The Cisco WLAN Facts Collection

Author: Herbert Haas
herbert AT perihel DOT at
Revision: 0.5
Date: 2007-10-29
Copyright: Copyright (c) 2007 Herbert Haas.


This document summarizes important facts about modern Wireless LANs. It is not a WLAN tutorial. The reader should already be familiar with WLAN fundamentals (see e. g. my WLAN lecture notes). Besides general WLAN theory, practial issues are exemplified on the basis of Cisco WLAN products. If you find any mistakes please send me an E-Mail, thanks! Many thanks to Frank Vergeer for many corrections and input.


1   802.11 Protocol Issues

New standards (CCX Version 4 supports them partly)

1.1   Dynamic Frequency Selection (DFS)

  • Non-Occupancy Time 30 min -- time a channel must not be used. LAPs save a list of their current radar detections in flash, therefore after reset the LAP will still continue the non-occupancy time.
  • Channel Availability Check 60 sec -- before using a channel
  • Channel Move Time 10 sec
  • Channel Closing Transmission Time 260 msec (except Beacon and Probe Responses)

1.2   Encapsulation or "Transform"

When the access point/bridge receives data packets that are not 802.11 packets (for example Ethernet II packets), the access point or bridge must format these packets to 802.11 using one of the following encapsulation transformation method:

  1. 802.1H: This method provides 'optimum performance' for Cisco Aironet wireless products.

    • LLC: AA AA 03 (a SNAP header follows)
    • SNAP: 00 00 08 ("Ethernet Tunnel") + EtherType

    This is the default setting.

  2. RFC1042: This setting ensures interoperability with non-Cisco Aironet wireless equipment. It is used by other manufacturers of wireless equipment.

    • LLC: AA AA 03
    • SNAP: 00 00 00 ("RFC-1042 OUI") + EtherType

You see the difference is minimal. Usually there is no need to change this setting.

2   Autonomous APs (IOS)

2.1   Features

  • Supports up to 50 users when acting as local authenticator
  • Monitors clients, utilization, and multipath interference
  • Support IGMP v1, v2, and v3.

2.2   LED Meanings

  • 1130 AP, status LED blinking dark blue = firmware upgrade in progress
  • 1230 AP, status LED solid red, other LEDs off = firmware upgrade in progress
  • 1240 AG, only radio LED is dark blue (others off): Normal operating condition, at least one wireless client device is associated with the unit.
  • 1240 AG, same as above but blinking: Software upgrade in progress.

2.3   Management Issues

  • Default IOS image for automatic TFTP download (press & hold MODE): c1200-k9w7-tar.default
  • Data rates: 'basic-' in the speed command means required rate.
  • You MUST NOT configure a loopback interface. Configuring a loopback interface might generate an IAPP GENINFO storm on your network and disrupt network traffic.
  • WDS: Verify that APs participate in FSR: show wlccp wds ap

3   Lightweight APs (LWAPP)

3.1   LED Meanings

1000 series general
  • All LEDs blink on/off together: WLC found, code upgrade in progress

  • Alarm red flashing (Power off, radio off): Duplicate IP address

  • Alarm red on: LAP boots.

  • Power green on, alarm off: WLC found, code OK, normal status.

  • blinking green

    • on REAP: loss of connectivity to WLC
    • other APs: Site Survey mode
  • When using DFS:

    • During Channel Move Time, the band LED will blink at fast rate (2-3 times per sec) => Radar detected.
    • During the Channel Availability Check, the band LED will blink at a slow rate (1-2 times per second) indicating that the LAP is quietly scanning the channel for radar.
Specific issues
  • 1000 AP, blinking green power LED = site survey mode
  • 1010 AP, alarm LED flashing red, others off = IP address exists
  • 1030 REAP, blinking green LED = lost connection to WLC

All 1000 series AP only support IGMPv1.

4   Mobile Access Router (MAR) 3200

4.1   Integrated components

  • ISR router (802.1Q, optionally with Gigabit port, optionally SFP)
  • 10/100 LAN switch (802.1Q)
  • 802.11 APs and bridges (2.4 GHz, 4.9 GHz, and 5 GHz)
  • Stateful FW
  • Encryptor card
  • Cellular modems (UMTS, HSDPA, GRPS, EGDE, plus GPS functionality)
  • 'Future' wireless technologies
  • Embedded linux PC with 40 GB HD (optionally with VMWare-based Windows!)
  • Video server (with digital and analog video interfaces, MPEG-4 or H.264 codec, 30 GB HD, Video analytics, etc.)
  • Optional with ADSL2+ interfaces

4.2   Technical details

  • Internal components always require 9V DC
  • Smallest embedded devices industry form factor PC 104-plus (3.775x3.55 inch)
  • Self-stacking (no backplane)
  • All components rated for -40 to +85 °C
  • WLAN components called WMICs (both at end of stack to reduce interferences)
  • Different enclosures depending on application (street light poles, busses, ...)
  • 14-slot enclosure available (i. e. 14 components inside!)

4.3   Deployment issues

  • 4.9 GHz or 5.8 GHz backhaul bridging
  • Mobile IP supported for continuous IP connectivity (but HA must perform double-tunneling: one tunnel to FA, inner tunnel to MR)
  • Support for Co-located CoA: MR can use its own interface IP address as CoA

5   Integrated Service Routers (ISR)

6   Cisco Compatibility EXstensions (CCX)

A current CCX feature overview table can be found here

6.1   Version 1


6.2   Version 2

  • WPA
  • QoS: eDCF
  • CCKM
  • Radio Management: RF Scanning and reporting with MBSSID
  • TPC

6.3   Version 3

  • AES
  • WPA2
  • QoS: WMM
  • Proxy-ARP IE

6.4   Version 4

  • Voice metrics
  • TSPEC based CAC
  • Wireless NAC
  • Wireless IDS
  • AP-directed roaming
  • Location Service: client emits (optionally) multicast beacons like an RFID
  • Keep Alive
  • Link Test
  • U-APSD (Unscheduled Automatic Power Save Delivery) aka "reverse polling": AP has per client buffer; send/receive in one step
  • SSID-List (SSIDL): Win XP wireless users with WPS support will be able to extract SSID list from the beacons as if they were broadcasted in a separate broadcasts Note: the SSIDL IE sent by the AP contains all SSIDs not only guest SSIDs! Multiple BSSID (MBSSID) is an alternative for legacy clients.

6.5   Version 5

  • Client MFP

7   Site Survey Issues

Today's (2007) radio parameter recommendations have changed in order to support modern services such as Voice over WLAN and Location Based Services (LBS).

8   Bridging 1400, 1300

The range for a Cisco Aironet 1400 Series Wireless Bridge in a point-to-point link is 8.5 miles at a data rate of 54 Mbps, versus 1.5 miles at 54 Mbps for the Cisco Aironet 1300 Series (typical range with integrated antennas).

If there is more than 1 km between the sites, you need to set the distance parameter on the root bridge to allow for sufficient time for the bridges to acknowledge the frames received. If this parameter is not set on a bridge link over 1 km, the bridges show duplicate frames.

Only the Cisco Aironet 1300 Series can be managed by WLC and WCS. When migrated to LWAPP the 1300 can currently only be used as an AP and NOT as a bridge. 1300 Series have a digital thermometer build-in.

