how-to_‎ > ‎


IPv6 Accounting

posted Oct 20, 2015, 12:00 AM by Daniele Albrizio   [ updated Oct 20, 2015, 12:00 AM ]

Normally WLC will report only IPv6 prefixes on radius accounting.
This is a cli-only per WLAN setting.
Temporarily disable the interested WLAN.

config wlan radius_server acct framed-ipv6 both <wlanID>

Re-enable the WLAN.

Cisco New AP's 2700 and 3700 do not join WLC sw ver 7.x

posted Apr 28, 2015, 9:57 AM by Daniele Albrizio   [ updated Apr 28, 2015, 10:01 AM ]

They in fact come with firmware suitable for WLC SW version 8.x

This should be not a problem, but indeed they do not auto join the controller..
You will need either manually add a capwap exec command (that is you cannot preprovision the command without full controller connectivity since the command does not survive reboots).

# capwap ap controller ip address <wlc ip address>


Reboot the AP pushing the reset button to let it go in ROMMON mode and then issue the boot command (do not ask me why this should use different firmware/configuration cthan  the stock one).
I only know that this way I see these lines

*Mar  1 00:01:05.139: AP has SHA2 MIC certificate - Using SHA1 MIC certificate for DTLS.
*Apr 28 15:43:00.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: peer_port: 5246
*Apr 28 15:43:00.495: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: peer_port: 5246

instead of the failing one

*Mar  1 00:01:50.607: %CAPWAP-3-DHCP_RENEW: Could not discover WLC. Either IP address is not assigned or assigned IP is wrong. Renewing DHCP IP.

But the definitive solution to avoid the manually-preprovision-each-ap disaster is to accept all types of AP certificate on the WLC side.
This is a scrinshot of my WLC configuration - note that I use authorization list:


Get SFP serial number on Cisco WLC 5508

posted Oct 30, 2014, 7:45 AM by Daniele Albrizio

Use this undocumented, unsuggested cli command to get sfp bays inserted media serial numbers

 debug fastpath cfgtool --dump.sfp

(WLCTS 5508) >debug fastpath cfgtool --dump.sfp

(WLCTS 5508) debug>FP0.
Port SFP Vendor       Transceiver Type    OUI PartNumber       Rev  SerialNumber     DateCode Auth
   1 CISCO-METHODE    (0x08)1000BaseTX        SP7041           E    00000MTC655363SA 08127501 ok     
   2 CISCO-METHODE    (0x08)1000BaseTX        SP7041           E    00000MTC655356KS 08127501 ok     
   3 Not Present      (0x00)NOT_SUPPORTED                                                     fail   
   4 Not Present      (0x00)NOT_SUPPORTED                                                     fail   
   5 Not Present      (0x00)NOT_SUPPORTED                                                     fail   
   6 Not Present      (0x00)NOT_SUPPORTED                                                     fail   
   7 Not Present      (0x00)NOT_SUPPORTED                                                     fail   
   8 Not Present      (0x00)NOT_SUPPORTED                                                     fail   

CoA change of authorization RFC 3576 on Cisco WLC5508

posted Apr 14, 2014, 9:20 AM by Daniele Albrizio

On WLC web interface select Security -> AAA -> Radius -> Authentication
For each server, enable the RFC 3576 Support.

You can now use the following simple script to do the job:

  IP=<ip address of wlc>
  PORT=<usually 3799>
  SECRET=<Radius shared secret>
  RESULT=`echo "User-Name = $1" | radclient $IP:$PORT 40 $SECRET  `
  echo $RESULT
  echo $RESULT | grep "code 42" >/dev/null
  if [ $? == 0 ]; then
    echo User $1 NOT CONNECTED on $NAME.
  echo $RESULT | grep "code 41" >/dev/null
  if [ $? == 0 ]; then

Please pay attention to the radius SECRET since de wlc silently discards unauthenticated packets making you mad!
Debug it using show radius rfc3576 statistics command and looking for "Bad Authenticator Requests" using WLC CLI.

Airopeek Remote Sniffing using Wireshark

posted Mar 3, 2014, 5:41 AM by Daniele Albrizio   [ updated Mar 3, 2014, 7:02 AM ]

This poorly documented feature enables remotely sniffing the airspece usine an lightweight AP in Sniffer mode.

  1. Select your favourite AP and begin sniffing by first electing his AP mode as sniffer
  2. Wait for the AP to reboot and check the admin status is enabled
  3. For each of the AP radio  in Radios > 802.11a/n/ac and Radios > 802.11b/g/n select:
    1. sniff > on
    2. channel > central channel to sniff on
    3. Server > ip address of a machine running wireshark
  4. On the machine running wireshark expect udp packets from WLC management IP port 5555 to your wireshark machine ip port 5000
  5. Start capturing with wireshark (filter: port 5000) then right click on one packet from the capture windows and select decode as PeekRemote dissector

More info :

Meaningful accounting Called-Station-Id

posted Jan 20, 2014, 2:10 PM by Daniele Albrizio   [ updated Jan 20, 2014, 2:11 PM ]

I'm using a 5500 Cisco WLC

As long as you use meaningful "talking" AP names clearly identifying the location of the AP, you can use the following to give sense to radius accunting packets:

config> radius auth callStationIdType ap-name-ssid
config> radius accounting callStationIdType ap-name-ssid

Other possible types in WLC software 7.5 are:
ap-group-name   Sets Called Station Id to the AP Group Name
ap-location     Sets Called Station Id to the AP Location
ap-macaddr-only Sets Call Station Id Type to the AP's MAC Address
ap-macaddr-ssid Sets Call Station Id Type to the format <AP MAC address>:<SSID>
ap-name         Sets Called Station Id to the AP Name
ap-name-ssid    Sets Called Station Id to the format <AP Name>:<SSID>
flex-group-name Sets Called Station Id to the Flex Connect Group Name
ipaddr          Sets Call Station Id Type to the system's IP Address
macaddr         Sets Call Station Id Type to the system's MAC Address
vlan-id         Sets Called Station Id to the VLAN id

P.S. Don't forget to save!

How to verify a Lightweight AP startup configuration

posted Nov 19, 2013, 2:09 AM by Daniele Albrizio

I needed to verify the startup CAPWAP configuration before delivering a Lightweight AP far far away.

  1. Boot a CAPWAP AP without connecting the network (It takes longer due to 2 or 3 timeout waiting for PHY).
  2. Connect to serial console.
  3. Login verifying the password from controller are successfully stored.
  4. Enter enable.
  5. If you configured a static IP verify it with
    show capwap ip config

    LWAPP Static IP Configuration...
  6. Issue
    show capwap client config
    and search in particular for the following lines
      Configured Switch 1 Addr

1-7 of 7