Connecting an Access Point to a WLC
Cisco - Enterprise
tl;dr
Console into your factory-reset AP and enter the following commands, remembering to use your own IPs etc. The second line, Cisco, is the default enable password.
enable
Cisco
capwap ap ip address 172.16.2.1 255.255.255.0
capwap ap ip default-gateway 172.16.2.254
capwap ap hostname ap001
capwap ap preferred-domain nagronia.lab
capwap ap primary-base wlc001 192.168.193.1
What's this for?
Connecting an Access Point to a WLC is for when you have just got access to your first Wireless LAN Controller and you want to get it doing something 'wireless'. The controller itself doesn't have radio interfaces, therefore you will need to get something that does. We call the something that does a Wireless Access Point. When it connects to a controller we often call it a Lightweight Access Point.
In this ramblings I am going to assume that you're working in a lab environment with a relatively simple setup. Therefore I am not going to talk you through how to configure DNS A-Records or DHCP scopes to include option 43. Instead we will just put some configuration directly into the AP to tell it where its controller is using its CLI interface.
Demo Environment
The outputs below come from the following setup...
- Hardware: Cisco WLC 5520 & 2702i
- OS: AireOS
- Version: 8.5.135.0
- Date: 11-08-2019
Connecting an Access Point to a WLC
Before we can jump too deep into this ramblings there are a few things we need to understand. The first thing is there are two types of Cisco Wireless Access Point:
- Autonomous: these access points are designed to be, as the name suggests, autonomous. They can function on their own without the support of a wireless LAN controller. If you have an autonomous access point you won't be able to connect it to the controller until you have changed the image to a lightweight image.
- Lightweight: these access points have similar capabilities to their autonomous siblings, however they are designed to be centrally controlled from a wireless LAN controller. Unlike the autonomous access point, the command line interface on these is a lot more 'light weight': you only really need to tell it where the controller is and then the rest you do from the controller. Depending on your network setup you might not even need to tell it where the controller is!
The next important thing to realise is that there are a few different methods the lightweight access points can use to find their controllers. Personally I almost always use the config file, but I will hold in my rant about why!
- Broadcast: The AP will send out a broadcast and essentially say 'is there any Wireless LAN Controller out there'. If one responds it will join that controller. For this to work the controller and AP probably need to be on the same subnet.
- Config File: If that fails it will take a look in its config file and see if you have told it about any controllers. You can tell the access point about up to three controllers. These are considered primary, secondary and tertiary, and they will be worked through sequentially. If it finds one it will try and join that controller.
- OTAP: If none of the above controllers respond, it will then try Over the Air Provisioning. Yeah, just don't do that, disable it (it is disabled on all new access points).
- DHCP Option 43: When OTAP fails, and hopefully it will, then the AP will look to see if the DHCP server presented it with an IP option 43. Option 43 will contain a list of IP addresses for different Wireless LAN Controllers that the AP can try and contact.
- DNS Lookup: Finally if all that has failed it will do a DNS query for "CISCO-CAPWAP-CONTROLLER".
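As an added example (not part of the original ramblings): Cisco lightweight APs read option 43 as a type-length-value field, sub-option type 0xf1, followed by the controller addresses packed four bytes each. Because whatever the DHCP scope hands out decides which controllers the AP will try, the Python below decodes such a value and lists any controller that is not on an approved list; the function names and the approved list are assumptions of this example.

```python
import ipaddress

CISCO_WLC_SUBOPTION = 0xF1  # sub-option type a Cisco lightweight AP looks for


def encode_option43(controllers):
    """Build the hex string for a list of controller IPv4 addresses."""
    body = b"".join(ipaddress.IPv4Address(c).packed for c in controllers)
    return (bytes([CISCO_WLC_SUBOPTION, len(body)]) + body).hex()


def decode_option43(hex_value):
    """Return the controller IPs carried in a Cisco-style option 43 value."""
    # Accept plain hex as well as the dotted or colon-separated forms.
    cleaned = hex_value.replace(".", "").replace(":", "").replace(" ", "")
    raw = bytes.fromhex(cleaned)
    if len(raw) < 2:
        raise ValueError("value too short for a type/length header")
    sub_type, length, body = raw[0], raw[1], raw[2:]
    if sub_type != CISCO_WLC_SUBOPTION:
        raise ValueError(f"unexpected sub-option type 0x{sub_type:02x}")
    if length != len(body):
        raise ValueError(f"length byte says {length}, payload is {len(body)} bytes")
    if length == 0 or length % 4:
        raise ValueError("payload is not a whole number of IPv4 addresses")
    return [str(ipaddress.IPv4Address(body[i:i + 4])) for i in range(0, length, 4)]


def audit_scope(hex_value, approved):
    """Controllers advertised by the DHCP scope that are not approved."""
    return [ip for ip in decode_option43(hex_value) if ip not in approved]


if __name__ == "__main__":
    value = encode_option43(["192.168.193.1"])  # the lab controller from this page
    print(value, decode_option43(value))
    # Constructed value: the lab controller plus one address nobody approved.
    print(audit_scope("f108c0a8c101c0a8c10a", {"192.168.193.1"}))
```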
Now we understand how the AP connects we just need to do one quick thing on the controller before we can start working on the AP. SSH to the controller and tell it about how many access points you're licenced for. The amount of times I have seen people forget this and troubleshoot for a day or two is almost funny.
Note: Make sure to replace the #### with the number of APs you are licenced for.
(wlc001) >license add ap-count ####
Feature Name : ap-count
Right to Use
Enabling additional access points supported by this controller product may require the
purchase of supplemental or "adder" licenses. You may remove supplemental licenses
from one controller and transfer to another controller in the same product family.
NOTE: licenses embedded in the controller at time of shipment are not transferrable.
By clicking "I AGREE" (or "I ACCEPT") below, you warrant and represent that you have
purchased sufficient supplemental licenses for the access points to be enabled.
All supplemental licenses are subject to the terms and conditions of the Cisco end user
license agreement
(http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html), together with
any applicable supplemental end user license agreements, or SEULA's.
Pursuant to such terms, Cisco is entitled to confirm that your access point enablement
is properly licensed.
If you do not agree with any of the above, do not proceed further and
--More-- or (q)uit
CLICK "DECLINE" below.
ACCEPT? [y/n]: y
Successfully added the license
(wlc001) >
Now we have the legal bit out the way let's go and have a chat to our access point and tell it where its mate is.
Note: This assumes your access point is factory reset; if it's not, check out this ramblings.
If you have just booted your AP, the CLI seems to load before the device is ready for CLI commands, so you will get output that looks like this when you try to enable.
AP7872.5d60.94d8>en
Password: Cisco
capwap process not yet started.Please execute enable command again
AP7872.5d60.94d8>en
Password: Cisco
capwap process not yet started.Please execute enable command again
Eventually you will be able to get in and this will look a bit like this.
AP7872.5d60.94d8>en
Password: Cisco
AP7872.5d60.94d8#
At this point we can tell the access point about its IP address and gateway. Needless to say add your own IP and subnet mask here!
AP7872.5d60.94d8#capwap ap ip address 172.16.2.1 255.255.255.0
AP7872.5d60.94d8#capwap ap ip default-gateway 172.16.2.254
Just to keep things tidy and easier to find in the controller later let's give the AP a hostname. Needless to say add your own host and domain name here!
AP7872.5d60.94d8#capwap ap hostname ap001
ap001#capwap ap preferred-domain nagronia.lab
Just before we issue the last command let's make sure everything so far has worked and make sure we can ping the WLC. If this doesn't work there's an issue you're going to need to fix!
ap001#ping 192.168.193.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.193.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
Finally tell the access point where to find its controller. Needless to say add your own controller name and IP here!
ap001#capwap ap primary-base wlc001 192.168.193.1
Give it a moment or three and all of a sudden the AP will connect. If your AP is already on the correct AireOS version then it should just join. There are a lot of different versions of AireOS though, so the likelihood is that it will start downloading the correct AireOS off the controller. Mine, for example, started downloading the correct AireOS.
ap001#
*Mar 1 00:03:52.007: %LWAPP-4-CLIENTEVENTLOG: Timed out waiting on PNP config - Expect config from PNP server
Translating "CISCO-CAPWAP-CONTROLLER"...domain server (255.255.255.255)
*Mar 1 00:04:21.007: AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS.
examining image...!
extracting info (288 bytes)
Image info:
Version Suffix: k9w8-.153-3.JF8
Image Name: ap3g2-k9w8-mx.153-3.JF8
Version Directory: ap3g2-k9w8-mx.153-3.JF8
Ios Image Size: 13384192
Total Image Size: 15708672
Image Feature: WIRELESS LAN|LWAPP
Image Family: AP3G2
Wireless Switch Management Version: 8.5.135.0
MwarVersion:08058700.First AP Supported Version:07066E02.
Image version check passed
Extracting files...
ap3g2-k9w8-mx.153-3.JF8/ (directory) 0 (bytes)
extracting ap3g2-k9w8-mx.153-3.JF8/U2.bin (8176 bytes)
extracting ap3g2-k9w8-mx.153-3.JF8/F2.bin (15184 bytes)
*Aug 11 17:04:28.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.193.1 peer_port: 5246
*Aug 11 17:04:28.207: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 192.168.193.1 peer_port: 5246
*Aug 11 17:04:28.207: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.193.1perform archi!!
extracting ap3g2-k9w8-mx.153-3.JF8/file_hashes (8652 bytes)
extracting ap3g2-k9w8-mx.153-3.JF8/8006.img (605570 bytes)!!!ve download capwap:/ap3g2 tar file
*Aug 11 17:04:28.223: %CAPWAP-6-AP_IMG_DWNLD: Required image not found on AP. Downloading image from Controller.
*Aug 11 17:04:28.227: Loading file /ap3g2...
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
extracting ap3g2-k9w8-mx.153-3.JF8/B5.bin (2333 bytes)
extracting ap3g2-k9w8-mx.153-3.JF8/img_sign_rel_sha2.cert (1371 bytes)
extracting ap3g2-k9w8-mx.153-3.JF8/E5.bin (2213 bytes)!
extracting ap3g2-k9w8-mx.153-3.JF8/Y2.bin (7008 bytes)
extracting ap3g2-k9w8-mx.153-3.JF8/final_hash.sig (512 bytes)
extracting ap3g2-k9w8-mx.153-3.JF8/info (288 bytes)
extracting ap3g2-k9w8-mx.153-3.JF8/MCU.bin (9031 bytes)!
extracting ap3g2-k9w8-mx.153-3.JF8/HA2.bin (5840 bytes)!
extracting ap3g2-k9w8-mx.153-3.JF8/final_hash (141 bytes)
extracting ap3g2-k9w8-mx.153-3.JF8/R5.bin (4547 bytes)
extracting ap3g2-k9w8-mx.153-3.JF8/X2.bin (16352 bytes)!
extracting ap3g2-k9w8-mx.153-3.JF8/X5.bin (1916 bytes)!
extracting ap3g2-k9w8-mx.153-3.JF8/triggerfish_cpld.img (2460 bytes)
ap3g2-k9w8-mx.153-3.JF8/html/ (directory) 0 (bytes)
ap3g2-k9w8-mx.153-3.JF8/html/level/ (directory) 0 (bytes)
ap3g2-k9w8-mx.153-3.JF8/html/level/1/ (directory) 0 (bytes)
ap3g2-k9w8-mx.153-3.JF8/html/level/1/images/ (directory) 0 (bytes)
extracting ap3g2-k9w8-mx.153-3.JF8/html/level/1/images/cisco-logo-2007.gif (1648 bytes)
extracting ap3g2-k9w8-mx.153-3.JF8/html/level/1/images/itp-logo.png (2822 bytes)
extracting ap3g2-k9w8-mx.153-3.JF8/html/level/1/images/background_web41.jpg (732 bytes)
extracting ap3g2-k9w8-mx.153-3.JF8/html/level/1/images/info.gif (399 bytes)!
extracting ap3g2-k9w8-mx.153-3.JF8/html/level/1/images/login_homeap.gif (19671 bytes)!
extracting ap3g2-k9w8-mx.153-3.JF8/html/level/1/sitewide.js (17290 bytes)!
extracting ap3g2-k9w8-mx.153-3.JF8/html/level/1/forms.js (20442 bytes)!!
extracting ap3g2-k9w8-mx.153-3.JF8/html/level/1/config.js (29225 bytes)!!
extracting ap3g2-k9w8-mx.153-3.JF8/html/level/1/config-oeap.js (779 bytes)
extracting ap3g2-k9w8-mx.153-3.JF8/html/level/1/back.shtml (512 bytes)!
extracting ap3g2-k9w8-mx.153-3.JF8/html/level/1/officeExtendap.css (41801 bytes)!!!
extracting ap3g2-k9w8-mx.153-3.JF8/html/level/1/ap_home.shtml.gz (1540 bytes)
extracting ap3g2-k9w8-mx.153-3.JF8/html/level/1/jquery-1.11.3.min.js (95957 bytes)!!!!!!!
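An added example, not from the original ramblings: the AP takes its new image from whichever controller it joins, so it is worth confirming from the console log that the DTLS peer and the Join Request target are the controller you configured. The Python below picks the CAPWAP messages out of output like the above and flags any peer that is not on an approved list; the function name, the report fields and the second log are constructed for this example.

```python
import re

# Cisco IOS-style message header: %FACILITY-SEVERITY-MNEMONIC: text
EVENT = re.compile(r"%(?:CAPWAP|LWAPP)-\d-([A-Z0-9_]+):\s*(.*)")
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def audit_join(log_text, approved_controllers):
    """Summarise CAPWAP join activity and flag peers that are not approved."""
    report = {"dtls_peers": [], "join_targets": [], "image_download": False}
    for line in log_text.splitlines():
        match = EVENT.search(line)
        if not match:
            continue  # tar extraction progress and other console noise
        mnemonic, detail = match.groups()
        peer = IPV4.search(detail)
        if mnemonic == "DTLSREQSUCC" and peer:
            report["dtls_peers"].append(peer.group())
        elif mnemonic == "SENDJOIN" and peer:
            report["join_targets"].append(peer.group())
        elif mnemonic == "AP_IMG_DWNLD":
            report["image_download"] = True
    contacted = set(report["dtls_peers"]) | set(report["join_targets"])
    report["unapproved"] = sorted(contacted - set(approved_controllers))
    # An image pulled from an unapproved controller is the case to escalate.
    report["escalate"] = bool(report["unapproved"]) and report["image_download"]
    return report


# Lines copied from the console output above, interleaved noise included.
PAGE_LOG = """\
*Aug 11 17:04:28.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.193.1 peer_port: 5246
*Aug 11 17:04:28.207: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 192.168.193.1 peer_port: 5246
*Aug 11 17:04:28.207: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.193.1perform archi!!
extracting ap3g2-k9w8-mx.153-3.JF8/file_hashes (8652 bytes)
*Aug 11 17:04:28.223: %CAPWAP-6-AP_IMG_DWNLD: Required image not found on AP. Downloading image from Controller.
"""

# Constructed variant: same messages, but the peer is an address nobody configured.
CONSTRUCTED_LOG = PAGE_LOG.replace("192.168.193.1", "192.168.50.9")

if __name__ == "__main__":
    for name, log in (("page", PAGE_LOG), ("constructed", CONSTRUCTED_LOG)):
        print(name, audit_join(log, {"192.168.193.1"}))
```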
Whilst the AP is downloading you will be able to see it connected to the controller. Navigate to the "Wireless" tab at the top and you will see the AP in a downloading state.
Ignore the slightly different AP name; dinner took priority and I forgot to take a photo of the first one!
After it's downloaded the new AireOS the AP will reboot into it and should show as registered.
Now you have an access point all ready to go, why not check out this ramblings on how to deploy your first SSID?