8.1   Installation Issues

  • In autoinstall mode, the default distance setting is 99 km. When you change the radio role to operational mode, the value goes back to 0 km.

  • Typical Connectivity Issues: Data rate mismatch

  • Default CCA: -62

  • CW-min 3 and CW-max 10, are best for point-to-point links.

  • Multipoint Links CWmin/CWmax:

    • up to 5 NRB: 4/10
    • up to 10 NRB: 5/10
    • up to 17 NRB: 6/10
  • If packet concatenation is enabled, you need to adjust the CW-min and CW-max settings only for traffic class 0. Concatenation is enabled by default.

  • In order to utilize packet concatenation, both bridges will need to have both the root bridge and non-root bridge packet concatenation enabled.

  • 1400: The default value for packet concatenation is 3500 bytes.

  • RTS Threshold is 4000 for the root (i.e. disabled) and 1 for non-roots (i.e. enabled)

  • Fragmentation threshold is 4000 (i.e. disabled)

  • There is no RSSI voltage port on a BR1310.

8.2   SSIDs and VLANs

Aironet 1300 supports only a single SSID. This SSID should be assigned to the native VLAN. This SSID is used for association of the Non-Root Bridge to the Root Bridge. Additional VLANs can also be assigned to this SSID and are then communicated via 802.1Q.

Configuring your access point/bridge to support VLANs is a five-step process:

  1. Create subinterfaces on the radio and Ethernet interfaces.
  2. Enable 802.1Q encapsulation on the subinterfaces and assign one subinterface to the native VLAN.
  3. Assign a bridge group to each VLAN.
  4. (Optional) Enable WEP on the native VLAN.
  5. Assign the bridge's SSID to the native VLAN.

The configuration would look like this:

bridge(config)# interface dot11radio0.1
bridge(config-subif)# encapsulation dot1q 1 native
bridge(config-subif)# bridge group 1
bridge(config-subif)# exit
bridge(config)# interface fastEthernet0.1
bridge(config-subif)# encapsulation dot1q 1 native
bridge(config-subif)# bridge group 1
bridge(config-subif)# exit
bridge(config)# interface dot11radio0
bridge(config-if)# ssid batman
bridge(config-ssid)# vlan 1
bridge(config-ssid)# infrastructure-ssid
bridge(config-ssid)# end

8.3   Spanning Tree

  • The 1300 and 1400 Aironet Bridges support PVST.
  • The Aironet 340 and 350 series bridge supports only a single instance STP even when multiple VLANs have been configured.
  • When STP is disabled, the 350 series bridge acts as an AP and disallows association of non-root bridges.
  • The Radio port path cost is 33 (and the port priority is 128 as usual).

8.4   WGB Restrictions

  • You cannot pass VLANs between a WGB and an AP.
  • A WBG cannot communicate directly with another WBG.
  • Multiple WGBs can communicate with a single AP because the WGB behaves as a client.

8.5   Non-Root Bridge Configuration

Non-root bridges automatically uses RTS/CTS because multiple Non-root bridges typically do not see each other (their directional antennas pointing only to the Root Bridge).

Configuration Steps:

  • Set AP to non-root role.
  • Set Infrastructure Devices to associate only to this SSID.
  • Set Infrastructure SSID

8.6   Etherchannel - Link Aggregation

When a WLC (4404 or WiSM) LAG port is connected to a Catalyst 6500 channel group (or Cat 3750G) then note the following rules:

  • Without LAG, each WLC port only supports 48 LAPs. With LAG enabled the total LAP capacity is available to all interfaces! That is if on a 4404 e. g. three interfaces fail the remaining can handle up to 100 LAPs. With LAG only one functional physical port is needed to maintain connectivity!

  • LAG requires the Etherchannel to be configured for the "on" mode on both the WLC and the switch. There is not negotiation protocol supported on the WLC.

  • Therefore it does not matter if the switch is configured with either Link Aggregation Control Protocol (LACP) or the Cisco Port Aggregation Protocol (PAgP). Both LACP and PAgP are not supported on the controllers.

  • On the switch a load-balancing method must be chosen that terminates all IP datagram fragments on a single WLC port pair. On the 4404 there is one Network Processing Unit (NPU) for fragment reassembly for ports 1+2 and another NPU for ports 3+4. (On the 4402 there is only a single NPU for ports 1+2 so there is no problem with load balancing.)

    • The recommended load-balancing method for Catalyst switches is port-channel load-balance src-dest-ip.
  • All WLC ports must belong to the same LAG group! Only one LAG group is supported, therefore the WLC can only be attached to one switch (otherwise disable LAG mode). However it is recommended to terminate the links on different modules on a modular switch. Terminating on two different modules within a single Catalyst 6500 switch provides redundancy and ensures that connectivity between the switch and the controller is maintained when one module fails.

  • HSRP is NOT supported!

  • Any change to the LAG configuration requires a controller reboot.

  • When enabling LAG:

    1. Mgmt and AP-Mgr interfaces move to the LAG port
    2. All dynamic AP-Mgr interfaces are deleted
    3. VLAN interfaces are moved to LAG port
    4. WLANs are disabled and mapped to the Mgmt interface - you need to reassign them to the VLANs!
    5. You can only create interfaces on the LAG logical port 29.

    All packets are transmitted over that physical ports where the packets were received.

  • When disabling LAG:

    1. Mgmt and AP-Mgr interfaces as well as VLAN interfaces move to port 1
    2. You should define secondary ports for all interfaces (for backup)
    3. You must assign AP-Mgr interfaces to each port

    Packets can be forwarded over any port no matter where it originally came in.

  • LAG is enabled per default and cannot be disabled on the WiSM and on the integrated WLC inside the Catalyst 3750G.

PAgP switchover takes at least 30 seconds, which is too slow to maintain certain traffic (for example, TCP) when switching from port to the other. There is no workaround for this limitation.

LAG configuration on the switch:

interface GigabitEthernet1/0/18
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 30 mode on !!! specifying a channel group number forces LAG without PAgP or LACP
interface GigabitEthernet1/0/20
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 30 mode on !!! specifying a channel group number forces LAG without PAgP or LACP

9   WLSE

  • Uses SNMP to shut down rogue APs on switches
  • Client Walkabout uses configured radio settings
  • Interference Detection requires a Radio Scan first
  • Up to 4 'prior configuration versions' can be archived
  • WLSE Express local AAA supports up to 1000 clients
  • AP Radio Scan
  • Monitoring
  • Rogue AP Detection
  • Interference Detection
  • Radio Parameter Generation
  • Auto Re-Site Survey
  • Self Healing
  • Scanning-only AP
  • Ad-Hoc Network Detection
  • Send traps ONLY in SNMPv2c format
Two ways to generate Radio Parameters:
  1. Radio Management
  2. Assisted Site Survey Wizard

A WCS converted from a WLSE can handle up to 100 Controllers and 1500 APs.

Auto-Manage Templates can be used for the criteria Device Type and Subnet.

10   WLC

10.1   General Facts

  • CDP version 2 is supported on 2X00 and 440X series (not in integrated WLCs such as WiSM, WLCM etc)

  • Virtual Interface used by layer 3 security, DHCP relay, and Mobility Managers

  • up to 17 Radius Servers per WLAN.

  • RFID timeout on WLC should be 8-10 times the tag beacon rate.

