Cisco Wireless Control System (WCS)

Author: Herbert Haas
Address:
herbert AT perihel DOT at
http://www.perihel.at/dcom
Revision: 0.5
Date: 2007-10-29
Copyright: Copyright (c) 2007 Herbert Haas.

Abstract

This document summarizes important facts about Cisco's Wireless Control System (WCS). It is not a WLAN tutorial. Note that Cisco-related explanations or recommendations are provided as is, without any warranty - please consult www.cisco.com for more detailed information. The reader should already be familiar with WLAN fundamentals (see e.g. my WLAN lecture notes). If you find any mistakes, please send me an e-mail, thanks!

1   WCS

1.1   Main facts

  • WCS version 4 runs on Windows 2003 and Red Hat Enterprise Linux ES 4.0 and AS 4.0 servers.

  • WLC version should not be greater than WCS version.

  • Login: root/public; new: root/Public1! (since version 4.1)

  • All monitor data available for 7 days (e.g. for trending analysis)

  • Don't block port 169, otherwise WCS can't receive any traps

  • Calibration: 150 data points are required, 50 locations

  • Six user groups are supported:
    • SuperUsers (most important - can do anything)
    • Admin (anything but security administration)
    • ConfigManagers (manage networks, alerts, maps)
    • System Monitoring (read only: network configs, alerts, subset of maps)
    • Users Assistant
    • Lobby Ambassador (manages guest users only)
  • When clearing an alarm, the underlying event is not cleared

  • HTTP and HTTPS ports can be changed during installation

  • Search criteria to search WLCs: name, networks, IP address

  • Audit trail should be purged manually

  • Installation log will be put on the desktop of the server

1.2   Limitations

  • Low-end: 50 Controllers / 500 APs
  • Standard: 150 Controllers / 2000 APs
  • High-end: 250 Controllers / 3000 APs
  • Max 100 APs per floor map (WCS version 3.0 !!!)
  • There is no limit to the number of walls but the maximum recommended number of walls (using the floor map editor) is 400.
  • WCS map colors: -35 dBm (red) through -85 dBm (dark blue)
  • Audit on the WCS (compare WCS database with Controller) does NOT compare shared key and passwords

A WCS converted from a WLSE can handle up to 100 Controllers and 1500 APs.

1.3   Upgrading procedure

  1. Stop all WCS user interfaces to stabilize the database.
  2. Back up the WCS database
  3. Uninstall the WCS application
  4. Install the new version of WCS
  5. Restore the WCS database

1.4   Guest users

  • Managed by the Lobby Ambassador account. Guest users can be created via Guest Users Templates, where user name, password, and SSID can be specified. After pressing SAVE, the associated WLCs can be selected. Then press Apply to Controllers.
  • Optional auto-generation of passwords
  • Guest user accounts can be managed via templates which are sent to selected WLCs (not necessarily all WLCs).
  • Deletion of guest user accounts: Log in to the WCS as LobbyAmbassador and choose the command Delete Guest User. This removes the template from the WLCs.
  • When a guest account on a WLC expires, the WLC notifies the WCS via an SNMP trap and the WCS removes that account from the configuration of that WLC. A notice appears in the event logs.
  • WCS displays the remaining lifetime of each user account in the template detail page.

1.5   Other features

  • Backup Automatically - Can force WLCs to perform periodic (1:00 am daily) configuration backups via TFTP to a specified TFTP server. The period can be changed.

    Note: The TFTP server cannot run on the same computer as the WCS, because the WCS and the TFTP server use the same communication port.

  • Config Groups - Group WLCs that should have same mobility group name and similar configuration. Assign templates to that group and push them to all WLCs in the group.

2   Location Appliance

2.1   Access

  • Default login/password = admin/admin
  • Default port is 8001
  • Communicates with WCS via SOAP/XML

2.2   Features

  • Fetches RFID-tag data (which has been collected by the WLCs) from the WLCs
  • Can do real time tracking of 2500 clients simultaneously.
  • Cisco recommends a practical limit of 400 walls per floor for machines with 1 GB RAM or less.
  • Keeps audit trail for 30 days
  • Does not use more than 50 heavy walls in its calculations.
  • Does not use light walls in its calculations at all! (Assumed to be accounted for during calibration.)

Default Location Engine Polling Parameters from WCS:
  • Client Stations: 300 sec
  • Rogues: 600 sec
  • Asset Tags: 600 sec
  • Statistics: 900 sec

The polling value should be equal to or greater than the RFID tag beacon interval. Cisco recommends that the RFID timeout value on your WLC should be 8-10 times the tag beacon rate. If the RFID beacon is 10 s, the timeout should be between 80 and 100 seconds:

(WLC) >config rfid timeout 80

2.3   WLC/AP Settings

  • LAPs must be in normal, monitor or H-REAP mode.

  • Clients and LAPs must support CCXv2 or higher (1030 does not!). At configured intervals the LAPs send broadcast radio measurement requests for every SSID. CCXv2 clients reply with probe requests on all channels specified in the measurement request. In version 4.0 this was a broadcast message and the LAP calculated RF parameters which were sent to the Location Appliance. Since version 4.1 the clients send unicast probe requests and send RF parameters from their perspective.

    WLC software release 4.1 also improves the ability of the Location Appliance to accurately interpret the location of a device through a new CCXv4 feature called location-based services. The controller issues a path-loss request to a particular CCXv4 client. If the client chooses to respond, it sends a path-loss measurement report to the controller. These reports contain the channel and transmit power of the client.

  • On WLC enable CCX Location Measurement under Wireless > 802.11 a|b/g > Network. Optionally change the interval (default: 60 sec).

  • LAPs must be separated every 17-20 meters (50-70 feet).

  • Devices must be detected at signals greater than -75 dBm for the WLCs to forward information to the Location Appliance.

2.4   RFID Issues

2.4.1   Basic principle

Active RFID tags do not associate to LAPs and therefore are not affected by any WLAN or WLC settings. RFID tags send L2 multicast packets which are automatically forwarded by the LAP if the WLC is configured for RFID Tag Data Collection:

(Cisco Controller) >config rfid status enable

The WCS and Location Server poll the SNMP table of the WLC in order to view tag information.

2.4.2   Note

  • Multicast or broadcast does not need to be turned on for the WLC because these packets do not pass through the WLC. (Actually you do not even need to configure WLANs.)
  • All LAPs must be in normal mode (not monitor mode because of some issues with degraded accuracy).
  • Use a fixed timeout on WLC (auto-timeout feature is buggy)
  • Increase timeout when losing RFID tags frequently

2.5   Troubleshooting

  • The Location Appliance is running when the Location Appliance's GUI is accessible on WCS