List Cisco IOS XE Wireless Features per Release

Available Languages

Download Options

  • PDF     (63.6 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (94.5 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (96.8 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:August 6, 2024
Document ID:214855

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes briefly and lists the features supported on Catalyst 9800 Series Wireless LAN Controllers.

    Features in each Cisco IOS XE release

    Each feature is only mentioned in the release it was first introduced with subsequent releases and only lists changes to the given feature.

    Cisco IOS XE - 17.15.1

    • Catalyst 9800 is now supported in Oracle Cloud
    • AP location enhancement (support of 9120)
    • UNII-3 low power support for UAE and Qatar
    • Small improvement for cleanair to now scan better channels at the end of a band.
    • SE Linux policy enforcement. No visible impact for user.
    • Extended 6Ghz support to more countries. Check AP specific documentation for details.
    • "Show tech wireless" can now be collected via netconf.
    • 15 countries support added for 9163 outdoor AP. Check AP specific documentation for details.

    Cisco IOS XE - 17.14.1

    • CAPWAP control message aggregation for messages to be sent to the same AP.
    • New countries for 6Ghz support.
    • Kernel minidump
    • support for the new CW9800 H and M platforms
    • Layer 3 VLAN override for CWA FlexConnect clients is supported.
    • gNMI telemetry and proto encoding enhancements
    • Israel and Turkey are moved to the -E domain.
    • "show tech diagnostics" is introduced for appliances
    • RRM DCA support for Mesh backhaul
    • SDA IPv6 underlay support
    • AFC, BLE support for 9167
    • AFC support for 9165
    • PoE power profile for 30 watts for the 9167
    • QoS, GPS and SNMP support on 9165 and 9167 WGBs
    • CAPWAP mode support for 9165
    • Cleanair pro support on 9167
    • Support for CW-ANT-D1-NS-00 Antenna on Cisco Catalyst 9163E Access Point
    • Secure Data wipe capabilities in the factory reset
    • Scanning radio support on 9167
    • Tier B/C/D country support on 9166D1
    • YANG support for "clear aaa counters", "clear radius statistics" and support for multiple next hops

    Cisco IOS XE - 17.13.1

    • Amazon S3 storage extension support
    • 802.11h support on 9167 AP
    • FlexConnect ACLs now provide hit counters for clients
    • 9124 AP can now operate in indoor mode and has a PoE-out capability
    • DHCP Option 82 support in Flex Local Switching and in guest anchor scenarios
    • "show ap image detail" is a new CLI introduced to verify the AP image integrity
    • Catalyst 9163E AP support
    • Concurrent radios are supported in 9124 and 9130 WGBs
    • Event-driven RRM is supported on 6Ghz
    • The rogue AP manual classification and the rogue client manual classification limit have been enhanced from 625 to 10,000 configurations at a time.
    • NAT,PIM and OSPF commands are introduced to allow the WLC to act as a layer 3 node
    • Low Latency profiles for 9165 IOT WGB
    • Quad-radio mode support for 9136 AP
    • This feature enables WGB to periodically query for latest neighbor APs and associate to the optimal AP on next roam. The scan handoff mode with dual 5G radio is supported from this release.

    Dublin - 17.12.4

    • From this release, multicast on AAA overriden VLAN is supported (through Cisco bug ID CSCwk20436 )

    Dublin - 17.12.2

    • From this release, Layer 2 VRF is also supported with WGB, RADSEC, and TRUSTSEC capabilities. However, RLAN is not supported with VRF

    Dublin - 17.12.1

    • Wireless Mesh Support for Cisco Software-Defined Access
    • Wakeup Threshold for AP Power Save Mode
    • VRF Support on the 9800 WLC
    • support for AP 3700/2700/1700/1570
    • Software entropy enhancement for FIPS 140-3
    • Rogue PMF
    • Rogue Channel Width
    • RF based Automatic Load Balancing
    • From this release, Australia, Brazil, Costa Rica, Honduras, Hong Kong, Japan, Jordan, Kenya, Malaysia, Morocco, New Zealand, Peru, Qatar, Saudi Arabia, and United Arab Emirates are added to the list of countries that supports 6-GHz radio band
    • Mesh Support in Cisco Catalyst 9130AX Series Access Points
    • MacBook Analytics
    • Intelligent Capture (iCAP) Hardening
    • Indoor deployment support for UK -ROW domain on IW9167I and IW9167E
    • Improve crash datacollection, kernel panics, out of memory
    • the Embedded Packet Capture (EPC) feature is enhanced to support increased buffer size, continuous capture, and filtering of multiple MAC addresses in one EPC session.
    • Cisco Catalyst IW9167I Heavy Duty Access Point
    • Cisco Catalyst 9800 Wireless Controller for Cloud - Ultra-Low Profile (Beta, No TAC Support)
    • Cisco Catalyst 9166D Series Wi-Fi 6E Access Point
    • Archive logs can be collected for less than 1 day
    • Access Point Auto Location Support in conjunction with Cisco Spaces
    • Cleanair Pro can record interferers for Cisco TAC troubleshooting
    • You can now configure WPA transition mode and WPA3 on the same WLAN profile with 6ghz
    • AP client debug bundle