  • Max 512 VLANs

  • ESM - 1 for 4402, 2 for 4404, 1 Gbit and 1000 clients per ESM.

  • Can control up to 16 WLANs for each 10X0 series AP and 8 WLANs for the 1130/1200/1230 and 1240 series AP

  • Radius server index -> priority

  • Up to 3 rogues can be concurrently contained by a single AP with a maximum of 4 APs one rouge can be contained

  • All Multicast packets are send at the lowest QoS level.

  • AP Power level settings:

    • 1= Max
    • 2= 50%
    • 3= 25%
    • 4= 6.25% to 12.5%
    • 5= 0.195% to 6.25%
  • The WLC keeps up to 5 controller crash files.

  • An Access List (ACL) can be applied either on a VLAN interface or on a specific WLAN:

    config wlan acl [<Wlan id>] [<ACL name> | none]

    The same is true with MAC filters.

  • Maximum 256 message logs are stored locally (FIFO). Use external syslog server!

10.2   Aggressive load balancing

  • Normally (without Aggressive Load Balancing) clients automatically prefer another AP when the current AP has already 12 clients associated. This leads to an automatic load balancing.
  • Aggressive Load Balancing tries to evenly distribute all clients of one WLC. By default the threshold is 3 clients per LAP.
  • Requires client to be 'heard' for at least 5 seconds
  • WLC monitors acceptable RSSI and SNR value
  • Controller will list up to 8 possible APs per client
  • Association response contains status code=17 to prevent the client to associate

Note: The WLC only uses the user timeout and session timeout settings to terminate client sessions if aggressive load balancing is disabled.

10.3   LWAPP Protocol Issues

  • Destination ports:

    • Data: 12222
    • Control: 12223
  • Observed (FYI):

    • From SP=12221 (AP) to DP=12222 (WLC-Data)
    • From SP=12223 (WLC-Control) to DP=52799
  • Inter-controller messages

    • 16666 to 16666 and 16667 to 166667 (mobility traffic)
    • WLCs must not be separated by NAT because the WLC's IP address is also carried inside the (encrypted) packets and compared with the header source address. See Controller Hunt Algorithm for further details.
  • LWAPP discovery response contains:

    • controller name
    • controller type
    • current number of APs (load)
    • AP capacity
    • AP Manager ip address
    • Master Controller status
  • L2 LWAPP uses Ethertype 0xbbbb

10.4   DHCP Issues

10.4.1   LAP Deployment via DHCP

Using DHCP option 43 a DHCP server can announce the IP addresses of WLCs to LAPs. The native LWAPP-APs expect option 43 to be a simple ASCII string while converted APs need a hexadeximal TLV.

It is possible to mix both AP types because every LAP appends DHCP option 60 (the Vendor Class Identifier, VCI) to its DHCP request. A typical DHCP configuration on a Cisco router would therefore look like this:

ip dhcp pool POOL-1000er
  network /24
  option 60 ascii "Airespace.AP1200" ! identifies 1000 series
  option 43 ascii ","
ip dhcp pool POOL-1200er
  network /24
  option 60 ascii "Cisco AP c1200"
  option 43 hex f108ac1a0c59c0a80a09

Note that there must be a dedicated DHCP section for each AP type. The first pool identifies all 1000 series LAPs and assigns the primary WLC IP address and as secondary WLC address. The second pool matches all 1200 series LAPs (such as the 1231 but not the 1240!) and assigns a strange TLV which consists of:

  • Type = f1 (must always be this value!)
  • Length = 08 which announces 8 bytes of value following (2 IP addreses)
  • Value = ac1a0c59 and c0a80a09 which corresponds to the IP addresses and respectively

The VCI strings for all current Cisco APs are listed in the table below. Please note the odd VCI numbering and the dot in some fields. (The strings are really correct, I verified them twice ;-))

Access Point Vendor Class Identifier
1000 Airespace.AP1200
1100 Cisco AP c1100
1130 Cisco AP c1130
1200 Cisco AP c1200
1240 Cisco AP c1240
1300 Cisco AP c1300
1500 Cisco AP.LAP1510

10.4.2   WLC as DHCP Relay

The WLC acts as a DHCP relay device through the virtual interface. The virtual IP is used downstream to the client and the Management-IP is used upstream to the DHCP server!

Debugging: debug dhcp packet enable

10.4.3   Internal DHCP Server

Before WLC software version 4.0 the internal DHCP server could only assign IP addresses to clients and not to LAPs. (Now it is possible but the LAPs should be directly connected to the WLC. Also, you cannot share a DHCP scope between two or more WLCs.)

10.5   Controller Hunt Algorithm

When a LAP boots up it performs three steps:

  1. Get an IP address (DHCP)

  2. Create a List of reachable WLCs. The reachability is verified via an LWAPP discovery request/response mechanism. In order to find valid WLC IP addresses, the LAP does the following:

    1. The LAP sends a L3-LWAPP discovery message to (if L2-LWAPP is configured then only a L2 broadcast is used)
    2. The LAP checks whether IP addresses of any previously joined WLCs are stored in its flash
    3. The LAP asks other LAPs using its radio interface and the Over the Air Provisioning (OTAP) protocol
    4. The LAP checks whether a DHCP server sent WLC addresses via DHCP option 43
    5. The LAP tries a DNS name resolution for the name CISCO-LWAPP-CONTROLLER@local-domain
  3. Select one WLC based on a priority scheme:

    1. Prefer WLCs that are already stored in the flash. (The primary is tried first, the tertiary last.)
    2. Prefer the WLC with the Master Controller Flag set. This flag is included in the header of a discovery response.
    3. Prefer the least loaded WLC. Every WLC announces the number of already connected LAPs via the discovery response.

Note that the Master Controller Mode is disabled after reboot or SW upgrade.

  • On the WLC's AP pages enter the names of the primary, secondary, and tertiary WLC. Do NOT enter their IP addresses! Use the same names as can be seen on the monitor general page.

    When a LAP associates to the primary WLC, this WLC will automatically send the IP addresses of the secondary and tertiary WLCs to the LAP.

  • After a LAP joins a WLC, the LAP learns the IP addresses of other WLCs in that mobility group from its joined WLC.

  • Subsequently, the AP sends LWAPP primary discovery requests to each of the WLCs in the mobility group.

  • The WLCs respond with a primary discovery response to the LAP. This message includes information about the WLC type, the total capacity, and current AP load.

  • As long as the WLC has the AP Fallback parameter enabled, the AP can decide to change over to a less-loaded WLC.

10.5.1   MTU Detection (Jumbograms)

  1. The LAP will send the LWAPP join request as a padded jumbo frame (1596 bytes).
  2. If the join response to the jumbo frame is not received, the LAP sends an LWAPP Join Request as a standard (1500 bytes) frame.
  3. The LAP cycles between jumbo and regular LWAPP join messages until an LWAPP Join Response is received or both sizes have been retransmitted three times. If no LWAPP Join response is received, the LAP abandons the WLC and searches for a new one.

10.6   LAP Failover

  • Place WLCs in the same Mobility Group, then the LAP failover is "seamless" (typically 30-80 seconds switchover delay to the other WLC).

