuration
Release | Modification |
---|---|
8.3 | This command was introduced. |
This example shows how to enable an OSEN on a WLAN:
Cisco Controller > config wlan security wpa osen enable 12
To disable WPA1, use the config wlan security wpa wpa1 disable command.
config wlan security wpa wpa1 disable wlan_id
Release | Modification |
---|---|
8.3 | This command was introduced. |
The following example shows how to disable WPA1:
(Cisco Controller) >config wlan security wpa wpa1 disable 1
To enable WPA1, use the config wlan security wpa wpa1 enable command.
config wlan security wpa wpa1 enable wlan_id
Release | Modification |
---|---|
8.3 | This command was introduced. |
The following example shows how to enable WPA1:
(Cisco Controller) >config wlan security wpa wpa1 enable 1
To disable WPA2, use the config wlan security wpa wpa2 disable command.
config wlan security wpa wpa2 disable wlan_id
Release | Modification |
---|---|
8.3 | This command was introduced. |
The following example shows how to disable WPA2:
(Cisco Controller) >config wlan security wpa wpa2 disable 1
To enable WPA2, use the config wlan security wpa wpa2 enable command.
config wlan security wpa wpa2 enable wlan_id
Release | Modification |
---|---|
8.3 | This command was introduced. |
The following example shows how to enable WPA2:
(Cisco Controller) >config wlan security wpa wpa2 enable 1
config wlan security wpa wpa2 cache sticky { enable | disable} wlan_id
sticky |
Configures Sticky Key Caching (SKC) roaming support on the WLAN. |
enable |
Enables SKC roaming support on the WLAN. |
disable |
Disables SKC roaming support on the WLAN. |
wlan_id |
Wireless LAN identifier between 1 and 512. |
None
Release | Modification |
---|---|
8.3 | This command was introduced. |
In SKC (Sticky Key caching) also known as PKC (Pro Active Key caching), the client stores each Pairwise Master Key (PMK) ID (PMKID) against a Pairwise Master Key Security Association (PMKSA). When a client finds an AP for which it has a PMKSA, it sends the PMKID in the association request to the AP. If the PMKSA is alive in the AP, the AP provides support for fast roaming. In SKC, full authentication is done on each new AP to which the client associates and the client must keep the PMKSA associated with all APs.
The following example shows how to enable SKC roaming support on a WLAN:
(Cisco Controller) >config wlan security wpa wpa2 cache sticky enable 1
config wlan security wpa wpa2 cache sticky { enable | disable} wlan_id
enable |
Enables SKC on a WLAN. |
disable |
Disables SKC on a WLAN. |
wlan_id |
Wireless LAN identifier between 1 and 512 (inclusive). |
Sticky PMKID Caching is disabled.
Release | Modification |
---|---|
8.3 | This command was introduced. |
The controller supports Sticky PMKID Caching (SKC). With sticky PMKID caching, the client receives and stores a different PMKID for every AP it associates with. The APs also maintain a database of the PMKID issued to the client. In SKC also known as PKC (Pro Active Key caching), the client stores each Pairwise Master Key (PMK) ID (PMKID) against a Pairwise Master Key Security Association (PMKSA). When a client finds an AP for which it has the PMKSA, it sends the PMKID in the association request to the AP. If the PMKSA is alive in the AP, the AP provides support for fast roaming. In SKC, full authentication is done on each new AP to which the client associates and the client must keep the PMKSA associated with all APs. For SKC, PMKSA is a per AP cache that the client stores and PMKSA is precalculated based on the BSSID of the new AP.
The following example shows how to enable Sticky PMKID Caching on WLAN 5:
(Cisco Controller) >config wlan security wpa wpa2 cache sticky enable 5
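The per-AP PMKSA behavior described in the two sticky key caching entries above can be traced with a small model. This is an added example, not Cisco code: pmkid() follows the IEEE 802.11i definition (the first 128 bits of HMAC-SHA1 over "PMK Name", the AP address, and the client address), while the AccessPoint and Client classes, the random PMK standing in for an 802.1X result, the 86400-second PMKSA lifetime, and all MAC addresses are assumptions constructed for the example.

```python
import hashlib
import hmac
import os

PMKSA_LIFETIME = 86400   # assumption: lifetime equals the 86400 s session-timeout ceiling


def mac(text):
    """Convert aa:bb:cc:dd:ee:ff notation to 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def pmkid(pmk, aa, spa):
    """PMKID = first 128 bits of HMAC-SHA1(PMK, "PMK Name" || AA || SPA)."""
    return hmac.new(pmk, b"PMK Name" + aa + spa, hashlib.sha1).digest()[:16]


class AccessPoint:
    """AP side: keeps the PMKSAs it issued (hypothetical helper)."""

    def __init__(self, bssid):
        self.bssid = mac(bssid)
        self.pmksa = {}                       # PMKID -> (client MAC, expiry time)

    def associate(self, client_mac, offered_pmkid, now):
        """Return ("fast-roam", None) or ("full-auth", (pmk, pmkid))."""
        entry = self.pmksa.get(offered_pmkid)
        if entry and entry[0] == client_mac:
            if now < entry[1]:
                return "fast-roam", None      # PMKSA is alive on this AP
            del self.pmksa[offered_pmkid]     # expired: authenticate again
        pmk = os.urandom(32)                  # stands in for the PMK from 802.1X/EAP
        new_id = pmkid(pmk, self.bssid, client_mac)
        self.pmksa[new_id] = (client_mac, now + PMKSA_LIFETIME)
        return "full-auth", (pmk, new_id)


class Client:
    """Client side: one cached PMKSA per AP it has authenticated to."""

    def __init__(self, address):
        self.address = mac(address)
        self.cache = {}                       # BSSID -> (PMK, PMKID)

    def roam(self, ap, now):
        cached = self.cache.get(ap.bssid)
        offered = cached[1] if cached else None
        result, fresh = ap.associate(self.address, offered, now)
        if fresh:
            self.cache[ap.bssid] = fresh      # remember the PMKSA for this AP only
        return result


def simulate():
    """Roam between two APs, then return to the first after its PMKSA expired."""
    ap1 = AccessPoint("00:00:5e:00:53:a1")
    ap2 = AccessPoint("00:00:5e:00:53:a2")
    client = Client("00:00:5e:00:53:01")
    path = [(ap1, 0), (ap2, 10), (ap1, 20), (ap2, 30), (ap1, 90000)]
    return [client.roam(ap, now) for ap, now in path]


if __name__ == "__main__":
    print(simulate())
```

The first visit to each AP costs a full authentication, and only a return to an AP whose PMKSA is still alive roams fast.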
To configure WPA2 ciphers and enable or disable Advanced Encryption Standard (AES) or Temporal Key Integrity Protocol (TKIP) data encryption for WPA2, use the config wlan security wpa wpa2 ciphers command.
config wlan security wpa wpa2 ciphers { aes | tkip} { enable | disable} wlan_id
aes |
Configures AES data encryption for WPA2. |
tkip |
Configures TKIP data encryption for WPA2. |
enable |
Enables AES or TKIP data encryption for WPA2. |
disable |
Disables AES or TKIP data encryption for WPA2. |
wlan_id |
Wireless LAN identifier between 1 and 512. |
AES is enabled by default.
Release | Modification |
---|---|
8.3 | This command was introduced. |
The following example shows how to enable AES data encryption for WPA2:
(Cisco Controller) >config wlan security wpa wpa2 ciphers aes enable 1
To edit an SSID associated to a WLAN, use the config wlan ssid command.
config wlan ssid wlan_id ssid
ssid |
Service Set Identifier (SSID) associated to a WLAN. |
Release | Modification |
---|---|
8.3 | This command was introduced. |
The following example shows how to edit an SSID associated to a WLAN:
(Cisco Controller) >config wlan disable 1
(Cisco Controller) >config wlan ssid 1 new_samp
(Cisco Controller) >show wlan summary
Number of WLANs.................................. 1
WLAN ID  WLAN Profile Name / SSID   Status    Interface Name    PMIPv6 Mobility
-------  -------------------------  -------   ----------------  ---------------
1        sample / new_samp          Disabled  management        none
To change the timeout of wireless LAN clients, use the config wlan session-timeout command.
config wlan session-timeout { wlan_id | foreignAp} seconds
seconds |
Timeout or session duration in seconds. A value of zero is equivalent to no timeout. |
For 802.1X client security type, which creates the PMK cache, the maximum session timeout that can be set is 86400 seconds when the session timeout is disabled. For other client security such as open, WebAuth, and PSK for which the PMK cache is not created, the session timeout value is shown as infinite when session timeout is disabled.
Release | Modification |
---|---|
8.3 | This command was introduced. |
The following example shows how to configure the client timeout to 6000 seconds for WLAN ID 1:
(Cisco Controller) >config wlan session-timeout 1 6000
To enable WPA1, use the config wlan uapsd compliant-client enable command.
Note | This was introduced for Ascom non-wmm capable phones and is not applicable for Cisco 792x/9971 IP phones. |
config wlan uapsd compliant-client enable wlan-id
Release | Modification |
---|---|
8.3 | This command was introduced. |
The following example shows how to enable WPA1:
(Cisco Controller) >config wlan uapsd compliant-client enable 1
To disable WPA1, use the config wlan uapsd compliant-client disable command.
Note | This was introduced for Ascom non-wmm capable phones and is not applicable for Cisco 792x/9971 IP phones. |
config wlan uapsd compliant-client disable wlan-id
Release | Modification |
---|---|
8.3 | This command was introduced. |
The following example shows how to disable WPA1:
(Cisco Controller) >config wlan uapsd compliant-client disable 1
To configure the threshold data sent by the client during the idle timeout for client sessions for a WLAN, use the config wlan user-idle-threshold command.
config wlan user-idle-threshold bytes wlan_id
bytes | Threshold data sent by the client during the idle timeout for the client session for a WLAN. If the client sends less traffic than the defined threshold, the client is removed on timeout. The range is from 0 to 10000000 bytes. |
wlan_id | Wireless LAN identifier between 1 and 512. |
The default threshold for data sent by the client during the idle timeout is 0 bytes.
Release | Modification |
---|---|
8.3 | This command was introduced. |
The following example shows how to configure the threshold data sent by the client during the idle timeout for client sessions for a WLAN:
(Cisco Controller) >config wlan user-idle-threshold 100 1
To configure the timeout for idle client sessions for a WLAN, use the config wlan usertimeout command.
config wlan usertimeout timeout wlan_id
timeout | Timeout for idle client sessions for a WLAN. If the client sends less traffic than the threshold, the client is removed on timeout. The range is from 15 to 100000 seconds. |
wlan_id | Wireless LAN identifier between 1 and 512. |
The default client session idle timeout is 300 seconds.
Release | Modification |
---|---|
8.3 | This command was introduced. |
The timeout value that you configure here overrides the global timeout that you define using the command config network usertimeout.
The following example shows how to configure the idle client sessions for a WLAN:
(Cisco Controller) >config wlan usertimeout 100 1
To release the guest user IP address when the web authentication policy time expires and exclude the guest user from acquiring an IP address for three minutes, use the config wlan webauth-exclude command.
config wlan webauth-exclude wlan_id { enable | disable}
Release | Modification |
---|---|
8.3 | This command was introduced. |
You can use this command for guest WLANs that are configured with web authentication.
This command is applicable when you configure the internal DHCP scope on the controller.
By default, when the web authentication timer expires for a guest user, the guest user can immediately reassociate with the same IP address before another guest user can acquire the IP address. If there are many guest users or a limited number of IP addresses in the DHCP pool, some guest users might not be able to acquire an IP address.
When you enable this feature on the guest WLAN, the guest user’s IP address is released when the web authentication policy time expires and the guest user is excluded from acquiring an IP address for three minutes. The IP address is available for another guest user to use. After three minutes, the excluded guest user can reassociate and acquire an IP address, if available.
The following example shows how to enable the web authentication exclusion for WLAN ID 5:
(Cisco Controller) >config wlan webauth-exclude 5 enable
To configure Wi-Fi Direct Client Policy on a WLAN, use the config wlan wifidirect command.
config wlan wifidirect { allow | disable | not-allow | xconnect-not-allow} wlan_id
allow | Allows Wi-Fi Direct clients to associate with the WLAN. |
disable | Ignores the Wi-Fi Direct status of clients, thereby allowing Wi-Fi Direct clients to associate. |
not-allow | Disallows the Wi-Fi Direct clients from associating with the WLAN. |
xconnect-not-allow | Enables the AP to allow a client with the Wi-Fi Direct option enabled to associate, but the client (if it works according to the Wi-Fi standards) will refrain from setting up a peer-to-peer connection. |
Release | Modification |
---|---|
8.3 | This command was introduced. |
The following example shows how to allow Wi-Fi Direct Client Policy on WLAN ID 1:
(Cisco Controller) >config wlan wifidirect allow 1
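A configuration audit built on the command syntax documented above (config wlan security wpa wpa2 ciphers, config wlan session-timeout, and config wlan wifidirect). This is an added example, not Cisco's code: it assumes the controller configuration is available as command-form text, the sample lines are constructed, and treating TKIP as a finding reflects its deprecation in IEEE 802.11 rather than anything stated on this page.

```python
import re

# Constructed sample: command-form lines in the syntax documented on this page.
SAMPLE_CONFIG = """\
config wlan security wpa wpa2 ciphers aes enable 1
config wlan security wpa wpa2 ciphers tkip enable 1
config wlan session-timeout 1 6000
config wlan security wpa wpa2 ciphers tkip disable 2
config wlan session-timeout 2 0
(Cisco Controller) >config wlan wifidirect allow 2
config wlan wifidirect not-allow 3
"""

PROMPT = re.compile(r"^\(Cisco Controller\)\s*>\s*")
CIPHER = re.compile(r"^config wlan security wpa wpa2 ciphers (aes|tkip) (enable|disable) (\d+)$")
TIMEOUT = re.compile(r"^config wlan session-timeout (\d+|foreignAp) (\d+)$")
WIFIDIRECT = re.compile(r"^config wlan wifidirect (allow|disable|not-allow|xconnect-not-allow) (\d+)$")

def audit(config_text):
    """Return sorted (wlan_id, finding) tuples; the last matching line per setting wins."""
    state = {}  # wlan_id -> settings seen for that WLAN
    for raw in config_text.splitlines():
        # Normalise whitespace and drop a pasted CLI prompt, if present.
        line = PROMPT.sub("", " ".join(raw.split()))
        if m := CIPHER.match(line):
            cipher, action, wlan = m.groups()
            state.setdefault(wlan, {})[cipher] = (action == "enable")
        elif m := TIMEOUT.match(line):
            state.setdefault(m.group(1), {})["timeout"] = int(m.group(2))
        elif m := WIFIDIRECT.match(line):
            state.setdefault(m.group(2), {})["wifidirect"] = m.group(1)
    findings = []
    for wlan, s in state.items():
        if s.get("tkip"):
            findings.append((wlan, "TKIP enabled for WPA2"))
        if s.get("aes", True) is False:  # AES is enabled by default (per this page)
            findings.append((wlan, "AES disabled for WPA2"))
        if s.get("timeout") == 0:  # zero is equivalent to no timeout (per this page)
            findings.append((wlan, "session timeout 0 (no timeout)"))
        if s.get("wifidirect") in ("allow", "disable"):  # both let Wi-Fi Direct clients associate
            findings.append((wlan, "Wi-Fi Direct clients can associate"))
    return sorted(findings)

if __name__ == "__main__":
    for wlan_id, finding in audit(SAMPLE_CONFIG):
        print(f"WLAN {wlan_id}: {finding}")
```

WLAN identifiers are compared as strings, so the output order is lexical rather than numeric.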
To configure Wi-Fi Multimedia (WMM) mode on a wireless LAN, use the config wlan wmm command.
config wlan wmm { allow | disable | require} wlan_id
Specifies that clients use WMM on the specified wireless LAN. |
Release | Modification |
---|---|
8.3 | This command was introduced. |
When the controller is in Layer 2 mode and WMM is enabled, you must put the access points on a trunk port in order to allow them to join the controller.
The following example shows how to configure wireless LAN ID 1 to allow WMM:
(Cisco Controller) >config wlan wmm allow 1
The following example shows how to configure wireless LAN ID 1 to specify that clients use WMM:
(Cisco Controller) >config wlan wmm require 1
To download an icon from a TFTP or FTP server onto the controller, use the transfer download datatype icon command.
transfer download datatype icon
None |
None
WLAN configuration
Release | Modification |
---|---|
8.3 | This command was introduced. |
This example shows how to download an icon from a TFTP or FTP server onto the controller:
Cisco Controller > transfer download datatype icon
This section lists the debug commands to manage debugging of WLANs managed by the controller.
Caution | Debug commands are reserved for use only under the direction of Cisco personnel. Do not use these commands without direction from Cisco-certified staff. |
To configure the 802.11v debug options, use the debug 11v all command.
debug 11v all { enable | disable}
enable | Enables all the debug. |
disable | Disables all the debug. |
None
Release | Modification |
---|---|
8.3 | This command was introduced. |
The following example shows how to enable all the debug:
(Cisco Controller) >debug 11v all enable
To configure the 802.11v debug details, use the debug 11v detail command.
debug 11v detail { enable | disable}
enable | Enables debug details. |
disable | Disables debug details. |
None
Release | Modification |
---|---|
8.3 | This command was introduced. |
The following example shows how to enable 802.11v debug details:
(Cisco Controller) >debug 11v detail enable
To configure the 802.11v error debug options, use the debug 11v errors command.
debug 11v errors { enable | disable}
enable | Enables error debug. |
disable | Disables error debug. |
None
Release | Modification |
---|---|
8.3 | This command was introduced. |
The following example shows how to enable 802.11v error debug:
(Cisco Controller) >debug 11v error enable
To configure the debugging of a passive client that is associated correctly with the access point, use the debug client command.
debug client mac_address
Release | Modification |
---|---|
8.3 | This command was introduced. |
The following example shows how to debug a passive client with MAC address 00:0d:28:f4:c0:45:
(Cisco Controller) >debug client 00:0d:28:f4:c0:45
To configure the debugging of DHCP, use the debug dhcp command.
debug dhcp { message | packet} { enable | disable}
Release | Modification |
---|---|
8.3 | This command was introduced. |
The following example shows how to enable the debugging of DHCP messages:
(Cisco Controller) >debug dhcp message enable
To configure debugging of 802.11r, use the debug ft command.
debug ft { events | keys} { enable | disable}
events | Configures debugging of the 802.11r events. |
keys | Configures debugging of the 802.11r keys. |
enable | Enables debugging of the 802.11r options. |
disable | Disables debugging of the 802.11r options. |
None
Release | Modification |
---|---|
8.3 | This command was introduced. |
The following example shows how to enable 802.11r debugging:
(Cisco Controller) >debug ft events enable
To configure the debugging of client profiling, use the debug profiling command.
debug profiling { enable | disable}
enable | Enables the debugging of client profiling (HTTP and DHCP profiling). |
disable | Disables the debugging of client profiling (HTTP and DHCP profiling). |
Disabled.
Release | Modification |
---|---|
8.3 | This command was introduced. |
The following example shows how to enable the debugging of client profiling:
(Cisco Controller) >debug profiling enable
This section lists the test commands for WLANs.
To delete an entry in the Pairwise Master Key (PMK) cache from all Cisco wireless LAN controllers in the mobility group, use the test pmk-cache delete command.
test pmk-cache delete [ all | mac_address] { local | global}
Deletes PMK cache entries from all Cisco wireless LAN controllers. |
MAC address of the Cisco wireless LAN controller from which PMK cache entries have to be deleted. |
local | Deletes PMK cache entries only on this WLC (default). |
global | Deletes PMK cache entries, for clients currently connected to this WLC, across the mobility group. |
None
Release | Modification |
---|---|
8.3 | This command was introduced. |
The following example shows how to delete all entries in the PMK cache:
(Cisco Controller) >test pmk-cache delete all