    Dublin - 17.11.1

    • New 6Ghz supported countries. See https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-11/config-guide/b_wl_17_eleven_cg/m_country_codes.html
    • Mesh background scanning and fast ancestor find
    • Webauth portal supports more characters
    • Calendar profile enhancement over several days
    • Client debug bundle on the WLC
    • FRA can put the redundant 2.4Ghz radio in monitor mode
    • Enhancement in client steering during rolling AP upgrade
    • Flex OTT and Roaming Latency Validation over BGP EVPN
    • Improved spectrum capture update rate on 6E APs
    • Jumbo frame support for RADIUS packets
    • Location-Capable Attribute in the RADIUS Access-Request Messages
    • AP secure data wipe
    • Multiauthentication Combination of 802.1X and Local Web Authentication
    • "show aaa server brief" CLI is introduced
    • Efficient AP  image upgrade through HTTPS
    • Reload reason history
    • Subscription Dampening-Period for On-Change Telemetry
    • AP Ethernet port LED enable/disable support
    • Wireless client latency statistics
    • Zero wait DFS on 9136
    • Site survey mode, WGB and UWGB support on IW9167
    • RAP Ethernet Daisy Chain with WSTP
    • GNSS support on IW 9167
    • "show tech wireless ap mac <MAC>" has been enhanced to help troubleshoot AP join issues
    • Intelligent capture can now collect over-the-air captures (that is a channel-based capture rather than client-based capture)
    • Improved off-channel scanning dwell times for Cleanair Pro chips
    • Support for IP overlap in central switching deployments.
    • Improved BLE support commands on AP
    • AP kernel can now dump crash files.
    • "debug ntp state" allows to debug NTP synchronization on APs along with "show ntp logs"

    Dublin - 17.10.1

    • Downloadable ACL (dACL) support for central switched deployments. No support for dACLs in Flexconnect deployment or on EWC-AP platforms
    • AP Prime Profile to bulk configure primary, secondary and tertiary WLC names and ip addresses on the Access Points
    • Load factored when you map APs/site tags across WNCds for more even load balancing across WNCds. 
    • Extended Netflow monitors from 2 to 4
    • New SFP supported : check the release notes for the exact list
    • AP power save feature enhanced with radio spatial streams and flexible poe
    • Upgrade Yang models to 1.1
    • WGB mode support on 9124 and 9130
    • Cleanair support on 6Ghz
    • Application performance monitor (includes Flex and Fabric modes)
    • Catalyst Center client event and SSID telemetry filter
    • Device classifier XML update system
    • Secure factory reset with data wipe
    • Device Analytics data can be sent through RADIUS accounting

    Cupertino - 17.9.6

    • From this release, multicast on AAA overriden VLAN is supported (through Cisco bug ID CSCwk20436 )

    Cupertino - 17.9.3

    • Support of IOS-based APs (x700 series)

    Cupertino - 17.9.2

    • An additional 75 countries are supported in Cisco Catalyst 916x Series Access Points and Cisco Catalyst 9136 Series Access Points.For more information about the list of countries that are supported, see the Chapter Regulatory Compliance Domain.
    • iPSK passphrase is supported for SAE H2E authentication in local mode
    • Channels 120, 124, and 128 for the -E regulatory domain are supported on 9124 and 9130.
    • 9162I AP is supported
    • The WLC can still learn up to 8 IPv6 addresses per wireless client but starting 17.9.2, it does not drop traffic from the client anymore if it comes with a new IP address after the eigth is learned but it replaces an existing learned IP with the new one and keep forwarding the traffic.
    • UNII 3 band supported for UK in -ROW domain on 9136 and 916x APs.
    • AP fallback to controllers Priming from the WLC.
    • The MIB CISCO-ENVMON-MIB was added
    • vMotion support for Esxi

    Cupertino - 17.9.1

    • Introduction of quotas and priorities for rogue classification at scale (to determine what rogues are dropped)
    • Support for FT-SAE security
    • Supports for TLS 1.3 on the 9800 web server
    • Access point can be configured with a timezone independant of the WLC timezone in the AP join profile
    • Support for CW9164 and CW9166 access points
    • Enhanced site survey mode for Wifi6E access points
    • RADIUS and TACACS authentication and accounting support for active and standby WLCs in a HA SSO pair.
    • Support for Chargeable User Identity in RADIUS accounting
    • AI-Enhanced RRM support for 6E
    • Cleanair Pro scan mode support
    • Concurrent radio support for WGBs on Catalyst APs
    • Configuring mDNS Location-Based Filtering Using Location Group
    • Ability to enable or disable AP console from the WLC
    • FRA support in 9166 AP
    • HA SSO support for ACI fabric deployments
    • Possibility to disable interim accounting under the policy profile
    • LLDP support on standby WLC
    • Accounting support for web UI config changes
    • Mesh backhaul RRM
    • More countries added to the -ROW domain
    • Site-Based Rolling AP Upgrade in N+1 Networks
    • 6Ghz support in Canada
    • Support for RFC 5580 Location Attributes in the Controller
    • VLAN Group to Support DHCP and Static IP Clients
    • Wireless Rogue Channel Width Support
    • Zero-wait DFS for 9130 APs in certain domains.
    • Wireless AP Multicast Unicast option for mDNS control traffic on 9800 WLC
    • BLE concurrent scan and beacon capability