  • What happens when you power down the primary WLC:

    1. Each associated LAP waits for the heartbeat timeout (30 seconds)
    2. Then each LAP sends 7 heartbeats (one per second) to the WLC
    3. Then each LAP searches another WLC using the default process
  • Optionally the heartbeat can be reduced down to 1 second

10.7   REAP

Note: max WAN RTT is 100 ms, the minimum datarate is 128 kbit/s.

Between the access point and the controller, a minimum of a 500 byte MTU is supported.

10.7.1   Legacy REAP Mode

The 1030 REAP can only reside on a single subnet because it cannot perform IEEE 802.1Q VLAN tagging. However, wireless traffic can still be segmented into different SSIDs but on the wired side all traffic is placed into the same VLAN.

When the WLC is not reachable only WLAN 1 is supported by the REAP. You should use a non-AAA based security policy for WLAN 1 such as WPA-PSK.

10.7.2   Hybrid REAP (H-REAP)

The H-REAP mode is supported by the lightweight 1130AG and 1240AG access points. The H-REAP may send data traffic back to the WLC but can also perform local switching.

The main differences to the legacy REAP mode are that H-REAP supports:

  • 802.1Q tagging -- even when the WLC is unreachable up to eight standalone VLANs are supported
  • Layer-3 authentication methods
  • QoS
  • LWAPP fragmentation with more than two fragments
  • NAC
  • Radio Management


  • On the WLC you must configure both centrally switched and locally switched WLANs.

  • For the locally switched WLAN choose WPA-PSK and under the WLAN/Advanced tab check the H-REAP Local Switching check box.

  • On the Wireless/Details page select the H-REAP role.

    • On the same page (right) a H-REAP Configuration section appears: Check VLAN Support and enter the number of the native VLAN. All other VLANs will be configured automatically and correspond to the VLAN interface settings of the WLC.
    • Below, click VLAN Mappings and enter the VLAN number from which the clients will get an IP address when doing local switching.

10.8   RF-Groups and Auto-RF

  • If APs on different WLCs hear validated (same RF group name) neighbors at -80 dBm or stronger they form dynamically an RF group
  • RRM algorithms run at 600 seconds interval by default
  • WLAN status message every 15 seconds 3x is dead timer
  • Up to 20 WLCs can be member of one RF group.
  • Up to 1000 LAPs may be used in total.
  • You need at least 4 LAPs so that Auto-RF (Radio Resource Management, RRM) can work.
  • Every 10 minutes one WLC (the Group Leader) decides if a channel/power adjustment is necessary.

The Group Leader is dynamically elected and cannot be chosen by an administrator. The RF group leader analyzes the real-time radio data collected by the group and calculates a master power and channel plan with -65 dBm on the cell borders.

10.8.1   Configurable RF Parameters

Auto-RF uses fixed and some configurable parameters. The following parameters can be configured:

Parameter Default Value Description
Interference 10% Specifies the maximum percentage of interference every LAP may detect.
Clients 12 Specifies the maximum number of clients that may be associated on every LAP. Range: 1-75
Noise -70 dBm Specifies the maximum noise power level on every LAP. Range: −127 to 0 dBm
Coverage 12 dB @ 2.4 GHz, 16 dB @ 5 GHz Specifies the lowest allowable SNR on every LAP. If the measured SNR drops below this coverage parameter then a coverage hole exists and the transmit power of the surrounding LAPs will be increased. Range: 3 to 50 dB
Utilization 80% Specifies the percentage of time a LAP may consume for transmissions.
Coverage Exception 25% Specifies the percentage of clients per LAP that experience a SNR below the coverage level but cannot roam to another LAP.
Data Rate 1000 Kbit/s Specifies the lowest allowable data rate a LAP can use for sending or receiving data. Range: 1 to 1000 Kbit/s
Client Min Exception Level 3 Specifies the maximum number of clients on a LAP that may experience a lower SNR as specified by the Coverage parameter. That is, the Client Min Exception Level indicates the number of clients necessary to trigger a Coverage Alarm if the Coverage Exception is also violated at the same time. A coverage alarm causes an SNMP trap. Range: 1 to 75

Additionally, an administrator can configure a (country-specific) channel list, as well as some monitor intervals. The table below shows the default monitor values:

Measurement Interval
Noise 180 s
Traffic Load 60 s
Receive Signal Power 60 s
Coverage (SNR) 180 s

Note that Noise=180s means that every AP must perform a noise scan through all channels within 180 seconds then send a report to the WLC (when LAP in local mode).

Country Code
WLC software version 4.0 only allows to configure one country code per WLC. Since version 4.1 one WLC can be configured for up to 20 county codes (to control LAPs in various different regulatory domains).

10.8.2   Unconfigurable RF Parameters

The following parameters are set by the manufacturer or created dynamically and cannot be changed:

Power Threshold and Neighbor Count
The WLC reduces the transmit power of the LAPs such that at maximum Neighbor Count LAPs can detect other LAPs at a receive power greater than Power Threshold.
Power Update Contribution
This setting specifies which quantity should trigger a recalculation of the power settings. These quantities are: load (L), signal (S), noise (N), and interference (I).
Power Assignment Leader
This variable tells which WLC is the actual RF Group Leader. The MAC address of the RF Group Leader is determined.
Last Power Level Assignment
This value indicates the last time a power level assignment had been performed.

10.9   Mobility and Mobility Groups

  • Up to 24 WLCs can be member of one mobility group (or up to 12 WiSMs = 3600 LAPs).
  • Traffic to Client (roamed) via the Anchor system and via EoIP to Foreign
  • Traffic from Client via the Foreign System.
  • Uses ports 16666 and 16667
Normal Mobility Event (Roam)
'Client Announce', 'No handoff'
Mobility Anchor Event
'Anchor Export Request', 'Anchor Export Request ACK', 'Export Foreign', 'Export Anchor'

10.9.1   From Foreign Controller Perspective

Output of the show debug mobility enable shows:

  1. Send: Mobile Announce
  2. Send: Anchor Export Request
  3. Receive: Received Anchor Export Ack
  4. Role: Export Foreign
  5. Action: Plumbing duplex mobility tunnel to

Hint: Look for receipt of final message in tunnel sequence "Received Anchor Export Ack".

10.9.2   From Anchor Controller Perspective

Output of the show debug mobility enable shows:

  1. Receive: Mobile Announce
  2. Receive: Anchor Export Request
  3. Send: Anchor Export Ack
  4. Message: Export Anchor, Plumbing duplex mobility tunnel

10.9.3   Fast Secure Roaming

A EoIP tunnel is created for every roaming client!

10.9.4   Auto-Anchoring / Guest Tunneling

This feature allows to restrain client traffic to a specific subnetwork no matter about their physical location. For example the whole guest WLAN traffic can be tunneled to an Anchor WLC placed in a DMZ of a firewall. Obviously the firewall must permit LWAPP traffic.


  • A subset of the WLCs of the mobility group can be configured as anchors for a WLAN. Configure the same set of WLCs on all WLCs of the mobility group! Each WLC sends a controller status message every 15 seconds. After three missing status messages that WLC is considered inactive.

  • As soon as the first client for an auto-anchored WLAN associates to the initial contact WLC, this WLC sends an announcement message to all other WLCs in the mobility group. If this announcement remains unanswered the WLC chooses the any (usually the first) Anchor WLC in the list (of configured Anchor WLCs) and establishes an EoIP tunnel to that anchor.

