AP Audit Configuration

Information About AP Audit Configuration

The AP Audit Configuration feature helps to detect wireless service synchronization issues between the controller and an AP. In Cisco IOS XE Amsterdam, Release 17.3.1, two methods are implemented to support AP audit configuration.

  • Config Checker: This functionality audits the application of wireless policies during the AP join phase. Any discrepancies at this stage are reported on the controller. This is a built-in functionality and cannot be disabled. When you configure any of the AP attributes such as name, IP address, controller information, tag, mode, radio mode, and radio admin state, the AP parses the CAPWAP payload configuration from the controller and reports any errors it detects back to the controller with the appropriate code. If a discrepancy is detected, the controller flags errors using the syslog.

  • Config Audit: This functionality performs a periodic comparison of operational states between an AP and the controller after the AP join phase, while the corresponding AP is still connected. Discrepancies, if any, are reported immediately on the controller. The consolidated report is available on the controller at any time. This functionality is disabled by default. The periodic auditing interval is a configurable parameter.

    Use the ap audit-report command to enable and configure audit report parameters. When triggered, the AP sends configurations from its database to the controller, and the controller compares them against the current configuration. If a discrepancy is detected, the controller flags the error using the syslog.

Restrictions for AP Audit Configuration

  • Config checker alerts are available only through the syslog.

  • IOS AP is not supported.

  • The audit reports are not synchronized from the active to the standby controller. After SSO, they are not readily available until the next reporting interval of the already-connected APs.

  • The audit reports are not available when an AP is in standalone mode.

  • This feature is supported only on APs in FlexConnect mode.

Configure AP Audit Parameters (CLI)

The AP Audit Configuration feature helps you compare the operational states between an AP and the controller. The AP sends state view details to the controller, and the controller compares it with what it perceives as the AP state. This feature is disabled by default.

Procedure

Step 1

  Command or Action: configure terminal

  Example: Device# configure terminal

  Purpose: Enters global configuration mode.

Step 2

  Command or Action: ap audit-report enable

  Example: Device(config)# ap audit-report enable

  Purpose: Enables audit reporting.

Step 3

  Command or Action: ap audit-report interval interval

  Example: Device(config)# ap audit-report interval 1300

  Purpose: Configures AP audit reporting interval. The default value for interval is 1440 minutes. The valid range is from 10 to 43200.

Verifying AP Audit Report Summary

To verify the AP audit report summary, use the show ap audit-report summary command:

Device# show ap audit-report summary
WTP Mac          Radio          Wlan           IPv4 Acl       IPv6 Acl       Last Report Time
------------------------------------------------------------------------------------------------------
1880.90fd.6b40   OUT_OF_SYNC    OUT_OF_SYNC    IN_SYNC        IN_SYNC        01/01/1970 05:30:00 IST

Verifying AP Audit Report Detail

To verify an AP audit report's details, use the show ap name ap-name audit-report detail command:

Device# show ap name Cisco-AP audit-report detail
Cisco AP Name   : Cisco-AP
=================================================
IPV4 ACL Audit Report Status     : IN_SYNC
IPV6 ACL Audit Report Status     : IN_SYNC
Radio Audit Report Status        : IN_SYNC
WLAN Audit Report Status         :
Slot-id  Wlan-id  Vlan           State          SSID           Auth-Type      Other-Flag
-------------------------------------------------------------------------------------
0        4        IN_SYNC        IN_SYNC        IN_SYNC        IN_SYNC        IN_SYNC
1        4        IN_SYNC        IN_SYNC        IN_SYNC        IN_SYNC        IN_SYNC
 
bh-csr1#show ap audit-report summary                        
WTP-Mac          Radio          Wlan           IPv4-Acl       IPv6-Acl       Last-Report-Time
------------------------------------------------------------------------------------------------------
4001.7aca.5140   IN_SYNC        IN_SYNC        IN_SYNC        IN_SYNC        06/22/2020 13:17:39 IST    
4001.7aca.5a60   IN_SYNC        IN_SYNC        IN_SYNC        IN_SYNC        06/22/2020 13:18:25 IST    
7070.8b23.a1a0   IN_SYNC        IN_SYNC        IN_SYNC        IN_SYNC        06/22/2020 13:18:29 IST    
a0f8.49dc.9460   IN_SYNC        IN_SYNC        IN_SYNC        IN_SYNC        06/22/2020 13:16:43 IST    
a0f8.49dc.96e0   IN_SYNC        IN_SYNC        IN_SYNC        IN_SYNC        06/22/2020 13:17:55 IST
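
The summary output above can be checked automatically. The following Python is an added example, not Cisco code: it parses captured show ap audit-report summary text and lists, per AP, every OUT_OF_SYNC column plus any report that is overdue. The function names, the two-interval staleness threshold, and the sample rows are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the layout of `show ap audit-report summary` shown above.
SAMPLE = """\
WTP-Mac          Radio          Wlan           IPv4-Acl       IPv6-Acl       Last-Report-Time
------------------------------------------------------------------------------------------------------
1880.90fd.6b40   OUT_OF_SYNC    OUT_OF_SYNC    IN_SYNC        IN_SYNC        01/01/1970 05:30:00 IST
4001.7aca.5140   IN_SYNC        IN_SYNC        IN_SYNC        IN_SYNC        06/22/2020 13:17:39 IST
a0f8.49dc.9460   IN_SYNC        IN_SYNC        IN_SYNC        OUT_OF_SYNC    06/22/2020 13:16:43 IST
"""

FIELDS = ("radio", "wlan", "ipv4_acl", "ipv6_acl")
ROW = re.compile(
    r"^(?P<mac>(?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s+"
    r"(?P<radio>\S+)\s+(?P<wlan>\S+)\s+(?P<ipv4_acl>\S+)\s+(?P<ipv6_acl>\S+)\s+"
    r"(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})",
    re.IGNORECASE,
)

def parse_summary(text):
    """Yield one dict per AP row; header, separator and prompt lines are skipped."""
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            row = m.groupdict()
            # The timezone label is dropped: times are compared as controller-local.
            row["ts"] = datetime.strptime(row["ts"], "%m/%d/%Y %H:%M:%S")
            yield row

def findings(text, now, interval_minutes=1440):
    """Return {mac: [issues]} for out-of-sync fields and overdue reports."""
    # Assumption: a report older than two reporting intervals counts as stale.
    max_age = timedelta(minutes=2 * interval_minutes)
    out = {}
    for row in parse_summary(text):
        issues = [f"{f}=OUT_OF_SYNC" for f in FIELDS if row[f].upper() == "OUT_OF_SYNC"]
        if now - row["ts"] > max_age:
            issues.append("stale_report")
        if issues:
            out[row["mac"]] = issues
    return out

if __name__ == "__main__":
    for mac, issues in findings(SAMPLE, now=datetime(2020, 6, 22, 14, 0, 0)).items():
        print(mac, ", ".join(issues))
```

Pass the interval configured with ap audit-report interval as interval_minutes so the staleness check matches the controller. An overdue report is expected for a while after SSO, since reports are not synchronized to the standby controller.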