    Cupertino - 17.8.1

    • Access Point and WiFi6 Features:
      • AP power save : the controller can now disable some AP radio features to save power.
      • Workgroup Bridge (WGB) mode is now supported on 9105, 9115 and 9120 access points
      • BLE management is supported on 9136
      • From this release, client limiting is supported per AP, per radio, and per AP radio per WLAN.
      • APs with a flexible radio (2800/3800/9120/9130) now support XOR sniffer, where a single radio can act in sniffer mode while the other radio still serves clients.
      • Environmental sensor support on 9136 AP
      • 9136 CleanAir Pro radio can be dedicated to scanning
      • Simplified WGB configuration management with the "copy configuration" commands
      • RLAN ports on OEAP APs support the fallback from dot1x to MAB on their wired ports.
      • The AP client trace feature can now track dropped packets per protocol type with the config ap client-trace drop-count command
    • Possibility to disable IP-MAC binding and enable/disable ARP broadcast per VLAN in order to stop device tracking of NAC devices or support 3rd party WGBs.
    • Reports of device Analytics (including Intel Analytics) are now sent to Cisco DNA Center
    • Flexconnect Site Tags can now have up to 300 AP instead of a maximum of 100 previously.
    • OEAP Split Tunnel ACLs now support IPv6 as well as URL Filters
    • Support for nearest wired mDNS services provider and VLAN and MAC-based filtering in central switching mode, custom service policy in flexconnect mode
    • new SFPs are supported
    • Support for Trustsec inline tagging on PortChannel interfaces

    Cupertino - 17.7.1

    • Access Point and WiFi6 Features:
      • URL based ACLs support for Split Tunneling on OEAP
      • SD-AVC support for all the AP modes (including fabric and Flex)
      • Faster Mesh network teardown when the RAP detects an uplink failure
      • Serial backhaul for 9124 APs
      • FIPS mode on Mesh APs
      • RLAN support on 9124 APs
      • RLAN support on fabric APs
      • Co-existence of Icap and IoT telemetry tunnnels on the AP
      • Support of 9136 AP
    • Catalyst 9800 Wireless Innovations:
      • SUDI99 certificate support : New Root CAs from Cisco for WLC and APs with longer validity period
      • Better detection of Rogue Access Points advertising a wrong channel
      • WPA3 H2E support for SAE authentication
      • Transition mode disabed support for WPA3
      • AI-Enhanced RRM support : move your RRM algorithm to DNA Center and the cloud
      • 9800-CL support in Microsoft Azure cloud
      • Control the cipher suite for Local EAP authentication
      • Enable and configure AP BLE radios directly from the controller
      • 9800-CL licensing enforcement
    • Serviceability
      • Configure a customized string as NAS-ID
      • Possibility to reset an AP depending on AP real-time statistics threshold
      • Support of 802.11k/802.11v across site tags and WNCd instances
      • Web UI now has an alarm inbox page for critical events

    Bengaluru - 17.6.3

    • New SFP supported (ACU7M and ACU10M mainly)
    • Updated Apple and Samsung information for local device profiling on the 9800
    • SGT inline tagging support for PortChannels
    • command "ip arp-limit rate" was added to limit ARP traffic from clients

    Bengaluru - 17.6.2

    • Bi directional rate limit can now be fully applied per client in FlexConnect Local switching APs
    • Flex+Bridge mesh support for 9124 APs
    • 802.1X with webauth on mac filter failure suppor

    Bengaluru - 17.6.1

    • Access Point and WiFi6 Features:
      1. Global tag persistency configuration on the WLC that automatically write tags on the APs.
      2. Mesh EFT support on Catalyst 9124
      3. Rest Of World (-ROW) domain support
      4. C-ANT9104 antenna support along with beamdwitdh and antenna count configuration on the WLC
      5. WLAN Radio Policy : It is possible to configure on which 5ghz slot SSIDs are to be broadcasted
      6. Different types of SIA antennas can be plugged to the same AP although this is not a recommended deployment.
      7. 9124 max client association changed from 255 to 420
    • Catalyst 9800 Wireless Innovations
      1. High Availability support is now available in the mDNS feature when the controller is configured in service peer-enabled or disabled modes
      2. Auto-registering of random MAC Addresses in UDN environments
      3. Dataplane packet logging
      4. Fallback for AAA overriden VLAN : if the AAA overriden VLAN is not configured at the controller or AP (for FlexConnect LS mode), then the VLAN from the policy profile can be used if fallback is enabled.
      5. mDNS : FHRP Support on SDG for a Service Peer
      6. Intel device analytics are passed to Cisco DNA Center
      7. IPv6 Ready certification
      8. LDAP authentication can use attribute maps which allow to use other fields than CN for the user name (such as samAccountName)
      9. Link-local bridging of traffic after layer-3 roaming
      10. More management protocols are supported through the Service Port : SNMP,RADIUS,TACACS,Syslog, NTP,SSH,NETCONF,HTTPS,Netflow
      11. Device classifier (profiling) now includes data from Device Analytics
      12. After breaking an HA SSO setup, the standby keeps the same configuration (except with the interfaces shutdown) rather than losing all configuration
    • Serviceability
      1. FQDN support for gRPC telemetry
      2. More granular reasons for client deletion from the SANET process
      3. Some CLIs have been made more consistant from a MAC address format standpoint (towards xxxx.xxxx.xxxx)
      4. Secure Boot Setup for ESXi, KVM, NFVIS, and Microsoft Hyper-V
      5. Standby Interface Status Using Active Through SNMP
      6. Syslog support for aWips
      7. Clients can now be deauthenticated by IP address (wireless client ip-address A.B.C.D deauthenticate) or by username (wireless client username Bob deauthenticate)
      8. Key validation is only done on beacons and probe response frames (instead of all frames) when MFP is enabled to avoid detecting Cisco APs as rogue.
      9. "show ap name <ap-name> wlan vlan" now shows the wlan-vlan mapping of an AP with flexconnect local switching SSIDs
      10. The AP web server stops supporting TLS version before TLS 1.2
      11. Disabled Universal AP priming on Cat9100 APs.
    • New WLAN Wizard in the Web UI