    Note: Each SSID requires a tunnel from the WLC to an Anchor WLC.

    The anchor WLCs may send a handoff message as announcement response to equally distribute the EoIP tunnels (usually on a round robin basis.)

  • Client traffic always travels a symmetric path.

  • Every WLC creates one EoIP tunnel for all associated clients (for that remotely anchored WLAN).

  • The mobility anchor of the local controller must point to the anchor controller, and the mobility anchor of the anchor controller must point to itself.

  • Each anchor controller supports up to 40 EoIP tunnels from various WLCs.

  • A 2000 series WLC cannot be configured as anchor.

  • Auto-anchored WLANs do not support IPsec and L2TP Layer 3 security policies. Web Authentication is supported and performed by the Anchor WLC.

10.10   Standard IDS Signatures on WLC

  • Bcast Deauth
  • NULL probe resp
  • Floods of Assoc, Reassoc, Probe, Disassoc, Deauth, EAPoL, Mgmt Frame
  • Res mgmt 6&7, D, E&F
  • Netstumbler 3.2.0, 3.2.3, 3.3.0, generic
  • Wellenreiter
  • FakeAP
  • AP impersonation
  • Spoofed deauth frame
  • FATA Jack
  • Honeypot AP
  • Monkey Jack
  • MITM
  • Broadcast deauth frame
  • Valid stations, invalid SSID
  • Invalid OUIs
  • WEP Weak IV detection

10.11   Web Authentication

  • The maximum number of local users in the local database:

    • Absolute maximum: 2048
    • Default-maximum: 512 [Security>General]

The configured datavase size is shared by local management users (including lobby ambassadors), net users (including guest users), MAC filter entries, and disabled clients.

10.12   Client exclusion policy, number of trials

Excessive 802.11 Association Failures
Clients are excluded on the sixth 802.11 association attempt, after five consecutive failures.
Excessive 802.11 Authentication Failures
Clients are excluded on the sixth 802.11 authentication attempt, after five consecutive failures.
Excessive 802.1X Authentication Failures
Clients are excluded on the fourth 802.1X authentication attempt, after three consecutive failures.
IP Theft or IP Reuse
Clients are excluded if the IP address is already assigned to another device.
Excessive Web Authentication Failures
Clients are excluded on the fourth web authentication attempt, after three consecutive failures.

10.13   Rogue AP/Client Containment

  • Up to 4 APs can be used for containment of a rogue
  • Using more AP for containment
  • Only up to 3 rogues to be concurrently contained by any single access point

10.14   Qualtity of Service (QoS)

10.14.1   Downstream (from WLC to client)

  1. The WLC receives a marked packet destined for a WLAN client. The WLC encapsulates this packet with an LWAPP header and copies the inner 802.1P and DSCP values to the outer (Ethernet and IP) headers. The downstream switched or routed network can act on these labels.
  2. A LAP does not mark any packets with a QoS label. (This is also true for autonomous APs.) But the LAP recognizes the DSCP label (actually the outer) in incoming packets and can perform some configured queuing methods (e. g. WMM or 802.11e) when it forwards these frames on the wireless port.

10.14.2   Upstream (from client to WLC)

  1. When a WMM or 802.11e capable client (e. g. a 7920) send traffic to the LAP it already marks every packet with a DSCP label.
  2. The LAP encapsulates the IP packet with LWAPP and maps the 802.11e priority to the outer DSCP field (in the tunnel IP header). Note that there is no 802.1P tag for the frames running upstream to the WLC.
  3. Eventually, the WLC decapsulates the packets and forwards them to the upstream network. For every packet the WLC maps the (inner) DSCP value to an 802.1P tag.

10.14.3   AVVID (Re-)Markings

  • The LWAPP Control packets are always marked with DSCP=56 and 802.1p=7.
  • The new marking recommendation for Voice Control us DSCP 24 (not 26).
Traffic Type Cisco AVVID IP DSCP Cisco AVVID 802.1p UP IEEE 802.11e UP
Network Control 56 7 7
Reserved 48 6 --
Voice 46 (EF) 5 6
Video 34 (AF41) 4 5
Voice Control 26 (AF 31) 3 4
Background Gold 18 AF21) 2 2
Background Silver 10 (AF11) 1 1
Best effort 0 (BE) 0 0,3

11   WCS

11.1   Main facts

  • WCS version 4 runs on Windows 2003 and Red Hat Enterprise Linux ES 4.0 and AS 4.0 servers.

  • WLC version should not be greater than WCS version.

  • Login: root/public new: root/Public1! (since version 4.1)

  • All monitor data available for 7 days (e.g. for trending analysis)

  • Don't block port 169 otherwise WCS can't receive any traps

  • Calibration 150 data points are required, 50 locations

  • Six user groups are supported:
    • SuperUsers (most important - can do anything)
    • Admin (anything but security administration)
    • ConfigManagers (manage networks, alerts, maps)
    • System Monitoring (read only: network configs, alerts, subset of maps)
    • Users Assistant
    • Lobby Ambassador (manages guest users only)
  • When clearing alarm, underlying event is not cleared

  • HTTP and HTTPS ports can be changed during installation

  • Search criteria to search WLCs: name, networks, IP address

  • Audit trail should be purged manually

  • Installation log will be put on the desktop of the server

11.2   Limitations

  • Low-end 50 Controllers/500 APs
  • Standard 150 Controllers/2000 APs
  • High-end 250 Controllers / 3000 APs
  • Max 100 APs per floor map (WCS version 3.0 !!!)
  • There is no limit to the number of walls but the maximum recommended number of walls (using the floor map editor) is 400.
  • WCS Map -> -35 dBm red through -85 dBm dark blue
  • Audit on the WCS (compare WCS database with Controller) does NOT compare shared key and passwords

11.3   Upgrading procedure

  1. Stop all WCS user interfaces to stabilize the database.
  2. Back up the WCS database
  3. Uninstall the WCS application
  4. Install the new version of WCS
  5. Restore the WCS database

11.4   Guest users

  • Managed by the Lobby Ambassador accout. Creation of guest users can be done via Guest Users Templates where user name, password, and SSID can be specified. After pressing SAVE the associated WLCs can be selected. Then press Apply to Controllers.
  • Optionally auto-generation of passwords
  • Guest user accounts can be managed via templates which are sent to selected WLCs (not necessarily all WLCs).
  • Deletion of guest user accounts: On the WCS as LobbyAmbassador and choose the command Delete Guest User. This removes the template from the WLCs.
  • When guest account on a WLC expires the WLC notifies the WCS via an SNMP trap and the WCS removes that account from the configuration of that WLC. A notice appears in the event logs.
  • WCS displays the remaining lifetime of each user account in the template detail page.

11.5   Other features

  • Backup Automatically - Can enforces WLCs to perform periodic (1:00 am daily) configuration backups via TFTP on specified TFTP server. Period can be changed.

    Note: The TFTP server cannot run on the same computer as the WCS, because the WCS and the TFTP server use the same communication port.

  • Config Groups - Group WLCs that should have same mobility group name and similar configuration. Assign templates to that group and push them to all WLCs in the group.

