- Boot up your WLC.
- Enter the username "Recover-Config"; if it's not the very first username entered after boot, you need to reboot the server and try again.
- Let the WLC reboot.
- Run through the initial configuration wizard.
- Connect to the web interface.
What's this for?
WLC Factory Reset is for when your colleague who's now happily retired has set a password on a device but forgot to put it in the password management software. It's also useful for you newbies to the land of networking who have received a second hand WLC from a popular online e-buying site but it's got a password set on it.
I'm afraid that, unlike routers and switches, you don't have the option to recover the configuration. Your only option is to factory reset the device; if this device is in production I hope you have a good backup policy!
The outputs below come from the following setup...
- Hardware: Cisco WLC 5520
- OS: AirOS
- Version: 22.214.171.124
- Date: 10-08-2019
WLC Factory Reset
So what we're going to do in this rambling is run through the steps needed to get back into your Cisco WLC.
Warning: if you do not own the WLC you're about to attempt this on you will probably be breaking some sort of company policy / law of the land you live in. If in doubt seek legal advice and/or permission from the person that owns the router. Please also read the disclaimer on the About page of this website.
Before we start there is something important to understand. When the wireless LAN controllers that are based on the Cisco C-Series servers are booting up they will get to 'Cisco Bootloader Loading Stage2...' and then stop outputting anything on the KVM. That's because at that point they have essentially started running the AirOS software. AirOS was originally designed to run on the dedicated WLC hardware. Dedicated WLC hardware doesn't make sense when you own a server business too; you have to pay two hardware development teams. The C-Series servers were more versatile so they won the fight. This is not really a big problem though, as you don't really need to access the server like this using the KVM; the WLC is designed to be configured from the serial port. So just like we did with the dedicated hardware devices we can simply plug into the serial port to configure the WLC. The serial port will even give you the output before the 'Cisco Bootloader Loading Stage2...' prompt. For me, however, the beauty of running the WLC on the C-Series hardware is that you get a CIMC thrown in. The CIMC allows you to reach the serial port remotely over SSH.
To illustrate the above point I have opened the KVM from the CIMC and taken a picture for you. If you were to plug a screen into the 'console' port on the front you get exactly the same output.
Before starting this guide I would recommend configuring your CIMC card. I have a guide here on how to do a basic configuration on the CIMC version 4.0. If you are running a CIMC older than version 4.0 it's likely to look a bit different so there is a guide here on how to upgrade from older CIMC versions.
With the above in mind, let's SSH to the CIMC and tell the server to boot up.
wlc001-oobm# show chassis detail
Chassis:
    Power: off
    Serial Number: ###########
    Product Name:
    PID : AIR-CT5520-K9
    UUID: ##########-####-####-####-############
    Locator LED: off
    Description:
    Asset Tag: Unknown
wlc001-oobm#
wlc001-oobm# scope chassis
wlc001-oobm /chassis # power on
This operation will change the server's power state.
Do you want to continue?[y|N]y
wlc001-oobm /chassis # exit
Once this is done we can connect to the serial port via the SSH session and watch the server boot up.
wlc001-oobm # connect host
CISCO Serial Over LAN:
Press Ctrl+x to Exit the session
Configuring platform hardware...
Once the server has fully booted it will prompt you for a username. At this point we need to make sure the first username we enter is 'Recover-Config'. If we enter anything else we will have to reboot the server and start over; this MUST be the first username you enter after boot.
Enter User Name (or 'Recover-Config' this one-time only to reset configuration to factory defaults)
User: Recover-Config
Initiating system recovery process... please wait
Rebooting system
Updating license storage ... Done.
Exiting SL process !
Terminated
sh: can't kill pid 1872: No such process
At this point the server will reboot AirOS and eventually take us into the setup wizard. The first thing we want to do is disable autoinstall, which is where the WLC goes out to the network looking for a configuration to use.
Welcome to the Cisco Wizard Configuration Tool
Use the '-' character to backup
Would you like to terminate autoinstall? [yes]: yes
After this we are asked to provide the WLC with a hostname, username and password.
System Name [Cisco_##:##:##] (31 characters max): wlc001
Enter Administrative User Name (24 characters max): AdmPri
Enter Administrative Password (3 to 24 characters): **********
Re-enter Administrative Password : **********
Next we are asked to configure the service interface IP address. This is the "Service" port on the back of the controller. It's not a routed interface, so you can't use it for out-of-band management, but you can walk up to the back of the server, plug into the port and SSH / HTTPS to the WLC. It's not something you use often, but when you do you're normally glad it's there! When allocating an IP address for this, use a range that you don't use on the main production network. I normally reserve 192.168.0.0/16 for this sort of thing, as it's not practical to route that range in a business network anyway; otherwise, when people VPN in from home, strange things happen.
Service Interface IP Address Configuration [static][DHCP]: static
Service Interface IP Address: 192.168.0.1
Service Interface Netmask: 255.255.255.0
Link Aggregation Protocol is a bit of a no-brainer on WLCs if you ask me; it's something I just do. There might be some more specialist deployments where you don't want to do this, but these are few and far between. If you're not familiar with link aggregation, it basically takes two or more physical interfaces (ideally in multiples of 2) and creates one logical interface out of them. For more information about link aggregation see the article here.
Enable Link Aggregation (LAG) [yes][NO]: yes
Next we want to configure the management interface. This is the IP address we are going to use to administer the WLC. As a rule of thumb you're not going to want your wireless clients being spat out onto the same VLAN as your management traffic, so we're going to tag the traffic with a VLAN ID reserved for management. Later on we can move the wireless clients onto a different VLAN ID.
Management Interface IP Address: 192.168.193.1
Management Interface Netmask: 255.255.255.0
Management Interface Default Router: 192.168.193.254
Management Interface VLAN Identifier (0 = untagged): 193
Even though we have told it we are using LAG it will still want to know a physical port for this management interface. Resistance is futile, as you can see below, so just give it a number.
Management Interface Port Num [1 to 2]:
Invalid response
Management Interface Port Num [1 to 2]: 1
In my lab setup this is just a Cisco 5520 WLC, plugging into a 2960G switch that then plugs into a Cisco 2811 router. The Cisco 2811 and 2960G are configured in a router on a stick setup. For the purposes of this I'm just going to use my 2811 router as a DHCP server.
Management Interface DHCP Server IP Address: 192.168.193.254
In this example I am not going to configure High Availability. If you want to see how to do this look at this guide here.
Enable HA [yes][NO]: no
You will probably find lots of guides saying use 126.96.36.199 or 188.8.131.52/24 etc. for the virtual IP address. Blunt answer: don't. These are not private IP addresses and can start being used on the internet. At the time of writing 184.108.40.206 has just become a public DNS server, and anyone using 220.127.116.11 in their network will now be having issues accessing that online service. For this I wouldn't normally use an RFC 1918 address either; instead I would go for an RFC 5737 address.
Virtual Gateway IP Address: 192.0.2.1
The multicast address is used by the controller to forward traffic more efficiently to your access points. In a small deployment where all your access points are on the same VLAN as the controller this is pretty simple to do. However, if you're using routing to get between your controller and access points this becomes a bit more complicated, as you will need to do multicast routing. If you want to try this, check out this article here.
Multicast IP Address: 18.104.22.168
For simplicity, unless you are going to start doing some more complex stuff with RF groups, just leave this as the controller's hostname.
Mobility/RF Group Name: wlc001
If you already know what you want your SSID name to be, put it here. If not, don't worry too much as you can just delete this later.
Let's cover off quickly what the two options here mean:
- DHCP Bridging mode: The DHCP request goes straight through the AP and controller to the Layer 3 interface on the switch. If the switch is the DHCP server it will respond itself. If it's not the DHCP server and has a helper-address configured, it will relay the packet to the DHCP server wherever it is.
- DHCP Proxy mode: The DHCP packet goes through the AP, and once it reaches the wireless LAN controller the controller acts similarly to the helper-address on the switch; the controller, not the switch, relays the DHCP request to the DHCP server.
Configure DHCP Bridging Mode [yes][NO]: no
Without bursting into a rant: clients should use DHCP. Plus, in a large deployment the likelihood is you're also going to be using interface groups, and with those there is no way to guarantee a client will always end up on the same VLAN for its static IP to work anyway.
Allow Static IP Addresses [YES][no]: no
I'm not going to setup RADIUS now but watch this space I will be doing lots of guides around this.
Configure a RADIUS Server now? [YES][no]: no
Warning! The default WLAN security policy requires a RADIUS server.
Please see documentation for more details.
Country code: self-explanatory. Get it wrong and your controller probably won't play nicely with your access points. The reason is that different countries licence different radio frequencies for WiFi usage.
Enter Country Code list (enter 'help' for a list of countries) [US]: GB
This is one where ideally you only want to enable the latest and greatest protocol: if you enable the older protocols you won't get such good performance. However, you will have users that need to connect older devices, so in most cases you just have to suck it up and enable them all; especially if you have BYOD.
Enable 802.11b Network [YES][no]: yes
Enable 802.11a Network [YES][no]: yes
Enable 802.11g Network [YES][no]: yes
This just lets the controller make decisions on RF power levels etc. Whether you want this will really depend on your RF environment. I tend to find that if you're not sure you should just enable it; you can always change your mind later.
Enable Auto-RF [YES][no]: yes
This is a no-brainer: of course you should configure NTP, otherwise analysing log files is going to be horrid. If you don't have an internal NTP server you can just point this at something on the internet. In my lab I will configure the Cisco 2811 to be the NTP server.
Configure a NTP server now? [YES][no]: yes
Enter the NTP server's IP address: 192.168.193.254
Enter a polling interval between 3600 and 604800 secs: 3600
If you are IPv6 ready, go you, you are the future. I don't have it in the lab so I'm not going to worry about it for now.
Would you like to configure IPv6 parameters[YES][no]: no
If you made a mistake part way through, now is your opportunity to go back through. If not, let's go for it.
Configuration correct? If yes, system will save it and reset. [yes][NO]: yes
Updating LAG configuration...Done
Updating license storage ... Done.
Exiting SL process !
Terminated
sh: can't kill pid 4328: No such process
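Before answering the wizard for real it's worth sanity-checking the planned answers against the rules above: the prompt's own length limits, RFC 1918 space for the management and service interfaces on separate subnets, a default router inside the management subnet, an RFC 5737 (never public) virtual gateway, a genuine multicast address and the 3600-604800 second NTP range. The following is an added example, not part of the original post; the dictionary keys, the password and the multicast address are constructed for the example, the other values are the ones used in the walkthrough.

```python
import ipaddress

# Address ranges the post recommends for each role (these constant names are the example's own).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RFC5737 = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24")]

# Answers from the walkthrough above; the password and the multicast address are constructed.
GOOD_ANSWERS = {
    "system_name": "wlc001", "admin_user": "AdmPri", "admin_password": "Sup3rSecret!",
    "service_ip": "192.168.0.1", "service_mask": "255.255.255.0",
    "mgmt_ip": "192.168.193.1", "mgmt_mask": "255.255.255.0", "mgmt_gateway": "192.168.193.254",
    "virtual_ip": "192.0.2.1", "multicast_ip": "239.255.0.1", "ntp_poll": 3600,
}

def in_any(addr, nets):
    return any(addr in n for n in nets)

def check_wizard_answers(a):
    """Return a list of problems with a planned set of wizard answers (empty list = OK)."""
    problems = []
    # Length limits printed by the wizard prompts themselves.
    if not 1 <= len(a["system_name"]) <= 31:
        problems.append("system name must be 1-31 characters")
    if not 1 <= len(a["admin_user"]) <= 24:
        problems.append("admin username must be 1-24 characters")
    if not 3 <= len(a["admin_password"]) <= 24:
        problems.append("admin password must be 3-24 characters")
    mgmt = ipaddress.ip_interface(f'{a["mgmt_ip"]}/{a["mgmt_mask"]}')
    svc = ipaddress.ip_interface(f'{a["service_ip"]}/{a["service_mask"]}')
    if not (in_any(mgmt.ip, RFC1918) and in_any(svc.ip, RFC1918)):
        problems.append("management and service addresses should be RFC 1918")
    # The service port is not routed; keep it off the production (management) subnet.
    if mgmt.network.overlaps(svc.network):
        problems.append("service interface must not share a subnet with management")
    if ipaddress.ip_address(a["mgmt_gateway"]) not in mgmt.network:
        problems.append("default router is not inside the management subnet")
    # A public virtual gateway address would shadow a real internet host for every wireless client.
    virt = ipaddress.ip_address(a["virtual_ip"])
    if virt.is_global:
        problems.append("virtual gateway is a publicly routable address; use RFC 5737")
    elif not in_any(virt, RFC5737):
        problems.append("virtual gateway is not an RFC 5737 address")
    if not ipaddress.ip_address(a["multicast_ip"]).is_multicast:
        problems.append("multicast address is outside 224.0.0.0/4")
    if not 3600 <= a["ntp_poll"] <= 604800:
        problems.append("NTP polling interval must be 3600-604800 seconds")
    return problems

if __name__ == "__main__":
    print(check_wizard_answers(GOOD_ANSWERS) or "all wizard answers look sane")
```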
After the server has rebooted, browse to the management IP you have just configured. You will probably be prompted with a security warning about the website's certificate not being trusted that you will need to get past. You will then be presented with this screen.
After this hit Login and enter the username and password you have just configured. You should then be presented with the Network Summary page. Note: if you want to do anything of use you will need to hit Advanced in the top right corner.