    Bengaluru - 17.5.1

    • Access Point and WiFi6 Features:
      1. New C9124AX Access Point Platform support
      2. Spectrum Intelligence for C9105AX
      3. Increased 11ax OFDMA users per transmission on Catalyst 9105, 9115 and 9120 Access Points
      4. 11ac and wifi6 MU-MIMO support for C9105AX
      5. Client load-based EDCA parameters
      6. Possibility to enable or disable specific wifi6 features per SSID
    • Catalyst 9800 Wireless Innovations
      1. LAG support on 9800-CL
      2. Support for MIC and LSC to join same C9800 WLC
    • Serviceability
      1. Standby Monitoring
      2. Possibility to forbid association of random MAC clients
      3. Tracking AP CPU usage
      4. HA Enhancements such as auto-upgrade of the standby WLC if the HA pair is not on the same release
      5. DHCP Relay : aligns the setting of DHCP relay parameters, such as, Gateway IP address, Option 82, and DHCP server address with the Cisco AireOS behaviour.
      6. Port channel available range from 1 to 64
    • Security and Resiliency
      1. Easy PSK: WLAN Client Onboarding without Registration
      2. Support to provision Suite B 192bit AVPs
      3. Default Gateway IP Reachability Check
      4. Intermediate CA support for LSC certificates
      5. Support for both MIC and LSC APs to join the controller
      6. Multiple cipher suites support for DTLS
      7. WPA(2)-PSK with webauth-on-mac-filter-failure combination support
      8. addition signatures for Wips

    Bengaluru - 17.4.1

    • Wave1 (Cisco IOS-based) access points are no longer supported (except the IW3700)
    • RLDP is not supported anymore from this release.
    • AP memory information are now shared
    • DHCP option 12 support to set the hostname of Access Points
    • Advanced scheduling request for clients
    • Detection of disconnected antennas
    • Boot integrity visibility
    • Gateway IP Check with native IPV6
    • "show ap image file summary" now displays AP images
    • OBSS-Packet Detect support
    • Support for overlapping IP addresses in Flex deployments
    • Faster detection of gateway reachability loss
    • RAP ethernet daisy chaining
    • Accounting session ID is supported in 802.1X
    • Support of delimiters in DHCP option 82 remoted ID suboption
    • Wips : configurable treshold for alarms and forensics capture support
    • Day0 CLI wizard
    • Support for rebooting all the APs associated to one site tag in one click.
    • Syslog servers can now be configured with FQDN
    • Smart Licensing using Policy
    • Web UI enhancements to monitoring CPU and dataplane usage
    • TWT support added for 9115 and 9120 APs
    • 9800 supports configuring the Framed-MTU RADIUS attribute

    Amsterdam - 17.3.5

    • command "ip arp-limit rate" was added to limit ARP traffic from clients

    Amsterdam - 17.3.2

    • Authorization of OfficeExtend Access Points via serial number
    • Administrator can enable or disable local access to Office Extend Access Points UI
    • BLE and Assurance coexistance on the AP without ICAP.
    • Smart Licensing using Policy
    • TLS support for telemetry towards DNA Center Cloud
    • Support of overlapping client subnet in Flex deployments, only for PSK and dot1x.

    Amsterdam - 17.3.1

    • 802.11ax / Wifi6
      • The Cisco DNA Center Assurance Wi-Fi 6 dashboard provides a visual representation of the wireless network.
      • Dynamic Tri-radio support for 9130
      • Both Uplink and Downlink Orthogonal frequency-division multiple access (UL OFDMA and DL OFDMA) features are supported in Cisco Catalyst 9130 APs in this release. Currently limited to support eight users in a DL OFDMA or UL OFDMA transmission. In this release, 37 users are supported in the 80-MHz and 160-MHz bandwidths.
      • Uplink Multi-user multiple-input and multiple-output (UL MU MIMO) feature is supported in Cisco Catalyst 9130 APs in this release.

        Access Point related features

    • AP Audit Configuration feature helps to detect wireless service synchronization issues between the controller and AP.
    • AP 9105 support
    • Wifi Direct support

    • AP image download time enhancement adds support to multiple sliding windows for control packets going from controller to AP.

    • AP support bundle : you can now retrieve the support bundle information of an AP and export it to the controller or an external server.
    • IW3702 specific features :
      • AVC support on IW3702
      • IW3702 can now enable or disable its heaters
      • Ethernet Daisy Chaining support on IW3702
      • Flexible antenna port configuration
    • Spectrum Intelligence feature on C9115 
    • External module support
    • gNMI configuration persistence
    • IoT module management
    • Ipv6 Multicast filtering
    • mDNS gateway support for Flex
    • DTLS encryption hardware assistance on 9120 and 9115
    • IGMPv3 support on COS APs (wave2 and 11ax APs)

    Controller related features

    • BLE management on the controller.