12   Location Appliance

12.1   Access

  • Default login/password = admin/admin
  • Default port is 8001
  • Communicates with WCS via SOAP/XML

12.2   Features:

  • Fetches RFID-tag data (which has been collected by the WLCs) from the WLCs
  • Can do real time tracking of 2500 clients simultaneously.
  • Cisco recommends a practical limit of 400 walls per floor for machines with 1 GB RAM or less.
  • The location appliance uses no more than 50 heavy walls in its calculations;
  • Keeps audit trail for 30 days
  • Does not use more than 50 heavy walls in its calculations.
  • Does not use light walls in its calculations at all! (Assumed to be accounted for during calibration.)
Default Location Engine Polling Parameters from WCS
  • Client Stations: 300 sec
  • Rogues: 600 sec
  • Asset Tags: 600 sec
  • Statistics: 900 sec

Polling value should equal to or greater than RFID tag beacon interval. Cisco recommends that the RFID timeout value on your WLC should be 8-10 times the tag beacon rate. If the RFID beacon is 10s, the timeout should be between 80-100 seconds:

(WLC) >config rfid timeout 80

12.3   WLC/AP Settings

  • LAPs must be in normal, monitor or H-REAP mode.

  • Clients and LAPs must support CCXv2 or higher (1030 does not!). On configured intervals the LAPs send broadcast radio measurement requests for every SSID. CCXv2-clients reply with probe requests on all channels specified in the measurement request. On version 4.0 this was a broadcast message and the LAP calculated RF parameters which were send to the Location Appliance. Since version 4.1 the clients send unicast probe requests and send RF parameters from their perspective.

    WLC software release 4.1 also improves the ability of the Location Appliance to accurately interpret the location of a device through a new CCXv4 feature called location-based services. The controller issues a path-loss request to a particular CCXv4 client. If the client chooses to respond, it sends a path-loss measurement report to the controller. These reports contain the channel and transmit power of the client.

  • On WLC enable CCX Location Measurement under Wireless > 802.11 a|b/g > Network. Optionally change the interval (default: 60 sec).

  • LAPs must be separated every 17-20 meters (50-70 feet).

  • Devices must be detected at signals greater than -75 dBm for the WLCs to forward information to the Location Appliance.

12.4   RFID Issues

12.4.1   Basic principle

Active RFID tags do not associate to LAPs and therefore are not affected by any WLAN or WLC settings. RFID tags send L2 multicast packets which are automatically forwarded by the LAP if the WLC is configured for RFID Tag Data Collection:

(Cisco Controller) >config rfid status enable

The WCS and Location Server poll the SNMP table of the WLC in order to view tag information.

12.4.2   Note

  • Multicast or broadcast does not need to be turned on for the WLC because these packets do not pass through the WLC. (Actually you do not even need to configure WLANs.)
  • All LAPs must be in normal mode (not monitor mode because of some issues with degraded accuracy).
  • Use a fixed timeout on WLC (auto-timeout feature is buggy)
  • Increse timeout when loosing RFID tags frequently

12.5   Troubleshooting

  • Location Appliance is running: when Location Appliances' GUI is accessible on WCS

13   Mesh Networking

13.1   Basics

  • Two types of LAPs:

    • Mesh APs (MAPs, default!)
    • Root APs (RAPs, has wired LWAPP connection to WLC)
  • Before deployment of MAPs, check:

    1. AP role (1500 default since code 4.0: MAP)
    2. Primary WLC name
    3. Bridge group name
    4. IP address (optional)
  • MAPs use 5 GHz and 18 Mbit/s backhaul channel to RAPs

  • Each MAP can have configured multiple RAPs for backup

  • A MAP can also have a wired connection when in wireless bridging role (e. g. AP 1510)

  • Scan mode is used by MAPs at startup or when they loose connectivity to the WLC

  • MAPs prefer other MAPs with same Bridge Group Name (BGN).

  • BGN has same functionality as SSID - here it prevents two networks on same channel from communicating with each other and to support MAPs in finding correct WLC.


    • Maximum 10 characters!
    • Default BGN=NULL - will connect to ANY neighbor node!
    • If WLC cannot be found using the configured BGN, the MAP changes the BGN to DEFAULT. All APs with code version greater then 4.0 will accept other nodes with that name.

    Hunt algorithm:

    1. Passively scan all neighbor nodes regardless of their BGN
    2. Try to connect to nodes with own BGN
    3. Try to connect using BGN=DEFAULT (Note: MAP remains in maintenance mode, i. e. accessibe via WLC! No clients or childs!)
    4. reboot

    If connected via BGN=DEFAULT, restart hunt algorithm every 30 minutes.

  • Per default max power level is used.

  • AWPP discovers paths and determines AP-relationships (parent or child)

  • Typical node distance: 1000 feet, up to 35 feet above ground.

  • One RAP supports up to 32 MAPs. Recommendation: < 20 MAPs.

  • When co-locating RAPs and MAPs keep safety minimum distance: 10 dBm 'damage level' for 5 GHz, 15 dBm for 2.4 GHz.

  • To prevent unauthorized LAPs to join the network:

    • Use MAC address filters
    • Configure a shared key
  • Maximum MAP distance from RAP: 4 hops.

  • Antenna options for the 1500 AP

    • 2.4 GHz: Omni 5.5 dBi or 8 dBi
    • 5 GHz: Omni 7 dBi, Patch 14 dBi or 17 dBi
Wireless > Mesh
Check the Enable Zero Touch Configuration check box to enable the LAPs to get the shared secret key from the WLC. If you uncheck the check box, the controller does not provide the shared secret key, and the access points use a default pre-shared key for secure communication. The default value is enabled (or checked).

14   WLAN for Voice best practices

On autonomous APs use IOS 12.3(8)JA or higher.

14.1   QBSS IE

  • Sent by LAP to client to notify a WLAN-phone about the current channel utilization.
  • If the announced QBSS value exceeds the threshold configured on the phone, the call will NOT be allowed and the phone will prompt Network Busy. This will not be logged on CallManager.
  • The QBSS is a standardized information element ('QBSS Load IE').
  • QBSS is not supported when using Wi-Fi 802.11a.

14.2   CAC Limit

Using CAC an AP can announce the available bandwidth to the client.

  • Cisco 7920 WLAN phones with older software expect that the CAC Limit is set to Client. That is, the client actively asks the AP.

  • To support newer software versions the AP CAC Limit must be enabled, that is the CAC Limit is announced by the LAP. This is good for mesh networks because also the backhaul bandwidth is announced.

    Wireless>802.11a>Voice: enable Admission Control (ACM) and configure Max RF Bandwidth (40-85%, default: 75%) and Reserved Roaming Bandwidth (0-25%, default: 6%). Optionally enable Metrics Collection (Traffic Stream Metric, usually only for troubleshooting - significant overhead!)

When access point-controlled CAC is enabled, the AP sends out a Cisco proprietary CAC IE and does not send out the standard QBSS IE.

With CAC, QoS will be maintained in a network overload scenario by ensuring that the number of active voice calls does not exceed the configured limits on the AP. With this feature, the client device will be capable of integrating layer 2 TSPEC admission control with layer 3 CCM admission control (RSVP). This facilitates providing a fast busy indication to the calling or called parties during times of network congestion.

Note: The 1000 series of AP announces inaccurate AP-CAC information. Always use the Client-CAC option with these LAPs.

14.3   Voice and Video Settings

  • Max 7 concurrent calls per 802.11b AP (using G.711 codec)
  • Lowest bitrate: 11 Mbit/s !!!
  • Voice media packets (downstream) sould be marked with 802.1p = 5 (802.11e = 6) and DSCP 46 (EF)
  • Voice signaling packets (downstream) sould be marked with 802.1p = 3 (802.11e = 4)
  • Cisco Wireless IP Phone 7920 marks voice-signaling packets as DSCP 26 (PHB AF31). The new marking recommendation is to use DSCP 24 (or PHB CS3).
  • The Cisco CallManager directs IP phones to mark voice media traffic or RTP traffic with DSCP 46 (PHB EF) and voice-signaling traffic (SCCP) with DSCP 24 (or PHB CS3).
AVVID priority mapping
is enabled by default and maps Ethernet packets tagged as CoS 5 to CoS 6. This feature enables the AP to apply the correct priority to voice packets for compatibility with Cisco AVVID networks.
  • QoS for video should use 802.1p tag 4.

14.4   Voice Metrics

This voice specific WLAN client Information Reporting Information Elements (IRIE) include:

  • Packet Jitter
  • Packet Loss
  • Roaming delay
  • other information

These data can be collected and analyzed to allow optimization.

15   Configuration Tasks

Quick Task List
  1. QoS enabled BSS (QBSS) is disabled by default. Enable QBSS with WMM (no 7920!) or QBSS in "7920 support mode"

  2. Configure the voice WLAN for WMM and the Platinum level. Disable that WLAN temporarily for following configuration.

  3. Under Wireless > 802.11a|bg > Voice

    • Click Admission Control (ACM) for BW-based CAC and Load-based AC.
    • Optionally change allocated BW for voice clients (default: 75%)
    • Optionally change reserved roaming bandwidth (default: 6%)

7920 does NOT support WMM: You cannot enable both WMM mode and client-controlled CAC mode on the same WLAN.

  • Don't use Aggressive Load Balancing together with voice!
  • Don't use Multicast together with voice!
  • Don't use 'Least congested channel'
  • Don't use PSPF (if a call is established as soon as the call is answered all packets are blocked!)
ARP Caching

A common AP configuration error concerns ARP caching. The phones expect this option to be enabled on the AP, but it is disabled be default on the AP. For optimal performance, Cisco recommends enabling ARP caching on the AP, especially when using Wi-Fi devices capable of power management.

Enable Address Resolution Protocol (ARP): One-way audio can occur if ARP caching is not configured on the access point.

Dynamic Transmit Power Control
Cisco highly recommends enabling Dynamic Transmit Power Control (DTPC) on the AP by using the Limit Client Power field to ensure hat the APs and Cisco 7920 phones use the same transmit power to avoid one-way audio.
Contention Windows
Min CW=3, Max CW=4, Fixed Slot Time =1
QoS Element for Wireless Phones
Enabled - if received by AP the AP prioritizes all packets for the phone (even when no QoS enabled on AP!)
Roaming Thresholds
QBSS Default: 45, RSSI Default: 5, Active Scan Time: 10 ms, Passive Scan Time: 110 ms
Cell Overlap

Radius: -67 dBm, 20 percent overlap. Separation of same channel cells should be 19 dBm (7920 RSSI=20).

The 7921 (5GHz) requires RSSI>35 at cell edges which is equivalent to -67 dBm

Simultaneous Calls
A single 802.11b wireless access point can support up approximately to seven active G.711 voice streams or eight active G.729 voice streams1 and also handle a reasonable level of data traffic.
Voice Metrics
CCX4 - Defines reporting elements of packet latency, packet jitter, packet loss, and roaming delay.
CCX4 - Maintains call levels for optimal QoS. If a network exceeds the capacity of a WLAN RF channel by even one call, all calls on the channel will suffer. CAC is a method of preventing channel overload and load-balancing calls transparent to the user.
Maximum radio frequency (RF) usage (per AP)

This is a maximum percentage of air bandwidth given to a user class. For example, if you have a network where the guest QoS profile has the max bw limitation for bronze set to 10% even if a single bronze user is using the AP, it can never receive more than 10% of the total available bandwidth.

Note: Only the 1000 series supports the maximum RF usage setting.

Queue Depth
This is the depth of the queue for the particular class. It causes packets greater than the value to be dropped at the AP.

15.1   QoS Processing Order

  1. Even if you have not configured a QoS policy, the access point always honors tagged 802.1P packets that it receives over the radio interface.
  2. QoS Element for Wireless Phones setting
  3. Policies you create on the access point
  4. Default classification for all packets on VLAN

15.2   WIRELESS Settings

  • Max RF Bandwidth that can be dedicated for voice clients: 40-85%, Default: 75%
  • Reserved Roaming Bandwidth 0-25%, Default: 6%

15.3   One-way audio during a connected call

  • Check transmit power setting is same on AP and phone. Use DTPC.
  • Check that the access point is enabled for ARP caching. When the Cisco Unified Wireless IP Phone 7920 is in power save mode or scanning, the access point can respond to the wireless IP phone only when ARP caching is enabled.
  • Check whether Firewall or NAT filters RTP packets
  • Check if data rate is 11 Mbit on AP and phone

16   Phones: 7920 and 7921

Comparison of dBm and RSSI Values for Unified Wireless IP Phone 7920

RSSI 5 10 15 20 25 30 35 40 45 50 55 60 65 70
dBm -98 -97 -89 -83 -79 -75 -67 -61 -57 -49 -44 -41 -38 -34

17   Security

Even relatively recent (german) studies show that more than 50% of all WLAN networks rely on WEP encryption, while approximately 17% are protected by WPA or WPA2. Roughly 22% are unprotected at all.

It is important to explain to decision makers that WEP encryption is not 'good enough'. WEP can be cracked within minutes (or even less) and the needed cracker tools can be operated by anybody. That is, using WEP is practically only slightly better than avoiding security measures at all!

17.1   Wireless Equivalent Privacy

WEPplus = WEP with avoidance of weak IVs

17.2   802.11i and WPA2

WPA2 supports FIPS 140-2 compliant security, basically AES in counter mode. (An early draft included AES-OCB instead but it was dropped due to patent issues.) A 48 bit IV protects against replay attacks.

Authentication and Integrity is maintained using an 8 byte CBC-MAC with a 48 bit nonce. Besides the data also the source and destination MAC addresses in the header are protected by the CBC-MAC. (These fields are called Additional Authentication Data (AAD).

The CBC-MAC, the nonce, and additional 2 byte IEEE 802.11 overhead make the CCMP packet 16 octets larger than an unencrypted IEEE 802.11 packet.

The AP advertises cipher suites both in beacons and probe responses.

17.2.1   Proactive Key Caching (PKC)

PKC allows a client to store PMKs to reuse them when later associated to the same AP or LAP. In order to support PKC the clients calculates and sends PMKIDs, i. e. a hash of the PMK, a string, the station MAC and the AP MAC. This 'PMK SA Identifier' is sent in an association request. The PMKID uniquely identifies the PMK on the WLC and therefore the 802.1x authentication can be by-passed. The client can send more than one key name in the association request. If the access point or WLC sends a success in the association response, then the client and access point proceed directly to the 4-way handshake.


  • PKC is automatically enabled on a Cisco WLC when WPA2 is enabled for a WLAN.
  • PKC does not work with Aironet Desktop Utility (ADU) as client supplicant.