    • The controller allows seamless roaming between same WLAN associated with different policy profile.

    • Embedded Wireless on Cat9k switches is now supported in a non-sda (but still fabric) manner.
    • The PKI management page was expanded and now allows for creation of CSRs and import of certificate.
    • Hostpot 2.0 Release 3 certification features

    • Web authentication and web admin now have separate settings for HTTP/HTTPS

    • Mesh features.
      • Mesh Backhaul in 2.4ghz. 
      • Mesh Off-channel background scanning
      • Enhanced Mesh convergence.
    • ARP proxy
    • The controller retains client session for 10 seconds instead of immediately deleting for few clients.

    • A rogue device that is enabled with 802.11w Protected Management Frames (PMF) is not contained. Instead, the rogue device is marked as Contained Pending and a wireless service assurance (WSA) alarm is raised to inform about the event.

    • It is possible to monitor a standby WLC in a HA SSO pair by reaching out to its redundancy management IP.

    • The Cisco User Defined Network (UDN) mobile application helps create a user defined network and restrict access to devices unless they are invited to share the network.

    • SR-IOV can be configured on KVM and ESXi environments.

    • The Syslog Support for Client State Change feature enables you to track the client details such as IP addresses, AP names, and so on.

    • Support for DS parameter set : The managed APs now have additional information about the DS Parameter Set of the detected Rogue AP, in the Rogue AP reports.
    • 2 extra Wips attack signatures.
    • Full support of ISSU
    • Custom webauth tar bundle is now copied to standby WLC as well
    • Client details now indicate if client is using a Universally adminstered mac address or a random MAC.

    • From 17.3 release onwards, high throughput templates can be configured on the Cisco Catalyst 9800-CL Cloud Wireless Controller private cloud instances.

    • Web UI :
      • Dark mode
      • AP LED blink
      • AP support bundle download
      • Enhanced PKI management page
      • OpenRoaming
      • Embedded wireless on 9000 switch (non-SDA)
      • Software upgarde page enhancements
      • TRi radio configuration
      • Tracking of appliance temperature in dashboard

    other changes

    • Cisco Catalyst 9800-CL Wireless Controllers now required 16 GB of disk.

    • From Cisco IOS XE Amsterdam 17.3.1 onwards, higher number of port channels are supported on these Cisco Catalyst 9800 Series Wireless Controllers:

      • Cisco Catalyst 9800-80 Wireless Controller: From 1-40 to 1-64

      • Cisco Catalyst 9800-40 Wireless Controller: From 1-4 to 1-16

      • Cisco Catalyst 9800-L Wireless Controller: From 1-6 to 1-14

    • From Cisco IOS XE Amsterdam 17.3.1 onwards, the AP name can only be up to 32 characters.

    • If you downgrade from Cisco IOS XE Amsterdam 17.3.1 to an earlier release. the port channels that are configured with higher range disappear.

    • When EoGRE AAA-proxy is used, AAA ports are set to 1645 and 1646 by default. To change this port configuration, use these command: tunnel eogre interface tunnel-intf aaa proxy key key key-name auth-port auth_port acct-port acct_port

    • Mobility Tunnel goes down and come up if SSO is triggered due to gateway check failure.

    • Adding support for the LED blink in Cisco Catalyst 9800 Wireless Controllers.

    • Log viewer window added to the GUI, to view radioactive trace logs.

    • New field added to display AP configuration state in the GUI.

    • Column header in rogue detection changed from MFP Required to PMF Required.

    • The Central Forwarding field that was present in the EoGRE > Tunnel Profiles > Edit Tunnel Profile > General tab, has been removed.

    These MIBs were modified.

    • CISCO-LWAPP-AP-MIB.my

      • Added these scalar objects:

        • cLApGlobalAPAuditReport

        • cLApGlobalAPAuditReportInterval

      • Added  objects to the cLApProfileEntry table:

        • cLApProfilePersistentSsidBroadcastEnable

        • cLApProfileDhcpFallback

    • CISCO-LWAPP-DOT11-CLIENT-CALIB-MIB.my

    • CISCO-LWAPP-DOT11-CLIENT-MIB.my

    • CISCO-LWAPP-DOT11-MIB.my

    • CISCO-LWAPP-WLAN-SECURITY-MIB.my

    • CISCO-WIRELESS-HOTSPOT-MIB.my

    • CISCO-LWAPP-REAP-MIB.my

    • CISCO-LWAPP-WLAN-MIB.my

      • cLWlanWifiDirectPolicyStatus: These policy value was added.