17.2.2   Preauthentication

While PKC reduces the reauthentication time on APs or WLCs where the client has been authenticated once, preauthentication reduces roaming delays because it allows clients to authenticate to other APs or WLCs without association. Note that the preauthentication process is realized through the current AP or WLC to which the client is currently associated! Using preauthentication the client can establish PMKs with all APs or WLCs. The PTK handshake is only performed when the client actively associates to a new AP or WLC. In this case the association request again carries a PMK SA Identifier as explained in the PKC section above.

17.2.3   Differences between 802.11i and WPA2

WPA2 compliant products are always backwards compatible with WPA. If all devices run AES-CCMP then 802.11i is used. If some run TKIP then WPA2 devices are needed which run a mixture of 802.11i and WPA.

17.2.4   Migration Mode

Aironet APs support a 'Migration Mode' to support both legacy WEP-only clients and new WPA clients. This mode can be enabled by selecting a cipher suite (>encryption manager) which supports both methods such as

  • TKIP+WEP128
  • TKIP+WEP40

Besides WPA clients, static and dynamic WEP clients (802.1x) are supported.

Additionally configure

  • Appropriate static WEP keys in slot 2 or 3
  • Key management 'WPA optional'

17.3   Management Frame Protection (MFP)

  • MFP Version 1 is called Infrastructure MFP, in which APs validate management packets emitted by other APs. Only infrastructur devices use MFP version 1. Clients simply cannot interpret the new MFP IE and ignore it. Actually a MIC IE is inserted at the end of each management frame. Other APs validate such frames or generate an IDS event.

    IE contains:

    1. Timestamp (therefore use NTP on all WLCs - the time window is 2 seconds only!)
    2. Sequence number
    3. MIC

    Two configuration options:

    1. Protection: Add MIC
    2. Validation: Check MIC and generate alert
  • MFP Version 2 is called Client MFP and is supported since WLC version 4.1. Requires CCXv5 compatible clients and WPA2 for key management. Management frames are encrypted like data frames via TKIP or AES.

17.4   Trusted AP Policies

Validate SSID
If a rogue (known internal!) uses one of our own SSIDs then generate alert!

17.5   Rogue Detection

Either via RLDP and/or using Rogue Detection APs which

17.6   WLC/ACS Radius

  • AES key wrap, (defined in draft-zorn-radius-keywrap-13) describes more secure methods for RADIUS to communicate keying material. On the WLC enable AES key wrap for a more secure RADIUS connection.

17.7   AP Authentication Policy

  • Similar MFP, also uses Timestamp
  • But the RF Group name is used as key (protects RF group)
  • Only applied to RRM frames between APs

17.8   ACS Issues

17.8.1   Connectivity

When either the IP address of the WLAN Controller s incorrect on the AAA Server or the Shared Secret on the controller is different than on the AAA server the error “Unknown Network Access Server” is shown in the ACS log file.

17.8.2   Radius Attributes for VLAN Assignment

The RADIUS user attributes used for the VLAN ID assignment are:

  • IETF 64 (Tunnel Type) - Set this to VLAN.
  • IETF 65 (Tunnel Medium Type) - Set this to 802.
  • IETF 81 (Tunnel Private Group ID) - Set this to the VLAN ID.
This attribute indicates the group ID for a particular tunneled session, and is also known as the Tunnel-Private-Group-ID attribute, type - 81
This attribute indicates the VLAN Interface a client is to be associated to. Type 26 = Vendor Specific

17.8.3   Scalability

ACS 4.0 supports from 10,000 to 300,000 internal users per server

17.9   PSPF

When PSPF is enabled on the controller, on the switch “protected port” should be enabled to prevent clients from seeing each other data

17.10   IPS

WLC 4.0 allows the integration of an LWAPP-based WLAN system with the Cisco IDS/IPS product line running software 5.0 or later. The goal is to allow the Cisco IDS/IPS system to instruct the WLCs to block certain clients from access to wireless networks when an attack is detected anywhere from Layer 3 through Layer 7 that involves the client in consideration.

  • Up to five IDS Sensors can be configured on a WLC.
  • Each configured IDS Sensor is identified by its IP address or qualified network name and authorization credentials.
  • Each IDS Sensor can be configured on a controller with a unique query rate in seconds.

A shun request from an IDS Sensor is distributed throughout the entire mobility group of the controller that retrieves the request from the IDS Sensor.

IPS 4100
4100 IPS 5.0 contains over 1000 built-in default signatures. Supports about 2000 attack signatures

18   Client Adapter Aironet CB21AG


19   Appendix

19.1   Classical QoS Mechanisms revisited

19.1.1   IP Type of Sercice (ToS)

At the IP layer, there is a 1-byte field Type of Service (ToS) field in the header. The most significant (rightmost1 ) six (RFC 791) or seven (RFC 1349) bits of this field can be used for QoS marks. As specified in RFC 1349:

Bits 0,1,2
may carry the same information as provided in the IEEE 802.1p field. This allows a mapping between layer-2 and layer-3 and both switches and routers can process the packet as desired. In the IP jargon this value is called IP precedence
Bit 3
specifies whether normal (0) or low (1) delay is desired
Bit 4
specifies whether normal (0) or high (1) throughput is desired
Bit 5
specifies whether normal (0) or high (1) reliability is desired
Bit 6
specifies whether normal (0) or low (1) monetary cost is desired
Bit 7
is reserved for ‘future use’ and must be zero

19.1.2   Differentiated Service Code Point (DSCP)

Since RFC 2474 (1998) the ToS field had been redefined and renamed to DiffServ Code Point (DSCP) or DS Field. As specified in RFC 2474 only six bits are used:

Bits 0,1,2
again carry the 0-7 IP precedence value, also known as class selector. However there is a new definition of these values as listed in the table below.
Level Meaning
7 unchanged (link layer and routing protocol keep alive)
6 unchanged (used for IP routing protocols)
5 Express Forwarding (EF)
4 AF Class 4
3 AF Class 3
2 AF Class 2
1 AF Class 1
0 Best effort
Bits 3,4,5
carry the drop precedence which allows a further differentiation of traffic within the same class level.

The following code points are common and recommended:

  • Best Effort (BE) should be the default PHB and uses DSCP 000 000.

  • Assured Forwarding (AF) as defined in RFC 2597 guarantees a certain bandwidth to a traffic class. If the traffic exceeds the commited bandwidth the drop propability is raised according to the specified drop precedence. There are 12 different AF ‘behaviour’ code points, consisting of four classes (AF1x to AF4x) and three drop propabilities for each class (low/med/hi).


    Class 1

    Class 2

    Class 3

    Class 4


    AF11 10/001010

    AF21 18/010010

    AF31 26/011010

    AF41 34/100010


    AF12 12/001100

    AF22 20/010100

    AF32 28/011100

    AF42 36/100100


    AF13 14/001110

    AF23 22/010110

    AF33 30/011110

    AF43 38/100110

  • Expedited Forwarding (EF) as defined in RFC 3246. DSCP 56 (binary: 101 110) is recommended for the EF PHB and means low delay, low loss and low jitter.

    Note: The Cisco AVVID marking defines DSCP 46 to be voice EF (while DSCP 56 is reserved for network control, e. g. LWAPP control packets).

20   Cisco Call Manager

21   Glossary of Terms