        • xconnectNotAllow

    Amsterdam - 17.2.1

    • 802.11ax / Wifi6
      • Target Wake Time
      • Dynamic Tri-radio support for 9130
      • Spectrum analysis with DNAC
    • Support for IW6300 heave duty access point
    • Possibility to disable /enable Opportunistic Key Caching
    • Locally switched RLANs keep forwarding traffic in local mode even when the WLC is unreachable
    • Multi-LAG support
    • IPV6 QoS support (non-AVC) in flex local switching and fabric setups
    • Fabric in a box with external fabric edge support
    • FT is now supported for FlexConnect local switching and local authentication
    • Possibility to create a Mobility Domain ID for sharing cached keys between APs
    • DHCP required now supported for FlexConnect local switching
    • HA SSO with RMI : "ip default-gateway" command is not required anymore. Gateway IP can be found in the routing table.
    • BSSID counters statistics
    • OpenRoaming support in CLI
    • Aironet IE has been enhanced to include the AP name.
    • Sensor mode is not supported on the AP anymore
    • Web UI :
      • Tri-radio support
      • Device ecosystem intelligent client scan report
      • SGT and VN attributes display

    Amsterdam - 17.1.1s

    • High Availability (AP SSO)
      • Redundancy management interface
      • Gateway verification support
      • LACP support for HA SSO (LACP was already supported in standalone WLC)
    • 11ax / Wifi 6
      • BSS coloring (no OBSS-PD yet)
      • FastLocate on 9120
      • IPV6 RA forwarding in case of wired guest
      • OpenDNS on ipv6 and flexconnect support
      • Encrypted Traffic Analysis ipv6 support
      • Flex/Fabric AVC on Ipv6
      • Flexconnect local authentication on ipv6
      • CMX and DNA Spaces over ipv6 NMSP support
      • Ipv6 assurance and Netconf
      • UDPlite support for Capwapv6 tunnels
    • New Hardware
      • IW3700 and IW6300 AP support
      • 9800-CL support on HyperV
      • Support for Embedded Wireless Controller on Catalyst Access Points (EWC-AP)
    • Support for mesh (Bridge mode) on all indoor wave 2 APs
    • Flex+Bridge mode support (except for wifi6 APs)
    • 9800-L performance license support
    • aWips
    • Facebook Express Wi-fi
    • Vlan override support after guest authentication (LWA and CWA)
    • Mobility tunnel support for WLCs both behind NAT
    • Wireless client QoS policy change without disconnection
    • Device Ecosystem : Samsung Analytics
    • User Personal Network
    • AP up/down events tracking inside radius accounting
    • iPSK peer to peer blocking
    • mDNS advanced (policy under VLAN, mdns under RLAN, location filtering extension, mdns on AP, mdns for wired guest)
    • SGACL support for wireless guest acess with anchor
    • Smart License improved tracking of AP identity to avoid duplicate counts
    • Client multi-auth for guest: L2 (dot1x,PSK) + L3 (LWA/CWA) authentication combination support with guest anchor
    • TLS 1.2 support for local EAP authentication
    • Flex local switching support for DNS URL Filter ACLs pre and post-auth
    • Enhanced URL filters (Allowing per-URL permit/deny action) for Flex Local Switching only
    • DNS support for network services like Radius

    Gibraltar - 16.12.4a

    No new features in this release

    Gibraltar - 16.12.3

    From this release, only supported SFPs work. If you use a nonsupported SFP, the port does not function.

    Gibraltar - 16.12.2t

    No new features.

    Gibraltar - 16.12.2s

    • Support for 9120AXE and 9130-AXI AP

    • Default-policy-tag editable: Automatic mapping of wlan id 1-16 to default-policy-profile disabled

    Gibraltar - 16.12.1t

    • Prevents 9120AXE and 9130AXI from joining 9800

    Gibraltar - 16.12.1

    • Hardware
      • Support for 9800-L
      • Support for 1840 AP
      • Support for Google Cloud Platform as public cloud operator
    • Support for -P domain
    • BLE USB dongle support
    • WPA 3
    • Hostpot 2.0 support
    • Wired guest
    • Enhanced support for public cloud (up to 6000 APs)
    • OFDMA support for Catalyst 9100 APs
    • Wi-fi alliance agile multiband operation
    • MFP support
    • Airtime fairness on mesh
    • Best practice checker window on the WLC Web UI
    • Deny wireless client session establishment using calendar profile
    • Ipv6 support for fabric mode clients an pre and post authentication ACL
    • IPv6 multicast-to-unicast
    • Support for IPv6 Prime Infrastructure
    • Security-Enhanced Linux Permissive mode
    • RadioActive tracing now available from the web UI
    • RadioActive trace a multicast group IP address
    • Allow rollback to previous releases ("show install rollback")
    • FIPS certification
    • LACP for standalone WLC

    Gibraltar - 16.11.1

    • Hardware
      • Support for 9115, 9117, 9120 11ax WiFi6 AP Models
      • Embedded Wireless Support on Cat9400, Cat9500 (specifically on 16.11.1c)
    • mDNS gateway/proxy support on the 9800 WLC
    • Bi-directional Rate Limiting with AAA Override
    • PAT Support on CAPWAP for remote APs join (behind NAT/PAT)
    • AP Device Pack upgrade feature
    • Per Site or Per AP Model AP SMU Upgrade
    • Lobby Ambassador
    • LAG support on APs for Flexconnect mode
    • EoGRE support
    • DHCP on Root mesh APs with NAT support
    • Support for the BLE radios inside APs
    • Local Webauth (LWA) support for Ipv6 ACLs on Flex
    • Mesh CAC
    • Guestshell on Appliances [9800-40/9800-80]
    • RESTCONF Configuration Management Protocol (RESTCONF)
    • NETCONF and RESTCONF Service Level Access Control Lists
    • RadioActive Tracing for the NMSP process by using the CMX IP address
    • Mobility protocol statistics on the 9800 through the command "show wireless stats mobility messages
    • Reboot AP by groups
    • Web UI upgrade page now supports SFTP option
    • Passive client in SDA
    • Support for mac address as a filter in the packet tracer
    • Policy Classification Engine
    • Action Profile for UNKNOWN devices with Local Profiling:

    Gibraltar - 16.10.1

    This is the first release to support 9800 controllers.

    • Platforms supported
      • 9800-40 (including SFP support for RP port, USB 3.0 support)
      • 9800-80
      • 9800-CL on ESXi, KVM, ENCS(NFviS) 
      • 9800-CL on AWS
      • 9800-SW - Fabric support on Cat9300
    • AP Modes
      • Local
      • FlexConnect
      • Bridge (Mesh)
      • Sniffer
      • Monitor
      • OEAP Support
    • General
      • CAPWAP Fragmentation
      • Data DTLS
      • Wireless Management Interface
      • Management over wireless
      • Regulatory Domain (20 Country codes supported)
      • Smart License Support
      • Specified License Reservation
      • L2 Port channel
      • L3 Access-List
      • WLC to generate 2048 bit RSA key
      • CSR certificates
      • PKI Locally signed Certificate (LSC)
      • Lawful  Intercept: AAA attributes
      • Sleeping Client
      • Web Server
      • Bring Your Own Device (BYOD)
      • Encrypted Traffic Analysis (ETA)
      • Support Dynamic Telemetry Subscription creation

      • Best Practices w/fix it

      • Plug-n-Play enhancements

      • Day 0 wizard

      • Migration Tool for brownfield deployment for private and public cloud hosted on vEWLC UI and standalone app
      • Smart Call Home
      • Stadium Vision
      • Embedded Packet Capture
      • Data Plane Packet Tracer
      • TrustSec SGT: SGACL and inline tagging at WLC
      • Wireless broadcast
      • DNS ACL, FQDN preauth ACL, URL filtering
      • Programmability and Telemetry
    • Network Services
      • DNS
      • RADIUS (including RADIUS selection by realm)
      • Ping
      • Telnet
      • SSH
      • HTTP
      • NTP
      • SNMP
      • Syslogs (including Support for configuring syslog hosts by hostname)
    • WLAN
      • New Configuration Model
      • Central Auth (WPA/WPA2, EAP-FAST/EAP-PEAP, WPA2-PSK)
      • Static WEP
      • WPA-PSK/TKIP
      • MAB
      • LDAP
      • Secure LDAP
      • CCKM
      • Multi-PSK (MPSK) security for SSIDs with up to 5 keys per SSID
      • Change of Authorization (CoA)
      • Multiple-Auth methods (PSK+LWA/CWA, MAB+iPSK+LWA, do1x+LWA) - for non-guest (foreign/anchor) clients only.
    • WLAN Advanced
      • Client Load balance
      • Client Limit
      • P2P Blocking
      • Band select
      • 802.11h
      • 11w
      • 11r
      • 11v (BSS Transition, Idle Timeout, Directed Multicast Service)
      • P2P Client support
      • AAA override
      • VLAN Grouping
      • IP Source guard v4/v6
    • DHCP
      • Internal DHCP server
      • IP Theft
      • DHCP Relay (including Option 82)
      • DHCP Option 82 (AP name-SSID, AP grp name, flex grp name, AP location, AP MAC, AP name + VLAN, AP eth MAC),
      • DHCP  sub-option 5, 151/152 (Cisco IOS and COS APs)
      • DHCP on AP with NAT (ipv4 only)
      • DHCP opt 60 + vendor name
    • Local Mode/Central Switched
      • Local Mode:Open Auth + MAB
      • Local Mode:WPA/WPA2-PSK/802.1x
      • Local Mode:LWA/CWA
      • Local Mode:Client IPv6
      • Local Mode: RF Grouping/TPC/DCA/CHD
      • Local Mode:802.11k
      • Local Mode:ACL
      • Local Mode:RxSoP
      • Local Mode:Smart Roam
      • Local Mode: Clean Air
      • Local Mode:EDRRM
      • Local Mode:XoR
      • Local mode: SXPv4 support for WLC
      • DNAC automation and Assurance workflow for Local
    • FlexConnect
      • Central Switching/Central DHCP
      • Efficient FlexConnect (FC) Image upgrade
      • Teleworker
      • TrustSec:SGT inline tagging for Flex mode
      • Ethernet fallback
      • Ethernet VLAN tag on AP
      • Split tunnel, NAT-PAT, Radius Fallback, central DHCP (local SW)
      • Client V6
      • Proxy ARP
      • Remote LAN (RLAN) support for 1815
      • TrustSec SGT: SGACL and inline tagging for flex
      • Flex AP via NAT to WLC. If link down, flex AP acts as Local DHCP server 
      • DNAC automation and Assurance workflow for Flex
    • Mesh
      • Best Parent selection - Ease calculation, parent decision, SNR smoothing, loop prevention, preferred parent
      • Multiple RAPs
      • RRM on 5GHz RAP
      • GPS support for outdoor
      • Deployment modes - Wireless backhaul, Universal access, Point to multipoint wireless bridging, P-P bridging
      • Localy Signed Certificates (LSC)
      • Different authentication mechanisms - MAC address, RADIUS, PSK, LSC
    • WGB
      • WGB with multiple VLANs (Mining feature)
      • Universal WGB
      • High speed roaming (WGB & WLC)
      • Static anchor WGB
    • RF/RRM/Rogue
      • RF Grouping
      • Dynamic Channel Assignment (DCA)
      • Transmit Power Control (TPC) 
      • Coverage Hole Detection
      • Rx-SOP
      • EDCA Parameters
      • 11ac - 80 Mhz
      • FRA
      • XOR
      • Dynamic Band Selection (DBS)
      • 3rd Radio Module Support
      • Per SSID enable/disable Date rates
      • DFS and non-DFS channel scan
      • Power Save (U-APSD)
      • Client Link
      • wIPS Auto SPT (switch port tracing) - Prime mandatory
      • Rogue/RLDP- Single controller
      • Rogue per AP
      • Airtime Entitlement
      • CleanAir
      • Spectrum Intelligence on 18xx APs
      • Flexible DFS
    • AP
      • AP Priority
      • AP Local Auth Internal
      • AP Local Auth External
      • AP Crash File Upload
      • AP CDP
      • AP Image Pre-Download
      • AP NTP
      • AP AuthList
      • AP packet dump
      • AP LAG (Local mode)
      • TCP MSS Adjustment (Local mode, Flexconnect and Fabric mode)
      • AP Filter
      • AP Provisioning PnP
      • Specify DNS and AP domain on APs using static ip address
      • AUX Ethernet Port Enabled on Wave 2 APs for downstream device connectivity
    • Mobility
      • IRCM
      • Guest Access
      • L2 Mobility (single instance) Open Auth
      • L2 Mobility MAB/dot1x
      • L2 Mobility LWA/CWA
      • L3 Mobility  Openauth
      • L3 Mobility  Dot1x, MAB
      • L3 Mobility CWA,LWA
      • Security profile updates for anchor use case (GS feature)
      • Apple L3 Mobility
      • Roaming for static client
      • Auto anchor support for DNS based ACL
    • Guest
      • Guest anchor 
      • internal/External webauth
      • CWA
      • Guest anchor Group Redundancy
      • Webauth on mac failure
      • Seamless roaming in WebAuth Pending
      • Foreign Map support
    • High Availability
      • HA AP & Client SSO [no RMI, no gateway check, no remote access to standby service port]

      • HA - N+1 Redundancy for Embedded Wireless on Switches (9800-SW)

      • Process restart and Patching support for embedded wireless on switches (9800-SW)
      • SMU + Rolling AP upgrade
      • N+1 Rolling AP upgrade for Full Controller Image Upgrade
    • QoS/Voice/Video
      • Voice over wireless
      • Auto QoS
      • Voice mobility
      • QoS - BSSID
      • QoS - Client
      • QoS - Fastlane
      • SDN QoS

      • QoS TCLAS, SIP

      • QoS SIP Voice Call snooping

      • SIP CAC

      • Dot1P markings

      • Approximate Fair Bandwidth

      • Voice Diagnostics

      • Voice metrics

      • Video CAC

    • AVC/Profiling
      • NBAR Protocol Discovery
      • Flexible Netflow
      • Application Visibility and Control (AVC)
      • Native Profiling
      • Dynamic Protocol Pack Upgrade
    • Multicast/mDNS
      • Multicast - IPv4 
      • Multicast - L2 Roaming (Single instance)
      • VLAN select & L2/L3 multicast optimization
      • Media Streaming (MC2UC)
    • IPV6
      • Native IPv6 
      • IP Source Guard V6
      • Webauth IPv6
      • IPv6 Client - Mobility/Roaming
      • IPv6 Client - SDA Wireless (only)
      • IPV6 Multicast-Multicast
      • IPv6 Internal DHCP Server
      • AP Join in Public Cloud via Cisco Cloud Connect PnP Workflow
      • AP Join in Private Cloud via Cisco DNA-Center PnP Workflow or via regular DHCP/DNS/Priming option
    • Location
      • NMSP
      • Hyperlocation
      • Probe RSSI & Location
      • Support for CMX Cloud
      • NMSP support for CleanAir
      • RFID Tag Support
      • Hyperlocation - CMX, HA & AP filtering
      • Hyperlocation support - Fabric modes
    • SDA
      • Support for Over the Top (OTT)/Flex
      • 1800s Sensor support
      • DNAC Automation and Assurance Workflow for Fabric
      • SDA IRCM
      • Netflow support Fabric Edge
      • Secure Control Plane
      • One WLC for multiple Fabric domains (MAP Server per AP-Group)
      • Outdoor AP Support
      • iCAP support for AP4800

    Revision History

    Revision Publish Date Comments
    12.0
    06-Aug-2024
    Updated with 17.15.1
    11.0
    16-Apr-2024
    Added 17.14
    10.0
    16-Jan-2024
    Added 17.13
    9.0
    08-Aug-2023
    Added 17.12
    8.0
    08-May-2023
    Added 17.11
    7.0
    08-Dec-2022
    Added 17.10.1
    6.0
    21-Nov-2022
    Added 17.9.2
    5.0
    03-Aug-2022
    Added 17.9
    4.0
    09-Dec-2021
    minor edit
    3.0
    02-Dec-2021
    Added 17.7.1
    2.0
    16-Aug-2021
    Added minor behavioral changes in 17.6
    1.0
    19-Sep-2019
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Nicolas Darchis
      Cisco TAC
    • Sudha Katgeri
      Cisco TAC

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products